Re: [PATCH v3 3/9] fs/resctrl: Fix use-after-free during unmount

From: Reinette Chatre

Date: Thu May 28 2026 - 12:22:30 EST


Hi Chenyu,

On 5/28/26 6:48 AM, Chen Yu wrote:
> On Fri, 22 May 2026 12:15:07 -0700, Reinette Chatre wrote:
>> When the mutex is released, the reader wakes up, observes that RDT_DELETED
>> is not set for the default group, and dereferences the already-freed
>> file private data.
>
> I wonder if a code call sequence could be added in the commit log,
> which would be helpful to quickly understand the race condition:
>
> CPU 0 (read mon_data file)          CPU 1 (umount)
> --------------------------          --------------
>
> rdtgroup_kn_lock_live()
> rdtgrp = &rdtgroup_default
> waitcount++
> break_active_protection()
>                                     mutex_lock()
>                                     mon_put_kn_priv()
>                                     kfree(mon_data)
>                                     mutex_unlock()
> mutex_lock()
> rdtgrp->flags & RDT_DELETED?
> // no -- never set for default
> return rdtgrp
>
> md = of->kn->priv // UAF: freed
>

Yes, something like this will make the issue easier to see. Will do.


>
> I did not find issues in current implementation,
>
> Reviewed-by: Chen Yu <yu.c.chen@xxxxxxxxx>

Thank you very much.
I just realized that I omitted your other tag from patch #2 [1]. I am
very sorry and will fix that in the next posting.

Reinette


[1] https://lore.kernel.org/lkml/7f7712d9-2b23-412a-a3a8-e36c22b4ba32@xxxxxxxxx/
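The interleaving quoted in the thread, replayed as a small user-space model. This is an added example, not kernel code and not part of the patch series: the struct and function names (`rdtgroup_default`, `RDT_DELETED`, `of->kn->priv`, `mon_data`) are borrowed from the discussion purely as labels, the mutex is a plain flag, and the "hardened" variant (unmount clears `kn->priv` under the lock before freeing, and the woken reader re-reads it under the same lock) is an assumed illustrative mitigation, not the fix the patch applies. The point it makes executable is that the `RDT_DELETED` check alone lets the reader through because the flag is never set on the default group.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed model of the CPU 0 / CPU 1 sequence from the review thread.
 * Everything here is user-space stand-in code, not resctrl or kernfs. */

#define RDT_DELETED 0x1u

struct mon_data        { int rid; };                 /* stand-in for file private data */
struct kernfs_node     { struct mon_data *priv; };   /* kn->priv as in the thread */
struct kernfs_open_file{ struct kernfs_node *kn; };
struct rdtgroup        { unsigned int flags; int waitcount; };

enum read_result { READ_OK, READ_BAILED, READ_UAF };

static struct rdtgroup rdtgroup_default;   /* RDT_DELETED is never set on this group */
static bool      rdtgroup_mutex_held;
static uintptr_t last_freed;                /* address umount freed; used only for detection */

static void mutex_lock(void)   { rdtgroup_mutex_held = true; }
static void mutex_unlock(void) { rdtgroup_mutex_held = false; }

/* CPU 0, first half of rdtgroup_kn_lock_live(): resolve the default group,
 * bump waitcount and drop active protection. The reader then blocks on
 * the mutex that CPU 1 is about to take. */
static struct rdtgroup *reader_lookup(void)
{
    struct rdtgroup *rdtgrp = &rdtgroup_default;
    rdtgrp->waitcount++;
    /* break_active_protection() happens here in the real code */
    return rdtgrp;
}

/* CPU 1, umount: mon_put_kn_priv() + kfree(mon_data) under the mutex.
 * With clear_priv set, the pointer is invalidated under the same lock
 * before the free (assumed mitigation, not the patch's actual change). */
static void umount_free_priv(struct kernfs_open_file *of, bool clear_priv)
{
    mutex_lock();
    struct mon_data *md = of->kn->priv;
    last_freed = (uintptr_t)md;
    if (clear_priv)
        of->kn->priv = NULL;
    free(md);
    mutex_unlock();
}

/* CPU 0, second half: the mutex is finally acquired, the RDT_DELETED check
 * runs, and the reader goes on to use of->kn->priv. */
static enum read_result reader_resume(struct kernfs_open_file *of,
                                      struct rdtgroup *rdtgrp, bool revalidate)
{
    enum read_result res;

    mutex_lock();
    rdtgrp->waitcount--;
    if (rdtgrp->flags & RDT_DELETED) {      /* never true for the default group */
        mutex_unlock();
        return READ_BAILED;
    }
    /* Only the pointer value is inspected; nothing is dereferenced. */
    uintptr_t md = (uintptr_t)of->kn->priv;
    if (revalidate && md == 0)
        res = READ_BAILED;                  /* hardened reader notices the teardown */
    else
        res = (md != 0 && md == last_freed) ? READ_UAF : READ_OK;
    mutex_unlock();
    return res;
}

/* Drive the sequence from the table: lookup, optional interleaved umount, resume. */
static enum read_result run_sequence(bool umount_interleaves, bool hardened)
{
    struct mon_data *md = malloc(sizeof *md);
    md->rid = 0;
    struct kernfs_node kn = { .priv = md };
    struct kernfs_open_file of = { .kn = &kn };

    rdtgroup_default.flags = 0;
    rdtgroup_default.waitcount = 0;
    last_freed = 0;

    struct rdtgroup *grp = reader_lookup();
    if (umount_interleaves)
        umount_free_priv(&of, hardened);
    enum read_result res = reader_resume(&of, grp, hardened);

    if (!umount_interleaves)
        free(md);                            /* normal path: reader owned a live md */
    return res;
}
```

`run_sequence(true, false)` reproduces the thread's scenario and reports `READ_UAF`: the flag check passes and the reader is left holding the freed pointer. `run_sequence(true, true)` shows why tying the pointer's validity to the same lock the freeing side holds closes the window regardless of what `RDT_DELETED` says.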