On Fri, May 08, 2026 at 10:01:57PM +0200, Sebastian Andrzej Siewior wrote:
> On 2026-05-08 14:02:45 [+0000], Alice Ryhl wrote:
> > The sched/task.h header file currently exposes a tryget_task_struct()
> > function, but it is very risky to use it: If the last refcount of the
> > task is dropped using put_task_struct_many(), then the task is freed
> > right away without an RCU grace period.
> > 
> > This means that if the kernel contains a code path anywhere such that
> > the last refcount of a task may be dropped with put_task_struct_many(),
> > and it also contains a code path anywhere that tries to stash a task
> > pointer under rcu and use tryget_task_struct() on it, then if they ever
> > execute on the same 'struct task_struct', it results in a
> > use-after-free.
> 
> If the counter dropped to 0 then tryget_task_struct() won't increment
> it.

Yes. If the 'struct task_struct' hasn't been freed yet. What is the
scenario where it might be zero, but you are certain it is not yet
freed? If not rcu, then I guess this applies only to those cases where
__put_task_struct() itself removes the task from the relevant collection
when 'users' hits zero.

If tryget_task_struct() can only safely be used in that scenario, then I
think that's worth at least a comment in the header file, because at
first glance it's a surprising limitation.

> There is also task_struct::rcu_users which holds one `usage' on it
> and this RCU grace period we care about.

Sure, but I guess my question is: why does tryget_task_struct() exist?
The 'rcu_users' field is not the reason because 'usage' can't be zero
when using that field.

Alice

> The only reason why there is a RCU free here is because of RT and it was
> limited to RT only. Then a PI case came up (on RT again) I asked
> repeatedly to have it unconditional on RT and !RT. Which then did
> happen.
> 
> I don't think I would mind to align the two code paths but not as a
> "this might be UAF if" but to do the same "thing". The important RCU
> grace period happens via put_task_struct_rcu_user().
> 
> Sebastian