From: David Carlier
To: Tejun Heo, David Vernet
Cc: linux-kernel@vger.kernel.org, David Carlier
Subject: [PATCH 1/2] sched_ext: Use rcu_dereference() for scx_root in dump paths
Date: Thu, 26 Feb 2026 05:26:39 +0000
Message-ID: <20260226052640.7191-1-devnexen@gmail.com>

scx_dump_task() and scx_dump_state() read scx_root directly without rcu_dereference() or NULL check. If the BPF scheduler is torn down concurrently, scx_root can become NULL between the read and the dereference in SCX_HAS_OP(), causing a NULL pointer dereference.

Use rcu_dereference() to properly access scx_root under RCU protection and bail out early if it is NULL.

Signed-off-by: David Carlier
--- kernel/sched/ext.c | 28 ++++++++++++++++++++++++++-- 1 file changed, 26 insertions(+), 2 deletions(-) diff --git a/kernel/sched/ext.c b/kernel/sched/ext.c index 9280381f8923..eb539b671c49 100644 --- a/kernel/sched/ext.c +++ b/kernel/sched/ext.c @@ -4580,7 +4580,19 @@ static void scx_dump_task(struct seq_buf *s, struct scx_dump_ctx *dctx, struct task_struct *p, char marker) { static unsigned long bt[SCX_EXIT_BT_LEN]; - struct scx_sched *sch = scx_root; + struct scx_sched *sch; + + /* + * The BPF scheduler can be torn down concurrently + */ + rcu_read_lock(); + sch = rcu_dereference(scx_root); + if (!sch) { + rcu_read_unlock(); + return; + } + rcu_read_unlock(); + char dsq_id_buf[19] = "(n/a)"; unsigned long ops_state = atomic_long_read(&p->scx.ops_state); unsigned int bt_len = 0; 
@@ -4623,7 +4635,19 @@ static void scx_dump_state(struct scx_exit_info *ei, size_t dump_len) { static DEFINE_SPINLOCK(dump_lock); static const char trunc_marker[] = "\n\n~~~~ TRUNCATED ~~~~\n"; - struct scx_sched *sch = scx_root; + struct scx_sched *sch; + + /* + * The BPF scheduler can be torn down concurrently + */ + rcu_read_lock(); + sch = rcu_dereference(scx_root); + if (!sch) { + rcu_read_unlock(); + return; + } + rcu_read_unlock(); + struct scx_dump_ctx dctx = { .kind = ei->kind, .exit_code = ei->exit_code, -- 2.51.0
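
Review bot: in the scx_dump_task() hunk, `rcu_read_unlock();` runs immediately after the NULL check, so every later use of sch in the function happens outside the read-side critical section in which `sch = rcu_dereference(scx_root);` was fetched. The check only catches a scheduler that is already gone on entry; nothing visible in the hunk keeps the object sch points to alive once the lock is dropped, so a teardown that completes after the unlock still leaves the function working on a stale pointer. Either hold rcu_read_lock() until the last use of sch, or, if the callers already pin the scheduler for the duration of the dump, say so in the comment and drop the lock/unlock pair, since it then adds no protection. Separately, the new statements are placed above `char dsq_id_buf[19] = "(n/a)";`, which leaves declarations after executable code; declare sch with the other locals and do the lookup below them.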
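
Review bot: the scx_dump_state() hunk repeats the same early `rcu_read_unlock();` before sch is used, and here the block lands between the static locals and `struct scx_dump_ctx dctx = {`, so the dctx initializer now follows executable statements. The added `return;` also means no dump is produced at all when scx_root is NULL, and the comment ("The BPF scheduler can be torn down concurrently") does not say whether that silent skip is the intended outcome for an exit path that was asked to dump state. Since the lookup is identical in both functions, consider a small helper that documents the lifetime rule once, and keep the read-side section open across the uses of sch rather than closing it right after the check.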