* [PATCH v2 sched_ext/for-7.1] sched_ext: Fix invalid kobj cast in scx_uevent()
@ 2026-03-23 10:48 Cheng-Yang Chou
2026-03-23 17:47 ` Tejun Heo
2026-03-23 17:54 ` Tejun Heo
0 siblings, 2 replies; 4+ messages in thread
From: Cheng-Yang Chou @ 2026-03-23 10:48 UTC
To: sched-ext, Tejun Heo, David Vernet, Andrea Righi, Changwoo Min
Cc: Ching-Chun Huang, Chia-Ping Tsai, yphbchou0911
When scx_alloc_and_add_sched() creates the sub-scheduler kset, it sets
sch->kobj as the parent. Because sch->kobj.kset points to scx_kset,
registering this sub-kset triggers a KOBJ_ADD uevent. The uevent walk
finds scx_kset and calls scx_uevent() with the sub-kset's kobject.

scx_uevent() unconditionally uses container_of() to cast the incoming
kobject to struct scx_sched, producing a wild pointer when the kobject
belongs to the kset itself rather than a scheduler instance. Accessing
sch->ops.name through this pointer causes a KASAN slab-out-of-bounds
read:

  BUG: KASAN: slab-out-of-bounds in string+0x3b6/0x4c0
  Read of size 1 at addr ffff888004d04348 by task scx_enable_help/748
  Call Trace:
   string+0x3b6/0x4c0
   vsnprintf+0x3ec/0x1550
   add_uevent_var+0x160/0x3a0
   scx_uevent+0x22/0x30
   kobject_uevent_env+0x5dc/0x1730
   kset_register+0x192/0x280
   scx_alloc_and_add_sched+0x130d/0x1c60
   ...

Fix this by checking the kobject's ktype against scx_ktype before
performing the cast, and returning 0 for non-matching kobjects.

Tested with vng and scx_qmap without triggering any KASAN errors.

Fixes: ebeca1f930ea ("sched_ext: Introduce cgroup sub-sched support")
Signed-off-by: Cheng-Yang Chou <yphbchou0911@gmail.com>
---
Changes in v2:
- Update the commit message to clarify the root cause involving the
  sub-scheduler kset uevent walk. (Tejun Heo)
- Move the variable declaration to the top of the function. (Tejun Heo)
- Add an inline comment explaining the necessity of filtering out
  kset_ktype kobjects. (Tejun Heo)
- Update the Fixes tag to correctly point to the commit that introduced
  cgroup sub-scheduler support (ebeca1f930ea).
- Link to v1:
  https://lore.kernel.org/r/20260322171309.2640439-1-yphbchou0911@gmail.com/
kernel/sched/ext.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/kernel/sched/ext.c b/kernel/sched/ext.c
index 94548ee9ad85..f13cab38ea25 100644
--- a/kernel/sched/ext.c
+++ b/kernel/sched/ext.c
@@ -4834,7 +4834,17 @@ static const struct kobj_type scx_ktype = {
static int scx_uevent(const struct kobject *kobj, struct kobj_uevent_env *env)
{
- const struct scx_sched *sch = container_of(kobj, struct scx_sched, kobj);
+ const struct scx_sched *sch;
+
+ /*
+ * scx_uevent() can be reached by both scx_sched kobjects (scx_ktype)
+ * and sub-scheduler kset kobjects (kset_ktype) through the parent
+ * chain walk. Filter out the latter to avoid invalid casts.
+ */
+ if (kobj->ktype != &scx_ktype)
+ return 0;
+
+ sch = container_of(kobj, struct scx_sched, kobj);
return add_uevent_var(env, "SCXOPS=%s", sch->ops.name);
}
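Review bot: the early `return 0` in scx_uevent() reports success for the sub-kset kobject, so its KOBJ_ADD uevent still goes out, only without the SCXOPS variable that the add_uevent_var() line sets for schedulers. If that is the intended result, say so in the new comment so a later reader does not take the missing variable for an oversight.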
--
2.48.1
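The bug class described in the commit message, as an added userspace example that is not part of the patch or of the kernel source: a callback shared by two kinds of embedded kobject must check the type tag before trusting container_of(). The simplified struct layouts, `struct sched`, `model_uevent()` and the sample objects are hypothetical stand-ins.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Userspace stand-ins for the kernel types; layouts are simplified. */
struct kobj_type { const char *label; };
struct kobject { const struct kobj_type *ktype; };
struct kset { struct kobject kobj; };
struct sched { char pad[64]; const char *name; struct kobject kobj; };

#define container_of(ptr, type, member) \
	((const type *)((const char *)(ptr) - offsetof(type, member)))

static const struct kobj_type sched_ktype = { "sched" };
static const struct kobj_type kset_ktype = { "kset" };

/* Constructed sample objects: one scheduler and one sub-kset. */
static struct sched sample_sched = { .name = "demo_ops", .kobj = { &sched_ktype } };
static struct kset sample_kset = { .kobj = { &kset_ktype } };
static char out[64];

/*
 * Returns 1 and fills buf when kobj is embedded in a struct sched,
 * 0 when some other object reached the same callback.
 */
static int model_uevent(const struct kobject *kobj, char *buf, size_t len)
{
	const struct sched *sch;

	/* The type tag is the only evidence of what surrounds kobj. */
	if (kobj->ktype != &sched_ktype)
		return 0;

	sch = container_of(kobj, struct sched, kobj);
	snprintf(buf, len, "SCXOPS=%s", sch->name);
	return 1;
}

int main(void)
{
	if (model_uevent(&sample_sched.kobj, out, sizeof(out)))
		printf("scheduler kobject: %s\n", out);
	if (!model_uevent(&sample_kset.kobj, out, sizeof(out)))
		printf("kset kobject: skipped, no cast performed\n");
	return 0;
}
```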
* Re: [PATCH v2 sched_ext/for-7.1] sched_ext: Fix invalid kobj cast in scx_uevent()
2026-03-23 10:48 [PATCH v2 sched_ext/for-7.1] sched_ext: Fix invalid kobj cast in scx_uevent() Cheng-Yang Chou
@ 2026-03-23 17:47 ` Tejun Heo
2026-03-24 9:57 ` Cheng-Yang Chou
2026-03-23 17:54 ` Tejun Heo
1 sibling, 1 reply; 4+ messages in thread
From: Tejun Heo @ 2026-03-23 17:47 UTC
To: Cheng-Yang Chou
Cc: sched-ext, David Vernet, Andrea Righi, Changwoo Min,
Ching-Chun Huang, Chia-Ping Tsai
On Mon, Mar 23, 2026 at 06:48:29PM +0800, Cheng-Yang Chou wrote:
> static int scx_uevent(const struct kobject *kobj, struct kobj_uevent_env *env)
> {
> - const struct scx_sched *sch = container_of(kobj, struct scx_sched, kobj);
> + const struct scx_sched *sch;
> +
> + /*
> + * scx_uevent() can be reached by both scx_sched kobjects (scx_ktype)
> + * and sub-scheduler kset kobjects (kset_ktype) through the parent
> + * chain walk. Filter out the latter to avoid invalid casts.
> + */
> + if (kobj->ktype != &scx_ktype)
> + return 0;
> +
> + sch = container_of(kobj, struct scx_sched, kobj);
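Review bot: the new comment names only kset_ktype kobjects, while the `kobj->ktype != &scx_ktype` test below it rejects any kobject that is not an scx_sched. Wording the comment as "anything other than scx_ktype" would keep it accurate if another kobject type ever shares this uevent path.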
I'll apply as-is but you don't need to move container_of() here. It's just
address calculation, not a dereference.
Thanks.
--
tejun
* Re: [PATCH v2 sched_ext/for-7.1] sched_ext: Fix invalid kobj cast in scx_uevent()
2026-03-23 17:47 ` Tejun Heo
@ 2026-03-24 9:57 ` Cheng-Yang Chou
0 siblings, 0 replies; 4+ messages in thread
From: Cheng-Yang Chou @ 2026-03-24 9:57 UTC
To: Tejun Heo
Cc: sched-ext, David Vernet, Andrea Righi, Changwoo Min,
Ching-Chun Huang, Chia-Ping Tsai
Hi Tejun,
On Mon, Mar 23, 2026 at 07:47:56AM -1000, Tejun Heo wrote:
> I'll apply as-is but you don't need to move container_of() here. It's just
> address calculation, not a dereference.
>
Ah, I see. I'll keep that in mind for the future.
Thanks for pointing it out and applying the patch!
--
Thanks,
Cheng-Yang
* Re: [PATCH v2 sched_ext/for-7.1] sched_ext: Fix invalid kobj cast in scx_uevent()
2026-03-23 10:48 [PATCH v2 sched_ext/for-7.1] sched_ext: Fix invalid kobj cast in scx_uevent() Cheng-Yang Chou
2026-03-23 17:47 ` Tejun Heo
@ 2026-03-23 17:54 ` Tejun Heo
1 sibling, 0 replies; 4+ messages in thread
From: Tejun Heo @ 2026-03-23 17:54 UTC
To: Cheng-Yang Chou
Cc: sched-ext, David Vernet, Andrea Righi, Changwoo Min,
Ching-Chun Huang, Chia-Ping Tsai
Applied to sched_ext/for-7.1.
Thanks.
--
tejun