Commit 9bc9ccbf authored by Breno Leitao's avatar Breno Leitao Committed by Andrew Morton
Browse files

mm/kfence: fix potential deadlock in reboot notifier 

The reboot notifier callback can deadlock when calling
cancel_delayed_work_sync() if toggle_allocation_gate() is blocked in
wait_event_idle() waiting for allocations, that might not happen on
shutdown path.

The issue is that cancel_delayed_work_sync() waits for the work to
complete, but the work is waiting for kfence_allocation_gate > 0 which
requires allocations to happen (each allocation is increased by 1) -
allocations that may have stopped during shutdown.

Fix this by:
1. Using cancel_delayed_work() (non-sync) to avoid blocking. Now the
   callback succeeds and return.
2. Adding wake_up() to unblock any waiting toggle_allocation_gate()
3. Adding !kfence_enabled to the wait condition so the wake succeeds

The static_branch_disable() IPI will still execute after the wake, but at
this early point in shutdown (reboot notifier runs with INT_MAX priority),
the system is still functional and CPUs can respond to IPIs.

Link: https://lkml.kernel.org/r/20260116-kfence_fix-v1-1-4165a055933f@debian.org


Fixes: ce2bba89 ("mm/kfence: add reboot notifier to disable KFENCE on shutdown")
Signed-off-by: default avatarBreno Leitao <leitao@debian.org>
Reported-by: default avatarChris Mason <clm@meta.com>
Closes: https://lore.kernel.org/all/20260113140234.677117-1-clm@meta.com/


Reviewed-by: default avatarMarco Elver <elver@google.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Breno Leitao <leitao@debian.org>
Cc: Chris Mason <clm@meta.com>
Cc: Dmitriy Vyukov <dvyukov@google.com>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
parent cb7d761b

mm/kfence/core.c

+12 −5
Original line number Diff line number Diff line
@@ -823,6 +823,9 @@ static struct notifier_block kfence_check_canary_notifier = { 
static struct delayed_work kfence_timer;



#ifdef CONFIG_KFENCE_STATIC_KEYS

/* Wait queue to wake up allocation-gate timer task. */

static DECLARE_WAIT_QUEUE_HEAD(allocation_wait);



static int kfence_reboot_callback(struct notifier_block *nb,

				  unsigned long action, void *data)

{
@@ -832,7 +835,12 @@ static int kfence_reboot_callback(struct notifier_block *nb, 
	 */

	WRITE_ONCE(kfence_enabled, false);

	/* Cancel any pending timer work */

	cancel_delayed_work_sync(&kfence_timer);

	cancel_delayed_work(&kfence_timer);

	/*

	 * Wake up any blocked toggle_allocation_gate() so it can complete

	 * early while the system is still able to handle IPIs.

	 */

	wake_up(&allocation_wait);



	return NOTIFY_OK;

}
@@ -842,9 +850,6 @@ static struct notifier_block kfence_reboot_notifier = { 
	.priority = INT_MAX, /* Run early to stop timers ASAP */

};



/* Wait queue to wake up allocation-gate timer task. */

static DECLARE_WAIT_QUEUE_HEAD(allocation_wait);



static void wake_up_kfence_timer(struct irq_work *work)

{

	wake_up(&allocation_wait);
@@ -873,7 +878,9 @@ static void toggle_allocation_gate(struct work_struct *work) 
	/* Enable static key, and await allocation to happen. */

	static_branch_enable(&kfence_allocation_key);



	wait_event_idle(allocation_wait, atomic_read(&kfence_allocation_gate) > 0);

	wait_event_idle(allocation_wait,

			atomic_read(&kfence_allocation_gate) > 0 ||

			!READ_ONCE(kfence_enabled));



	/* Disable static key and reset timer. */

	static_branch_disable(&kfence_allocation_key);