From: John Stultz Date: Tue, 24 Mar 2026 19:13:20 +0000 (+0000) Subject: sched: Fix modifying donor->blocked on without proper locking X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=56f4b24267a643b0b9ab73f09feaaabfee5a37ae;p=thirdparty%2Fkernel%2Flinux.git sched: Fix modifying donor->blocked on without proper locking Introduce an action enum in find_proxy_task() which allows us to handle work needed to be done outside the mutex.wait_lock and task.blocked_lock guard scopes. This ensures proper locking when we clear the donor's blocked_on pointer in proxy_deactivate(), and the switch statement will be useful as we add more cases to handle later in this series. Signed-off-by: John Stultz Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: K Prateek Nayak Link: https://patch.msgid.link/20260324191337.1841376-6-jstultz@google.com --- diff --git a/kernel/sched/core.c b/kernel/sched/core.c index 1913dbc68eb98..bf4338f71667f 100644 --- a/kernel/sched/core.c +++ b/kernel/sched/core.c @@ -6568,7 +6568,7 @@ static struct task_struct *proxy_deactivate(struct rq *rq, struct task_struct *d * as unblocked, as we aren't doing proxy-migrations * yet (more logic will be needed then). */ - donor->blocked_on = NULL; + clear_task_blocked_on(donor, NULL); } return NULL; } @@ -6592,6 +6592,7 @@ static struct task_struct *proxy_deactivate(struct rq *rq, struct task_struct *d static struct task_struct * find_proxy_task(struct rq *rq, struct task_struct *donor, struct rq_flags *rf) { + enum { FOUND, DEACTIVATE_DONOR } action = FOUND; struct task_struct *owner = NULL; int this_cpu = cpu_of(rq); struct task_struct *p; @@ -6625,12 +6626,14 @@ find_proxy_task(struct rq *rq, struct task_struct *donor, struct rq_flags *rf) if (!READ_ONCE(owner->on_rq) || owner->se.sched_delayed) { /* XXX Don't handle blocked owners/delayed dequeue yet */ - return proxy_deactivate(rq, donor); + action = DEACTIVATE_DONOR; + break; } if (task_cpu(owner) != this_cpu) { /* XXX Don't handle migrations yet */ - return proxy_deactivate(rq, donor); + action = DEACTIVATE_DONOR; + break; } if (task_on_rq_migrating(owner)) { @@ -6688,6 +6691,13 @@ find_proxy_task(struct rq *rq, struct task_struct *donor, struct rq_flags *rf) */ } + /* Handle actions we need to do outside of the guard() scope */ + switch (action) { + case DEACTIVATE_DONOR: + return proxy_deactivate(rq, donor); + case FOUND: + /* fallthrough */; + } WARN_ON_ONCE(owner && !owner->on_rq); return owner; }