[PATCH] cgroup: Use READ_ONCE() for task->flags in task_css_set_check()

[PATCH] cgroup: Use READ_ONCE() for task->flags in task_css_set_check()

[Guopeng Zhang]

From: Guopeng Zhang <zhangguopeng@kylinos.cn>

task_css_set_check() uses rcu_dereference_check() to verify that
task->cgroups can be dereferenced. One accepted condition is that the
task is already exiting, tested by checking PF_EXITING in task->flags.

This is a lockless snapshot used only for the CONFIG_PROVE_RCU debug
predicate. This was found by KCSAN during fuzz testing. KCSAN can report
a data race when another task flag bit is updated concurrently. One report
shows pids_release() reading task->flags through task_css_set_check() while
do_task_dead() sets PF_NOFREEZE:

  KCSAN: data-race in task_css() [inline]
  KCSAN: data-race in pids_release()

  task_css()
  pids_release()
  cgroup_release()
  release_task()
  wait_task_zombie()

  value changed: 0x0040004c -> 0x0040804c

The changed bit is PF_NOFREEZE, not PF_EXITING. PF_EXITING remains set
before and after the update, so the task_css_set_check() condition does
not change. This is not a race on task->cgroups and does not indicate
incorrect pids charging or uncharging.

Use READ_ONCE() to document the intended lockless snapshot of task->flags.

No functional change intended.

Signed-off-by: Guopeng Zhang <zhangguopeng@kylinos.cn>
---
 include/linux/cgroup.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/linux/cgroup.h b/include/linux/cgroup.h
index f2aa46a4f871..8afc4ec7f7a1 100644
--- a/include/linux/cgroup.h
+++ b/include/linux/cgroup.h
@@ -480,7 +480,7 @@ static inline void cgroup_unlock(void)
 		rcu_read_lock_sched_held() ||				\
 		lockdep_is_held(&cgroup_mutex) ||			\
 		lockdep_is_held(&css_set_lock) ||			\
-		((task)->flags & PF_EXITING) || (__c))
+		(READ_ONCE((task)->flags) & PF_EXITING) || (__c))
 #else
 #define task_css_set_check(task, __c)					\
 	rcu_dereference((task)->cgroups)
-- 
2.25.1

Re: [PATCH] cgroup: Use READ_ONCE() for task->flags in task_css_set_check()

[Tao Cui]

Looks fine — this is a benign, PROVE_RCU-only race, and READ_ONCE()
documents the lockless snapshot with no functional change.

Acked-by: Tao Cui <cuitao@kylinos.cn>

在 2026/6/23 10:29, Guopeng Zhang 写道:
> From: Guopeng Zhang <zhangguopeng@kylinos.cn>
> 
> task_css_set_check() uses rcu_dereference_check() to verify that
> task->cgroups can be dereferenced. One accepted condition is that the
> task is already exiting, tested by checking PF_EXITING in task->flags.
> 
> This is a lockless snapshot used only for the CONFIG_PROVE_RCU debug
> predicate. This was found by KCSAN during fuzz testing. KCSAN can report
> a data race when another task flag bit is updated concurrently. One report
> shows pids_release() reading task->flags through task_css_set_check() while
> do_task_dead() sets PF_NOFREEZE:
> ...
> The changed bit is PF_NOFREEZE, not PF_EXITING. PF_EXITING remains set
> before and after the update, so the task_css_set_check() condition does
> not change. This is not a race on task->cgroups and does not indicate
> incorrect pids charging or uncharging.
> 
> Use READ_ONCE() to document the intended lockless snapshot of task->flags.
> 
> No functional change intended.
> 
> Signed-off-by: Guopeng Zhang <zhangguopeng@kylinos.cn>