Commit 2008fb25 authored Mar 17, 2026 by Cheng-Yang Chou Committed by Tejun Heo Mar 16, 2026

sched_ext: Fix slab-out-of-bounds in scx_alloc_and_add_sched()



ancestors[] is a flexible array member that needs level + 1 slots to
hold all ancestors including self (indices 0..level), but kzalloc_flex()
only allocates `level` slots:

  sch = kzalloc_flex(*sch, ancestors, level);
  ...
  sch->ancestors[level] = sch;  /* one past the end */

For the root scheduler (level = 0), zero slots are allocated and
ancestors[0] is written immediately past the end of the object.

KASAN reports:

  BUG: KASAN: slab-out-of-bounds in scx_alloc_and_add_sched+0x1c17/0x1d10
  Write of size 8 at addr ffff888066b56538 by task scx_enable_help/667

  The buggy address is located 0 bytes to the right of
   allocated 1336-byte region [ffff888066b56000, ffff888066b56538)

Fix by passing level + 1 to kzalloc_flex().

Tested with vng + scx_lavd, KASAN no longer triggers.

Fixes: ebeca1f9 ("sched_ext: Introduce cgroup sub-sched support")
Signed-off-by: Cheng-Yang Chou <yphbchou0911@gmail.com>
Signed-off-by: Tejun Heo <tj@kernel.org>

parent 618a9db0

kernel/sched/ext.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -6365,7 +6365,7 @@ static struct scx_sched scx_alloc_and_add_sched(struct sched_ext_ops ops,
		s32 level = parent ? parent->level + 1 : 0;
		s32 node, cpu, ret, bypass_fail_cpu = nr_cpu_ids;

		sch = kzalloc_flex(*sch, ancestors, level);
		sch = kzalloc_flex(*sch, ancestors, level + 1);
		if (!sch) {
		ret = -ENOMEM;
		goto err_put_cgrp;