From: Andrea Righi <arighi@nvidia.com>
To: Tejun Heo <tj@kernel.org>
Cc: Cheng-Yang Chou <yphbchou0911@gmail.com>,
	sched-ext@lists.linux.dev, David Vernet <void@manifault.com>,
	Changwoo Min <changwoo@igalia.com>,
	Ching-Chun Huang <jserv@ccns.ncku.edu.tw>,
	Chia-Ping Tsai <chia7712@gmail.com>,
	stable@vger.kernel.org
Subject: Re: [PATCH] sched_ext: Prevent RB-tree corruption in scx_bpf_task_set_dsq_vtime()
Date: Thu, 16 Apr 2026 20:00:30 +0200
Message-ID: <aeEjvvOdQBNPdHA4@gpd4>
In-Reply-To: <aeEi0X4Fn70bUgva@slm.duckdns.org>

On Thu, Apr 16, 2026 at 07:56:33AM -1000, Tejun Heo wrote:
> On Thu, Apr 16, 2026 at 03:32:44AM +0800, Cheng-Yang Chou wrote:
> > scx_bpf_task_set_dsq_vtime() allows modifying a task's dsq_vtime without
> > checking if it is already enqueued on SCX_DSQ_PRIQ. Since dsq_vtime is
> > the rb-tree sorting key, mutating it in-place violates the BST invariant
> > and corrupts the tree structure.
> > 
> > In ops.dispatch():
> > 	p = scx_bpf_dsq_peek(PRIO_DSQ); // Get a task already in the DSQ
> > 	if (p) {
> > 		// This illegally returns %true
> > 		scx_bpf_task_set_dsq_vtime(p, 0xFFFFFFFFFFFFFFFF);
> > 	}
> > 
> > Fix this by adding a check for the SCX_TASK_DSQ_ON_PRIQ flag. Disallow
> > vtime modification and trigger scx_error() if the task is already queued
> > on a priority DSQ.
> 
> If the user updates the vtime after inserting, the tree looks wrong but it
> won't cause crashes or anything. Later insertions might get confused in
> terms of ordering but it's a rather obvious user-shotting-their-own-foot, so
> I'm more inclined to leave it as-is.

I agree. This looks like intentionally breaking the tree. If users do so, they
can keep the pieces. :)

Thanks,
-Andrea
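
An added illustration of the behaviour discussed in this thread (not code from the thread or from the kernel): a plain unbalanced BST stands in for the vtime-ordered DSQ, and every name in it is hypothetical. It changes a queued node's key in place, then checks that all nodes remain linked while the in-order sequence is no longer sorted and the leftmost node carries the largest key.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-in for a vtime-ordered DSQ: a plain unbalanced BST, not
 * the kernel rb-tree. All names below are hypothetical. */
struct node { uint64_t vtime; struct node *left, *right; };

/* Insert by descending on the key, as an ordered-tree insert does. */
static void insert(struct node **link, struct node *n)
{
	while (*link)
		link = n->vtime < (*link)->vtime ? &(*link)->left : &(*link)->right;
	*link = n;
}

/* In-order walk: returns node count, clears *sorted if a key decreases. */
static size_t walk(const struct node *n, const struct node **prev, int *sorted)
{
	if (!n)
		return 0;
	size_t cnt = walk(n->left, prev, sorted);
	if (*prev && (*prev)->vtime > n->vtime)
		*sorted = 0;
	*prev = n;
	return cnt + 1 + walk(n->right, prev, sorted);
}

/* Queue {20,10,30}, rewrite queued key 10 in place, insert 15; 1 = sorted. */
static int demo(size_t *count, uint64_t *head_vtime)
{
	struct node a = { .vtime = 20 }, b = { .vtime = 10 }, c = { .vtime = 30 };
	struct node d = { .vtime = 15 }, *root = NULL;
	const struct node *prev = NULL, *head;
	int sorted = 1;
	insert(&root, &a); insert(&root, &b); insert(&root, &c);
	b.vtime = UINT64_MAX;		/* key changed while still linked */
	for (head = root; head->left; head = head->left)
		;			/* leftmost = next to be consumed */
	*head_vtime = head->vtime;
	insert(&root, &d);		/* placed relative to the stale position */
	*count = walk(root, &prev, &sorted);
	return sorted;
}

int main(void)
{
	size_t n; uint64_t h; int ok = demo(&n, &h);
	return printf("nodes=%zu head=%llu sorted=%d\n", n, (unsigned long long)h, ok) < 0;
}
```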
