From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, "Xu, Yanfei", "Paul E. McKenney", Sasha Levin
Subject: [PATCH 5.13 08/22] rcu-tasks: Dont delete holdouts within trc_inspect_reader()
Date: Thu, 29 Jul 2021 15:54:39 +0200
Message-Id: <20210729135137.603219354@linuxfoundation.org>
In-Reply-To: <20210729135137.336097792@linuxfoundation.org>
References: <20210729135137.336097792@linuxfoundation.org>

From: Paul E. McKenney

[ Upstream commit 1d10bf55d85d34eb73dd8263635f43fd72135d2d ]

As Yanfei pointed out, although invoking trc_del_holdout() is safe from the viewpoint of the integrity of the holdout list itself, the put_task_struct() invoked by trc_del_holdout() can result in use-after-free errors due to later accesses to this task_struct structure by the RCU Tasks Trace grace-period kthread.

This commit therefore removes this call to trc_del_holdout() from trc_inspect_reader() in favor of the grace-period thread's existing call to trc_del_holdout(), thus eliminating that particular class of use-after-free errors.

Reported-by: "Xu, Yanfei"
Signed-off-by: Paul E. McKenney
Signed-off-by: Sasha Levin
---
 kernel/rcu/tasks.h | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/kernel/rcu/tasks.h b/kernel/rcu/tasks.h
index 350ebf5051f9..71e9d625371a 100644
--- a/kernel/rcu/tasks.h
+++ b/kernel/rcu/tasks.h
@@ -908,10 +908,9 @@ static bool trc_inspect_reader(struct task_struct *t, void *arg) in_qs = likely(!t->trc_reader_nesting); } - // Mark as checked. Because this is called from the grace-period - // kthread, also remove the task from the holdout list. + // Mark as checked so that the grace-period kthread will + // remove it from the holdout list. t->trc_reader_checked = true; - trc_del_holdout(t); if (in_qs) return true; // Already in quiescent state, done!!! -- 2.30.2
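
Review bot: The replacement comment above `t->trc_reader_checked = true;` says who removes the task from the holdout list but not why it must not happen here, which leaves the removed `trc_del_holdout(t);` looking like a harmless shortcut that a later cleanup could restore. The commit message has the reason: trc_del_holdout() calls put_task_struct(), and the grace-period kthread still accesses this task_struct afterwards. Consider carrying one line of that into the comment, for example that the holdout list's reference must be kept until the grace-period kthread is finished with the task. Since the `if (in_qs) return true;` path now returns with the task still on the list, it would also help to name the caller-side function that performs the removal, because that call site is not visible in this hunk.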