Re: [PATCH v3 4/9] fs/resctrl: Fix deadlock for errors during mount

Next message: David Laight: "Re: [PATCH 05/29] crypto: talitos - Prepare crypto implementation file splitting"
Previous message: Ricardo Pardini via B4 Relay: "[PATCH v2 1/2] arm64: dts: rockchip: describe PCIe Ethernet controllers on NanoPC-T6"
In reply to: Chen, Yu C: "Re: [PATCH v3 4/9] fs/resctrl: Fix deadlock for errors during mount"
Next in thread: Chen, Yu C: "Re: [PATCH v3 4/9] fs/resctrl: Fix deadlock for errors during mount"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Reinette Chatre

Date: Fri May 29 2026 - 12:24:44 EST

Hi Chenyu,

On 5/29/26 7:06 AM, Chen, Yu C wrote:
> On 5/23/2026 3:15 AM, Reinette Chatre wrote:
>> @@ -3085,10 +3105,37 @@ static int rdt_get_tree(struct fs_context *fc)
>>                              RESCTRL_PICK_ANY_CPU);
>>       }
>> -    goto out;
>> +    /*
>> +     * Ensure root kn remains accessible after mutex is unlocked so that
>
> Maybe a little more accurate to say "Ensure rdt_root remains accessible"?
> Here we increase reference for rdtgroup_default.kn, and protect
> against UAF of
> kernfs_kill_sb(sb) ->
> info = kernfs_info(sb) ->
>     kernfs_put(info->root->kn)
>
> where the info->root is UAF rather than the kn.

Right. The UAF is indeed on the root self while its lifetime is controlled by references
to its kn (root->kn). Dropping the last reference on root->kn causes root to be freed.

rdt_root is the name of a variable though and its value can actually change in the flow
involved here so I'd prefer not to phrase it exactly like that. How about just
"Ensure root remains accessible ..."?

>
> Other looks good to me.
>
> Reviewed-by: Chen Yu <yu.c.chen@xxxxxxxxx>

Thank you very much.

Reinette