| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aBKomkWrLtPvnnB9@slm.duckdns.org>
Date: Wed, 30 Apr 2025 12:47:54 -1000
From: Tejun Heo <tj@...nel.org>
To: Andrea Righi <arighi@...dia.com>
Cc: David Vernet <void@...ifault.com>, Changwoo Min <changwoo@...lia.com>,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH sched_ext/for-6.16] sched_ext: Avoid NULL scx_root deref
in __scx_exit()
On Wed, Apr 30, 2025 at 10:40:21AM +0200, Andrea Righi wrote:
> A sched_ext scheduler may trigger __scx_exit() from a BPF timer
> callback, where scx_root may not be safely dereferenced.
>
> This can lead to a NULL pointer dereference as shown below (triggered by
> scx_tickless):
>
> BUG: kernel NULL pointer dereference, address: 0000000000000330
> ...
> CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.14.0-virtme #1 PREEMPT(full)
> RIP: 0010:__scx_exit+0x2b/0x190
> ...
> Call Trace:
> <IRQ>
> scx_bpf_get_idle_smtmask+0x59/0x80
> bpf_prog_8320d4217989178c_dispatch_all_cpus+0x35/0x1b6
> ...
> bpf_prog_97f847d871513f95_sched_timerfn+0x4c/0x264
> bpf_timer_cb+0x7a/0x140
> __hrtimer_run_queues+0x1f9/0x3a0
> hrtimer_run_softirq+0x8c/0xd0
> handle_softirqs+0xd3/0x3d0
> __irq_exit_rcu+0x9a/0xc0
> irq_exit_rcu+0xe/0x20
>
> Fix this by checking for a valid scx_root and adding proper RCU
> protection.
>
> Fixes: 48e1267773866 ("sched_ext: Introduce scx_sched")
> Signed-off-by: Andrea Righi <arighi@...dia.com>
Applied to sched_ext/for-6.16.
Thanks.
--
tejun
Powered by blists - more mailing lists