From: sashiko-bot@kernel.org
To: "Andrea Righi" <arighi@nvidia.com>
Cc: sched-ext@lists.linux.dev
Subject: Re: [PATCH sched_ext/for-7.1-fixes] sched_ext: Clear ops->priv on scx_alloc_and_add_sched() error paths
Date: Tue, 12 May 2026 01:26:43 +0000 [thread overview]
Message-ID: <20260512012644.1292AC2BCB0@smtp.kernel.org> (raw)
In-Reply-To: <20260511083130.3174880-1-arighi@nvidia.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Use-After-Free in error path due to synchronous free of an RCU-published scheduler object.
--
commit d7deeed41c3e10702cde2a93eca3d9b6aba8924d
Author: Andrea Righi <arighi@nvidia.com>
sched_ext: Clear ops->priv on scx_alloc_and_add_sched() error paths
This commit addresses an issue where a failed attach leaves a dangling pointer
in ops->priv, preventing future attach attempts. It adds code to clear the
pointer on the failure paths in scx_alloc_and_add_sched() so the data returns
to its pre-attach state.
> diff --git a/kernel/sched/ext.c b/kernel/sched/ext.c
> index 1d7f206941f0c..535bbb678cc5b 100644
> --- a/kernel/sched/ext.c
> +++ b/kernel/sched/ext.c
> @@ -6824,6 +6824,7 @@ static struct scx_sched *scx_alloc_and_add_sched(struct scx_enable_cmd *cmd,
> ret = kobject_init_and_add(&sch->kobj, &scx_ktype, NULL, "root");
>
> if (ret < 0) {
> + RCU_INIT_POINTER(ops->priv, NULL);
Could this lead to a use-after-free for concurrent RCU readers?
The scheduler object is published to lockless RCU readers earlier in the
function via rcu_assign_pointer(ops->priv, sch).
If an initialization step fails after that point, the pointer is correctly
cleared here, but the object and its inner allocations are then synchronously
freed in the teardown chain (for example, via kobject_put() or kfree(sch))
without waiting for an RCU grace period. Concurrent BPF programs could still
be accessing the freed memory as RCU readers.
Would it be safer to defer the rcu_assign_pointer() publication until the
very end of the function, ensuring the object is only published once all
fallible initializations have succeeded? This might also naturally
eliminate the need to clear ops->priv on these error paths.
> kobject_put(&sch->kobj);
> return ERR_PTR(ret);
> }
[ ... ]
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260511083130.3174880-1-arighi@nvidia.com?part=1
prev parent reply other threads:[~2026-05-12 1:26 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-11 8:31 [PATCH sched_ext/for-7.1-fixes] sched_ext: Clear ops->priv on scx_alloc_and_add_sched() error paths Andrea Righi
2026-05-11 8:52 ` Tejun Heo
2026-05-12 1:26 ` sashiko-bot [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260512012644.1292AC2BCB0@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=arighi@nvidia.com \
--cc=sashiko@lists.linux.dev \
--cc=sched-ext@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox