Re: [PATCH v2 03/12] rv: Reset per-task DA monitors before releasing the slot

Next message: Yan Zhao: "[PATCH v3 07/15] KVM: x86/tdp_mmu: Morph !is_frozen_spte() check into a KVM_MMU_WARN_ON()"
Previous message: Bartosz Golaszewski: "Re: [PATCH v1 0/3] gpio: Use named initializers for platform_device_id arrays"
In reply to: Gabriele Monaco: "[PATCH v2 03/12] rv: Reset per-task DA monitors before releasing the slot"
Next in thread: Gabriele Monaco: "[PATCH v2 05/12] rv: Prevent in-flight per-task handlers from using invalid slots"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Nam Cao

Date: Thu May 28 2026 - 04:55:29 EST

Gabriele Monaco <gmonaco@xxxxxxxxxx> writes:
> Per-task monitors use task_mon_slot to determine which slot in the array
> to use for the monitor. During destruction, this slot is returned but
> this is done before resetting the monitor. As a result, the monitor's
> reset is in fact resetting a slot that is outside of the array
> (RV_PER_TASK_MONITOR_INIT).

Oh crap.

> Release the slot only after the reset to avoid out-of-bound memory
> access.

I think KASAN can catch this type of issue.

> Fixes: f5587d1b6ec93 ("rv: Add Hybrid Automata monitor type")
> Suggested-by: Wen Yang <wen.yang@xxxxxxxxx>
> Reviewed-by: Wen Yang <wen.yang@xxxxxxxxx>
> Signed-off-by: Gabriele Monaco <gmonaco@xxxxxxxxxx>

Should we have
Cc: stable@xxxxxxxxxxxxxxx
?

Reviewed-by: Nam Cao <namcao@xxxxxxxxxxxxx>