From: Pankaj Raghav <pankaj.raghav@linux.dev>
To: "Darrick J. Wong" <djwong@kernel.org>, cem@kernel.org
Cc: linux-xfs@vger.kernel.org, p.raghav@samsung.com
Subject: Re: [PATCH 4/6] xfs: fix potential pointer access race in xfs_healthmon_get
Date: Thu, 19 Feb 2026 14:15:54 +0100 [thread overview]
Message-ID: <0ca84d35-ed3e-4387-9b38-a85d62afa1c2@linux.dev> (raw)
In-Reply-To: <177145925494.401799.17980890890269795712.stgit@frogsfrogsfrogs>
On 2/19/2026 7:01 AM, Darrick J. Wong wrote:
> From: Darrick J. Wong <djwong@kernel.org>
>
> Pankaj Raghav asks about this code in xfs_healthmon_get:
>
> hm = mp->m_healthmon;
> if (hm && !refcount_inc_not_zero(&hm->ref))
> hm = NULL;
> rcu_read_unlock();
> return hm;
>
> (slightly edited to compress a mailing list thread)
>
> "Nit: Should we do a READ_ONCE(mp->m_healthmon) here to avoid any
> compiler tricks that can result in an undefined behaviour? I am not sure
> if I am being paranoid here.
>
> "So this is my understanding: RCU guarantees that we get a valid object
> (actual data of m_healthmon) but does not guarantee the compiler will
> not reread the pointer between checking if hm is !NULL and accessing the
> pointer as we are doing it lockless.
>
> "So just a barrier() call in rcu_read_lock is enough to make sure this
> doesn't happen and probably adding a READ_ONCE() is not needed?"
>
> After some initial confusion I concluded that he's correct. The
> compiler could very well eliminate the hm variable in favor of walking
> the pointers twice, turning the code into:
>
> if (mp->m_healthmon && !refcount_inc_not_zero(&mp->m_healthmon->ref))
>
> If this happens, then xfs_healthmon_detach can sneak in between the
> two sides of the && expression and set mp->m_healthmon to NULL, and
> thereby cause a null pointer dereference crash. Fix this by using the
> rcu pointer assignment and dereference functions, which ensure that the
> proper reordering barriers are in place.
>
> Practically speaking, gcc seems to allocate an actual variable for hm
> and only reads mp->m_healthmon once (as intended), but we ought to be
> more explicit about requiring this.
>
> Reported-by: Pankaj Raghav <pankaj.raghav@linux.dev>
> Fixes: a48373e7d35a89f6f ("xfs: start creating infrastructure for health monitoring")
> Signed-off-by: "Darrick J. Wong" <djwong@kernel.org>
> ---
Looks good,
Reviewed-by: Pankaj Raghav <p.raghav@samsung.com>
--
Pankaj
next prev parent reply other threads:[~2026-02-19 13:15 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-19 6:00 [PATCHSET 1/2] xfs: bug fixes for 7.0 Darrick J. Wong
2026-02-19 6:00 ` [PATCH 1/6] xfs: fix copy-paste error in previous fix Darrick J. Wong
2026-02-19 6:41 ` Christoph Hellwig
2026-02-19 12:56 ` Carlos Maiolino
2026-02-19 6:01 ` [PATCH 2/6] xfs: fix xfs_group release bug in xfs_verify_report_losses Darrick J. Wong
2026-02-19 6:41 ` Christoph Hellwig
2026-02-19 12:57 ` Carlos Maiolino
2026-02-19 6:01 ` [PATCH 3/6] " Darrick J. Wong
2026-02-19 6:42 ` Christoph Hellwig
2026-02-19 13:02 ` Carlos Maiolino
2026-02-19 21:48 ` Darrick J. Wong
2026-02-19 6:01 ` [PATCH 4/6] xfs: fix potential pointer access race in xfs_healthmon_get Darrick J. Wong
2026-02-19 6:43 ` Christoph Hellwig
2026-02-19 13:09 ` Carlos Maiolino
2026-02-19 21:52 ` Darrick J. Wong
2026-02-19 13:15 ` Pankaj Raghav [this message]
2026-02-19 6:02 ` [PATCH 5/6] xfs: don't report metadata inodes to fserror Darrick J. Wong
2026-02-19 6:44 ` Christoph Hellwig
2026-02-19 13:11 ` Carlos Maiolino
2026-02-19 6:02 ` [PATCH 6/6] xfs: don't report half-built " Darrick J. Wong
2026-02-19 6:44 ` Christoph Hellwig
2026-02-19 13:21 ` Carlos Maiolino
2026-02-19 22:02 ` Darrick J. Wong
2026-02-24 11:39 ` Carlos Maiolino
2026-02-24 19:40 ` Darrick J. Wong
-- strict thread matches above, loose matches on Subject: below --
2026-02-20 1:00 [PATCHSET v2 1/2] xfs: bug fixes for 7.0 Darrick J. Wong
2026-02-20 1:01 ` [PATCH 4/6] xfs: fix potential pointer access race in xfs_healthmon_get Darrick J. Wong
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=0ca84d35-ed3e-4387-9b38-a85d62afa1c2@linux.dev \
--to=pankaj.raghav@linux.dev \
--cc=cem@kernel.org \
--cc=djwong@kernel.org \
--cc=linux-xfs@vger.kernel.org \
--cc=p.raghav@samsung.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.