Re: [5.4-rt] kdb: push 'bt' command output to console immediately.

[Joe Korty <joe.korty@concurrent-rt.com>]

On Tue, May 26, 2020 at 12:55:02PM -0400, Joe Korty wrote:
> On Tue, May 26, 2020 at 06:44:49PM +0200, Sebastian Andrzej Siewior wrote:
> > On 2020-05-20 17:33:25 [+0200], John Ogness wrote:
> > > On 2020-05-20, Joe Korty <joe.korty@concurrent-rt.com> wrote:
> > > > [5.4-rt] kdb: push 'bt' command output to console immediately.
> > > >
> > > > The rt patch for 5.4 and 5.2 broke kdb slightly.  The kdb
> > > > 'bt' command now prints a single line then returns to the
> > > > kdb prompt.  There is no stack trace being shown.
> > > ...
> > > >
> > > > I have attached a small patch that Seems To Work.  It
> > > > taps earlier into printk than the official tap does.
> > > 
> > > On LKML a similar patch was recently posted[0]. It would probably be
> > > better to follow that (patching vprintk_func and using
> > > KDB_MSGSRC_PRINTK).
> > 
> > Should I do here anything?
> 
> Hi John,
> Probably not.
> 
> Since the bug is in mainline, not rt, ideally rt should
> just wait for the fix you so graciously found for me to
> enter mainline and propagate down to the various stable
> trees.
...



Hi Sebastian,
Oops, my mistake .. the bug is in rt, not mainline.  The
status of the long-term rt's w.r.t. this patch is:

       5.6-rt    -- already has fix
       5.4-rt    -- needs fix
       4.19-rt   -- needs fix
       4.14-rt   -- needs fix
       4.9-rt    -- needs fix
       4.4-rt    -- needs fix

For your convenience, I've attached the needed patch.

Regards,
Joe

> From: Matt Fleming <matt@codeblueprint.co.uk>
> To: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
> Cc: linux-rt@vger.kernel.org, linux-kernel@vger.kernel.org,
>	Daniel Wagner <wagi@monom.org>,
>	Matt Fleming <matt@codeblueprint.co.uk>
>Subject: [PATCH RT] signal: Prevent double-free of user struct
>Date: Tue,  7 Apr 2020 10:54:13 +0100

The way user struct reference counting works changed significantly with,

  fda31c50292a ("signal: avoid double atomic counter increments for user accounting")

Now user structs are only freed once the last pending signal is
dequeued. Make sigqueue_free_current() follow this new convention to
avoid freeing the user struct multiple times and triggering this
warning:

 refcount_t: underflow; use-after-free.
 WARNING: CPU: 0 PID: 6794 at lib/refcount.c:288 refcount_dec_not_one+0x45/0x50
 Call Trace:
  refcount_dec_and_lock_irqsave+0x16/0x60
  free_uid+0x31/0xa0
  ? schedule_hrtimeout_range_clock+0x104/0x110
  __dequeue_signal+0x17c/0x190
  dequeue_signal+0x5a/0x1b0
  do_sigtimedwait+0x208/0x250
  __x64_sys_rt_sigtimedwait+0x6f/0xd0
  do_syscall_64+0x72/0x200
  entry_SYSCALL_64_after_hwframe+0x49/0xbe

Signed-off-by: Matt Fleming <matt@codeblueprint.co.uk>
Reported-by: Daniel Wagner <wagi@monom.org>

Index: b/kernel/signal.c
===================================================================
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -494,8 +494,8 @@ static void sigqueue_free_current(struct
 
 	up = q->user;
 	if (rt_prio(current->normal_prio) && !put_task_cache(current, q)) {
-		atomic_dec(&up->sigpending);
-		free_uid(up);
+		if (atomic_dec_and_test(&up->sigpending))
+			free_uid(up);
 	} else
 		  __sigqueue_free(q);
 }