From: Pankaj Raghav <pankaj.raghav@linux.dev>
To: "Darrick J. Wong" <djwong@kernel.org>, cem@kernel.org
Cc: linux-xfs@vger.kernel.org, p.raghav@samsung.com
Subject: Re: [PATCH 4/6] xfs: fix potential pointer access race in xfs_healthmon_get
Date: Thu, 19 Feb 2026 14:15:54 +0100 [thread overview]
Message-ID: <0ca84d35-ed3e-4387-9b38-a85d62afa1c2@linux.dev> (raw)
In-Reply-To: <177145925494.401799.17980890890269795712.stgit@frogsfrogsfrogs>
On 2/19/2026 7:01 AM, Darrick J. Wong wrote:
> From: Darrick J. Wong <djwong@kernel.org>
>
> Pankaj Raghav asks about this code in xfs_healthmon_get:
>
> hm = mp->m_healthmon;
> if (hm && !refcount_inc_not_zero(&hm->ref))
> hm = NULL;
> rcu_read_unlock();
> return hm;
>
> (slightly edited to compress a mailing list thread)
>
> "Nit: Should we do a READ_ONCE(mp->m_healthmon) here to avoid any
> compiler tricks that can result in an undefined behaviour? I am not sure
> if I am being paranoid here.
>
> "So this is my understanding: RCU guarantees that we get a valid object
> (actual data of m_healthmon) but does not guarantee the compiler will
> not reread the pointer between checking if hm is !NULL and accessing the
> pointer as we are doing it lockless.
>
> "So just a barrier() call in rcu_read_lock is enough to make sure this
> doesn't happen and probably adding a READ_ONCE() is not needed?"
>
> After some initial confusion I concluded that he's correct. The
> compiler could very well eliminate the hm variable in favor of walking
> the pointers twice, turning the code into:
>
> if (mp->m_healthmon && !refcount_inc_not_zero(&mp->m_healthmon->ref))
>
> If this happens, then xfs_healthmon_detach can sneak in between the
> two sides of the && expression and set mp->m_healthmon to NULL, and
> thereby cause a null pointer dereference crash. Fix this by using the
> rcu pointer assignment and dereference functions, which ensure that the
> proper reordering barriers are in place.
>
> Practically speaking, gcc seems to allocate an actual variable for hm
> and only reads mp->m_healthmon once (as intended), but we ought to be
> more explicit about requiring this.
>
> Reported-by: Pankaj Raghav <pankaj.raghav@linux.dev>
> Fixes: a48373e7d35a89f6f ("xfs: start creating infrastructure for health monitoring")
> Signed-off-by: "Darrick J. Wong" <djwong@kernel.org>
> ---
Looks good,
Reviewed-by: Pankaj Raghav <p.raghav@samsung.com>
--
Pankaj
next prev parent reply other threads:[~2026-02-19 13:15 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-19 6:00 [PATCHSET 1/2] xfs: bug fixes for 7.0 Darrick J. Wong
2026-02-19 6:00 ` [PATCH 1/6] xfs: fix copy-paste error in previous fix Darrick J. Wong
2026-02-19 6:41 ` Christoph Hellwig
2026-02-19 12:56 ` Carlos Maiolino
2026-02-19 6:01 ` [PATCH 2/6] xfs: fix xfs_group release bug in xfs_verify_report_losses Darrick J. Wong
2026-02-19 6:41 ` Christoph Hellwig
2026-02-19 12:57 ` Carlos Maiolino
2026-02-19 6:01 ` [PATCH 3/6] " Darrick J. Wong
2026-02-19 6:42 ` Christoph Hellwig
2026-02-19 13:02 ` Carlos Maiolino
2026-02-19 21:48 ` Darrick J. Wong
2026-02-19 6:01 ` [PATCH 4/6] xfs: fix potential pointer access race in xfs_healthmon_get Darrick J. Wong
2026-02-19 6:43 ` Christoph Hellwig
2026-02-19 13:09 ` Carlos Maiolino
2026-02-19 21:52 ` Darrick J. Wong
2026-02-19 13:15 ` Pankaj Raghav [this message]
2026-02-19 6:02 ` [PATCH 5/6] xfs: don't report metadata inodes to fserror Darrick J. Wong
2026-02-19 6:44 ` Christoph Hellwig
2026-02-19 13:11 ` Carlos Maiolino
2026-02-19 6:02 ` [PATCH 6/6] xfs: don't report half-built " Darrick J. Wong
2026-02-19 6:44 ` Christoph Hellwig
2026-02-19 13:21 ` Carlos Maiolino
2026-02-19 22:02 ` Darrick J. Wong
2026-02-24 11:39 ` Carlos Maiolino
2026-02-24 19:40 ` Darrick J. Wong
-- strict thread matches above, loose matches on Subject: below --
2026-02-20 1:00 [PATCHSET v2 1/2] xfs: bug fixes for 7.0 Darrick J. Wong
2026-02-20 1:01 ` [PATCH 4/6] xfs: fix potential pointer access race in xfs_healthmon_get Darrick J. Wong
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=0ca84d35-ed3e-4387-9b38-a85d62afa1c2@linux.dev \
--to=pankaj.raghav@linux.dev \
--cc=cem@kernel.org \
--cc=djwong@kernel.org \
--cc=linux-xfs@vger.kernel.org \
--cc=p.raghav@samsung.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox