Re: [PATCH RT] signal: Prevent double-free of user struct

[Daniel Wagner]

Hi Sebastian,

On 15.04.20 18:46, Sebastian Andrzej Siewior wrote:
> On 2020-04-07 10:54:13 [+0100], Matt Fleming wrote:
> > The way user struct reference counting works changed significantly with,
> >
> >    fda31c50292a ("signal: avoid double atomic counter increments for user accounting")
> >
> > Now user structs are only freed once the last pending signal is
> > dequeued. Make sigqueue_free_current() follow this new convention to
> > avoid freeing the user struct multiple times and triggering this
> > warning:
> >
> >   refcount_t: underflow; use-after-free.
> >   WARNING: CPU: 0 PID: 6794 at lib/refcount.c:288 refcount_dec_not_one+0x45/0x50
> >   Call Trace:
> >    refcount_dec_and_lock_irqsave+0x16/0x60
> >    free_uid+0x31/0xa0
> >    ? schedule_hrtimeout_range_clock+0x104/0x110
> >    __dequeue_signal+0x17c/0x190
> >    dequeue_signal+0x5a/0x1b0
> >    do_sigtimedwait+0x208/0x250
> >    __x64_sys_rt_sigtimedwait+0x6f/0xd0
> >    do_syscall_64+0x72/0x200
> >    entry_SYSCALL_64_after_hwframe+0x49/0xbe
>
> While all this sounds reasonable, may I ask what did you do to trigger
> this?

This can be triggered by running sigwaittest.

 # sigwaittest -t -a -p 98

a few seconds should be enough to get the splat.

> This is v5.6 only, correct?

I've seen this also with a frankstein version of 5.2-rt...v5-4-rt :)

Thanks,
Daniel