From: sashiko-bot@kernel.org
To: "John Groves" <john@jagalactic.com>
Cc: linux-cxl@vger.kernel.org
Subject: Re: [PATCH V6 08/10] dax: read holder_ops once in dax_holder_notify_failure()
Date: Mon, 15 Jun 2026 16:20:04 +0000 [thread overview]
Message-ID: <20260615162004.658B51F00A3D@smtp.kernel.org> (raw)
In-Reply-To: <0100019ecc09bb56-5ecc9c6b-35ba-44f8-b112-921b01b34478-000000@email.amazonses.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] The patch uses READ_ONCE() to prevent a NULL pointer dereference on `holder_ops` but fails to address a critical race condition with `holder_data`, leaving the code vulnerable to an immediate NULL pointer dereference or Use-After-Free in the filesystem callback.
--
commit ee437cee4c275726ddf2ce4c7880e48e8f58eab5
Author: John Groves <John@Groves.net>
dax: read holder_ops once in dax_holder_notify_failure()
This commit uses READ_ONCE() to fetch dax_dev->holder_ops exactly once in
dax_holder_notify_failure(). This prevents a race condition where a concurrent
fs_put_dax() clears holder_ops between the NULL check and the indirect call.
> diff --git a/drivers/dax/super.c b/drivers/dax/super.c
> index 25cf99dd9360b..433cd431a6c06 100644
> --- a/drivers/dax/super.c
> +++ b/drivers/dax/super.c
> @@ -311,12 +312,19 @@ int dax_holder_notify_failure(struct dax_device *dax_dev, u64 off,
> goto out;
> }
>
> - if (!dax_dev->holder_ops) {
> + /*
> + * Read holder_ops once: a concurrent fs_put_dax() can clear it without
> + * synchronizing against readers. Without the single fetch the compiler
> + * could reload between the NULL check and the call and dereference a
> + * NULL ops.
> + */
> + ops = READ_ONCE(dax_dev->holder_ops);
> + if (!ops) {
> rc = -EOPNOTSUPP;
> goto out;
> }
>
> - rc = dax_dev->holder_ops->notify_failure(dax_dev, off, len, mf_flags);
> + rc = ops->notify_failure(dax_dev, off, len, mf_flags);
[Severity: High]
This is a pre-existing issue, but does fixing the holder_ops race still leave
a race with holder_data?
If a concurrent fs_put_dax() executes right after ops is fetched but before
ops->notify_failure() executes, holder_data could be cleared to NULL because
fs_put_dax() does not call synchronize_srcu(&dax_srcu) to wait for active
readers:
drivers/dax/super.c:fs_put_dax() {
if (dax_dev && holder) {
void *prev;
WRITE_ONCE(dax_dev->holder_ops, NULL);
prev = cmpxchg(&dax_dev->holder_data, holder, NULL);
WARN_ON(prev && prev != holder);
}
put_dax(dax_dev);
}
The filesystem callback in XFS retrieves holder_data via dax_holder() and
expects it to be valid:
fs/xfs/xfs_notify_failure.c:xfs_dax_notify_failure() {
struct xfs_mount *mp = dax_holder(dax_dev);
if (!(mp->m_super->s_flags & SB_BORN)) {
xfs_warn(mp, "filesystem is not ready for notify_failure()!");
...
}
Because xfs_dax_notify_failure() unconditionally dereferences the retrieved
holder without a NULL check, could this result in an immediate NULL pointer
dereference or a use-after-free as the unmount proceeds?
A later patch in the series changes the ordering of how these pointers are
cleared, but it appears to still lack synchronization with dax_read_lock()
readers.
> out:
> dax_read_unlock(id);
> return rc;
--
Sashiko AI review · https://sashiko.dev/#/patchset/0100019ecc080a68-8dc0c99f-ab17-4aa9-83d9-490e9c97ac2e-000000@email.amazonses.com?part=8
next prev parent reply other threads:[~2026-06-15 16:20 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20260615160531.17432-1-john@jagalactic.com>
2026-06-15 16:05 ` [PATCH V6 0/10] Fixes to the previously-merged drivers/dax/fsdev series John Groves
2026-06-15 16:06 ` [PATCH V6 01/10] dax: fix misleading comment about share/index union in dax_folio_reset_order() John Groves
2026-06-15 16:06 ` [PATCH V6 02/10] dax/fsdev: fix multi-range offset in memory_failure handler John Groves
2026-06-15 16:25 ` sashiko-bot
2026-06-15 16:06 ` [PATCH V6 03/10] dax/fsdev: clear vmemmap_shift when binding static pgmap John Groves
2026-06-15 16:25 ` sashiko-bot
2026-06-15 16:06 ` [PATCH V6 04/10] dax/fsdev: don't leave a dangling dev_dax->pgmap on probe failure John Groves
2026-06-15 16:18 ` sashiko-bot
2026-06-15 16:07 ` [PATCH V6 05/10] dax/fsdev: clear pgmap ops and owner on unbind John Groves
2026-06-15 16:22 ` sashiko-bot
2026-06-15 16:07 ` [PATCH V6 06/10] dax/fsdev: use __va(phys) for kaddr in direct_access John Groves
2026-06-15 16:19 ` sashiko-bot
2026-06-15 16:07 ` [PATCH V6 07/10] dax/fsdev: fail probe on invalid pgmap offset John Groves
2026-06-15 18:22 ` sashiko-bot
2026-06-15 16:07 ` [PATCH V6 08/10] dax: read holder_ops once in dax_holder_notify_failure() John Groves
2026-06-15 16:20 ` sashiko-bot [this message]
2026-06-15 16:07 ` [PATCH V6 09/10] dax: fix holder_ops race in fs_put_dax() John Groves
2026-06-15 16:23 ` sashiko-bot
2026-06-15 16:07 ` [PATCH V6 10/10] dax: fsdev.c minor formatting cleanup John Groves
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260615162004.658B51F00A3D@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=john@jagalactic.com \
--cc=linux-cxl@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.