From: Reinette Chatre <reinette.chatre@intel.com>
To: "Chen, Yu C" <yu.c.chen@intel.com>
Cc: <x86@kernel.org>, <hpa@zytor.com>, <ben.horgan@arm.com>,
<tony.luck@intel.com>, <fustini@kernel.org>,
<fenghuay@nvidia.com>, <peternewman@google.com>,
<linux-kernel@vger.kernel.org>, <patches@lists.linux.dev>,
<james.morse@arm.com>, <Dave.Martin@arm.com>,
<babu.moger@amd.com>, <bp@alien8.de>, <tglx@linutronix.de>,
<dave.hansen@linux.intel.com>
Subject: Re: [PATCH v3 4/9] fs/resctrl: Fix deadlock for errors during mount
Date: Fri, 29 May 2026 08:53:59 -0700
Message-ID: <a9b51eee-fb53-4a41-a4f3-2c50b49d93d3@intel.com>
In-Reply-To: <6140c3f9-b172-4552-b96f-1b8514b0e75b@intel.com>

Hi Chenyu,

On 5/29/26 7:06 AM, Chen, Yu C wrote:
> On 5/23/2026 3:15 AM, Reinette Chatre wrote:
>> @@ -3085,10 +3105,37 @@ static int rdt_get_tree(struct fs_context *fc)
>> RESCTRL_PICK_ANY_CPU);
>> }
>> - goto out;
>> + /*
>> + * Ensure root kn remains accessible after mutex is unlocked so that
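Review bot: the first line of the added comment says "root kn", but what has to survive the mutex unlock is the kernfs root, which stays allocated only while a reference on its kn is held. Wording it as "Ensure root remains accessible" states what the extra reference protects, and naming the kernfs_kill_sb() path that reads info->root in the same comment would tell the reader why the reference is taken before unlocking.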
>
> Maybe a little more accurate to say "Ensure rdt_root remains accessible"?
> Here we increase reference for rdtgroup_default.kn, and protect
> against UAF of
> kernfs_kill_sb(sb) ->
> info = kernfs_info(sb) ->
> kernfs_put(info->root->kn)
>
> where the info->root is UAF rather than the kn.

Right. The UAF is indeed on the root itself while its lifetime is controlled by references
to its kn (root->kn). Dropping the last reference on root->kn causes root to be freed.
rdt_root is the name of a variable though and its value can actually change in the flow
involved here so I'd prefer not to phrase it exactly like that. How about just
"Ensure root remains accessible ..."?

>
> Other looks good to me.
>
> Reviewed-by: Chen Yu <yu.c.chen@intel.com>

Thank you very much.

Reinette
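
Added example, not part of the original message and not resctrl or kernfs code: a userspace C model of the lifetime rule discussed above, where the root is freed when the last reference on its node is dropped and an extra reference taken before the unlock keeps it alive until teardown. All names (model_root, model_node, mount_error_path) are hypothetical, and the single put that stands in for failure handling is an assumption.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Userspace model only: every name here is hypothetical, none is kernel code. */
struct model_root;
struct model_node { int refcount; struct model_root *root; };
struct model_root { struct model_node *kn; bool *freed; };

static struct model_root *model_root_create(bool *freed)
{
    struct model_root *root = malloc(sizeof(*root));
    struct model_node *kn = malloc(sizeof(*kn));
    if (!root || !kn)
        abort();
    kn->refcount = 1;           /* creation reference */
    kn->root = root;
    root->kn = kn;
    root->freed = freed;        /* lets the caller observe the free */
    return root;
}

static void model_get(struct model_node *kn) { kn->refcount++; }

/* Dropping the last reference on the root's node frees the root as well. */
static void model_put(struct model_node *kn)
{
    if (--kn->refcount > 0)
        return;
    *kn->root->freed = true;
    free(kn->root);
    free(kn);
}

/* 1: teardown found a live root and released it; 0: teardown would hit freed memory. */
static int mount_error_path(bool pin_root)
{
    bool freed = false;
    struct model_root *root = model_root_create(&freed);
    struct model_node *kn = root->kn;
    if (pin_root)
        model_get(kn);          /* extra reference, taken before the "unlock" */
    model_put(kn);              /* assumed: failure handling drops the creation reference */
    if (freed)                  /* teardown would now read root->kn: use-after-free */
        return 0;
    model_put(root->kn);        /* teardown's put releases the pinned reference */
    return freed ? 1 : -1;      /* -1 would mean the root leaked */
}

int main(void) { return !(mount_error_path(true) == 1 && mount_error_path(false) == 0); }
```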