From: "Danilo Krummrich" <dakr@kernel.org>
To: "Tzung-Bi Shih" <tzungbi@kernel.org>
Cc: "Johan Hovold" <johan@kernel.org>,
"Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
"Rafael J . Wysocki" <rafael@kernel.org>,
"Bartosz Golaszewski" <bartosz.golaszewski@oss.qualcomm.com>,
"Linus Walleij" <linusw@kernel.org>,
"Jonathan Corbet" <corbet@lwn.net>,
"Shuah Khan" <shuah@kernel.org>,
"Laurent Pinchart" <laurent.pinchart@ideasonboard.com>,
"Wolfram Sang" <wsa+renesas@sang-engineering.com>,
"Simona Vetter" <simona.vetter@ffwll.ch>,
"Dan Williams" <dan.j.williams@intel.com>,
"Jason Gunthorpe" <jgg@nvidia.com>, <linux-doc@vger.kernel.org>,
<linux-kselftest@vger.kernel.org>, <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH v2 3/3] Revert "revocable: Revocable resource management"
Date: Thu, 05 Feb 2026 12:56:47 +0100 [thread overview]
Message-ID: <DG70CSP8NCJ0.316VXMVLD2ARN@kernel.org> (raw)
In-Reply-To: <aYRaB5wI3mS2J54K@google.com>
On Thu Feb 5, 2026 at 9:51 AM CET, Tzung-Bi Shih wrote:
> On Wed, Feb 04, 2026 at 03:28:49PM +0100, Johan Hovold wrote:
>> Specifically, the latest design relies on RCU for storing a pointer to
>> the revocable provider, but since the resource can be shared by value
>> (e.g. as in the now reverted selftests) this does not work at all and
>> can also lead to use-after-free:
> [...]
>> producer:
>>
>> priv->rp = revocable_provider_alloc(&priv->res);
>> // pass priv->rp by value to consumer
>> revocable_provider_revoke(&priv->rp);
>>
>> consumer:
>>
>> struct revocable_provider __rcu *rp = filp->private_data;
>> struct revocable *rev;
>>
>> revocable_init(rp, &rev);
>>
>> as _rp would still be non-NULL in revocable_init() regardless of whether
>> the producer has revoked the resource and set its pointer to NULL.
>
> You're right to point out the issue with copying the pointer of revocable
> provider. If a consumer stores this pointer directly, rcu_replace_pointer()
> in the producer's revocable_provider_revoke() will not affect the consumer's
> copy. I understand this concern.
>
> The intention was never for consumers to cache the pointer of revocable
> provider long-term. The design relies on consumers obtaining the current
> valid provider pointer at the point of access.
Yeah, I think this part is not a bug in the API, but I think revocable_init()
should be
int revocable_init(struct revocable_provider __rcu **_rp, ...)
instead of
int revocable_init(struct revocable_provider __rcu *_rp, ...)
for the same reason revocable_provider_revoke() takes a double pointer.
Otherwise this seems racy:
int revocable_init(struct revocable_provider __rcu *_rp, struct revocable *rev)
{
struct revocable_provider *rp;
if (!_rp)
return -ENODEV;
/*
* If revocable_provider_revoke() is called concurrently at this
* point, _rp is not affectd by rcu_replace_pointer().
*
* Additionally, nothing prevents a concurrent kfree_rcu() from
* freeing the revocable provider before we enter the RCU
* read-side critical section below.
*/
/*
* Enter a read-side critical section.
*
* This prevents kfree_rcu() from freeing the struct revocable_provider
* memory, for the duration of this scope.
*/
scoped_guard(rcu) {
...
}
Do I miss anything?
next prev parent reply other threads:[~2026-02-05 11:56 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-04 14:28 [PATCH v2 0/3] Revert "revocable: Revocable resource management" Johan Hovold
2026-02-04 14:28 ` [PATCH v2 1/3] Revert "selftests: revocable: Add kselftest cases" Johan Hovold
2026-02-04 14:28 ` [PATCH v2 2/3] Revert "revocable: Add Kunit test cases" Johan Hovold
2026-02-04 14:28 ` [PATCH v2 3/3] Revert "revocable: Revocable resource management" Johan Hovold
2026-02-05 8:51 ` Tzung-Bi Shih
2026-02-05 11:56 ` Danilo Krummrich [this message]
2026-02-06 9:14 ` Tzung-Bi Shih
2026-02-05 14:03 ` Johan Hovold
2026-02-06 9:14 ` Tzung-Bi Shih
2026-02-06 15:07 ` Johan Hovold
2026-02-06 15:13 ` [PATCH v2 0/3] " Greg Kroah-Hartman
2026-02-07 14:00 ` Tzung-Bi Shih
2026-02-13 8:32 ` Bartosz Golaszewski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DG70CSP8NCJ0.316VXMVLD2ARN@kernel.org \
--to=dakr@kernel.org \
--cc=bartosz.golaszewski@oss.qualcomm.com \
--cc=corbet@lwn.net \
--cc=dan.j.williams@intel.com \
--cc=gregkh@linuxfoundation.org \
--cc=jgg@nvidia.com \
--cc=johan@kernel.org \
--cc=laurent.pinchart@ideasonboard.com \
--cc=linusw@kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=rafael@kernel.org \
--cc=shuah@kernel.org \
--cc=simona.vetter@ffwll.ch \
--cc=tzungbi@kernel.org \
--cc=wsa+renesas@sang-engineering.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox