Re: BUG: KASAN: use-after-free in dec_rlimit_ucounts

From: Qian Cai
Date: Thu Nov 18 2021 - 15:32:38 EST

On Thu, Nov 18, 2021 at 01:46:05PM -0600, Eric W. Biederman wrote:
> Is it possible? Yes it is possible. That is one place where
> a use-after-free has shown up and I expect would show up in the
> future.
> That said it is hard to believe there is still a user-after-free in the
> code. We spent the last kernel development cycle pouring through and
> correcting everything we saw until we ultimately found one very subtle
> use-after-free.
> If you have a reliable reproducer that you can share, we can look into
> this and see if we can track down where the reference count is going
> bad.
> It tends to take instrumenting the entire life cycle every increment and
> every decrement and then pouring through the logs to track down a
> use-after-free. Which is not something we can really do without a
> reproducer.

The reproducer is just to run trinity by an unprivileged user on defconfig
with KASAN enabled (On linux-next, you can do "make defconfig debug.conf"
[1], but dont think other debugging options are relevent here.)

$ trinity -C 31 -N 10000000

It is always reproduced on an arm64 server here within 5-minute so far.
Some debugging progress so far. BTW, this could happen on user_shm_unlock()
path as well.

Call trace:
(inlined by) user_shm_unlock at mm/mlock.c:854

I noticed in dec_rlimit_ucounts(), dec == 0 and type ==