Re: [PATCHSET sched_ext/for-7.1-fixes] sched_ext: Fix sched_ext_dead() races with task initialization

[Andrea Righi <arighi@nvidia.com>]

Hi Tejun,

On Sat, May 09, 2026 at 09:41:07PM -1000, Tejun Heo wrote:
> Hello,
> 
> zhidao su reported a NULL deref and an ops.init_task() leak when
> sched_ext_dead() races scx_root_enable_workfn() in CONFIG_EXT_SUB_SCHED
> kernels [1]. The same race window also affects the analogous sub-sched paths
> (scx_sub_enable_workfn()'s per-task init pass and scx_sub_disable()'s
> migration loop), and the wrapper-disable paths trip on the NONE state that
> scx_fail_parent() leaves behind. Closing all of these calls for a
> state-machine extension rather than a localized fix.
> 
> The series introduces SCX_TASK_INIT_BEGIN as an explicit intermediate state
> between NONE and INIT, and replaces the SCX_TASK_OFF_TASKS marker flag with
> a real SCX_TASK_DEAD terminal state. With the state machine in place, every
> init path uses the same handshake: write INIT_BEGIN under rq lock, init
> outside the lock, recheck DEAD under rq lock, unwind via
> scx_sub_init_cancel_task() on hit. The wrapper-disable and
> switched_from_scx() paths get NONE early-returns to handle the
> scx_fail_parent() residue.
> 
> It is more invasive than zhidao's patches but covers the related races
> uniformly and avoids the implicit list_empty() check his approach relies
> on. Credit to him for finding and reporting the bug.
> 
>  0001 sched_ext: Cleanups in preparation for the SCX_TASK_INIT_BEGIN/DEAD work
>  0002 sched_ext: Inline scx_init_task() and move RESET_RUNNABLE_AT into scx_set_task_state()
>  0003 sched_ext: Replace SCX_TASK_OFF_TASKS flag with SCX_TASK_DEAD state
>  0004 sched_ext: Close root-enable vs sched_ext_dead() race with SCX_TASK_INIT_BEGIN
>  0005 sched_ext: Close sub-sched init race with post-init DEAD recheck
>  0006 sched_ext: Handle SCX_TASK_NONE in disable/switched_from paths

Apart than a small comment about PATCH 2/6, I haven't found any issues with this
series. Looks good to me.

Reviewed-by: Andrea Righi <arighi@nvidia.com>

Thanks,
-Andrea

> 
> Based on sched_ext/for-7.1-fixes (ab28a0673daa).
> 
> Git tree: git://git.kernel.org/pub/scm/linux/kernel/git/tj/sched_ext.git for-7.1-fixes-dead-race
> 
> Verified with a debug patch that widens the unlocked init windows on the
> root and sub-sched paths and counts post-init DEAD-recheck hits.
> Reproducers exercise each of the original races plus the scx_fail_parent
> NONE-state regression, followed by a multi-iteration stress under fork
> churn. Counters show the windows are hit and no
> BUG/WARNING/Oops/Invalid-task-state appears.
> 
> [1] https://lore.kernel.org/all/20260429133155.3825247-1-suzhidao@xiaomi.com/
> 
>  include/linux/sched/ext.h |  17 ++--
>  kernel/sched/ext.c        | 221 +++++++++++++++++++++++++++++++---------------
>  2 files changed, 162 insertions(+), 76 deletions(-)
> 
> Thanks.
> 
> --
> tejun