From: Reinette Chatre <reinette.chatre@intel.com>
To: "Luck, Tony" <tony.luck@intel.com>
Cc: Borislav Petkov <bp@alien8.de>, <x86@kernel.org>,
Fenghua Yu <fenghuay@nvidia.com>,
Maciej Wieczor-Retman <maciej.wieczor-retman@intel.com>,
Peter Newman <peternewman@google.com>,
James Morse <james.morse@arm.com>,
Babu Moger <babu.moger@amd.com>,
"Drew Fustini" <dfustini@baylibre.com>,
Dave Martin <Dave.Martin@arm.com>, Chen Yu <yu.c.chen@intel.com>,
<linux-kernel@vger.kernel.org>, <patches@lists.linux.dev>
Subject: Re: [PATCH] fs/resctrl: Fix use-after-free in resctrl_offline_mon_domain()
Date: Thu, 7 May 2026 10:06:04 -0700
Message-ID: <58652f6b-77a6-4655-a8b9-59c6b97cd49e@intel.com>
In-Reply-To: <afy0VG8ctiJBPyf7@agluck-desk3>
Hi Tony,
On 5/7/26 8:48 AM, Luck, Tony wrote:
> On Wed, May 06, 2026 at 11:24:30AM -0700, Reinette Chatre wrote:
>> diff --git a/fs/resctrl/rdtgroup.c b/fs/resctrl/rdtgroup.c
>> index 02f87c4bc03c..cc8620ace7ed 100644
>> --- a/fs/resctrl/rdtgroup.c
>> +++ b/fs/resctrl/rdtgroup.c
>> @@ -4539,8 +4539,19 @@ void resctrl_offline_cpu(unsigned int cpu)
>> d = get_mon_domain_from_cpu(cpu, l3);
>> if (d) {
>> if (resctrl_is_mbm_enabled() && cpu == d->mbm_work_cpu) {
>> - cancel_delayed_work(&d->mbm_over);
>> - mbm_setup_overflow_handler(d, 0, cpu);
>> + if (cancel_delayed_work(&d->mbm_over)) {
>> + mbm_setup_overflow_handler(d, 0, cpu);
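Review bot: the added `if (cancel_delayed_work(&d->mbm_over))` test and the literal `0` delay inside it carry the correctness argument but have no comment. A short comment saying that a true return means a pending instance was removed, and that delay 0 queues the handler right away rather than after an interval, would make the intent reviewable. The quoted lines end before showing what runs when the call returns false, so that path deserves a comment as well.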
>
> Per your comment[1] should this "0" also be MBM_OVERFLOW_INTERVAL?
>
> Does the same "delay 0 is magic, ignore the cpu argument and run right away" apply?
More specifically a 0 delay means the work is *queued* (not run) right away. The
distinction is important here since the queuing logic has a "non-reentrance"
guarantee that may change where work is queued depending on whether the work is
currently executing.
To better understand this I found the following comments and surrounding code insightful:
kernel/workqueue.c:__queue_work()
{
	/* pwq which will be used unless @work is executing elsewhere */
	...
	/*
	 * If @work was previously on a different pool, it might still be
	 * running there, in which case the work needs to be queued on that
	 * pool to guarantee non-reentrancy.
	 * ...
	 */
	...
}
From what I understand __queue_work() first checks if the work is currently
running (see find_worker_executing_work()) and if it is then it does not matter
if the new work is requested to run on a different CPU - it will be queued on the
same CPU as the currently executing work.
So it looks like that if the work is *not* currently executing then a delay of 0
would indeed queue the work to be executed at earliest possible on the requested/new
CPU. This is what the snippet you quote intends.
In above snippet mbm_setup_overflow_handler() is called with a 0 delay only if
cancel_delayed_work() returns "true". Per cancel_delayed_work() function comments:
/*
 * ...
 * Note:
 * The work callback function may still be running on return, unless
 * it returns %true and the work doesn't re-arm itself.
 * ...
 */
From above I understand that the work is *not* currently running and the
other planned change (the if (!is_percpu_thread()) check added to the worker) will
prevent the work from re-arming itself.
It thus looks to me as though calling mbm_setup_overflow_handler() with 0 delay is
ok here and will indeed result in work being queued onto new CPU's queue.
What do you think?
With this reasoning there may be a current issue since mbm_setup_overflow_handler()
is currently called with 0 delay irrespective of work currently executing or not?
Fortunately the work always re-schedules itself instead of staying put.
Reinette
> Link: https://lore.kernel.org/all/389bd92c-47ba-46af-81cb-9b669533b1fe@intel.com/ [1]
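The two rules discussed in the message above (the cancel_delayed_work() return value and the non-reentrancy pool choice in __queue_work()) can be followed in a small userspace model. This is an added example, not part of the original mail and not kernel code; struct work_model, model_cancel(), model_queue(), offline_move() and the CPU numbers are hypothetical, and the model assumes the callback does not re-arm itself.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of one delayed work item; not a kernel structure. */
struct work_model {
	int  last_cpu;  /* CPU whose pool last held the work, -1 if none */
	bool pending;   /* timer armed or queued, callback not yet started */
	bool running;   /* callback currently executing on last_cpu */
};

/* Models cancel_delayed_work(): true only if a pending instance was removed. */
static bool model_cancel(struct work_model *w)
{
	bool was_pending = w->pending;

	w->pending = false;
	return was_pending;
}

/* Models the pool choice when queuing with delay 0: returns the CPU used. */
static int model_queue(struct work_model *w, int req_cpu)
{
	int cpu = req_cpu;

	if (w->pending)                 /* already pending: nothing is queued */
		return w->last_cpu;
	if (w->running && w->last_cpu >= 0 && w->last_cpu != req_cpu)
		cpu = w->last_cpu;      /* non-reentrancy: stay on the old pool */
	w->pending = true;
	w->last_cpu = cpu;
	return cpu;
}

/* Offline path: move the handler to new_cpu. Returns the CPU it was queued
 * on, or -1 when check_cancel is set and nothing pending was cancelled. */
static int offline_move(struct work_model *w, int new_cpu, bool check_cancel)
{
	bool cancelled = model_cancel(w);

	if (check_cancel && !cancelled)
		return -1;
	return model_queue(w, new_cpu);
}

int main(void)
{
	struct work_model idle = { 2, true, false }, busy = { 2, false, true };

	printf("pending, checked:   cpu %d\n", offline_move(&idle, 5, true));
	printf("running, unchecked: cpu %d\n", offline_move(&busy, 5, false));
	return 0;
}
```

In the unchecked case the handler stays on CPU 2, the CPU it was meant to leave, which is the "current issue" the message raises.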