public inbox for sched-ext@lists.linux.dev
* [PATCH sched_ext/for-7.1] sched_ext: Fix slab-out-of-bounds in scx_alloc_and_add_sched()
@ 2026-03-16 17:49 Cheng-Yang Chou
  2026-03-16 17:57 ` Tejun Heo
  0 siblings, 1 reply; 2+ messages in thread
From: Cheng-Yang Chou @ 2026-03-16 17:49 UTC (permalink / raw)
  To: sched-ext, Tejun Heo, David Vernet, Andrea Righi, Changwoo Min
  Cc: Ching-Chun Huang, Chia-Ping Tsai, yphbchou0911

ancestors[] is a flexible array member that needs level + 1 slots to
hold all ancestors including self (indices 0..level), but kzalloc_flex()
only allocates `level` slots:

  sch = kzalloc_flex(*sch, ancestors, level);
  ...
  sch->ancestors[level] = sch;  /* one past the end */

For the root scheduler (level = 0), zero slots are allocated and
ancestors[0] is written immediately past the end of the object.

KASAN reports:

  BUG: KASAN: slab-out-of-bounds in scx_alloc_and_add_sched+0x1c17/0x1d10
  Write of size 8 at addr ffff888066b56538 by task scx_enable_help/667

  The buggy address is located 0 bytes to the right of
   allocated 1336-byte region [ffff888066b56000, ffff888066b56538)

Fix by passing level + 1 to kzalloc_flex().

Tested with vng + scx_lavd, KASAN no longer triggers.

Fixes: ebeca1f930ea ("sched_ext: Introduce cgroup sub-sched support")
Signed-off-by: Cheng-Yang Chou <yphbchou0911@gmail.com>
---
 kernel/sched/ext.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/sched/ext.c b/kernel/sched/ext.c
index b942918fa364..ab8150b8de57 100644
--- a/kernel/sched/ext.c
+++ b/kernel/sched/ext.c
@@ -6365,7 +6365,7 @@ static struct scx_sched *scx_alloc_and_add_sched(struct sched_ext_ops *ops,
 	s32 level = parent ? parent->level + 1 : 0;
 	s32 node, cpu, ret, bypass_fail_cpu = nr_cpu_ids;
 
-	sch = kzalloc_flex(*sch, ancestors, level);
+	sch = kzalloc_flex(*sch, ancestors, level + 1);
 	if (!sch) {
 		ret = -ENOMEM;
 		goto err_put_cgrp;
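Review bot: the `level + 1` count at the kzalloc_flex() call carries no comment saying why it is one more than the depth, so a later cleanup could easily "simplify" it back to `level`. A short comment above the call noting that ancestors[] holds indices 0..level with self at ancestors[level] would document the invariant where it is enforced. Separately, `level` is an s32 computed as `parent->level + 1` and nothing in the visible context bounds it before it is used as the element count; it is worth confirming that nesting depth is capped elsewhere in scx_alloc_and_add_sched() or its callers.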
-- 
2.48.1
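
The sizing rule from the commit message (a node at depth `level` needs `level + 1` slots because it stores itself at `ancestors[level]`), as an added user-space example that is not part of the original patch or of the kernel source. The names `model_sched`, `model_sched_size`, `model_last_slot` and `model_sched_alloc` are hypothetical, and copying the parent's chain into slots 0..level-1 is an assumption made for the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical user-space model; not the kernel's struct scx_sched. */
struct model_sched {
	int level;                       /* 0 for the root */
	struct model_sched *ancestors[]; /* indices 0..level, self at [level] */
};

/* Bytes for a node at `level`: header plus level + 1 pointer slots.
 * Returns 0 for a negative level or if the size would overflow. */
size_t model_sched_size(int level)
{
	size_t max_slots = (SIZE_MAX - sizeof(struct model_sched)) /
			   sizeof(struct model_sched *);

	if (level < 0 || (size_t)level + 1 > max_slots)
		return 0;
	return sizeof(struct model_sched) +
	       ((size_t)level + 1) * sizeof(struct model_sched *);
}

/* Highest valid ancestors[] index in a `size`-byte object, -1 if none. */
long model_last_slot(size_t size)
{
	if (size < sizeof(struct model_sched))
		return -1;
	return (long)((size - sizeof(struct model_sched)) /
		      sizeof(struct model_sched *)) - 1;
}

struct model_sched *model_sched_alloc(struct model_sched *parent)
{
	int level = parent ? parent->level + 1 : 0;
	size_t size = model_sched_size(level);
	struct model_sched *sch = size ? calloc(1, size) : NULL;

	if (!sch)
		return NULL;
	sch->level = level;
	/* Assumption: a child inherits its parent's chain in slots 0..level-1. */
	for (int i = 0; i < level; i++)
		sch->ancestors[i] = parent->ancestors[i];
	sch->ancestors[level] = sch; /* in bounds only with level + 1 slots */
	return sch;
}
```

Passing the bare header size to `model_last_slot()` models the pre-fix root allocation: it reports no valid slot, which is why the write to `ancestors[0]` landed immediately past the object.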



* Re: [PATCH sched_ext/for-7.1] sched_ext: Fix slab-out-of-bounds in scx_alloc_and_add_sched()
  2026-03-16 17:49 [PATCH sched_ext/for-7.1] sched_ext: Fix slab-out-of-bounds in scx_alloc_and_add_sched() Cheng-Yang Chou
@ 2026-03-16 17:57 ` Tejun Heo
  0 siblings, 0 replies; 2+ messages in thread
From: Tejun Heo @ 2026-03-16 17:57 UTC (permalink / raw)
  To: Cheng-Yang Chou
  Cc: sched-ext, David Vernet, Andrea Righi, Changwoo Min,
	Ching-Chun Huang, Chia-Ping Tsai, Emil Tsalapatis, linux-kernel

Hello,

Applied to sched_ext/for-7.1.

Thanks.

--
tejun

