From: Breno Leitao
Date: Tue, 30 Dec 2025 06:34:07 -0800
Subject: [PATCH] sched: Fix NULL pointer dereference in sched_mm_cid_fork()
To: Ingo Molnar, Peter Zijlstra, Juri Lelli, Vincent Guittot, Dietmar Eggemann, Steven Rostedt, Ben Segall, Mel Gorman, Valentin Schneider
Cc: linux-kernel@vger.kernel.org, tj@kernel.org, kernel-team@meta.com, Breno Leitao
Message-Id: <20251230-sched-v1-1-dd4b2a21cef4@debian.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Function sched_mm_cid_fork() contains a WARN_ON_ONCE() check that triggers
when mm is NULL, but execution continues regardless, leading to a NULL
pointer dereference when attempting to lock &mm->mm_cid.mutex.

  Unable to handle kernel NULL pointer dereference at virtual address 00000000000001e0
  [00000000000001e0] user address but active_mm is swapper
  Internal error: Oops: 0000000096000005 [#1] SMP
  Modules linked in:
  CPU: 9 UID: 0 PID: 1 Comm: swapper/0 Tainted:
  pc : __mutex_lock_common
  Call trace:
   __mutex_lock_common
   mutex_lock_nested
   sched_mm_cid_fork
   sched_mm_cid_after_execve
   bprm_execve

This crash can occur during execve() failure paths where
sched_mm_cid_after_execve() is called with a task that has a NULL mm.

Fix this by making the function return early if the WARN_ON_ONCE()
condition is true, preventing the NULL pointer dereference.

Signed-off-by: Breno Leitao
---
I've inadvertently reproduced this bug by booting the kernel with an init
binary from a different architecture. Specifically, I cross-compiled the
kernel, but the init binary was built for an architecture that didn't
match the kernel.

With the applied fix, I now see the following line instead of
experiencing a crash.

  Kernel panic - not syncing: Requested init mybinary failed (error -8)
---
 kernel/sched/core.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/kernel/sched/core.c b/kernel/sched/core.c
index 41ba0be16911..eee5181fcc00 100644
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -10566,7 +10566,8 @@ void sched_mm_cid_fork(struct task_struct *t)
 	struct mm_struct *mm = t->mm;
 	bool percpu;
 
-	WARN_ON_ONCE(!mm || t->mm_cid.cid != MM_CID_UNSET);
+	if (WARN_ON_ONCE(!mm || t->mm_cid.cid != MM_CID_UNSET))
+		return;
 
 	guard(mutex)(&mm->mm_cid.mutex);
 	scoped_guard(raw_spinlock_irq, &mm->mm_cid.lock) {

---
base-commit: 8640b74557fc8b4c300030f6ccb8cd078f665ec8
change-id: 20251230-sched-44236f6178af

Best regards,
-- 
Breno Leitao
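Review bot: the early return in this hunk bails out on both halves of the WARN_ON_ONCE() condition, but only the !mm half is the NULL dereference the changelog describes. Before the change, a task entering sched_mm_cid_fork() with a non-NULL mm and t->mm_cid.cid != MM_CID_UNSET would warn and still run the guard(mutex)(&mm->mm_cid.mutex) path and the cid setup below it; after the change it warns and skips that setup entirely, which is a silent behaviour change for the second case that the changelog does not mention. Consider splitting the check so that only the NULL mm case returns, e.g. `if (WARN_ON_ONCE(!mm)) return;` followed by the existing `WARN_ON_ONCE(t->mm_cid.cid != MM_CID_UNSET);`, or state in the changelog why skipping the cid assignment is the intended outcome when the cid is already set. A Fixes: tag naming the commit that introduced the check would also help stable backports, since the oops is reachable from a failing execve() at boot.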