[tip: sched/core] sched/cache: Fix potential NULL mm pointer access

tip-bot2 for Chen Yu posted 1 patch 4 days, 14 hours ago
kernel/sched/fair.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
The following commit has been merged into the sched/core branch of tip:

Commit-ID:     9f23469401b04cfd9a5d0a8b61760a48cce35dc1
Gitweb:        https://git.kernel.org/tip/9f23469401b04cfd9a5d0a8b61760a48cce35dc1
Author:        Chen Yu <yu.c.chen@intel.com>
AuthorDate:    Wed, 13 May 2026 13:39:19 -07:00
Committer:     Peter Zijlstra <peterz@infradead.org>
CommitterDate: Mon, 18 May 2026 21:33:16 +02:00

sched/cache: Fix potential NULL mm pointer access

A concurrent task exit might cause a NULL pointer dereference
in account_mm_sched(). Use the locally cached mm pointer instead,
since the active_mm reference guarantees the structure remains
allocated. Meanwhile, skip the kernel thread because it has
nothing to do with cache aware scheduling.

This bug was reported by sashiko and Vern.

Fixes: df0d98475954 ("sched/cache: Introduce infrastructure for cache-aware load balancing")
Reported-by: Vern Hao <haoxing990@gmail.com>
Signed-off-by: Chen Yu <yu.c.chen@intel.com>
Co-developed-by: Tim Chen <tim.c.chen@linux.intel.com>
Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lore.kernel.org/all/09cf7ee3-6e27-4505-9692-4b4a4707c8b2@gmail.com/
Link: https://patch.msgid.link/066d8cfa45d4822bf4367e788c50377c66bbcc82.1778703694.git.tim.c.chen@linux.intel.com
---
 kernel/sched/fair.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
index c549ad4..663968b 100644
--- a/kernel/sched/fair.c
+++ b/kernel/sched/fair.c
@@ -1649,7 +1649,7 @@ void account_mm_sched(struct rq *rq, struct task_struct *p, s64 delta_exec)
 	if (!mm || !mm->sc_stat.pcpu_sched)
 		return;
 
-	pcpu_sched = per_cpu_ptr(p->mm->sc_stat.pcpu_sched, cpu_of(rq));
+	pcpu_sched = per_cpu_ptr(mm->sc_stat.pcpu_sched, cpu_of(rq));
 
 	scoped_guard (raw_spinlock, &rq->cpu_epoch_lock) {
 		__update_mm_sched(rq, pcpu_sched);
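Review bot: the switch from `p->mm` to the local `mm` in the `pcpu_sched = per_cpu_ptr(...)` line is only safe because that local pointer is pinned, and nothing in this hunk records why; the preceding `if (!mm || !mm->sc_stat.pcpu_sched)` check already relies on the same guarantee. Add a one-line comment above that check saying that `mm` is the locally cached pointer kept alive by the active_mm reference (as the commit message explains) and that `p->mm` must not be re-read in this function because a concurrent task exit can clear it, so the next reader does not reintroduce the pattern. Also worth confirming that no other `p->mm` dereference survives later in account_mm_sched(), since the same race would apply to it.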
@@ -1689,7 +1689,8 @@ static void task_tick_cache(struct rq *rq, struct task_struct *p)
 	if (!sched_cache_enabled())
 		return;
 
-	if (!mm || !mm->sc_stat.pcpu_sched)
+	if (!mm || p->flags & PF_KTHREAD ||
+	    !mm->sc_stat.pcpu_sched)
 		return;
 
 	epoch = rq->cpu_epoch;
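Review bot: the new `p->flags & PF_KTHREAD` test only matters when a kernel thread has a non-NULL `mm`, and that case is not skipped in account_mm_sched(), whose check in the first hunk remains `if (!mm || !mm->sc_stat.pcpu_sched)`; such a task would be ignored by the tick but still accounted, so either add the same skip there or say in a comment why the asymmetry is intended. Stylistically, wrap the flag test in parentheses, `if (!mm || (p->flags & PF_KTHREAD) || !mm->sc_stat.pcpu_sched)`, so the precedence between `&` and `||` is explicit at a glance, and consider ordering the PF_KTHREAD test first since it needs no pointer dereference.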