[PATCH] sched_ext: Use kobject_put() for kobject_init_and_add() failure in scx_alloc_and_add_sched()

David Carlier posted 1 patch 3 weeks, 2 days ago
kernel/sched/ext.c | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
[PATCH] sched_ext: Use kobject_put() for kobject_init_and_add() failure in scx_alloc_and_add_sched()
Posted by David Carlier 3 weeks, 2 days ago
When kobject_init_and_add() fails, the error path jumps to
err_stop_helper which eventually calls kfree(sch) directly. However,
kobject_init_and_add() internally calls kobject_init() which initializes
the refcount and may allocate the name string. As documented in
lib/kobject.c:

  "If this function returns an error, kobject_put() must be called to
   properly clean up the memory associated with the object."

Use kobject_put() which triggers scx_kobj_release() and
scx_sched_free_rcu_work(), handling cleanup of all previously allocated
resources.

Fixes: 17108735b47d ("sched_ext: Use dynamic allocation for scx_sched")
Signed-off-by: David Carlier <devnexen@gmail.com>
---
 kernel/sched/ext.c | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/kernel/sched/ext.c b/kernel/sched/ext.c
index 9202c6d7a771..c35c13da5a8f 100644
--- a/kernel/sched/ext.c
+++ b/kernel/sched/ext.c
@@ -6468,8 +6468,12 @@ static struct scx_sched *scx_alloc_and_add_sched(struct sched_ext_ops *ops,
 		ret = kobject_init_and_add(&sch->kobj, &scx_ktype, NULL, "root");
 
 	if (ret < 0) {
-		kfree(sch->cgrp_path);
-		goto err_stop_helper;
+		/*
+		 * kobject was initialized, kobject_put() needed for cleanup,
+		 * see Documentation/core-api/kobject.rst
+		 */
+		kobject_put(&sch->kobj);
+		return ERR_PTR(ret);
 	}
 
 	if (ops->sub_attach) {
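Review bot: In the if (ret < 0) branch, returning ERR_PTR(ret) straight after kobject_put(&sch->kobj) skips both the removed kfree(sch->cgrp_path) and the whole err_stop_helper unwind, so the release callback becomes the only cleanup and has to match exactly what this function owns at this point. The commit message says scx_kobj_release() and scx_sched_free_rcu_work() handle all previously allocated resources, but as raised in the reply in this thread, that release path also does cgroup_put() on sch->cgrp, which is already set here, so the caller's own put on failure makes this a double-put. Either the reference ownership needs to be settled before this call, or the caller must not put the cgroup when this function fails. Please also say in the commit message that cgrp_path is freed by the release path, since nothing in the hunk shows it.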
@@ -6482,8 +6486,14 @@ static struct scx_sched *scx_alloc_and_add_sched(struct sched_ext_ops *ops,
 
 #else	/* CONFIG_EXT_SUB_SCHED */
 	ret = kobject_init_and_add(&sch->kobj, &scx_ktype, NULL, "root");
-	if (ret < 0)
-		goto err_stop_helper;
+	if (ret < 0) {
+		/*
+		 * kobject was initialized, kobject_put() needed for cleanup,
+		 * see Documentation/core-api/kobject.rst
+		 */
+		kobject_put(&sch->kobj);
+		return ERR_PTR(ret);
+	}
 #endif	/* CONFIG_EXT_SUB_SCHED */
 	return sch;
 
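Review bot: The new if (ret < 0) block in the !CONFIG_EXT_SUB_SCHED arm is a verbatim copy of the one added in the CONFIG_EXT_SUB_SCHED arm, comment included. Moving the check below #endif, or using a single shared error label that does kobject_put(&sch->kobj) and returns ERR_PTR(ret), would keep the two arms from drifting apart. With both goto err_stop_helper jumps that followed kobject_init_and_add() removed, check that the label and the unwind steps below it are still reached from the earlier failure points and that nothing they did is now left to the release callback alone. Minor: the code comment points to Documentation/core-api/kobject.rst while the commit message quotes lib/kobject.c; citing one source consistently would be clearer.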
-- 
2.51.0
Re: [PATCH] sched_ext: Use kobject_put() for kobject_init_and_add() failure in scx_alloc_and_add_sched()
Posted by Tejun Heo 3 weeks, 1 day ago
Hello,

Thanks for pointing this out. Using kobject_put() is the right approach but
the release callback (scx_sched_free_rcu_work) also calls cgroup_put() on
sch->cgrp, which was already set at that point, leading to a double-put with
the caller.

I posted a patchset fixing this along with a pre-existing cgroup double-put
on the abort path:

  https://lore.kernel.org/r/20260316054328.838304-1-tj@kernel.org

Thanks.
--
tejun
Re: [PATCH] sched_ext: Use kobject_put() for kobject_init_and_add() failure in scx_alloc_and_add_sched()
Posted by David CARLIER 3 weeks ago
Ah yes, I've seen your patchset, it is better indeed.

Cheers.

On Mon, 16 Mar 2026 at 05:43, Tejun Heo <tj@kernel.org> wrote:
>
> Hello,
>
> Thanks for pointing this out. Using kobject_put() is the right approach but
> the release callback (scx_sched_free_rcu_work) also calls cgroup_put() on
> sch->cgrp, which was already set at that point, leading to a double-put with
> the caller.
>
> I posted a patchset fixing this along with a pre-existing cgroup double-put
> on the abort path:
>
>   https://lore.kernel.org/r/20260316054328.838304-1-tj@kernel.org
>
> Thanks.
> --
> tejun