From: sashiko-bot@kernel.org
To: "John Groves" <john@jagalactic.com>
Cc: linux-cxl@vger.kernel.org
Subject: Re: [PATCH V3 2/9] dax/fsdev: fix multi-range offset in memory_failure handler
Date: Sat, 30 May 2026 17:13:45 +0000
Message-ID: <20260530171345.B380F1F00893@smtp.kernel.org>
In-Reply-To: <0100019e79cb8953-e505a8dc-63a4-4bc3-a9bd-3b86ec081838-000000@email.amazonses.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] Lockless iteration over `dev_dax->ranges` in `fsdev_pfn_to_offset` causes a Use-After-Free.
--
commit 104845be5fb1300e103dae52129fee9336fbed14
Author: John Groves <John@Groves.net>
dax/fsdev: fix multi-range offset in memory_failure handler
This commit fixes the memory_failure offset calculation for multi-range
devices by introducing fsdev_pfn_to_offset() to walk the range list and
compute the correct device-linear byte offset.
> diff --git a/drivers/dax/fsdev.c b/drivers/dax/fsdev.c
> index 188b2526bee45..f315533b299e9 100644
> --- a/drivers/dax/fsdev.c
> +++ b/drivers/dax/fsdev.c
[ ... ]
> @@ -135,11 +135,26 @@ static void fsdev_clear_ops(void *data)
> * The core mm code in free_zone_device_folio() handles the wake_up_var()
> * directly for this memory type.
> */
> +static u64 fsdev_pfn_to_offset(struct dev_dax *dev_dax, unsigned long pfn)
> +{
> + phys_addr_t phys = PFN_PHYS(pfn);
> + u64 offset = 0;
> +
> + for (int i = 0; i < dev_dax->nr_range; i++) {
> + struct range *range = &dev_dax->ranges[i].range;
[Severity: High]
This is a pre-existing issue, but does iterating over dev_dax->ranges here
without locks expose us to a use-after-free?
Because fsdev_pfn_to_offset() is called asynchronously by the memory_failure
handler, it seems possible for it to race with root writing to the mapping
sysfs attribute to append ranges. That write invokes mapping_store().
Unlike size_store(), mapping_store() does not check if the DAX device is
currently bound to a driver before calling alloc_dev_dax_range(). That function
uses krealloc() to expand the dev_dax->ranges array, freeing the old memory.
If fsdev_pfn_to_offset() executes concurrently with this sysfs write, could it
dereference the freed array pointer?
Would it be safer to pass the pgmap parameter down from the memory failure
handler and iterate over pgmap->ranges instead, since it contains a stable,
immutable snapshot of the ranges created during driver probe?
> +
> + if (phys >= range->start && phys <= range->end)
> + return offset + (phys - range->start);
> + offset += range_len(range);
> + }
> + return -1ULL;
> +}
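Review bot: the `return -1ULL;` at the end of `fsdev_pfn_to_offset()` is an undocumented sentinel that shares the `u64` return type with valid offsets, so a caller that forgets to compare against it will treat "pfn not in any range" as a huge but otherwise ordinary byte offset. Add a short comment above the function stating that `-1ULL` means the pfn lies outside every range in `dev_dax->ranges[]` and that callers must check for it before use, or change the function to return an int status and hand the offset back through a pointer argument so the failure cannot be silently consumed. The inclusive `phys <= range->end` test is consistent with `range_len()` treating `end` as inclusive, so the walk itself accumulates `offset` correctly across ranges.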
--
Sashiko AI review · https://sashiko.dev/#/patchset/0100019e79caead2-5795328c-af48-4a93-b147-c11df7446e1a-000000@email.amazonses.com?part=2
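The commit message says the fix is to walk the range list and sum the lengths of the preceding ranges instead of subtracting a single base. The following is an added userspace model of that calculation, written for this page and not taken from the patch or the kernel: it keeps the inclusive `[start, end]` convention of the kernel's `struct range` and the `dev_dax`/`ranges`/`nr_range` names from the hunk, but the types, the `OFFSET_INVALID` macro (the patch uses the literal `-1ULL`) and the two-range sample device with a hole between its ranges are stand-ins constructed for the example. It puts the pre-fix single-range arithmetic beside the range walk so the difference for a pfn in the second range is visible, and adds the caller-side check for the not-found sentinel.

```c
/*
 * Added example, not code from the patch or the kernel: a userspace model
 * of device-linear offset calculation for a multi-range DAX device.
 * struct range mirrors the kernel's inclusive [start, end] convention;
 * dev_dax/ranges/nr_range are borrowed names, the types are stand-ins.
 */
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12
#define PFN_PHYS(pfn) ((uint64_t)(pfn) << PAGE_SHIFT)
/* Stand-in for the patch's literal -1ULL "not in any range" return. */
#define OFFSET_INVALID (~0ULL)

struct range {
	uint64_t start;
	uint64_t end;	/* inclusive, as in the kernel's struct range */
};

static inline uint64_t range_len(const struct range *r)
{
	return r->end - r->start + 1;
}

struct dev_dax {
	int nr_range;
	const struct range *ranges;
};

/* Pre-fix behaviour: assumes the device is a single contiguous range. */
static uint64_t naive_pfn_to_offset(const struct dev_dax *dd, unsigned long pfn)
{
	return PFN_PHYS(pfn) - dd->ranges[0].start;
}

/* The range walk from the patch: sum the lengths of preceding ranges. */
static uint64_t pfn_to_offset(const struct dev_dax *dd, unsigned long pfn)
{
	uint64_t phys = PFN_PHYS(pfn);
	uint64_t offset = 0;

	for (int i = 0; i < dd->nr_range; i++) {
		const struct range *r = &dd->ranges[i];

		if (phys >= r->start && phys <= r->end)
			return offset + (phys - r->start);
		offset += range_len(r);
	}
	return OFFSET_INVALID;
}

/*
 * Caller-side check a memory_failure handler needs: a pfn not backed by
 * any range must be rejected rather than used as an offset.
 * Returns 1 and stores the offset on success, 0 if pfn is outside the device.
 */
static int resolve_offset(const struct dev_dax *dd, unsigned long pfn, uint64_t *out)
{
	uint64_t off = pfn_to_offset(dd, pfn);

	if (off == OFFSET_INVALID)
		return 0;
	*out = off;
	return 1;
}

/* Constructed sample device: two 1 MiB ranges with a 1 MiB hole between them. */
static const struct range sample_ranges[] = {
	{ .start = 0x100000000ULL, .end = 0x1000fffffULL },
	{ .start = 0x100200000ULL, .end = 0x1002fffffULL },
};
static const struct dev_dax sample_dev = {
	.nr_range = 2,
	.ranges = sample_ranges,
};

int main(void)
{
	/* Second page of the second range: physical 0x100201000. */
	unsigned long pfn_in_second = 0x100201UL;
	/* A pfn inside the hole between the two ranges. */
	unsigned long pfn_in_hole = 0x100100000ULL >> PAGE_SHIFT;
	uint64_t off;

	printf("naive offset:  0x%llx\n",
	       (unsigned long long)naive_pfn_to_offset(&sample_dev, pfn_in_second));
	printf("walked offset: 0x%llx\n",
	       (unsigned long long)pfn_to_offset(&sample_dev, pfn_in_second));
	printf("hole resolves: %d\n", resolve_offset(&sample_dev, pfn_in_hole, &off));
	return 0;
}
```

With the sample device the naive subtraction yields 0x201000 for a pfn in the second range, counting the 1 MiB hole as device bytes, while the range walk yields 0x101000, the correct device-linear offset; the pfn in the hole is reported as not resolvable instead of producing an offset into nothing.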
Thread overview: 33+ messages
[not found] <20260530164953.6578-1-john@jagalactic.com>
2026-05-30 16:50 ` [PATCH V3 0/9] Fixes to the previously-merged drivers/dax/fsdev series John Groves
2026-05-30 16:50 ` [PATCH V3 1/9] dax: fix misleading comment about share/index union in dax_folio_reset_order() John Groves
2026-06-01 21:51 ` Dave Jiang
2026-06-03 0:12 ` Alison Schofield
2026-05-30 16:50 ` [PATCH V3 2/9] dax/fsdev: fix multi-range offset in memory_failure handler John Groves
2026-05-30 17:13 ` sashiko-bot [this message]
2026-06-03 0:12 ` Alison Schofield
2026-06-03 0:17 ` Dave Jiang
2026-05-30 16:50 ` [PATCH V3 3/9] dax/fsdev: clear vmemmap_shift when binding static pgmap John Groves
2026-05-30 17:28 ` sashiko-bot
2026-06-01 22:06 ` Dave Jiang
2026-06-03 0:13 ` Alison Schofield
2026-05-30 16:50 ` [PATCH V3 4/9] dax/fsdev: clear dev_dax->pgmap on probe failure John Groves
2026-05-30 17:37 ` sashiko-bot
2026-06-01 23:10 ` Dave Jiang
2026-06-03 0:14 ` Alison Schofield
2026-05-30 16:51 ` [PATCH V3 5/9] dax/fsdev: use __va(phys) for kaddr in direct_access John Groves
2026-05-30 17:48 ` sashiko-bot
2026-06-01 23:24 ` Dave Jiang
2026-06-03 0:14 ` Alison Schofield
2026-05-30 16:51 ` [PATCH V3 6/9] dax/fsdev: fail probe on invalid pgmap offset John Groves
2026-05-30 17:57 ` sashiko-bot
2026-06-03 0:15 ` Alison Schofield
2026-05-30 16:51 ` [PATCH V3 7/9] dax: fix holder_ops race in fs_put_dax() John Groves
2026-05-30 18:08 ` sashiko-bot
2026-06-02 0:03 ` Dave Jiang
2026-05-30 16:51 ` [PATCH V3 8/9] dax: replace exported dax_dev_get() with non-allocating dax_dev_find() John Groves
2026-05-30 18:20 ` sashiko-bot
2026-06-02 0:13 ` Dave Jiang
2026-06-03 0:15 ` Alison Schofield
2026-05-30 16:51 ` [PATCH V3 9/9] dax: fsdev.c minor formatting cleanup John Groves
2026-06-03 0:16 ` Alison Schofield
2026-06-03 0:11 ` [PATCH V3 0/9] Fixes to the previously-merged drivers/dax/fsdev series Alison Schofield