From: Tejun Heo <tj@kernel.org>
To: zhidao su <soolaugust@gmail.com>
Cc: sched-ext@lists.linux.dev, linux-kernel@vger.kernel.org,
void@manifault.com, arighi@nvidia.com, changwoo@igalia.com,
peterz@infradead.org, mingo@redhat.com,
zhidao su <suzhidao@xiaomi.com>
Subject: Re: [PATCH v2] sched_ext: Use WRITE_ONCE() for the write side of scx_enable helper pointer
Date: Fri, 6 Mar 2026 06:34:24 -1000 [thread overview]
Message-ID: <aasCEDc1Hi184it9@slm.duckdns.org> (raw)
In-Reply-To: <20260306141718.2721073-1-suzhidao@xiaomi.com>
On Fri, Mar 06, 2026 at 10:17:18PM +0800, zhidao su wrote:
> scx_enable() uses double-checked locking to lazily initialize a static
> kthread_worker pointer:
>
> if (!READ_ONCE(helper)) {
> mutex_lock(&helper_mutex);
> if (!helper) {
> helper = kthread_run_worker(0, "scx_enable_helper");
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> plain write -- KCSAN data race
>
> The outer READ_ONCE() annotates the lockless fast-path read, but the
> write side uses a plain assignment without the matching WRITE_ONCE().
> The KCSAN documentation requires that if one accessor uses READ_ONCE()
> or WRITE_ONCE() on a variable to annotate lock-free access, all other
> accesses must also use the appropriate accessor. A plain write leaves
> the pair incomplete and will trigger KCSAN warnings.
>
> The error path also has the same issue:
>
> helper = NULL;
> ^^^^^^^^^^
> plain write -- KCSAN data race
>
> Fix both plain writes by using WRITE_ONCE() to complete the concurrent
> access annotation and make the code KCSAN-clean.
>
> Fixes: b06ccbabe250 ("sched_ext: Fix starvation of scx_enable() under fair-class saturation")
> Signed-off-by: zhidao su <suzhidao@xiaomi.com>
> ---
> v2: Add missing Fixes: tag (Andrea Righi)
> ---
> kernel/sched/ext.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/kernel/sched/ext.c b/kernel/sched/ext.c
> index 9a1471ad5ae7..c4ccd685259f 100644
> --- a/kernel/sched/ext.c
> +++ b/kernel/sched/ext.c
> @@ -5355,9 +5355,9 @@ static int scx_enable(struct sched_ext_ops *ops, struct bpf_link *link)
> if (!READ_ONCE(helper)) {
> mutex_lock(&helper_mutex);
> if (!helper) {
> - helper = kthread_run_worker(0, "scx_enable_helper");
> + WRITE_ONCE(helper, kthread_run_worker(0, "scx_enable_helper"));
> if (IS_ERR_OR_NULL(helper)) {
> - helper = NULL;
> + WRITE_ONCE(helper, NULL);
I think this is racy. Another enable instance can race and read an ERR value
and try to use it as a pointer. Can you add a temporary variable to hold the
returned kworker pointer so that it only writes to helper iff it's valid.
Thanks.
--
tejun
next prev parent reply other threads:[~2026-03-06 16:34 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-06 10:59 [PATCH] sched_ext: Use WRITE_ONCE() for the write side of scx_enable helper pointer zhidao su
2026-03-06 14:09 ` Andrea Righi
2026-03-06 14:17 ` [PATCH v2] " zhidao su
2026-03-06 16:34 ` Tejun Heo [this message]
2026-03-09 2:46 ` [PATCH v3] " zhidao su
2026-03-09 4:34 ` zhidao su
2026-03-09 16:20 ` Tejun Heo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aasCEDc1Hi184it9@slm.duckdns.org \
--to=tj@kernel.org \
--cc=arighi@nvidia.com \
--cc=changwoo@igalia.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=peterz@infradead.org \
--cc=sched-ext@lists.linux.dev \
--cc=soolaugust@gmail.com \
--cc=suzhidao@xiaomi.com \
--cc=void@manifault.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox