[PATCH] cgroup: Use READ_ONCE() for task->flags in task_css_set_check()

From: Guopeng Zhang

Date: Mon Jun 22 2026 - 22:30:25 EST


From: Guopeng Zhang <zhangguopeng@xxxxxxxxxx>

task_css_set_check() uses rcu_dereference_check() to verify that
task->cgroups can be dereferenced. One accepted condition is that the
task is already exiting, tested by checking PF_EXITING in task->flags.

This is a lockless snapshot used only for the CONFIG_PROVE_RCU debug
predicate. This was found by KCSAN during fuzz testing. KCSAN can report
a data race when another task flag bit is updated concurrently. One report
shows pids_release() reading task->flags through task_css_set_check() while
do_task_dead() sets PF_NOFREEZE:

KCSAN: data-race in task_css() [inline]
KCSAN: data-race in pids_release()

task_css()
pids_release()
cgroup_release()
release_task()
wait_task_zombie()

value changed: 0x0040004c -> 0x0040804c

The changed bit is PF_NOFREEZE, not PF_EXITING. PF_EXITING remains set
before and after the update, so the task_css_set_check() condition does
not change. This is not a race on task->cgroups and does not indicate
incorrect pids charging or uncharging.

Use READ_ONCE() to document the intended lockless snapshot of task->flags.

No functional change intended.

Signed-off-by: Guopeng Zhang <zhangguopeng@xxxxxxxxxx>
---
include/linux/cgroup.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/linux/cgroup.h b/include/linux/cgroup.h
index f2aa46a4f871..8afc4ec7f7a1 100644
--- a/include/linux/cgroup.h
+++ b/include/linux/cgroup.h
@@ -480,7 +480,7 @@ static inline void cgroup_unlock(void)
rcu_read_lock_sched_held() || \
lockdep_is_held(&cgroup_mutex) || \
lockdep_is_held(&css_set_lock) || \
- ((task)->flags & PF_EXITING) || (__c))
+ (READ_ONCE((task)->flags) & PF_EXITING) || (__c))
#else
#define task_css_set_check(task, __c) \
rcu_dereference((task)->cgroups)
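Review bot: marking only the read side will not necessarily make the KCSAN report go away, and the annotation may not be the right one: the writer named in the commit message (do_task_dead() setting PF_NOFREEZE) is not touched by this hunk, so the conflicting access stays a plain read-modify-write of task->flags. Since the commit message itself says the value is only used for a CONFIG_PROVE_RCU debug predicate and that a concurrent change to another bit is harmless, data_race() (which states "this race is intentional and the exact value does not matter") describes the intent more precisely than READ_ONCE(), which tells readers the loaded value is relied upon, e.g. `(data_race((task)->flags) & PF_EXITING) || (__c))`. Whichever is chosen, the commit message should say whether the KCSAN report was re-tested with the patch applied, and a one-line comment above the macro noting why the snapshot is lockless would save the next reader the same investigation.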
--
2.25.1
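A user-space model of the argument in the commit message, added here as an example; it is not part of the patch or of the kernel. It assumes PF_EXITING and PF_NOFREEZE carry their values from include/linux/sched.h (0x4 and 0x8000), models READ_ONCE() as a volatile load, stands in for task->flags with a plain unsigned int, and has the writer thread use an atomic OR/AND where do_task_dead() uses a plain `|=` (the plain access is what KCSAN flagged). The two snapshot words are the ones quoted in the report; the helper decodes which bit changed between them, and the threaded model takes repeated lockless snapshots while another thread toggles PF_NOFREEZE, confirming that the PF_EXITING predicate never flips.

```c
/*
 * Added example, not part of the patch or the kernel: a user-space model of
 * the lockless task->flags snapshot taken by task_css_set_check().
 * Assumptions: flag values from include/linux/sched.h; READ_ONCE modelled
 * as a volatile load; writer uses atomic RMW (kernel uses plain |=).
 */
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>

#define PF_EXITING   0x00000004u   /* value from include/linux/sched.h */
#define PF_NOFREEZE  0x00008000u   /* value from include/linux/sched.h */
#define READ_ONCE(x) (*(const volatile __typeof__(x) *)&(x))

/* Bits that differ between two snapshots, i.e. KCSAN's "value changed" line. */
static unsigned int changed_bits(unsigned int before, unsigned int after)
{
    return before ^ after;
}

/* The debug predicate: does this lockless snapshot say the task is exiting? */
static bool exiting_in_snapshot(unsigned int *flags)
{
    return (READ_ONCE(*flags) & PF_EXITING) != 0;
}

/* Same predicate applied to a flags word passed by value (report decoding). */
static bool exiting_in_word(unsigned int word)
{
    return exiting_in_snapshot(&word);
}

struct race_model {
    unsigned int flags;     /* stands in for task->flags */
    volatile int stop;
};

/* Writer: toggles PF_NOFREEZE only, never PF_EXITING (the do_task_dead() role). */
static void *writer(void *arg)
{
    struct race_model *m = arg;
    while (!m->stop) {
        __atomic_fetch_or(&m->flags, PF_NOFREEZE, __ATOMIC_RELAXED);
        __atomic_fetch_and(&m->flags, ~PF_NOFREEZE, __ATOMIC_RELAXED);
    }
    return NULL;
}

/*
 * Reader: takes `iters` lockless snapshots while the writer runs and counts
 * those in which the PF_EXITING predicate would have failed. For a task that
 * already has PF_EXITING set this must be 0, which is the commit's point.
 * Returns (unsigned long)-1 if the writer thread could not be started.
 */
static unsigned long predicate_failures(unsigned long iters)
{
    struct race_model m = { .flags = 0x0040004cu, .stop = 0 };
    pthread_t t;
    unsigned long failures = 0;

    if (pthread_create(&t, NULL, writer, &m) != 0)
        return (unsigned long)-1;
    for (unsigned long i = 0; i < iters; i++)
        if (!exiting_in_snapshot(&m.flags))
            failures++;
    m.stop = 1;
    pthread_join(t, NULL);
    return failures;
}

int main(void)
{
    unsigned int before = 0x0040004cu, after = 0x0040804cu;   /* from the report */

    printf("changed bits: 0x%08x (PF_NOFREEZE is 0x%08x)\n",
           changed_bits(before, after), PF_NOFREEZE);
    printf("PF_EXITING set before=%d after=%d\n",
           exiting_in_word(before), exiting_in_word(after));
    printf("predicate failures under a concurrent writer: %lu\n",
           predicate_failures(1000000UL));
    return 0;
}
```

The XOR decode is the quick check to do on any KCSAN "value changed" line before deciding a report matters: if the differing bits do not include the one the predicate tests, the race cannot change the predicate's outcome, which is exactly the reasoning the commit message applies to PF_NOFREEZE versus PF_EXITING.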