sched/core: Fix error pointer dereference

[PATCH] sched/core: Fix error pointer dereference

Posted by Ethan Tidmore 1 month, 2 weeks ago

The function idle_thread_get() can return an error pointer and is not
checked for one. Add check for error pointer.

Detected by Smatch:
kernel/cpu.c:911 finish_cpu() error:
'idle' dereferencing possible ERR_PTR()

Fixes: bf2c59fce4074 ("sched/core: Fix illegal RCU from offline CPUs")
Signed-off-by: Ethan Tidmore <ethantidmore06@gmail.com>
---
 kernel/cpu.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/kernel/cpu.c b/kernel/cpu.c
index bc4f7a9ba64e..30af888d1bc1 100644
--- a/kernel/cpu.c
+++ b/kernel/cpu.c
@@ -908,7 +908,12 @@ static int bringup_cpu(unsigned int cpu)
 static int finish_cpu(unsigned int cpu)
 {
 	struct task_struct *idle = idle_thread_get(cpu);
-	struct mm_struct *mm = idle->active_mm;
+	struct mm_struct *mm;
+
+	if (IS_ERR(idle))
+		return PTR_ERR(idle);
+
+	mm = idle->active_mm;
 
 	/*
 	 * sched_force_init_mm() ensured the use of &init_mm,
-- 
2.53.0

Re: [PATCH] sched/core: Fix error pointer dereference

Posted by Vishal Chourasia 1 month ago

On Tue, Feb 17, 2026 at 12:06:33PM -0600, Ethan Tidmore wrote:
> The function idle_thread_get() can return an error pointer and is not
> checked for one. Add check for error pointer.
> 
> Detected by Smatch:
> kernel/cpu.c:911 finish_cpu() error:
> 'idle' dereferencing possible ERR_PTR()
> 
> Fixes: bf2c59fce4074 ("sched/core: Fix illegal RCU from offline CPUs")
> Signed-off-by: Ethan Tidmore <ethantidmore06@gmail.com>
> ---
>  kernel/cpu.c | 7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
> 
> diff --git a/kernel/cpu.c b/kernel/cpu.c
> index bc4f7a9ba64e..30af888d1bc1 100644
> --- a/kernel/cpu.c
> +++ b/kernel/cpu.c
> @@ -908,7 +908,12 @@ static int bringup_cpu(unsigned int cpu)
>  static int finish_cpu(unsigned int cpu)
>  {
>  	struct task_struct *idle = idle_thread_get(cpu);
> -	struct mm_struct *mm = idle->active_mm;
> +	struct mm_struct *mm;
> +
> +	if (IS_ERR(idle))
> +		return PTR_ERR(idle);
> +
> +	mm = idle->active_mm;
>  
>  	/*
>  	 * sched_force_init_mm() ensured the use of &init_mm,
> -- 
> 2.53.0
> 
Reviewed-by: Vishal Chourasia <vishalc@linux.ibm.com>

Re: [PATCH] sched/core: Fix error pointer dereference

Posted by Peter Zijlstra 1 month, 1 week ago

On Tue, Feb 17, 2026 at 12:06:33PM -0600, Ethan Tidmore wrote:
> The function idle_thread_get() can return an error pointer and is not
> checked for one. Add check for error pointer.
> 
> Detected by Smatch:
> kernel/cpu.c:911 finish_cpu() error:
> 'idle' dereferencing possible ERR_PTR()

How could this possibly happen?

> Signed-off-by: Ethan Tidmore <ethantidmore06@gmail.com>
> ---
>  kernel/cpu.c | 7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
> 
> diff --git a/kernel/cpu.c b/kernel/cpu.c
> index bc4f7a9ba64e..30af888d1bc1 100644
> --- a/kernel/cpu.c
> +++ b/kernel/cpu.c
> @@ -908,7 +908,12 @@ static int bringup_cpu(unsigned int cpu)
>  static int finish_cpu(unsigned int cpu)
>  {
>  	struct task_struct *idle = idle_thread_get(cpu);
> -	struct mm_struct *mm = idle->active_mm;
> +	struct mm_struct *mm;
> +
> +	if (IS_ERR(idle))
> +		return PTR_ERR(idle);
> +
> +	mm = idle->active_mm;
>  
>  	/*
>  	 * sched_force_init_mm() ensured the use of &init_mm,
> -- 
> 2.53.0
>

Re: [PATCH] sched/core: Fix error pointer dereference

Posted by Ethan Tidmore 1 month, 1 week ago

On Fri Feb 20, 2026 at 4:20 AM CST, Peter Zijlstra wrote:
> On Tue, Feb 17, 2026 at 12:06:33PM -0600, Ethan Tidmore wrote:
>> The function idle_thread_get() can return an error pointer and is not
>> checked for one. Add check for error pointer.
>> 
>> Detected by Smatch:
>> kernel/cpu.c:911 finish_cpu() error:
>> 'idle' dereferencing possible ERR_PTR()
>
> How could this possibly happen?
>

Sorry about that, must be a false positive. I'll be more careful next
time.

Thanks,

ET