public inbox for stable@vger.kernel.org
From: Tejun Heo <tj@kernel.org>
To: Cheng-Yang Chou <yphbchou0911@gmail.com>
Cc: sched-ext@lists.linux.dev, David Vernet <void@manifault.com>,
	Andrea Righi <arighi@nvidia.com>,
	Changwoo Min <changwoo@igalia.com>,
	Ching-Chun Huang <jserv@ccns.ncku.edu.tw>,
	Chia-Ping Tsai <chia7712@gmail.com>,
	stable@vger.kernel.org
Subject: Re: [PATCH] sched_ext: Prevent RB-tree corruption in scx_bpf_task_set_dsq_vtime()
Date: Thu, 16 Apr 2026 07:56:33 -1000
Message-ID: <aeEi0X4Fn70bUgva@slm.duckdns.org>
In-Reply-To: <20260415193459.933175-1-yphbchou0911@gmail.com>

On Thu, Apr 16, 2026 at 03:32:44AM +0800, Cheng-Yang Chou wrote:
> scx_bpf_task_set_dsq_vtime() allows modifying a task's dsq_vtime without
> checking if it is already enqueued on SCX_DSQ_PRIQ. Since dsq_vtime is
> the rb-tree sorting key, mutating it in-place violates the BST invariant
> and corrupts the tree structure.
> 
> In ops.dispatch():
> 	p = scx_bpf_dsq_peek(PRIO_DSQ); // Get a task already in the DSQ
> 	if (p) {
> 		// This illegally returns %true
> 		scx_bpf_task_set_dsq_vtime(p, 0xFFFFFFFFFFFFFFFF);
> 	}
> 
> Fix this by adding a check for the SCX_TASK_DSQ_ON_PRIQ flag. Disallow
> vtime modification and trigger scx_error() if the task is already queued
> on a priority DSQ.

If the user updates the vtime after inserting, the tree looks wrong but it
won't cause crashes or anything. Later insertions might get confused in
terms of ordering but it's a rather obvious user-shotting-their-own-foot, so
I'm more inclined to leave it as-is.

Thanks.

-- 
tejun
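
A user-space sketch of the in-place key update discussed in this message, added here as an example; it is not code from the thread or from the kernel. It assumes a plain unbalanced BST as a stand-in for the kernel's rb-tree, and `struct node`, the `bst_*` helpers and `demo_inplace_update()` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a vtime-ordered DSQ: a plain unbalanced BST
 * keyed on vtime (assumption: the kernel's rb-tree is not modelled). */
struct node { uint64_t vtime; struct node *left, *right; };

static void bst_insert(struct node **root, struct node *n)
{
	n->left = n->right = NULL;
	while (*root)
		root = n->vtime < (*root)->vtime ? &(*root)->left : &(*root)->right;
	*root = n;
}

/* Leftmost node: what a "lowest vtime first" consumer would take. */
static struct node *bst_first(struct node *root)
{
	while (root && root->left)
		root = root->left;
	return root;
}

/* Returns 1 if every key lies within the bounds set by its ancestors. */
static int bst_ordered(const struct node *n, uint64_t lo, uint64_t hi)
{
	if (!n)
		return 1;
	return n->vtime >= lo && n->vtime <= hi &&
	       bst_ordered(n->left, lo, n->vtime) &&
	       bst_ordered(n->right, n->vtime, hi);
}

/* Change the head's key without re-inserting it, as in the quoted snippet.
 * Returns 1 if the tree was ordered before and is mis-ordered afterwards. */
static int demo_inplace_update(void)
{
	struct node n[3] = { { .vtime = 20 }, { .vtime = 10 }, { .vtime = 30 } };
	struct node *root = NULL;
	for (int i = 0; i < 3; i++)
		bst_insert(&root, &n[i]);
	int ok_before = bst_ordered(root, 0, UINT64_MAX);
	bst_first(root)->vtime = UINT64_MAX;	/* key changed, node not moved */
	return ok_before && !bst_ordered(root, 0, UINT64_MAX) &&
	       bst_first(root)->vtime == UINT64_MAX;
}

int main(void) { printf("mis-ordered: %d\n", demo_inplace_update()); return 0; }
```

In this sketch the links are never touched by the update, so traversal still terminates; what changes is that the leftmost node no longer holds the smallest key.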


Thread overview: 6+ messages
2026-04-15 19:32 [PATCH] sched_ext: Prevent RB-tree corruption in scx_bpf_task_set_dsq_vtime() Cheng-Yang Chou
2026-04-16  1:49 ` Zhao Mengmeng
2026-04-16  5:02   ` Cheng-Yang Chou
2026-04-16 17:56 ` Tejun Heo [this message]
2026-04-16 18:00   ` Andrea Righi
2026-04-16 18:09     ` Cheng-Yang Chou
