Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
From:   Yanfei Xu <yanfei.xu@windriver.com>
To:     paulmck@kernel.org, josh@joshtriplett.org, rostedt@goodmis.org,
        mathieu.desnoyers@efficios.com, jiangshanlai@gmail.com,
        joel@joelfernandes.org
Cc:     rcu@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] rcu-tasks: remove the task from holdout list a same place
Date:   Mon, 24 May 2021 02:37:27 +0800
Message-Id: <20210523183727.31536-1-yanfei.xu@windriver.com>
Content-Transfer-Encoding: 8bit
Content-Type: text/plain
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
Received: from pek-lpggp1.wrs.com (60.247.85.82) by HK2PR06CA0011.apcprd06.prod.outlook.com (2603:1096:202:2e::23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4150.24 via Frontend Transport; Sun, 23 May 2021 18:37:39 +0000
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 4068e622-d9c0-45b7-2e8f-08d91e19d8c1
X-MS-TrafficTypeDiagnostic: BYAPR11MB3718:
X-Microsoft-Antispam-PRVS: <BYAPR11MB371805E1640766DFA8659C6AE4279@BYAPR11MB3718.namprd11.prod.outlook.com>
X-MS-Oob-TLC-OOBClassifiers: OLM:7691;
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: eHBVc/RZuf3Fetkl0ePP9QqGx+pE98aRidORPKPriCkkJpa7rHCCHkpuvTp7mYN2wGV31XIiXsDjtWwF2Kux54tPc4MFV2VH+zN6RRVHkIhsTaIvHQ4JHPaDQpC9b0W5Z2Uc+c5BJIFyQMZXU8IZN/JZ0UgcGy5vW2M/DJQtEU0rvtuwxRGro5B1psRi/Vn/PJT4rp+3/wDqrRVv0v9+aGpaztPr/I57Atq9gCj+C+7nb+nkdS3W7aPRlH2XVS0OV81TzCsGuMgGvg8v5zQaawlcdIXNJBKOFp4UkZLulAqrIrJoBcyvHHlTKykCncO/1YV5bP0qUqMXcGZ1KoFE2Ri5uWFJYx/GyQT/jqmryulnQOx48dCsmHhpGtRN6oRKJHqvA4dd9NH2Oe3JdPyJ7HPlGd7kshZuOWqR+GOj0d9wI+tP6boSCjInhC7TLlhzIR6va1z7KFd+15TurF0OGgOpbaRYOsxmVGobOUpBlqDZ3iK1mNZVdomDOQ1M94E3AV3U5Qz77MhXtryLediHFGyHA+U38gV+A3crKkBHrA54pSqlsTD7ofQMgPGZ0Qg58QHLDQlMi7EKeh3Gawu8zM3csJymqmjnLJ0h/xVRilhX7q1A+QpBBs6KH8znA+6pwRYaBd5IvhJx0rm44eHqLw==
X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:BY5PR11MB4241.namprd11.prod.outlook.com;PTR:;CAT:NONE;SFS:(4636009)(346002)(39830400003)(136003)(396003)(376002)(366004)(38100700002)(2616005)(83380400001)(8936002)(26005)(956004)(1076003)(8676002)(38350700002)(36756003)(316002)(5660300002)(66476007)(6666004)(4326008)(478600001)(16526019)(2906002)(86362001)(6512007)(52116002)(66946007)(6506007)(44832011)(66556008)(186003)(6486002);DIR:OUT;SFP:1101;
X-MS-Exchange-AntiSpam-MessageData: =?us-ascii?Q?TTUdxfY8vzRy+FaxEQbjDkq6Gtj+dOyaOcRj3qz0E75cxgRnPS58vMlhxcTV?=
 =?us-ascii?Q?e+EcynIpAT/yeq+vPtJFF+5V8hVuenGP2PgXanUXurWhiXS7G8Yfdv/IgYUQ?=
 =?us-ascii?Q?XB5dIuWAQAw090ddFpQeFZUXmkn5gPEQRyJnpD62xX9KbeaytTA3Tpdya8Ko?=
 =?us-ascii?Q?nq8NhnyPfpF4hQ330TXwvLH3SuY7bZ4t1AGhL2ArEbPFZ4xQfyrSTaRZolD9?=
 =?us-ascii?Q?nSqvm3MuEbmgg55juiTv2/lin4A9Evl1rrNlyo2dOGdJx7CEy5P1KG3L0o20?=
 =?us-ascii?Q?Sey4wUPrarqw2rdBqGEfdYA0tKel/7nzV626ny8CSrCwbhjrz6WB3+taGiyn?=
 =?us-ascii?Q?BAJ4KUmFkx6dA5lqMdrLH/a9toery2H37rhbSdbJdb9fK/GwUnck2jkWu5v5?=
 =?us-ascii?Q?o2FJtyxv40TGnpphR4VXT/Nt9rj3yTMlaPMIcxuCgQ4WZPISKxH0rpMwGLl2?=
 =?us-ascii?Q?xPesbArd6fPeZ6vv9MZZ910TCAYRzzqjzs90LzMqiaAOtUAiA2U8m0H2Orl+?=
 =?us-ascii?Q?JKOPfmvX0iFootpN+YGbiSA2iIHOdqaqetJ1weljaj7k3fkE2ViTNYVc2qi3?=
 =?us-ascii?Q?ygvjQm8kQbss5q0zoLiOXMRAp4MwlUPiJaTPBXHDOErT8Jy2uMmOv+cZAaBN?=
 =?us-ascii?Q?J3Ji2o5Heh1UwrW/IBUnBWSpqxsd81LgFif/8/l/3PUIMQOGkOJJRofukcaG?=
 =?us-ascii?Q?QDIeE1NnfLQ2gYlLmIRTcwZh5kKXPj8GMgg8or/3zk4RCQJwNvlZuritQFva?=
 =?us-ascii?Q?M1rHe7m7MDS+2hW46Sex7M9EsZ93TyhdfAOZuchyh008y4wNc7H4kpYx40y+?=
 =?us-ascii?Q?Xsae0zsicX6UD/Zq+yNbvzjGXJ4YdEef47G0R2FhZin5Rpf7qIcgn9mbs6pt?=
 =?us-ascii?Q?A1VERIKz9OTTnTTWq9N/Dpg1c/Htdibf1byWmBtlcdZGHzGr0zwMp529ydkr?=
 =?us-ascii?Q?adrVomkUrQ80vEv2cetALQriOKV14e9o08OlAzd8KsBZFOKsDklAmnHFLEt0?=
 =?us-ascii?Q?Dl5YJKBMjEirtMu2rcnTb/w9wBShpS47ApcNPkTWgUs2org4ahNnPjU5lVpF?=
 =?us-ascii?Q?cSgpKiLWxe1DakaOveJKZ2pl4dkz5eITZA2uH4YVTj1oDG2XQMaEYR3aj/7W?=
 =?us-ascii?Q?GDsuC9pCCQHAdVJceLy4XHRBHG8dS79fMPKIF/eDmTeNXKg489LAe2cR7Z5p?=
 =?us-ascii?Q?wX4jQT81Xr6GRiZPInGQD7RHhAMHgsC9b/6BQQtWEgp6IEkRZMFtuaQIqv/l?=
 =?us-ascii?Q?w5WP1ZKBG2NpkHvVV6aWyesqiDSJcCWJZ6vl/Uho8qQATtU418IZ/8dqz/8U?=
 =?us-ascii?Q?/fEbtstm774J+HYnJfjJLckj?=
X-OriginatorOrg: windriver.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 4068e622-d9c0-45b7-2e8f-08d91e19d8c1
X-MS-Exchange-CrossTenant-AuthSource: BY5PR11MB4241.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 23 May 2021 18:37:41.1069
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 8ddb2873-a1ad-4a18-ae4e-4644631433be
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: SHnm90pntmk+Lv+2YMZxnhNYi/6R2Rx1pbG/nJg16ZX1jbRyv371AU7PEYwvF5uAZRby9XrJ6yzLIr9tQGdFFQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR11MB3718
X-Proofpoint-GUID: AkEfiqES0rIKS9MQ6o66P899hKyNwkq-
X-Proofpoint-ORIG-GUID: AkEfiqES0rIKS9MQ6o66P899hKyNwkq-
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.391,18.0.761
 definitions=2021-05-23_03:2021-05-20,2021-05-23 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 mlxscore=0 impostorscore=0
 suspectscore=0 adultscore=0 phishscore=0 clxscore=1011 mlxlogscore=999
 bulkscore=0 spamscore=0 malwarescore=0 lowpriorityscore=0
 priorityscore=1501 classifier=spam adjust=0 reason=mlx scancount=1
 engine=8.12.0-2104190000 definitions=main-2105230139
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

