[Devel] [PATCH vz9 1/2] sched/fair: fix use-after-free in CFS CPULIMIT active_timer on task group teardown

[Konstantin Khorenko]

On 3/18/26 10:49, Pavel Tikhomirov wrote:
...
>>
>> 2. Move the atomic_dec(&cfs_rq->tg->nr_cpus_active) inside the rq lock
>>     in sched_cfs_active_timer(). In the original code the callback
>>     releases the rq lock before executing atomic_dec, creating a window
>>     where the teardown path can run between the unlock and the
>>     atomic_dec:
>>
>>       CPU B (timer callback)              CPU A (teardown)
>>       ──────────────────────              ────────────────
>>       sched_cfs_active_timer()
>>         raw_spin_rq_lock()
>>         cfs_rq->active = ...
>>         raw_spin_rq_unlock()
>>         ← lock released, atomic_dec
>>           not yet executed
>>                                           unregister_fair_sched_group()
>>                                             raw_spin_rq_lock()
>>                                             list_del_leaf_cfs_rq()
> 
> This explanation and stack seem incorrect. As we already add hrtimer_cancel(&tg->cfs_rq[cpu]->active_timer); (in first part of the fix) before list_del_leaf_cfs_rq(), which will already wait for (timer callback) sched_cfs_active_timer() to finish before continuing to free tg.
> 
> So the second part of the fix is excess.

Pasha, thank you very much for the review!