From: zhidao su
To: sched-ext@lists.linux.dev
Cc: linux-kernel@vger.kernel.org, tj@kernel.org, void@manifault.com, arighi@nvidia.com, changwoo@igalia.com, peterz@infradead.org, mingo@redhat.com, zhidao su
Subject: [PATCH] sched_ext: fix NULL deref in bpf_scx_unreg() due to ops->priv race
Date: Thu, 26 Mar 2026 07:43:11 +0800
Message-ID: <20260325234311.3614764-1-suzhidao@xiaomi.com>

The reload_loop selftest triggers a KASAN null-ptr-deref at scx_claim_exit+0x83
when two threads concurrently attach and destroy BPF schedulers using the same
ops map.

The race occurs between bpf_scx_unreg() and a concurrent reg():

1. Thread A's bpf_scx_unreg() calls scx_disable() then kthread_flush_work(),
   which blocks until disable completes and transitions state back to
   SCX_DISABLED.

2. With state SCX_DISABLED, a concurrent reg() allocates a new sch_B and sets
   ops->priv = sch_B under scx_enable_mutex.

3. Thread A's bpf_scx_unreg() then executes RCU_INIT_POINTER(ops->priv, NULL),
   overwriting sch_B.

4. When Thread B's link is destroyed, bpf_scx_unreg() reads ops->priv == NULL
   and passes it to scx_disable(), which calls scx_claim_exit(NULL), crashing
   at NULL+0x310.

Fix by adding a NULL guard for the case where ops->priv was never set, and by
acquiring scx_enable_mutex before clearing ops->priv so that the check-and-clear
is atomic with respect to reg() which also sets ops->priv under scx_enable_mutex.
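A single-threaded replay of the interleaving above, as an added example that is not part of this patch or of kernel/sched/ext.c: the kernel types, the state flag and the model_* functions are stand-ins I constructed, and only the ops->priv handling is modelled. Both the pre-patch and the patched second half of unreg() are driven through the same four steps so the lost-pointer outcome can be compared directly with the compare-and-clear.

```c
#include <stdbool.h>
#include <stddef.h>
/* Stand-ins for the kernel types; only what this race touches is modelled. */
enum scx_state { SCX_DISABLED, SCX_ENABLED };
struct scx_sched { int id; };
struct sched_ext_ops { struct scx_sched *priv; };
static enum scx_state model_state = SCX_DISABLED;
static struct scx_sched model_sch_a = { 1 }, model_sch_b = { 2 }; /* constructed schedulers */

/* reg(): succeeds only while SCX_DISABLED, then publishes the new sched in
 * ops->priv (under scx_enable_mutex in the kernel). */
static bool model_reg(struct sched_ext_ops *ops, struct scx_sched *sch)
{
	if (model_state != SCX_DISABLED)
		return false;
	model_state = SCX_ENABLED;
	ops->priv = sch;
	return true;
}

/* First half of unreg(): scx_disable() + kthread_flush_work(). The flush returns
 * only after disable_work has set the state back to SCX_DISABLED, which is what
 * lets a concurrent reg() slip in before ops->priv is cleared. */
static struct scx_sched *model_unreg_disable(struct sched_ext_ops *ops)
{
	struct scx_sched *sch = ops->priv; /* rcu_dereference_protected(ops->priv, true) */
	model_state = SCX_DISABLED;
	return sch;
}

/* Second half of unreg(). Pre-patch: unconditional clear. Patched: compare-and-clear
 * under scx_enable_mutex; no ABA risk, since sch is released only by the later kobject_put(). */
static void model_unreg_clear(struct sched_ext_ops *ops, struct scx_sched *sch, bool patched)
{
	if (!patched || ops->priv == sch)
		ops->priv = NULL;
}

/* Replays the interleaving from the commit message and returns what Thread B's
 * unreg() then loads from ops->priv; NULL is the value that reached scx_disable(). */
static struct scx_sched *replay_race(bool patched)
{
	struct sched_ext_ops ops = { NULL };
	model_state = SCX_DISABLED;
	model_reg(&ops, &model_sch_a);                   /* Thread A's link attaches sch_a */
	struct scx_sched *a = model_unreg_disable(&ops); /* Thread A: disable done, state DISABLED */
	model_reg(&ops, &model_sch_b);                   /* Thread B's reg() succeeds in that window */
	model_unreg_clear(&ops, a, patched);             /* Thread A finishes its unreg() */
	return ops.priv;
}
```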
Signed-off-by: zhidao su --- kernel/sched/ext.c | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/kernel/sched/ext.c b/kernel/sched/ext.c index 551bfb99157d..01077cc2eb62 100644 --- a/kernel/sched/ext.c +++ b/kernel/sched/ext.c @@ -7372,9 +7372,22 @@ static void bpf_scx_unreg(void *kdata, struct bpf_li= nk *link) struct sched_ext_ops *ops =3D kdata; struct scx_sched *sch =3D rcu_dereference_protected(ops->priv, true); =20 + if (!sch) + return; + scx_disable(sch, SCX_EXIT_UNREG); kthread_flush_work(&sch->disable_work); - RCU_INIT_POINTER(ops->priv, NULL); + + /* + * A concurrent reg() may have already installed a new scheduler into + * ops->priv by the time disable completes. Clear ops->priv only if it + * still holds our sch. + */ + mutex_lock(&scx_enable_mutex); + if (rcu_access_pointer(ops->priv) =3D=3D sch) + RCU_INIT_POINTER(ops->priv, NULL); + mutex_unlock(&scx_enable_mutex); + kobject_put(&sch->kobj); } =20 --=20 2.43.0
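Review bot: the initial load `struct scx_sched *sch = rcu_dereference_protected(ops->priv, true);` still runs outside scx_enable_mutex, so only the compare-and-clear at the end is serialized against reg(); either take the mutex around that load too (and then `lockdep_is_held(&scx_enable_mutex)` rather than `true` would document the locking rule), or add a comment stating why the unlocked read is safe, since the commit message currently claims the check-and-clear is atomic with respect to reg() without covering the read. The new `if (!sch) return;` also needs a stated reachable path: once `if (rcu_access_pointer(ops->priv) == sch)` guards the clear, the four-step scenario no longer leaves ops->priv NULL at unreg time, so the commit message should name which caller can still arrive with ops->priv never set, or the guard should be dropped as dead code.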