Re: [PATCH v3 9/9] fs/resctrl: Fix UAF from worker threads when domains are removed

From: Reinette Chatre

Date: Thu May 28 2026 - 12:26:44 EST




On 5/22/26 12:15 PM, Reinette Chatre wrote:
> @@ -841,7 +860,10 @@ void mbm_handle_overflow(struct work_struct *work)
> struct list_head *head;
> struct rdt_resource *r;
>
> - cpus_read_lock();
> + /*
> + * Safe to run without CPU hotplug lock. Work is guaranteed to be
> + * canceled before the domain structure is removed.
> + */
> mutex_lock(&rdtgroup_mutex);
>
> /*
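Review bot: The new comment in mbm_handle_overflow() justifies dropping cpus_read_lock() only by the domain's lifetime, and it does not say which path cancels the work or that the cancellation waits for a running handler to finish. Consider naming the function that performs the cancel so the guarantee can be checked from this comment. The comment could also record the second assumption the change relies on: that nothing reached from this handler requires the hotplug lock. This mail raises that question for the arch hooks that contain lockdep_assert_cpus_held(), and a later change that makes them reachable from here would break the assumption without any hint at this site.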

I resubmitted the last three patches of the series to obtain Sashiko review [1] and
respond to that feedback here:

Sashiko: "Could running this worker without the hotplug lock trigger lockdep splats
and expose the architecture backend to races against CPU hotplug?"

No.

Sashiko points out that the MPAM resctrl_arch_get_config() and resctrl_arch_update_one()
hooks contain lockdep_assert_cpus_held() and since these hooks are called via mbm_handle_overflow()
it seems that this could trigger lockdep splats.

Recent commit f52abe650241 ("fs/resctrl: Disallow the software controller when MBM counters are assignable")
established that MPAM does not support the software controller and these hooks will
thus not be called from the overflow handler.

Reinette

[1] https://sashiko.dev/#/patchset/cover.1779834897.git.reinette.chatre%40intel.com