From nobody Mon May 25 00:08:58 2026 Received: from galois.linutronix.de (Galois.linutronix.de [193.142.43.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 55CEF3D904B; Wed, 20 May 2026 08:34:34 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=193.142.43.55 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779266075; cv=none; b=UARjcEOMTjjN2CFgGRw0aSHazimRLa0qrui6NyrDiAB82MIIwdbw+KC4kNp/NoifgjqpaXuof5k60cGxetbO59SravegiNfHQ7ULGPH0FtJUbZXlEs21gOV9dBOEOk47LzOtA02cp6BIrUmoSUVv4zEMM0YZoSDaFCwAwtqOaCE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779266075; c=relaxed/simple; bh=W3wF9JBtQeLU5+y3V8K7AwkQqJOnLNhowvarXTU3awo=; h=Date:From:To:Subject:Cc:In-Reply-To:References:MIME-Version: Message-ID:Content-Type; b=hx14kWwhmhiurMVGzI6csrFSk0wuomfqUrtcLgvd1/pkVXPPqJjawlYrR98PMvWukQqVTJ1sbkyyRB2p2cxkmXeRiRLC3R5GrQZ6bamddShQdtVdklqrjMCkkpRjjwflYTQt4d0EjphrWC9q5UZWwoYOs2N5W3Wp6Llt58gNXxE= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linutronix.de; spf=pass smtp.mailfrom=linutronix.de; dkim=pass (2048-bit key) header.d=linutronix.de header.i=@linutronix.de header.b=hP6mJ39N; dkim=permerror (0-bit key) header.d=linutronix.de header.i=@linutronix.de header.b=j6Zikhfh; arc=none smtp.client-ip=193.142.43.55 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linutronix.de Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linutronix.de Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=linutronix.de header.i=@linutronix.de header.b="hP6mJ39N"; dkim=permerror (0-bit key) header.d=linutronix.de header.i=@linutronix.de header.b="j6Zikhfh" Date: Wed, 20 May 2026 08:34:31 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020; t=1779266072; h=from:from:sender:sender:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=EEKjbfWDEovLC6FRCbyVN5iz6zMmJ1GjWH3qk26/VqI=; b=hP6mJ39NCqxjQXx1RRnNI6Cj1rxnKF+2ENMlD1haPn0tyARxx8A2rbgcV7h2aiyVT+iBJa 5fSidzviUbf1HWwQBDx3pjgIcakFoLrgZFB7FU3+BpSrxdKx8Ke+mP9Xg8lDb7XkrzMCLU yZ0YYvdu9A6cZpeqDePC6CKcqq9wm9Ubq82X5NXXftu7M1ZGyfMeK1NskXLBg6WCxr3XZi /FpngaecEGEJaN2Xh9PM+oazv5NMOFPPrv7krrJzpM9hOThpoLv4qMJHWucM2NTJXnCSae 0ZQrI4hEMki3NPyhSwmLwZkx2r2VIFbE4uTqbvIDd7Cca7u2eu0/lmBOZfNapQ== DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020e; t=1779266072; h=from:from:sender:sender:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=EEKjbfWDEovLC6FRCbyVN5iz6zMmJ1GjWH3qk26/VqI=; b=j6ZikhfhQVJP/0HSn1DRgx930Oi2EVLNVZLCa+qJke09xkCvy1NgpdjTCmtVV2rJ69r4fW sakB/vfLMZSslrAA== From: "tip-bot2 for Chen Yu" Sender: tip-bot2@linutronix.de Reply-to: linux-kernel@vger.kernel.org To: linux-tip-commits@vger.kernel.org Subject: [tip: sched/core] sched/cache: Fix potential NULL mm pointer access Cc: Vern Hao , Chen Yu , Tim Chen , "Peter Zijlstra (Intel)" , x86@kernel.org, linux-kernel@vger.kernel.org In-Reply-To: =?utf-8?q?=3C066d8cfa45d4822bf4367e788c50377c66bbcc82=2E1778703?= =?utf-8?q?694=2Egit=2Etim=2Ec=2Echen=40linux=2Eintel=2Ecom=3E?= References: =?utf-8?q?=3C066d8cfa45d4822bf4367e788c50377c66bbcc82=2E17787036?= =?utf-8?q?94=2Egit=2Etim=2Ec=2Echen=40linux=2Eintel=2Ecom=3E?= Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Message-ID: <177926607140.711.6252011028868986736.tip-bot2@tip-bot2> Robot-ID: Robot-Unsubscribe: Contact to get blacklisted from these emails Precedence: bulk Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable The following commit has been merged into the sched/core branch of tip: Commit-ID: 9f23469401b04cfd9a5d0a8b61760a48cce35dc1 Gitweb: https://git.kernel.org/tip/9f23469401b04cfd9a5d0a8b61760a48c= ce35dc1 Author: Chen Yu AuthorDate: Wed, 13 May 2026 13:39:19 -07:00 Committer: Peter Zijlstra CommitterDate: Mon, 18 May 2026 21:33:16 +02:00 sched/cache: Fix potential NULL mm pointer access A concurrent task exit might cause a NULL pointer dereference in account_mm_sched(). Use the locally cached mm pointer instead, since the active_mm reference guarantees the structure remains allocated. Meanwhile, skip the kernel thread because it has nothing to do with cache aware scheduling. This bug was reported by sashiko and Vern. Fixes: df0d98475954 ("sched/cache: Introduce infrastructure for cache-aware= load balancing") Reported-by: Vern Hao Signed-off-by: Chen Yu Co-developed-by: Tim Chen Signed-off-by: Tim Chen Signed-off-by: Peter Zijlstra (Intel) Link: https://lore.kernel.org/all/09cf7ee3-6e27-4505-9692-4b4a4707c8b2@gmai= l.com/ Link: https://patch.msgid.link/066d8cfa45d4822bf4367e788c50377c66bbcc82.177= 8703694.git.tim.c.chen@linux.intel.com --- kernel/sched/fair.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c index c549ad4..663968b 100644 --- a/kernel/sched/fair.c +++ b/kernel/sched/fair.c @@ -1649,7 +1649,7 @@ void account_mm_sched(struct rq *rq, struct task_stru= ct *p, s64 delta_exec) if (!mm || !mm->sc_stat.pcpu_sched) return; =20 - pcpu_sched =3D per_cpu_ptr(p->mm->sc_stat.pcpu_sched, cpu_of(rq)); + pcpu_sched =3D per_cpu_ptr(mm->sc_stat.pcpu_sched, cpu_of(rq)); =20 scoped_guard (raw_spinlock, &rq->cpu_epoch_lock) { __update_mm_sched(rq, pcpu_sched); @@ -1689,7 +1689,8 @@ static void task_tick_cache(struct rq *rq, struct tas= k_struct *p) if (!sched_cache_enabled()) return; =20 - if (!mm || !mm->sc_stat.pcpu_sched) + if (!mm || p->flags & PF_KTHREAD || + !mm->sc_stat.pcpu_sched) return; =20 epoch =3D rq->cpu_epoch;