[PATCH sched_ext/for-7.0-fixes] sched_ext: Fix invalid kobj cast in scx_uevent()

[PATCH sched_ext/for-7.0-fixes] sched_ext: Fix invalid kobj cast in scx_uevent()

[Cheng-Yang Chou]

When the sched_ext kset is first registered, kset_register() emits a
KOBJ_ADD uevent for the kset's own kobject, which is routed to
scx_uevent().

scx_uevent() unconditionally uses container_of() to cast the incoming
kobject to struct scx_sched, producing a wild pointer when the kobject
belongs to the kset itself rather than a scheduler instance. Accessing
sch->ops.name through this pointer causes a KASAN slab-out-of-bounds
read:

  BUG: KASAN: slab-out-of-bounds in string+0x3b6/0x4c0
  Read of size 1 at addr ffff888004d04348 by task scx_enable_help/748

  Call Trace:
   string+0x3b6/0x4c0
   vsnprintf+0x3ec/0x1550
   add_uevent_var+0x160/0x3a0
   scx_uevent+0x22/0x30
   kobject_uevent_env+0x5dc/0x1730
   kset_register+0x192/0x280
   scx_alloc_and_add_sched+0x130d/0x1c60
   ...

Fix this by checking the kobject's ktype against scx_ktype before
performing the cast, and returning 0 for non-matching kobjects.

Fixes: 494eaf465197 ("sched_ext: Replace naked scx_root dereferences in kobject callbacks")
Signed-off-by: Cheng-Yang Chou <yphbchou0911@gmail.com>
---
Link to full log:
- https://gist.github.com/EricccTaiwan/9d3a2bfa11326fe134cec9f46125094c

 kernel/sched/ext.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/kernel/sched/ext.c b/kernel/sched/ext.c
index 94548ee9ad85..9164a2348e39 100644
--- a/kernel/sched/ext.c
+++ b/kernel/sched/ext.c
@@ -4834,6 +4834,9 @@ static const struct kobj_type scx_ktype = {
 
 static int scx_uevent(const struct kobject *kobj, struct kobj_uevent_env *env)
 {
+	if (kobj->ktype != &scx_ktype)
+		return 0;
+
 	const struct scx_sched *sch = container_of(kobj, struct scx_sched, kobj);
 
 	return add_uevent_var(env, "SCXOPS=%s", sch->ops.name);
-- 
2.48.1

Re: [PATCH sched_ext/for-7.0-fixes] sched_ext: Fix invalid kobj cast in scx_uevent()

[Tejun Heo]

Hello,

The fix itself looks correct but could you please update a few things for v2?

- The patch description says that kset_register() of the sched_ext kset
  itself triggers this during init. That's not actually the case -
  kset_create_and_add() sets kobj.kset = NULL on the kset's own kobject,
  so kobject_uevent_env() can't find a kset and the uevent is silently
  dropped.

  The actual trigger is the sub-scheduler kset created at
  scx_alloc_and_add_sched() -> kset_create_and_add("sub", NULL,
  &sch->kobj). That sub-kset's kobject has sch->kobj as its parent, and
  sch->kobj.kset = scx_kset, so the uevent walk finds scx_kset and calls
  scx_uevent() with the sub-kset's kobject which isn't a struct scx_sched.

  Please update the description to reflect this.

- Move the variable declaration to the top of the function. There's no
  functional difference but the current placement looks messy - just put
  the ktype check between the declaration and the use.

- Add a comment explaining why the check is needed - that scx_uevent()
  can be reached by both scx_sched kobjects (scx_ktype) and sub-scheduler
  kset kobjects (kset_ktype) through the parent chain walk, and we need to
  filter out the latter.

Thanks.

--
tejun