trc_del_holdout() invokes put_task_struct() may cause the task_struct
is freed once the task is exsiting. If happened, we shouldn't access
the task_strcut, or it will triger a use-after-free. Hence we defer
the trc_del_holdout(), and do it in trc_wait_for_one_reader() after
checking t->trc_reader_checked.

Reported-by: syzbot+7b2b13f4943374609532@syzkaller.appspotmail.com
Signed-off-by: Yanfei Xu <yanfei.xu@windriver.com>
---
 kernel/rcu/tasks.h | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/kernel/rcu/tasks.h b/kernel/rcu/tasks.h
index 350ebf5051f9..d8a4367eb501 100644
--- a/kernel/rcu/tasks.h
+++ b/kernel/rcu/tasks.h
@@ -908,10 +908,8 @@ static bool trc_inspect_reader(struct task_struct *t, void *arg)
 		in_qs = likely(!t->trc_reader_nesting);
 	}
 
-	// Mark as checked.  Because this is called from the grace-period
-	// kthread, also remove the task from the holdout list.
+	// Mark as checked. Because this is called from the grace-period kthread.
 	t->trc_reader_checked = true;
-	trc_del_holdout(t);
 
 	if (in_qs)
 		return true;  // Already in quiescent state, done!!!
@@ -938,7 +936,6 @@ static void trc_wait_for_one_reader(struct task_struct *t,
 	// The current task had better be in a quiescent state.
 	if (t == current) {
 		t->trc_reader_checked = true;
-		trc_del_holdout(t);
 		WARN_ON_ONCE(t->trc_reader_nesting);
 		return;
 	}
-- 
2.27.0