On 2026-05-08 14:02:45 [+0000], Alice Ryhl wrote:
> The sched/task.h header file currently exposes a tryget_task_struct()
> function, but it is very risky to use it: If the last refcount of the
> task is dropped using put_task_struct_many(), then the task is freed
> right away without an RCU grace period.
> 
> This means that if the kernel contains a code path anywhere such that
> the last refcount of a task may be dropped with put_task_struct_many(),
> and it also contains a code path anywhere that tries to stash a task
> pointer under rcu and use tryget_task_struct() on it, then if they ever
> execute on the same 'struct task_struct', it results in a
> use-after-free.

If the counter dropped to 0 then tryget_task_struct() won't increment
it. There is also task_struct::rcu_users, which holds one `usage' on it,
and this is the RCU grace period we care about.

The only reason why there is an RCU free here is because of RT, and it was
limited to RT only. Then a PI case came up (on RT again) and I asked
repeatedly to have it unconditional on RT and !RT, which then did
happen.

I don't think I would mind aligning the two code paths, but not as a
"this might be UAF if" but to do the same "thing". The important RCU
grace period happens via put_task_struct_rcu_user().

Sebastian
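A userspace model of the refcount interplay Sebastian describes, added here as an example; it is not code from this thread or from the kernel, and the struct layout, function names and initial counter values are the model's own simplifications. It shows that a tryget on a counter that already reached 0 fails, and that the `usage' held by rcu_users keeps the task alive until the (simulated) grace period ends.

```c
#include <stdatomic.h>
#include <stdbool.h>
/* Assumed model, not kernel code: 'usage' is the count tryget_task_struct()
 * takes; 'rcu_users' holds one 'usage' and drops it only after a grace period. */
struct task {
    atomic_int usage, rcu_users;
    bool rcu_pending, freed;  /* call_rcu() callback queued / free_task() ran */
};
/* refcount_inc_not_zero(): never revive a counter that already reached 0 */
static bool tryget_task(struct task *t)
{
    int old = atomic_load(&t->usage);
    while (old != 0)
        if (atomic_compare_exchange_weak(&t->usage, &old, old + 1))
            return true;
    return false;
}
/* put_task_struct(): the last 'usage' frees immediately, no grace period */
static void put_task(struct task *t)
{
    if (atomic_fetch_sub(&t->usage, 1) == 1)
        t->freed = true;
}
/* put_task_struct_rcu_user(): the last 'rcu_users' only queues the usage drop */
static void put_task_rcu_user(struct task *t)
{
    if (atomic_fetch_sub(&t->rcu_users, 1) == 1)
        t->rcu_pending = true;
}
/* Reader found the task under RCU and takes a ref while the last rcu user is
 * releasing it: the get succeeds, and the free waits for the grace period. */
static bool reader_gets_task_before_grace_period(void)
{
    struct task tk = { .usage = 2, .rcu_users = 1 }, *t = &tk; /* creator + rcu_users */
    put_task(t);                  /* creator drops its own usage; one left */
    put_task_rcu_user(t);         /* last rcu user gone; usage drop deferred */
    bool got = tryget_task(t);    /* usage is still 1, so this succeeds */
    bool freed_early = t->freed;  /* must stay false until the grace period */
    if (got) put_task(t);
    if (t->rcu_pending) put_task(t); /* grace period ends: delayed_put_task_struct() */
    return got && !freed_early && t->freed;
}
/* The counter already hit 0 (e.g. a direct put of the last usage): no revive */
static bool tryget_after_last_put_fails(void)
{
    struct task tk = { .usage = 1, .rcu_users = 0 }, *t = &tk;
    put_task(t);                  /* immediate free, nothing waits for RCU */
    return t->freed && !tryget_task(t) && atomic_load(&t->usage) == 0;
}
```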