hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IDB5TR ----------------------------------------- The xsched_group_xse_detach() function in delete_ctx can race with xsched_group_xse_attach() in xcu_move_task, potentially corrupting the xg->members linked list due to concurrent modifications. Race scenario: CPU0 CPU1 mutex_lock(xcu_lock) dequeue_ctx mutex_unlock(xcu_lock) mutex_lock(xcu_lock) dequeue_ctx xse_detach xse_attach enqueue_ctx mutex_unlock(xcu_lock) Without proper synchronization, xse_detach() and xse_attach() can concurrently manipulate xg->members, leading to linked list corruption. Fix: 1. Move xsched_group_xse_detach() inside the xcu_lock critical section to serialize access with xsched_group_xse_attach() 2. Update nr_ctx counter after list_del(&ctx->ctx_node) for better semantic alignment and consistency This ensures atomic operations on group membership lists and prevents data structure corruption under concurrent access patterns. Fixes: 43bbefc53356 ("xsched: Add XCU control group implementation and its backend in xsched CFS") Signed-off-by: Liu Kai <liukai284@huawei.com> --- kernel/xsched/core.c | 7 +++---- kernel/xsched/vstream.c | 1 + 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/kernel/xsched/core.c b/kernel/xsched/core.c index 5e6c5eec2dc9..1bf7a93985bb 100644 --- a/kernel/xsched/core.c +++ b/kernel/xsched/core.c @@ -174,15 +174,14 @@ int delete_ctx(struct xsched_context *ctx) if (curr_xse == xse) xcu->xrq.curr_xse = NULL; dequeue_ctx(xse, xcu); - --xcu->nr_ctx; - mutex_unlock(&xcu->xcu_lock); - - xse->class->xse_deinit(xse); #ifdef CONFIG_CGROUP_XCU xsched_group_xse_detach(xse); #endif + mutex_unlock(&xcu->xcu_lock); + + xse->class->xse_deinit(xse); return 0; } diff --git a/kernel/xsched/vstream.c b/kernel/xsched/vstream.c index ebde50cbb8c6..bf2f8c6b5c6c 100644 --- a/kernel/xsched/vstream.c +++ b/kernel/xsched/vstream.c 
@@ -87,6 +87,7 @@ static void xsched_task_free(struct kref *kref) delete_ctx(ctx); list_del(&ctx->ctx_node); + --xcu->nr_ctx; mutex_unlock(&xcu->ctx_list_lock); mutex_lock(&xcu->xcu_lock); -- 2.34.1
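Review bot: In the kernel/xsched/core.c hunk for delete_ctx(), removing `--xcu->nr_ctx;` changes which lock protects the counter: it was decremented under xcu_lock here and is now decremented under ctx_list_lock in the caller (xsched_task_free). That is only safe if every other writer and reader of nr_ctx also uses ctx_list_lock; please confirm the increment paired with the ctx_node list_add sits under the same lock, otherwise this patch trades one race for another. Moving xsched_group_xse_detach() inside the xcu_lock critical section matches the ordering described for xcu_move_task (xcu_lock taken first, then xse_attach), so lock order is consistent as far as the visible lines show; it would help to state in the commit message that xsched_group_xse_detach() takes no lock that is acquired before xcu_lock anywhere else, since that is the remaining inversion risk. Calling `xse->class->xse_deinit(xse);` after mutex_unlock is unchanged and fine.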
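Review bot: In the kernel/xsched/vstream.c hunk for xsched_task_free(), the new `--xcu->nr_ctx;` is unconditional, whereas the old decrement lived inside delete_ctx() after dequeue_ctx(). The return value of `delete_ctx(ctx);` is ignored here, so if delete_ctx() has any early-return path that previously skipped the decrement, the counter will now drift low on that path; either check the return value before decrementing or note in the commit message why every path through delete_ctx() is expected to reach the dequeue. Placing the decrement directly after `list_del(&ctx->ctx_node);` under ctx_list_lock is otherwise the right spot, as the counter and the list it counts are then updated under one lock.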