From: Fang Xiang
Subject: [PATCH] sched/fair: Fix overflow in vruntime_eligible() causing NULL return
Date: Tue, 6 Jan 2026 19:34:27 +0800
Message-ID: <20260106113427.20809-1-fangxiang3@xiaomi.com>
X-Mailing-List: linux-kernel@vger.kernel.org

In the vruntime_eligible() function, the original comparison:

    return avg >= (s64)(vruntime - cfs_rq->min_vruntime) * load;

could produce incorrect results due to integer overflow in the 'avg' or s64 part. This overflow causes the comparison to return false even when the mathematical result should be true, leading all tasks to be falsely deemed ineligible. Consequently, pick_eevdf() returns NULL, triggering a kernel crash. This issue was discovered on kernel 6.6.76. It may be incorrect to simply spot a potentially overflowing integer type and directly use the >= sign for comparison.
The following are the relevant attributes that cause the return of NULL:

cfs_rq: my_q = 0xFFFFFF8019BF2600 -> (
    load = (weight = 3609742336, inv_weight = 0),
    nr_running = 647,
    h_nr_running = 647,
    idle_nr_running = 0,
    idle_h_nr_running = 0,
    avg_vruntime = -13338730231239499,
    avg_load = 3525139,
    exec_clock = 598416298647,
    min_vruntime = 1918334512120,
    tasks_timeline = (
        rb_root = (rb_node = 0xFFFFFF811B63A850),
        rb_leftmost = 0xFFFFFF810C5B2850),
)

root node: (struct sched_entity *)(0xFFFFFF811B63A850 - 0x10) = 0xFFFFFF811B63A840 -> (
    load = (weight = 2561024, inv_weight = 1717300),
    run_node = (__rb_parent_color = 1, rb_right = 0xFFFFFF8054864FD0, rb_left = 0xFFFFFF8104916390),
    deadline = 1918337366679,
    min_vruntime = 18446741380279378713,
    on_rq = 1,
    sum_exec_runtime = 349968442385,
    prev_sum_exec_runtime = 349967120379,
    vruntime = 1918336679648,
)

leftmost node: (struct sched_entity *)(0xFFFFFF810C5B2850 - 0x10) = 0xFFFFFF810C5B2840 -> (
    load = (weight = 1048576, inv_weight = 4194304),
    deadline = 18446741380282378713,
    min_vruntime = 18446741380279378713,
    on_rq = 1,
    sum_exec_runtime = 17431358323,
    prev_sum_exec_runtime = 307584686,
    vruntime = 18446741380279378713,
    vlag = 4607980805462,
)

Signed-off-by: Fang Xiang
---
 kernel/sched/fair.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
index 726fa69c4d88..f597f8869b37 100644
--- a/kernel/sched/fair.c
+++ b/kernel/sched/fair.c
@@ -746,6 +746,8 @@ int entity_eligible(struct cfs_rq *cfs_rq, struct sched= _entity *se) struct sched_entity *curr =3D cfs_rq->curr; s64 avg =3D cfs_rq->avg_vruntime; long load =3D cfs_rq->avg_load; + s64 a =3D entity_key(cfs_rq, se); + s64 b, d; =20 if (curr && curr->on_rq) { unsigned long weight =3D scale_load_down(curr->load.weight);
@@ -754,7 +756,11 @@ int entity_eligible(struct cfs_rq *cfs_rq, struct sche= d_entity *se) load +=3D weight; } =20 - return avg >=3D entity_key(cfs_rq, se) * load; + b =3D (s64)load; + if (check_mul_overflow(a, b, &d)) + return 1; + + return avg - d >=3D 0; } =20 static u64 __update_min_vruntime(struct cfs_rq *cfs_rq, u64 vruntime) --=20 2.34.1
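Review bot: in the first hunk (@@ -746), the new locals `a`, `b` and `d` say nothing about what they hold: `a` is the entity key, `b` is only `load` re-typed to `s64`, and `d` is their product, so names such as `key` and `key_load` (or casting `load` at the call site and dropping `b`) would make the check readable without the commit message. Moving `entity_key(cfs_rq, se)` up to the declaration block is fine, since it does not depend on the `curr` adjustment to `load` that follows, but the split between where the key is computed and where it is used deserves a one-line comment.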
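Review bot: in the second hunk (@@ -754), `return avg - d >= 0;` reintroduces an overflow path that the patch is trying to close: with `avg_vruntime` negative (the dump shows -13338730231239499) and `d` positive and large, the subtraction itself can wrap in `s64`, whereas `return avg >= d;` compares the same two values without any arithmetic. Returning 1 (eligible) when `check_mul_overflow()` fires also needs justification in a comment and in the commit message: overflow is exactly the case where the real comparison is unknown, and the dump points at the underlying cause, namely that the leftmost entity's `vruntime` (18446741380279378713, a negative value as `s64`) sits far below `cfs_rq->min_vruntime` (1918334512120), so `entity_key()` yields a huge negative key whose product with `load` cannot fit. Treating that entity as eligible avoids the NULL return from `pick_eevdf()`, but the change should say why eligible is the safe fallback and whether the divergence between entity `vruntime` and `cfs_rq->min_vruntime` is the bug that actually needs fixing.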