trc_del_holdout() invokes put_task_struct() may cause the task_struct
is freed once the task is exsiting. If happened, we shouldn't access
the task_strcut, or it will triger a use-after-free. Hence we defer
the trc_del_holdout(), and do it in trc_wait_for_one_reader() after
checking t->trc_reader_checked.
Reported-by: syzbot+7b2b13f4943374609532@xxxxxxxxxxxxxxxxxxxxxxxxx
Signed-off-by: Yanfei Xu <yanfei.xu@xxxxxxxxxxxxx>
---
kernel/rcu/tasks.h | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/kernel/rcu/tasks.h b/kernel/rcu/tasks.h
index 350ebf5051f9..d8a4367eb501 100644
--- a/kernel/rcu/tasks.h
+++ b/kernel/rcu/tasks.h
@@ -908,10 +908,8 @@ static bool trc_inspect_reader(struct task_struct *t, void *arg)
in_qs = likely(!t->trc_reader_nesting);
}
- // Mark as checked. Because this is called from the grace-period
- // kthread, also remove the task from the holdout list.
+ // Mark as checked. Because this is called from the grace-period kthread.
t->trc_reader_checked = true;
- trc_del_holdout(t);
if (in_qs)
return true; // Already in quiescent state, done!!!
@@ -938,7 +936,6 @@ static void trc_wait_for_one_reader(struct task_struct *t,
// The current task had better be in a quiescent state.
if (t == current) {
t->trc_reader_checked = true;
- trc_del_holdout(t);
WARN_ON_ONCE(t->trc_reader_nesting);
return;
}
--
2.27.0
