From: "Danilo Krummrich" <dakr@kernel.org>
To: "Tzung-Bi Shih" <tzungbi@kernel.org>
Cc: "Johan Hovold" <johan@kernel.org>,
"Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
"Rafael J . Wysocki" <rafael@kernel.org>,
"Bartosz Golaszewski" <bartosz.golaszewski@oss.qualcomm.com>,
"Linus Walleij" <linusw@kernel.org>,
"Jonathan Corbet" <corbet@lwn.net>,
"Shuah Khan" <shuah@kernel.org>,
"Laurent Pinchart" <laurent.pinchart@ideasonboard.com>,
"Wolfram Sang" <wsa+renesas@sang-engineering.com>,
"Simona Vetter" <simona.vetter@ffwll.ch>,
"Dan Williams" <dan.j.williams@intel.com>,
"Jason Gunthorpe" <jgg@nvidia.com>, <linux-doc@vger.kernel.org>,
<linux-kselftest@vger.kernel.org>, <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH v2 3/3] Revert "revocable: Revocable resource management"
Date: Thu, 05 Feb 2026 12:56:47 +0100 [thread overview]
Message-ID: <DG70CSP8NCJ0.316VXMVLD2ARN@kernel.org> (raw)
In-Reply-To: <aYRaB5wI3mS2J54K@google.com>
On Thu Feb 5, 2026 at 9:51 AM CET, Tzung-Bi Shih wrote:
> On Wed, Feb 04, 2026 at 03:28:49PM +0100, Johan Hovold wrote:
>> Specifically, the latest design relies on RCU for storing a pointer to
>> the revocable provider, but since the resource can be shared by value
>> (e.g. as in the now reverted selftests) this does not work at all and
>> can also lead to use-after-free:
> [...]
>> producer:
>>
>> priv->rp = revocable_provider_alloc(&priv->res);
>> // pass priv->rp by value to consumer
>> revocable_provider_revoke(&priv->rp);
>>
>> consumer:
>>
>> struct revocable_provider __rcu *rp = filp->private_data;
>> struct revocable *rev;
>>
>> revocable_init(rp, &rev);
>>
>> as _rp would still be non-NULL in revocable_init() regardless of whether
>> the producer has revoked the resource and set its pointer to NULL.
>
> You're right to point out the issue with copying the pointer of revocable
> provider. If a consumer stores this pointer directly, rcu_replace_pointer()
> in the producer's revocable_provider_revoke() will not affect the consumer's
> copy. I understand this concern.
>
> The intention was never for consumers to cache the pointer of revocable
> provider long-term. The design relies on consumers obtaining the current
> valid provider pointer at the point of access.
Yeah, I think this part is not a bug in the API, but I think revocable_init()
should be
int revocable_init(struct revocable_provider __rcu **_rp, ...)
instead of
int revocable_init(struct revocable_provider __rcu *_rp, ...)
for the same reason revocable_provider_revoke() takes a double pointer.
Otherwise this seems racy:
int revocable_init(struct revocable_provider __rcu *_rp, struct revocable *rev)
{
struct revocable_provider *rp;
if (!_rp)
return -ENODEV;
/*
* If revocable_provider_revoke() is called concurrently at this
* point, _rp is not affectd by rcu_replace_pointer().
*
* Additionally, nothing prevents a concurrent kfree_rcu() from
* freeing the revocable provider before we enter the RCU
* read-side critical section below.
*/
/*
* Enter a read-side critical section.
*
* This prevents kfree_rcu() from freeing the struct revocable_provider
* memory, for the duration of this scope.
*/
scoped_guard(rcu) {
...
}
Do I miss anything?
next prev parent reply other threads:[~2026-02-05 11:56 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-04 14:28 [PATCH v2 0/3] Revert "revocable: Revocable resource management" Johan Hovold
2026-02-04 14:28 ` [PATCH v2 1/3] Revert "selftests: revocable: Add kselftest cases" Johan Hovold
2026-02-04 14:28 ` [PATCH v2 2/3] Revert "revocable: Add Kunit test cases" Johan Hovold
2026-02-04 14:28 ` [PATCH v2 3/3] Revert "revocable: Revocable resource management" Johan Hovold
2026-02-05 8:51 ` Tzung-Bi Shih
2026-02-05 11:56 ` Danilo Krummrich [this message]
2026-02-06 9:14 ` Tzung-Bi Shih
2026-02-05 14:03 ` Johan Hovold
2026-02-06 9:14 ` Tzung-Bi Shih
2026-02-06 15:07 ` Johan Hovold
2026-02-06 15:13 ` [PATCH v2 0/3] " Greg Kroah-Hartman
2026-02-07 14:00 ` Tzung-Bi Shih
2026-02-13 8:32 ` Bartosz Golaszewski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DG70CSP8NCJ0.316VXMVLD2ARN@kernel.org \
--to=dakr@kernel.org \
--cc=bartosz.golaszewski@oss.qualcomm.com \
--cc=corbet@lwn.net \
--cc=dan.j.williams@intel.com \
--cc=gregkh@linuxfoundation.org \
--cc=jgg@nvidia.com \
--cc=johan@kernel.org \
--cc=laurent.pinchart@ideasonboard.com \
--cc=linusw@kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=rafael@kernel.org \
--cc=shuah@kernel.org \
--cc=simona.vetter@ffwll.ch \
--cc=tzungbi@kernel.org \
--cc=wsa+renesas@sang-engineering.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.