From: sashiko-bot@kernel.org
To: "Tejun Heo" <tj@kernel.org>
Cc: sched-ext@lists.linux.dev
Subject: Re: [PATCH 2/6] sched_ext: Inline scx_init_task() and move RESET_RUNNABLE_AT into scx_set_task_state()
Date: Mon, 11 May 2026 21:40:31 +0000
Message-ID: <20260511214031.AF5E9C2BCB0@smtp.kernel.org>
In-Reply-To: <20260510074113.2049514-3-tj@kernel.org>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Use-After-Free (UAF) of task_struct fields `p->comm` and `p->pid` in the error path of `scx_root_enable_workfn()`.
--
commit ff748fbf4ba914d4e370692e8c52959bf3619890
Author: Tejun Heo <tj@kernel.org>
sched_ext: Inline scx_init_task() and move RESET_RUNNABLE_AT into scx_set_task_state()
This commit prepares for the SCX_TASK_INIT_BEGIN/DEAD work by collapsing the
scx_init_task() helper and moving the SCX_TASK_RESET_RUNNABLE_AT setting
into scx_set_task_state(). It also inlines scx_init_task() into scx_fork()
and scx_root_enable_workfn(), dropping the helper.
> diff --git a/kernel/sched/ext.c b/kernel/sched/ext.c
> --- a/kernel/sched/ext.c
> +++ b/kernel/sched/ext.c
[ ... ]
> @@ -6884,8 +6870,8 @@ static void scx_root_enable_workfn(struct kthread_work *work)
>
> scx_task_iter_unlock(&sti);
>
> - ret = scx_init_task(sch, p, false);
> - if (ret) {
> + ret = __scx_init_task(sch, p, false);
> + if (unlikely(ret)) {
> put_task_struct(p);
> scx_task_iter_stop(&sti);
> scx_error(sch, "ops.init_task() failed (%d) for %s[%d]",
> ret, p->comm, p->pid);
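Review bot: in this hunk `put_task_struct(p)` runs before `scx_error()` formats `p->comm` and `p->pid`, so if that put drops the last reference (for instance when the task is exiting concurrently) the diagnostic is built from a task_struct that is no longer safe to dereference. The ordering predates this patch, since the hunk only renames the call to `__scx_init_task()` and wraps the check in `unlikely()`, but as the lines are being touched anyway, consider moving `put_task_struct(p)` after the `scx_error()` call, or copying `p->pid` and `p->comm` into locals before the put, so the error message never reads from a possibly freed task.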
This isn't a bug introduced by this commit, but could this lead to a
use-after-free of the task struct?
If put_task_struct(p) drops the last reference (for example, if the task is
concurrently exiting), it will schedule the task struct for RCU-delayed
freeing.
Immediately after, scx_task_iter_stop() releases the task iterator locks,
which can re-enable preemption and interrupts. Since the thread holds
sleeping locks, an RCU grace period could potentially elapse before execution
resumes.
If that happens, accessing p->comm and p->pid in scx_error() would
dereference freed memory.
Should put_task_struct(p) be moved after scx_error() to prevent this?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260510074113.2049514-1-tj@kernel.org?part=2
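As an added illustration of the ordering hazard discussed in the message above, the following userspace C model is not kernel code and is not part of the patch or the review. `struct fake_task`, `fake_put_task()`, `fake_task_fields()` and the `freed` poison flag are assumed stand-ins for `task_struct`, `put_task_struct()` and the RCU-delayed free; the kernel has no such "is it freed" check, which is exactly why the real bug would only surface as a crash or a KASAN report. The block contrasts the put-before-log ordering from the quoted hunk with the log-before-put ordering the review proposes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for task_struct. The `freed` flag models the object
 * having been handed to the RCU-delayed free after the last put. */
#define COMM_LEN 16

struct fake_task {
    int refcount;
    int pid;
    char comm[COMM_LEN];
    int freed;
};

/* Models put_task_struct(): on the last reference the object becomes
 * invalid. We poison instead of calling free() so the misuse is detectable
 * rather than undefined behaviour. */
static void fake_put_task(struct fake_task *p)
{
    if (--p->refcount == 0) {
        p->freed = 1;
        p->pid = -1;
        memset(p->comm, 0xAA, sizeof(p->comm)); /* like slab poisoning */
    }
}

/* Accessor that refuses to read a freed object. Real kernel code has no
 * such guard; it would simply read freed memory. */
static int fake_task_fields(const struct fake_task *p, char *comm, size_t len, int *pid)
{
    if (p->freed)
        return -1;
    snprintf(comm, len, "%s", p->comm);
    *pid = p->pid;
    return 0;
}

/* Ordering as in the quoted hunk: put first, then format the message. */
static int error_path_put_first(struct fake_task *p, int ret, char *msg, size_t len)
{
    char comm[COMM_LEN];
    int pid;

    fake_put_task(p);
    if (fake_task_fields(p, comm, sizeof(comm), &pid) < 0)
        return -1; /* in the kernel this would be a use-after-free */
    snprintf(msg, len, "ops.init_task() failed (%d) for %s[%d]", ret, comm, pid);
    return 0;
}

/* Ordering the review suggests: format while the reference is still held. */
static int error_path_put_last(struct fake_task *p, int ret, char *msg, size_t len)
{
    char comm[COMM_LEN];
    int pid;

    if (fake_task_fields(p, comm, sizeof(comm), &pid) < 0)
        return -1;
    snprintf(msg, len, "ops.init_task() failed (%d) for %s[%d]", ret, comm, pid);
    fake_put_task(p);
    return 0;
}

/* Constructed task holding exactly one reference, the caller's own, which
 * models a task that has already dropped its own reference on exit. */
static void fake_task_init(struct fake_task *p, int pid, const char *comm)
{
    memset(p, 0, sizeof(*p));
    p->refcount = 1;
    p->pid = pid;
    snprintf(p->comm, sizeof(p->comm), "%s", comm);
}

/* Runs the buggy ordering; returns -1 when the read-after-put is detected. */
static int run_put_first(void)
{
    struct fake_task t;
    char msg[128];

    fake_task_init(&t, 4242, "scx_test");
    return error_path_put_first(&t, -22, msg, sizeof(msg));
}

/* Runs the fixed ordering; returns 1 when the message is intact and the
 * reference was still dropped exactly once afterwards. */
static int run_put_last_ok(void)
{
    struct fake_task t;
    char msg[128];

    fake_task_init(&t, 4242, "scx_test");
    if (error_path_put_last(&t, -22, msg, sizeof(msg)) != 0)
        return 0;
    if (strcmp(msg, "ops.init_task() failed (-22) for scx_test[4242]") != 0)
        return 0;
    return t.refcount == 0 && t.freed == 1;
}

int main(void)
{
    printf("put-first ordering: %s\n",
           run_put_first() < 0 ? "read after last put (use-after-free)" : "ok");
    printf("put-last ordering: %s\n", run_put_last_ok() ? "ok" : "broken");
    return 0;
}
```

The model only shows the single-reference case; in the kernel the same put is harmless whenever another reference is still held, which is why the ordering bug is easy to miss in testing and only bites under a concurrent exit.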
Thread overview: 13+ messages
2026-05-10 7:41 [PATCHSET sched_ext/for-7.1-fixes] sched_ext: Fix sched_ext_dead() races with task initialization Tejun Heo
2026-05-10 7:41 ` [PATCH 1/6] sched_ext: Cleanups in preparation for the SCX_TASK_INIT_BEGIN/DEAD work Tejun Heo
2026-05-10 7:41 ` [PATCH 2/6] sched_ext: Inline scx_init_task() and move RESET_RUNNABLE_AT into scx_set_task_state() Tejun Heo
2026-05-10 17:20 ` Andrea Righi
2026-05-10 20:04 ` [PATCH v2 " Tejun Heo
2026-05-11 21:40 ` sashiko-bot [this message]
2026-05-10 7:41 ` [PATCH 3/6] sched_ext: Replace SCX_TASK_OFF_TASKS flag with SCX_TASK_DEAD state Tejun Heo
2026-05-10 7:41 ` [PATCH 4/6] sched_ext: Close root-enable vs sched_ext_dead() race with SCX_TASK_INIT_BEGIN Tejun Heo
2026-05-10 7:41 ` [PATCH 5/6] sched_ext: Close sub-sched init race with post-init DEAD recheck Tejun Heo
2026-05-10 7:41 ` [PATCH 6/6] sched_ext: Handle SCX_TASK_NONE in disable/switched_from paths Tejun Heo
2026-05-11 23:55 ` sashiko-bot
2026-05-10 17:47 ` [PATCHSET sched_ext/for-7.1-fixes] sched_ext: Fix sched_ext_dead() races with task initialization Andrea Righi
2026-05-10 21:55 ` Tejun Heo