From: Tejun Heo <tj@kernel.org>
To: zhidao su <soolaugust@gmail.com>
Cc: sched-ext@lists.linux.dev, linux-kernel@vger.kernel.org,
void@manifault.com, arighi@nvidia.com, changwoo@igalia.com,
peterz@infradead.org, mingo@redhat.com,
zhidao su <suzhidao@xiaomi.com>
Subject: Re: [PATCH 1/3] sched_ext: fix NULL deref in bpf_scx_unreg() due to ops->priv race
Date: Wed, 25 Mar 2026 16:45:10 -1000 [thread overview]
Message-ID: <acSdtkMeCWBVuIOg@slm.duckdns.org> (raw)
In-Reply-To: <20260326022827.3826287-1-suzhidao@xiaomi.com>
On Thu, Mar 26, 2026 at 10:28:25AM +0800, zhidao su wrote:
> The reload_loop selftest triggers a KASAN null-ptr-deref at
> scx_claim_exit+0x83 when two threads concurrently attach and
> destroy BPF schedulers using the same ops map.
>
> The race occurs between bpf_scx_unreg() and a concurrent reg():
>
> 1. Thread A's bpf_scx_unreg() calls scx_disable() then
> kthread_flush_work(), which blocks until disable completes
> and transitions state back to SCX_DISABLED.
>
> 2. With state SCX_DISABLED, a concurrent reg() allocates a
> new sch_B and sets ops->priv = sch_B under scx_enable_mutex.
>
> 3. Thread A's bpf_scx_unreg() then executes
> RCU_INIT_POINTER(ops->priv, NULL), overwriting sch_B.
>
> 4. When Thread B's link is destroyed, bpf_scx_unreg() reads
> ops->priv == NULL and passes it to scx_disable(), which
> calls scx_claim_exit(NULL), crashing at NULL+0x310.
>
> Fix by adding a NULL guard for the case where ops->priv was
> never set, and by acquiring scx_enable_mutex before clearing
> ops->priv so that the check-and-clear is atomic with respect
> to reg() which also sets ops->priv under scx_enable_mutex.
Can you reproduce this? How do you trigger enable on the same ops that has
already been enabled?
Thanks.
--
tejun
next prev parent reply other threads:[~2026-03-26 2:45 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-26 2:28 [PATCH 1/3] sched_ext: fix NULL deref in bpf_scx_unreg() due to ops->priv race zhidao su
2026-03-26 2:28 ` [PATCH 2/3] selftests/sched_ext: Fix dsq_reenq test reliability zhidao su
2026-03-26 2:28 ` [PATCH 3/3] selftests/sched_ext: Fix consume_immed " zhidao su
2026-03-26 7:06 ` Andrea Righi
2026-03-26 2:45 ` Tejun Heo [this message]
2026-03-26 5:13 ` [PATCH 1/3] sched_ext: fix NULL deref in bpf_scx_unreg() due to ops->priv race zhidao su
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=acSdtkMeCWBVuIOg@slm.duckdns.org \
--to=tj@kernel.org \
--cc=arighi@nvidia.com \
--cc=changwoo@igalia.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=peterz@infradead.org \
--cc=sched-ext@lists.linux.dev \
--cc=soolaugust@gmail.com \
--cc=suzhidao@xiaomi.com \
--cc=void@manifault.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.