Re: [PATCH v3 3/9] fs/resctrl: Fix use-after-free during unmount

Next message: Piotr Zarycki: "Re: [PATCH] KVM: selftests: hyperv_tlb_flush: use swap() to swap PTEs"
Previous message: Dave Hansen: "Re: [PATCH v2] x86/vm86: Remove deprecated VM86 support"
In reply to: Reinette Chatre: "Re: [PATCH v3 3/9] fs/resctrl: Fix use-after-free during unmount"
Next in thread: Reinette Chatre: "Re: [PATCH v3 3/9] fs/resctrl: Fix use-after-free during unmount"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Chen Yu

Date: Thu May 28 2026 - 10:08:54 EST

On Fri, 22 May 2026 12:15:07 -0700, Reinette Chatre wrote:
> When the mutex is released, the reader wakes up, observes that RDT_DELETED
> is not set for the default group, and dereferences the already-freed
> file private data.

I wonder if a code call sequence could be added in the commit log,
which would be helpful to quickly understand the race condition:

CPU 0 (read mon_data file) CPU 1 (umount)
-------------------------- --------------

rdtgroup_kn_lock_live()
rdtgrp = &rdtgroup_default
waitcount++
break_active_protection()
mutex_lock()
mon_put_kn_priv()
kfree(mon_data)
mutex_unlock()
mutex_lock()
rdtgrp->flags & RDT_DELETED?
// no -- never set for default
return rdtgrp

md = of->kn->priv // UAF: freed

I did not find issues in current implementation,

Reviewed-by: Chen Yu <yu.c.chen@xxxxxxxxx>