[PATCH] sched/isolation: avoid reading past string in isolcpus parser

Joseph Salisbury posted 1 patch 1 month ago
There is a newer version of this series
[PATCH] sched/isolation: avoid reading past string in isolcpus parser
Posted by Joseph Salisbury 1 month ago
The function housekeeping_isolcpus_setup() advanced the parser pointer
unconditionally after unknown flags.

For an argument like 'isolcpus=unknownflag', with no trailing comma, this can
move the pointer past the terminating NUL, and the next loop test reads
out of bounds.

Advance only when the current character is a comma separator, preserving
existing parsing semantics while avoiding the invalid read.

Fixes: 3662daf02350 ("sched/isolation: Allow "isolcpus=" to skip unknown sub-parameters")
Cc: stable@vger.kernel.org
Assisted-by: Codex:GPT-5.3
Signed-off-by: Joseph Salisbury <joseph.salisbury@oracle.com>
---
 kernel/sched/isolation.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/kernel/sched/isolation.c b/kernel/sched/isolation.c
index ef152d401fe2..4cf253fb6d75 100644
--- a/kernel/sched/isolation.c
+++ b/kernel/sched/isolation.c
@@ -355,7 +355,8 @@ static int __init housekeeping_isolcpus_setup(char *str)
 		}
 
 		pr_info("isolcpus: Skipped unknown flag %.*s\n", len, par);
-		str++;
+		if (*str == ',')
+			str++;
 	}
 
 	/* Default behaviour for isolcpus without flags */
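Review bot: The new test `if (*str == ',')` makes the bounds fix depend on an invariant that is not visible in this hunk, namely that str can only rest on ',' or NUL once the unknown flag has been skipped. If the code above ever leaves str on some other character, the pointer no longer advances here at all, so guarding on the terminator itself (`if (*str)`) keeps the forward progress of the old `str++` and still stops at the NUL the commit message describes.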
-- 
2.47.3
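
The overrun described in the commit message, as an added userspace model that is not part of the patch or the kernel source. It assumes the surrounding loop continues while the current character is alphabetic and that an unknown flag is consumed up to the next ',' or NUL; `overrun()`, the `advance` enum and the sample strings are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* How the pointer moves after an unknown flag has been skipped. */
enum advance { ADV_ALWAYS, ADV_IF_COMMA, ADV_IF_NONNUL };

/*
 * Userspace model of the flag-skipping loop, using an index instead of a
 * raw pointer so the overrun can be reported rather than performed.
 * Every flag is treated as unknown. Returns how many bytes past the
 * terminating NUL the loop test would read (0 means in bounds).
 */
static size_t overrun(const char *arg, enum advance policy)
{
	size_t nul = strlen(arg);	/* index of the terminating NUL */
	size_t pos = 0;

	for (;;) {
		if (pos > nul)
			return pos - nul;	/* loop test would read out of bounds */
		if (!isalpha((unsigned char)arg[pos]))
			return 0;		/* loop ends on a valid byte */
		/* Assumed scan: consume the flag up to ',' or NUL. */
		while (arg[pos] && arg[pos] != ',')
			pos++;
		if (policy == ADV_ALWAYS ||
		    (policy == ADV_IF_COMMA && arg[pos] == ',') ||
		    (policy == ADV_IF_NONNUL && arg[pos] != '\0'))
			pos++;
	}
}

int main(void)
{
	/* Constructed sample arguments (the part after "isolcpus="). */
	const char *samples[] = { "unknownflag", "unknownflag,1-3", "foo,bar" };
	static const char *names[] = { "str++", "if (*str == ',')", "if (*str)" };

	for (size_t i = 0; i < 3; i++)
		for (int p = ADV_ALWAYS; p <= ADV_IF_NONNUL; p++)
			printf("%-16s %-17s overrun=%zu\n", samples[i], names[p],
			       overrun(samples[i], (enum advance)p));
	return 0;
}
```

In this model the two guarded forms behave identically, because the scan only ever stops on ',' or NUL; they differ only if that assumption stops holding.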
Re: [PATCH] sched/isolation: avoid reading past string in isolcpus parser
Posted by Steven Rostedt 1 month ago
On Fri,  6 Mar 2026 14:59:08 -0800
Joseph Salisbury <joseph.salisbury@oracle.com> wrote:

> The function housekeeping_isolcpus_setup() advanced the parser pointer
> unconditionally after unknown flags.
> 
> For an argument like 'isolcpus=unknownflag', with no trailing comma, this can
> move the pointer past the terminating NUL, and the next loop test reads
> out of bounds.
> 
> Advance only when the current character is a comma separator, preserving
> existing parsing semantics while avoiding the invalid read.

Nice catch.

> 
> Fixes: 3662daf02350 ("sched/isolation: Allow "isolcpus=" to skip unknown sub-parameters")
> Cc: stable@vger.kernel.org
> Assisted-by: Codex:GPT-5.3
> Signed-off-by: Joseph Salisbury <joseph.salisbury@oracle.com>
> ---
>  kernel/sched/isolation.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/kernel/sched/isolation.c b/kernel/sched/isolation.c
> index ef152d401fe2..4cf253fb6d75 100644
> --- a/kernel/sched/isolation.c
> +++ b/kernel/sched/isolation.c
> @@ -355,7 +355,8 @@ static int __init housekeeping_isolcpus_setup(char *str)
>  		}
>  
>  		pr_info("isolcpus: Skipped unknown flag %.*s\n", len, par);
> -		str++;
> +		if (*str == ',')
> +			str++;

Although it should only be a ',' here, I think it's more robust to just
test against non-nul character. As the bug only triggers if str points to
the nul character. No need to make this check depend on the rest of the
algorithm.

		if (*str)
			str++;

-- Steve


>  	}
>  
>  	/* Default behaviour for isolcpus without flags */
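Review bot: The guarded increment after the pr_info() line carries no comment saying why it is conditional, so a later cleanup could fold it back into a bare `str++`. A one-line comment above it, noting that str may already be at the terminating NUL when the skipped flag is the last thing in the string, would record the reason in the code rather than only in the changelog.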
Re: [External] : Re: [PATCH] sched/isolation: avoid reading past string in isolcpus parser
Posted by Joseph Salisbury 1 month ago

On 3/9/26 10:05 AM, Steven Rostedt wrote:
> On Fri,  6 Mar 2026 14:59:08 -0800
> Joseph Salisbury <joseph.salisbury@oracle.com> wrote:
>
>> The function housekeeping_isolcpus_setup() advanced the parser pointer
>> unconditionally after unknown flags.
>>
>> For an argument like 'isolcpus=unknownflag', with no trailing comma, this can
>> move the pointer past the terminating NUL, and the next loop test reads
>> out of bounds.
>>
>> Advance only when the current character is a comma separator, preserving
>> existing parsing semantics while avoiding the invalid read.
> Nice catch.
>
>> Fixes: 3662daf02350 ("sched/isolation: Allow "isolcpus=" to skip unknown sub-parameters")
>> Cc: stable@vger.kernel.org
>> Assisted-by: Codex:GPT-5.3
>> Signed-off-by: Joseph Salisbury <joseph.salisbury@oracle.com>
>> ---
>>   kernel/sched/isolation.c | 3 ++-
>>   1 file changed, 2 insertions(+), 1 deletion(-)
>>
>> diff --git a/kernel/sched/isolation.c b/kernel/sched/isolation.c
>> index ef152d401fe2..4cf253fb6d75 100644
>> --- a/kernel/sched/isolation.c
>> +++ b/kernel/sched/isolation.c
>> @@ -355,7 +355,8 @@ static int __init housekeeping_isolcpus_setup(char *str)
>>   		}
>>   
>>   		pr_info("isolcpus: Skipped unknown flag %.*s\n", len, par);
>> -		str++;
>> +		if (*str == ',')
>> +			str++;
> Although it should only be a ',' here, I think it's more robust to just
> test against non-nul character. As the bug only triggers if str points to
> the nul character. No need to make this check depend on the rest of the
> algorithm.
>
> 		if (*str)
> 			str++;
>
> -- Steve
Thanks for the feedback and suggestion, Steve!  I'll send a v2 with a 
test for a non-nul character.
>
>
>>   	}
>>   
>>   	/* Default behaviour for isolcpus without flags */