From: "Luck, Tony" <tony.luck@intel.com>
To: Reinette Chatre <reinette.chatre@intel.com>
Cc: <james.morse@arm.com>, <Dave.Martin@arm.com>,
<babu.moger@amd.com>, <bp@alien8.de>, <tglx@linutronix.de>,
<dave.hansen@linux.intel.com>, <x86@kernel.org>, <hpa@zytor.com>,
<ben.horgan@arm.com>, <fustini@kernel.org>, <fenghuay@nvidia.com>,
<peternewman@google.com>, <yu.c.chen@intel.com>,
<linux-kernel@vger.kernel.org>, <patches@lists.linux.dev>
Subject: Re: [PATCH v6 08/10] fs/resctrl: Prevent deadlock and use-after-free in info file handlers
Date: Tue, 7 Jul 2026 16:33:41 -0700 [thread overview]
Message-ID: <ak2M1RZ0EaMzPi7H@agluck-desk3> (raw)
In-Reply-To: <e5468d05f984f4db2c0fc378562b2c4a9cca301b.1783377598.git.reinette.chatre@intel.com>
On Mon, Jul 06, 2026 at 03:46:28PM -0700, Reinette Chatre wrote:
Internal AI noted a couple of extra blank lines introduced by this
patch. See below.
> resctrl provides files under the info/ directory to expose global
> configuration and capabilities to userspace. These files are instantiated
> statically during filesystem mount and expose data associated with internal
> schema structures via kernfs private pointers.
>
> A potential deadlock exists between userspace readers of these info files
> and the unmount filesystem teardown process. Reading an info file invokes
> kernfs which acquires an active reference, after which the handler typically
> attempts to acquire the rdtgroup_mutex. Concurrently, unmounting the
> filesystem holds the rdtgroup_mutex and then attempts to recursively
> remove the info kernfs nodes involving kernfs_drain() which blocks until
> all active references are released. Another problem exists where info files
> might be accessed from an outdated mount if the filesystem is unmounted and
> remounted during a reader's execution, leading to a use-after-free when
> reading the now-deleted private schema data.
>
> Introduce info_kn_lock() and info_kn_unlock() helpers to coordinate locking
> across all info handlers. These helpers mirror similar logic used by resource
> group handlers by deliberately breaking the kernfs active protection before
> attempting to acquire the rdtgroup_mutex, preventing the deadlock. To guard
> against the vulnerability from rapid mount cycling, info_kn_lock() securely
> walks the parent lineage of the kernfs node under an RCU section to confirm
> the node belongs to the globally active root before permitting the operation
> to proceed. Convert all info file handlers to use this helper and only
> de-reference the schema after it is determined safe to do so.
>
> Make no attempt to output an error message to last_cmd_status on failure
> since failure implies there is no filesystem with which to display the error
> to user space.
>
> Reported-by: Sashiko <sashiko-bot@kernel.org>
> Closes: https://sashiko.dev/#/patchset/20260515193944.15114-1-tony.luck%40intel.com?part=3
> Assisted-by: GitHub_Copilot:gemini-3.1-pro
> Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
> Reviewed-by: Tony Luck <tony.luck@intel.com>
> ---
> Changes since V2:
> - New patch
>
> Changes since V3:
> - Add Tony's Reviewed-by tag.
> - Changelog grammar fixes.
...
> @@ -1020,9 +1030,15 @@ static int rdt_min_cbm_bits_show(struct kernfs_open_file *of,
> struct seq_file *seq, void *v)
> {
> struct resctrl_schema *s = rdt_kn_parent_priv(of->kn);
> - struct rdt_resource *r = s->res;
> + struct rdt_resource *r;
> +
Extra blank line added here.
>
> + if (!info_kn_lock(of->kn))
> + return -ENOENT;
> + r = s->res;
> seq_printf(seq, "%u\n", r->cache.min_cbm_bits);
> + info_kn_unlock(of->kn);
> +
> return 0;
> }
>
...
> @@ -1652,8 +1718,8 @@ static int mbm_config_show(struct seq_file *s, struct rdt_resource *r, u32 evtid
> struct rdt_l3_mon_domain *dom;
> bool sep = false;
>
> - cpus_read_lock();
> - mutex_lock(&rdtgroup_mutex);
> + lockdep_assert_cpus_held();
> + lockdep_assert_held(&rdtgroup_mutex);
>
> list_for_each_entry_rcu(dom, &r->mon_domains, hdr.list, lockdep_is_cpus_held()) {
> if (sep)
> @@ -1670,8 +1736,6 @@ static int mbm_config_show(struct seq_file *s, struct rdt_resource *r, u32 evtid
> }
> seq_puts(s, "\n");
>
> - mutex_unlock(&rdtgroup_mutex);
> - cpus_read_unlock();
>
Extra blank line here after deleting those two lines.
> return 0;
> }
-Tony
next prev parent reply other threads:[~2026-07-07 23:33 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-06 22:46 [PATCH v6 00/10] x86,fs/resctrl: Fix long-standing issues Reinette Chatre
2026-07-06 22:46 ` [PATCH v6 01/10] fs/resctrl: Free mon_data structures on rdt_get_tree() failure Reinette Chatre
2026-07-06 22:46 ` [PATCH v6 02/10] fs/resctrl: Fix use-after-free during unmount Reinette Chatre
2026-07-06 22:46 ` [PATCH v6 03/10] fs/resctrl: Fix double-add of pseudo-locked region's RMID to free list Reinette Chatre
2026-07-06 22:46 ` [PATCH v6 04/10] x86,fs/resctrl: Document safe RCU list traversal Reinette Chatre
2026-07-06 22:46 ` [PATCH v6 05/10] fs/resctrl: Move functions to avoid forward references in subsequent fixes Reinette Chatre
2026-07-06 22:46 ` [PATCH v6 06/10] fs/resctrl: Fix deadlock on errors during mount Reinette Chatre
2026-07-06 22:46 ` [PATCH v6 07/10] fs/resctrl: Prevent use-after-free in rdtgroup_kn_put() Reinette Chatre
2026-07-06 22:46 ` [PATCH v6 08/10] fs/resctrl: Prevent deadlock and use-after-free in info file handlers Reinette Chatre
2026-07-07 23:33 ` Luck, Tony [this message]
2026-07-07 23:54 ` Reinette Chatre
2026-07-06 22:46 ` [PATCH v6 09/10] x86/resctrl: Ensure domain fully initialized before placed on RCU list Reinette Chatre
2026-07-06 22:46 ` [PATCH v6 10/10] fs/resctrl: Fix UAF from worker threads when domains are removed Reinette Chatre
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ak2M1RZ0EaMzPi7H@agluck-desk3 \
--to=tony.luck@intel.com \
--cc=Dave.Martin@arm.com \
--cc=babu.moger@amd.com \
--cc=ben.horgan@arm.com \
--cc=bp@alien8.de \
--cc=dave.hansen@linux.intel.com \
--cc=fenghuay@nvidia.com \
--cc=fustini@kernel.org \
--cc=hpa@zytor.com \
--cc=james.morse@arm.com \
--cc=linux-kernel@vger.kernel.org \
--cc=patches@lists.linux.dev \
--cc=peternewman@google.com \
--cc=reinette.chatre@intel.com \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
--cc=yu.c.chen@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox