Commit 9a415cc5 authored May 11, 2026 by Tejun Heo

sched_ext: Avoid UAF in scx_root_enable_workfn() init failure path



In scx_root_enable_workfn(), put_task_struct(p) is called before scx_error()
dereferences p->comm and p->pid. If the iterator's reference is the last
drop, the task is freed synchronously and the deref becomes a UAF.

Move put_task_struct() past scx_error().

Reported-by: Sashiko <sashiko-bot@kernel.org>
Closes: https://lore.kernel.org/all/20260511214031.AF5E9C2BCB0@smtp.kernel.org/


Fixes: f0e1a064 ("sched_ext: Implement BPF extensible scheduler class")
Cc: stable@vger.kernel.org # v6.12+
Signed-off-by: Tejun Heo <tj@kernel.org>

parent 86ecb1c1

kernel/sched/ext.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -6973,10 +6973,10 @@ static void scx_root_enable_workfn(struct kthread_work *work)
		if (scx_get_task_state(p) != SCX_TASK_DEAD)
		scx_set_task_state(p, SCX_TASK_NONE);
		task_rq_unlock(rq, p, &rf);
		put_task_struct(p);
		scx_task_iter_stop(&sti);
		scx_error(sch, "ops.init_task() failed (%d) for %s[%d]",
		ret, p->comm, p->pid);
		put_task_struct(p);
		goto err_disable_unlock_all;
		}