From: "Luck, Tony" <tony.luck@intel.com>
To: Reinette Chatre <reinette.chatre@intel.com>
Cc: <james.morse@arm.com>, <Dave.Martin@arm.com>,
<babu.moger@amd.com>, <bp@alien8.de>, <tglx@linutronix.de>,
<dave.hansen@linux.intel.com>, <x86@kernel.org>, <hpa@zytor.com>,
<ben.horgan@arm.com>, <fustini@kernel.org>, <fenghuay@nvidia.com>,
<peternewman@google.com>, <yu.c.chen@intel.com>,
<linux-kernel@vger.kernel.org>, <patches@lists.linux.dev>
Subject: Re: [PATCH v6 08/10] fs/resctrl: Prevent deadlock and use-after-free in info file handlers
Date: Tue, 7 Jul 2026 16:33:41 -0700 [thread overview]
Message-ID: <ak2M1RZ0EaMzPi7H@agluck-desk3> (raw)
In-Reply-To: <e5468d05f984f4db2c0fc378562b2c4a9cca301b.1783377598.git.reinette.chatre@intel.com>
On Mon, Jul 06, 2026 at 03:46:28PM -0700, Reinette Chatre wrote:
Internal AI noted a couple of extra blank lines introduced by this
patch. See below.
> resctrl provides files under the info/ directory to expose global
> configuration and capabilities to userspace. These files are instantiated
> statically during filesystem mount and expose data associated with internal
> schema structures via kernfs private pointers.
>
> A potential deadlock exists between userspace readers of these info files
> and the unmount filesystem teardown process. Reading an info file invokes
> kernfs which acquires an active reference, after which the handler typically
> attempts to acquire the rdtgroup_mutex. Concurrently, unmounting the
> filesystem holds the rdtgroup_mutex and then attempts to recursively
> remove the info kernfs nodes involving kernfs_drain() which blocks until
> all active references are released. Another problem exists where info files
> might be accessed from an outdated mount if the filesystem is unmounted and
> remounted during a reader's execution, leading to a use-after-free when
> reading the now-deleted private schema data.
>
> Introduce info_kn_lock() and info_kn_unlock() helpers to coordinate locking
> across all info handlers. These helpers mirror similar logic used by resource
> group handlers by deliberately breaking the kernfs active protection before
> attempting to acquire the rdtgroup_mutex, preventing the deadlock. To guard
> against the vulnerability from rapid mount cycling, info_kn_lock() securely
> walks the parent lineage of the kernfs node under an RCU section to confirm
> the node belongs to the globally active root before permitting the operation
> to proceed. Convert all info file handlers to use this helper and only
> de-reference the schema after it is determined safe to do so.
>
> Make no attempt to output an error message to last_cmd_status on failure
> since failure implies there is no filesystem with which to display the error
> to user space.
>
> Reported-by: Sashiko <sashiko-bot@kernel.org>
> Closes: https://sashiko.dev/#/patchset/20260515193944.15114-1-tony.luck%40intel.com?part=3
> Assisted-by: GitHub_Copilot:gemini-3.1-pro
> Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
> Reviewed-by: Tony Luck <tony.luck@intel.com>
> ---
> Changes since V2:
> - New patch
>
> Changes since V3:
> - Add Tony's Reviewed-by tag.
> - Changelog grammar fixes.
...
> @@ -1020,9 +1030,15 @@ static int rdt_min_cbm_bits_show(struct kernfs_open_file *of,
> struct seq_file *seq, void *v)
> {
> struct resctrl_schema *s = rdt_kn_parent_priv(of->kn);
> - struct rdt_resource *r = s->res;
> + struct rdt_resource *r;
> +
Extra blank line added here.
>
> + if (!info_kn_lock(of->kn))
> + return -ENOENT;
> + r = s->res;
> seq_printf(seq, "%u\n", r->cache.min_cbm_bits);
> + info_kn_unlock(of->kn);
> +
> return 0;
> }
>
...
> @@ -1652,8 +1718,8 @@ static int mbm_config_show(struct seq_file *s, struct rdt_resource *r, u32 evtid
> struct rdt_l3_mon_domain *dom;
> bool sep = false;
>
> - cpus_read_lock();
> - mutex_lock(&rdtgroup_mutex);
> + lockdep_assert_cpus_held();
> + lockdep_assert_held(&rdtgroup_mutex);
>
> list_for_each_entry_rcu(dom, &r->mon_domains, hdr.list, lockdep_is_cpus_held()) {
> if (sep)
> @@ -1670,8 +1736,6 @@ static int mbm_config_show(struct seq_file *s, struct rdt_resource *r, u32 evtid
> }
> seq_puts(s, "\n");
>
> - mutex_unlock(&rdtgroup_mutex);
> - cpus_read_unlock();
>
Extra blank line here after deleting those two lines.
> return 0;
> }
-Tony
next prev parent reply other threads:[~2026-07-07 23:33 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-06 22:46 [PATCH v6 00/10] x86,fs/resctrl: Fix long-standing issues Reinette Chatre
2026-07-06 22:46 ` [PATCH v6 01/10] fs/resctrl: Free mon_data structures on rdt_get_tree() failure Reinette Chatre
2026-07-06 22:46 ` [PATCH v6 02/10] fs/resctrl: Fix use-after-free during unmount Reinette Chatre
2026-07-06 22:46 ` [PATCH v6 03/10] fs/resctrl: Fix double-add of pseudo-locked region's RMID to free list Reinette Chatre
2026-07-06 22:46 ` [PATCH v6 04/10] x86,fs/resctrl: Document safe RCU list traversal Reinette Chatre
2026-07-06 22:46 ` [PATCH v6 05/10] fs/resctrl: Move functions to avoid forward references in subsequent fixes Reinette Chatre
2026-07-06 22:46 ` [PATCH v6 06/10] fs/resctrl: Fix deadlock on errors during mount Reinette Chatre
2026-07-06 22:46 ` [PATCH v6 07/10] fs/resctrl: Prevent use-after-free in rdtgroup_kn_put() Reinette Chatre
2026-07-06 22:46 ` [PATCH v6 08/10] fs/resctrl: Prevent deadlock and use-after-free in info file handlers Reinette Chatre
2026-07-07 23:33 ` Luck, Tony [this message]
2026-07-07 23:54 ` Reinette Chatre
2026-07-06 22:46 ` [PATCH v6 09/10] x86/resctrl: Ensure domain fully initialized before placed on RCU list Reinette Chatre
2026-07-06 22:46 ` [PATCH v6 10/10] fs/resctrl: Fix UAF from worker threads when domains are removed Reinette Chatre
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ak2M1RZ0EaMzPi7H@agluck-desk3 \
--to=tony.luck@intel.com \
--cc=Dave.Martin@arm.com \
--cc=babu.moger@amd.com \
--cc=ben.horgan@arm.com \
--cc=bp@alien8.de \
--cc=dave.hansen@linux.intel.com \
--cc=fenghuay@nvidia.com \
--cc=fustini@kernel.org \
--cc=hpa@zytor.com \
--cc=james.morse@arm.com \
--cc=linux-kernel@vger.kernel.org \
--cc=patches@lists.linux.dev \
--cc=peternewman@google.com \
--cc=reinette.chatre@intel.com \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
--cc=yu.c.chen@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.