[PATCH 6.1.y] rcu/nocb: Fix possible invalid rdp's->nocb_cb_kthread pointer access

Tue, 03 Mar 2026 18:50:08 -0800 

From: Zqiang <[email protected]>

[ Upstream commit 1bba3900ca18bdae28d1b9fa10f16a8f8cb2ada1 ]

In the preparation stage of CPU online, if the corresponding
the rdp's->nocb_cb_kthread does not exist, will be created,
there is a situation where the rdp's rcuop kthreads creation fails,
and then de-offload this CPU's rdp, does not assign this CPU's
rdp->nocb_cb_kthread pointer, but this rdp's->nocb_gp_rdp and
rdp's->rdp_gp->nocb_gp_kthread is still valid.

This will cause the subsequent re-offload operation of this offline
CPU, which will pass the conditional check and the kthread_unpark()
will access invalid rdp's->nocb_cb_kthread pointer.

This commit therefore use rdp's->nocb_gp_kthread instead of
rdp_gp's->nocb_gp_kthread for safety check.

Signed-off-by: Zqiang <[email protected]>
Reviewed-by: Frederic Weisbecker <[email protected]>
Signed-off-by: Neeraj Upadhyay (AMD) <[email protected]>
[ Minor conflict resolved. ]
Signed-off-by: Jianqiang kang <[email protected]>
---
 kernel/rcu/tree_nocb.h | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/kernel/rcu/tree_nocb.h b/kernel/rcu/tree_nocb.h
index 7c28d154b094..2f501de7bec9 100644
--- a/kernel/rcu/tree_nocb.h
+++ b/kernel/rcu/tree_nocb.h
@@ -1112,7 +1112,6 @@ static long rcu_nocb_rdp_offload(void *arg)
        struct rcu_segcblist *cblist = &rdp->cblist;
        unsigned long flags;
        int wake_gp;
-       struct rcu_data *rdp_gp = rdp->nocb_gp_rdp;
 
        WARN_ON_ONCE(rdp->cpu != raw_smp_processor_id());
        /*
@@ -1122,7 +1121,7 @@ static long rcu_nocb_rdp_offload(void *arg)
        if (!rdp->nocb_gp_rdp)
                return -EINVAL;
 
-       if (WARN_ON_ONCE(!rdp_gp->nocb_gp_kthread))
+       if (WARN_ON_ONCE(!rdp->nocb_gp_kthread))
                return -EINVAL;
 
        pr_info("Offloading %d\n", rdp->cpu);
@@ -1151,7 +1150,7 @@ static long rcu_nocb_rdp_offload(void *arg)
         */
        wake_gp = rdp_offload_toggle(rdp, true, flags);
        if (wake_gp)
-               wake_up_process(rdp_gp->nocb_gp_kthread);
+               wake_up_process(rdp->nocb_gp_kthread);
        swait_event_exclusive(rdp->nocb_state_wq,
                              rcu_segcblist_test_flags(cblist, 
SEGCBLIST_KTHREAD_CB) &&
                              rcu_segcblist_test_flags(cblist, 
SEGCBLIST_KTHREAD_GP));
-- 
2.34.1

Reply via email to