Re: [PATCH 6/6] sched_ext: Handle SCX_TASK_NONE in disable/switched_from paths

Sched_ext development
 help / color / mirror / Atom feed

From: sashiko-bot@kernel.org
To: "Tejun Heo" <tj@kernel.org>
Cc: sched-ext@lists.linux.dev
Subject: Re: [PATCH 6/6] sched_ext: Handle SCX_TASK_NONE in disable/switched_from paths
Date: Mon, 11 May 2026 23:55:21 +0000	[thread overview]
Message-ID: <20260511235521.D8B19C2BCB0@smtp.kernel.org> (raw)
In-Reply-To: <20260510074113.2049514-7-tj@kernel.org>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Critical] The newly added early return in `scx_disable_and_exit_task()` skips clearing the `p->scx.sched` pointer for tasks in the `SCX_TASK_NONE` state, creating a deterministic Use-After-Free (UAF) vulnerability.
--

commit edcdc86f04b3e413339b79eef811a59560178144
Author: Tejun Heo <tj@kernel.org>

sched_ext: Handle SCX_TASK_NONE in disable/switched_from paths

This commit adds early returns for tasks in the SCX_TASK_NONE state
during scx_disable_and_exit_task() and switched_from_scx(). It prevents
writing state=READY on already detached tasks and clobbering the parent
scheduler left by scx_fail_parent().

> diff --git a/kernel/sched/ext.c b/kernel/sched/ext.c
> index 08e7dad437b32..eba25eb4e0543 100644
> --- a/kernel/sched/ext.c
> +++ b/kernel/sched/ext.c
> @@ -3704,6 +3704,15 @@ static void scx_sub_init_cancel_task(struct scx_sched *sch, struct task_struct *
>  static void scx_disable_and_exit_task(struct scx_sched *sch,
>  				      struct task_struct *p)
>  {
> +	/*
> +	 * %NONE means @p is already detached at the SCX level (e.g. handed
> +	 * back to the parent by scx_fail_parent() with no init to undo).
> +	 * Skip to avoid clobbering scx_task_sched() and writing %NONE again
> +	 * on a state that's already %NONE.
> +	 */
> +	if (scx_get_task_state(p) == SCX_TASK_NONE)
> +		return;
> +

Does this early return leave a dangling pointer in p->scx.sched?

When scx_fail_parent() hands a task back to the parent scheduler, it
transitions the task to SCX_TASK_NONE and sets p->scx.sched = parent.

If the parent scheduler is subsequently torn down, it iterates over all
tasks to detach them. Because the state is SCX_TASK_NONE, this early return
bypasses the trailing scx_set_task_sched(p, NULL) cleanup step at the end of
this function.

The task is migrated back to CFS but retains a dangling p->scx.sched
pointer to the freed parent scheduler. If /proc/self/sched is read
afterward, print_scx_info() retrieves this pointer via
scx_task_sched_rcu(p) and dereferences it to print sch->ops.name, causing a
use-after-free read.

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260510074113.2049514-1-tj@kernel.org?part=6

next prev parent reply	other threads:[~2026-05-11 23:55 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-05-10  7:41 [PATCHSET sched_ext/for-7.1-fixes] sched_ext: Fix sched_ext_dead() races with task initialization Tejun Heo
2026-05-10  7:41 ` [PATCH 1/6] sched_ext: Cleanups in preparation for the SCX_TASK_INIT_BEGIN/DEAD work Tejun Heo
2026-05-10  7:41 ` [PATCH 2/6] sched_ext: Inline scx_init_task() and move RESET_RUNNABLE_AT into scx_set_task_state() Tejun Heo
2026-05-10 17:20   ` Andrea Righi
2026-05-10 20:04   ` [PATCH v2 " Tejun Heo
2026-05-11 21:40   ` [PATCH " sashiko-bot
2026-05-10  7:41 ` [PATCH 3/6] sched_ext: Replace SCX_TASK_OFF_TASKS flag with SCX_TASK_DEAD state Tejun Heo
2026-05-10  7:41 ` [PATCH 4/6] sched_ext: Close root-enable vs sched_ext_dead() race with SCX_TASK_INIT_BEGIN Tejun Heo
2026-05-10  7:41 ` [PATCH 5/6] sched_ext: Close sub-sched init race with post-init DEAD recheck Tejun Heo
2026-05-10  7:41 ` [PATCH 6/6] sched_ext: Handle SCX_TASK_NONE in disable/switched_from paths Tejun Heo
2026-05-11 23:55   ` sashiko-bot [this message]
2026-05-10 17:47 ` [PATCHSET sched_ext/for-7.1-fixes] sched_ext: Fix sched_ext_dead() races with task initialization Andrea Righi
2026-05-10 21:55 ` Tejun Heo

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260511235521.D8B19C2BCB0@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=sashiko@lists.linux.dev \
    --cc=sched-ext@lists.linux.dev \
    --cc=tj@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox