From: Tejun Heo <tj@kernel.org>
To: void@manifault.com, arighi@nvidia.com, changwoo@igalia.com
Cc: emil@etsalapatis.com, suzhidao@xiaomi.com,
sched-ext@lists.linux.dev, linux-kernel@vger.kernel.org,
Tejun Heo <tj@kernel.org>
Subject: [PATCHSET sched_ext/for-7.1-fixes] sched_ext: Fix sched_ext_dead() races with task initialization
Date: Sat, 9 May 2026 21:41:07 -1000
Message-ID: <20260510074113.2049514-1-tj@kernel.org>

Hello,

zhidao su reported a NULL deref and an ops.init_task() leak when
sched_ext_dead() races scx_root_enable_workfn() in CONFIG_EXT_SUB_SCHED
kernels [1]. The same race window also affects the analogous sub-sched paths
(scx_sub_enable_workfn()'s per-task init pass and scx_sub_disable()'s
migration loop), and the wrapper-disable paths trip on the NONE state that
scx_fail_parent() leaves behind. Closing all of these calls for a
state-machine extension rather than a localized fix.

The series introduces SCX_TASK_INIT_BEGIN as an explicit intermediate state
between NONE and INIT, and replaces the SCX_TASK_OFF_TASKS marker flag with
a real SCX_TASK_DEAD terminal state. With the state machine in place, every
init path uses the same handshake: write INIT_BEGIN under rq lock, init
outside the lock, recheck DEAD under rq lock, unwind via
scx_sub_init_cancel_task() on hit. The wrapper-disable and
switched_from_scx() paths get NONE early-returns to handle the
scx_fail_parent() residue.

It is more invasive than zhidao's patches but covers the related races
uniformly and avoids the implicit list_empty() check his approach relies
on. Credit to him for finding and reporting the bug.

 0001 sched_ext: Cleanups in preparation for the SCX_TASK_INIT_BEGIN/DEAD work
 0002 sched_ext: Inline scx_init_task() and move RESET_RUNNABLE_AT into scx_set_task_state()
 0003 sched_ext: Replace SCX_TASK_OFF_TASKS flag with SCX_TASK_DEAD state
 0004 sched_ext: Close root-enable vs sched_ext_dead() race with SCX_TASK_INIT_BEGIN
 0005 sched_ext: Close sub-sched init race with post-init DEAD recheck
 0006 sched_ext: Handle SCX_TASK_NONE in disable/switched_from paths

Based on sched_ext/for-7.1-fixes (ab28a0673daa).

Git tree: git://git.kernel.org/pub/scm/linux/kernel/git/tj/sched_ext.git for-7.1-fixes-dead-race

Verified with a debug patch that widens the unlocked init windows on the
root and sub-sched paths and counts post-init DEAD-recheck hits.
Reproducers exercise each of the original races plus the scx_fail_parent
NONE-state regression, followed by a multi-iteration stress under fork
churn. Counters show the windows are hit and no
BUG/WARNING/Oops/Invalid-task-state appears.

[1] https://lore.kernel.org/all/20260429133155.3825247-1-suzhidao@xiaomi.com/

 include/linux/sched/ext.h |  17 ++--
 kernel/sched/ext.c        | 221 +++++++++++++++++++++++++++++++---------------
 2 files changed, 162 insertions(+), 76 deletions(-)

Thanks.

--
tejun
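The INIT_BEGIN / DEAD handshake described in the cover letter, modelled as an added user-space C example (this is not code from the series or from the kernel): a bool stands in for holding the rq lock, two counters stand in for ops.init_task() and its teardown, and run_scenario() fires the dead path at each point of the init sequence to show that no init is leaked and no uninitialized task is torn down in any interleaving.

```c
#include <assert.h>
#include <stdbool.h>
enum task_state { TS_NONE, TS_INIT_BEGIN, TS_INIT, TS_DEAD }; /* DEAD is terminal */
struct model_task {
	enum task_state state;
	bool locked;                  /* stands in for holding the task's rq lock */
	int init_calls, exit_calls;   /* modelled ops.init_task() / teardown counts */
};
static void rq_lock(struct model_task *t)   { assert(!t->locked); t->locked = true; }
static void rq_unlock(struct model_task *t) { assert(t->locked);  t->locked = false; }
/* Step 1: claim the task under the lock; an already-DEAD task is skipped. */
static bool init_begin(struct model_task *t) {
	rq_lock(t);
	bool claimed = (t->state == TS_NONE);
	if (claimed) t->state = TS_INIT_BEGIN;
	rq_unlock(t);
	return claimed;
}
/* Step 2: run the sleeping init unlocked, then recheck DEAD under the lock. */
static bool init_finish(struct model_task *t) {
	assert(!t->locked);   /* init must not run with the rq lock held */
	t->init_calls++;      /* the unlocked ops.init_task() */
	rq_lock(t);
	bool dead = (t->state == TS_DEAD);
	if (dead) t->exit_calls++;  /* unwind, as scx_sub_init_cancel_task() does */
	else t->state = TS_INIT;
	rq_unlock(t);
	return !dead;
}
/* Dead path: always enter DEAD, but tear down only a fully INIT task;
 * one caught in INIT_BEGIN is left for init_finish() to unwind. */
static void task_dead(struct model_task *t) {
	rq_lock(t);
	if (t->state == TS_INIT) t->exit_calls++;
	t->state = TS_DEAD;
	rq_unlock(t);
}
/* dead_at: 0 = before begin, 1 = inside the unlocked init window, 2 = after init, other = never */
static struct model_task run_scenario(int dead_at) {
	struct model_task t = { TS_NONE, false, 0, 0 };
	if (dead_at == 0) task_dead(&t);
	if (init_begin(&t)) {
		if (dead_at == 1) task_dead(&t);
		init_finish(&t);
	}
	if (dead_at == 2) task_dead(&t);
	return t;
}
static enum task_state scenario_state(int dead_at) { return run_scenario(dead_at).state; }
static int scenario_leak(int dead_at) { struct model_task t = run_scenario(dead_at); return t.init_calls - t.exit_calls; }
```

A leak of 0 means every modelled init was matched by a teardown; the never-dying case ends in INIT with one outstanding init, which is the expected live-task balance.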
Thread overview: 13+ messages
2026-05-10 7:41 Tejun Heo [this message]
2026-05-10 7:41 ` [PATCH 1/6] sched_ext: Cleanups in preparation for the SCX_TASK_INIT_BEGIN/DEAD work Tejun Heo
2026-05-10 7:41 ` [PATCH 2/6] sched_ext: Inline scx_init_task() and move RESET_RUNNABLE_AT into scx_set_task_state() Tejun Heo
2026-05-10 17:20 ` Andrea Righi
2026-05-10 20:04 ` [PATCH v2 " Tejun Heo
2026-05-11 21:40 ` [PATCH " sashiko-bot
2026-05-10 7:41 ` [PATCH 3/6] sched_ext: Replace SCX_TASK_OFF_TASKS flag with SCX_TASK_DEAD state Tejun Heo
2026-05-10 7:41 ` [PATCH 4/6] sched_ext: Close root-enable vs sched_ext_dead() race with SCX_TASK_INIT_BEGIN Tejun Heo
2026-05-10 7:41 ` [PATCH 5/6] sched_ext: Close sub-sched init race with post-init DEAD recheck Tejun Heo
2026-05-10 7:41 ` [PATCH 6/6] sched_ext: Handle SCX_TASK_NONE in disable/switched_from paths Tejun Heo
2026-05-11 23:55 ` sashiko-bot
2026-05-10 17:47 ` [PATCHSET sched_ext/for-7.1-fixes] sched_ext: Fix sched_ext_dead() races with task initialization Andrea Righi
2026-05-10 21:55 ` Tejun Heo