| author | Cheng-Yang Chou <yphbchou0911@gmail.com> | 2026-03-17 01:49:27 +0800 |
|---|---|---|
| committer | Tejun Heo <tj@kernel.org> | 2026-03-16 07:55:50 -1000 |
| commit | 2008fb257323cdb0870d070f1c599bc3fed4be9b (patch) | |
| tree | 90f1198cfea1c9835c4b9c6df1b969520c6c6f7f /kernel | |
| parent | 618a9db0158b1c51fd33822cf804f5a09f829837 (diff) | |
sched_ext: Fix slab-out-of-bounds in scx_alloc_and_add_sched()
ancestors[] is a flexible array member that needs level + 1 slots to
hold all ancestors including self (indices 0..level), but kzalloc_flex()
only allocates `level` slots:
    sch = kzalloc_flex(*sch, ancestors, level);
    ...
    sch->ancestors[level] = sch; /* one past the end */
For the root scheduler (level = 0), zero slots are allocated and
ancestors[0] is written immediately past the end of the object.
KASAN reports:
    BUG: KASAN: slab-out-of-bounds in scx_alloc_and_add_sched+0x1c17/0x1d10
    Write of size 8 at addr ffff888066b56538 by task scx_enable_help/667

    The buggy address is located 0 bytes to the right of
    allocated 1336-byte region [ffff888066b56000, ffff888066b56538)
Fix by passing level + 1 to kzalloc_flex().
Tested with vng + scx_lavd, KASAN no longer triggers.
Fixes: ebeca1f930ea ("sched_ext: Introduce cgroup sub-sched support")
Signed-off-by: Cheng-Yang Chou <yphbchou0911@gmail.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
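The off-by-one described above can be reproduced in userspace without a kernel or KASAN. The following is an added example, not code from the kernel tree or from this commit: `struct toy_sched` stands in for `struct scx_sched` with only the fields needed here, `toy_flex_size()` models what a `kzalloc_flex(*sch, ancestors, n)` allocation provides (header plus `n` trailing array elements), and `toy_alloc()` mirrors the `ancestors[level] = sch` write from `scx_alloc_and_add_sched()`. Instead of actually writing past the object, the self-slot write is bounds-checked first, so the buggy sizing (`level` slots) shows up as a refused allocation and the fixed sizing (`level + 1` slots) as a complete ancestor chain.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not kernel code. struct toy_sched is a stand-in for
 * struct scx_sched with only the fields needed here (an assumption).
 */
struct toy_sched {
	int level;                     /* depth in the sub-sched tree, root = 0 */
	struct toy_sched *parent;
	struct toy_sched *ancestors[]; /* must hold ancestors[0..level], self at [level] */
};

/* Bytes a kzalloc_flex(*sch, ancestors, n) style allocation provides. */
static size_t toy_flex_size(size_t n)
{
	return sizeof(struct toy_sched) + n * sizeof(struct toy_sched *);
}

/* 1 if ancestors[idx] lies entirely inside an object of alloc bytes, else 0. */
static int slot_in_bounds(size_t alloc, size_t idx)
{
	size_t end = offsetof(struct toy_sched, ancestors) +
		     (idx + 1) * sizeof(struct toy_sched *);
	return end <= alloc;
}

/*
 * Mirror scx_alloc_and_add_sched(): allocate a child of parent, copy the
 * parent's ancestor chain and store self at ancestors[level]. use_fix = 0
 * sizes the array with `level` slots (the bug), use_fix = 1 with
 * `level + 1` (the fix). The self-slot write is checked before any memory
 * is touched, so the bug is reported as NULL rather than as undefined
 * behaviour.
 */
static struct toy_sched *toy_alloc(struct toy_sched *parent, int use_fix)
{
	int level = parent ? parent->level + 1 : 0;
	size_t nslots = (size_t)level + (use_fix ? 1 : 0);
	size_t alloc = toy_flex_size(nslots);
	struct toy_sched *sch;

	/* ancestors[level] is the write KASAN flagged in the commit message */
	if (!slot_in_bounds(alloc, (size_t)level))
		return NULL;

	sch = calloc(1, alloc);
	if (!sch)
		return NULL;
	sch->level = level;
	sch->parent = parent;
	if (parent)
		memcpy(sch->ancestors, parent->ancestors,
		       (size_t)level * sizeof(sch->ancestors[0]));
	sch->ancestors[level] = sch;
	return sch;
}

/*
 * Build a root plus `depth` nested children and return the deepest level
 * reached: -1 if the first allocation was refused, -2 if an ancestor slot
 * held the wrong scheduler. With use_fix = 0 even the root (level = 0,
 * zero slots) is refused, matching the case in the commit message.
 */
static int build_chain(int depth, int use_fix)
{
	struct toy_sched *cur = NULL;
	int reached = -1;

	for (int i = 0; i <= depth; i++) {
		struct toy_sched *next = toy_alloc(cur, use_fix);
		if (!next)
			break;
		cur = next;
		reached = next->level;
		/* every slot 0..level must point at the scheduler of that level */
		for (int j = 0; j <= next->level; j++) {
			if (next->ancestors[j]->level != j) {
				reached = -2;
				goto out;
			}
		}
	}
out:
	while (cur) {            /* free the chain via the parent links */
		struct toy_sched *p = cur->parent;
		free(cur);
		cur = p;
	}
	return reached;
}
```

Note that the check relies on `sizeof(struct toy_sched)` equalling `offsetof(struct toy_sched, ancestors)`; a struct with trailing padding before the flexible array would give the zero-slot allocation some accidental slack, which is exactly the kind of luck that hides this class of bug until the layout changes.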
Diffstat (limited to 'kernel')
| -rw-r--r-- | kernel/sched/ext.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/kernel/sched/ext.c b/kernel/sched/ext.c index b942918fa364..ab8150b8de57 100644 --- a/kernel/sched/ext.c +++ b/kernel/sched/ext.c @@ -6365,7 +6365,7 @@ static struct scx_sched *scx_alloc_and_add_sched(struct sched_ext_ops *ops, s32 level = parent ? parent->level + 1 : 0; s32 node, cpu, ret, bypass_fail_cpu = nr_cpu_ids; - sch = kzalloc_flex(*sch, ancestors, level); + sch = kzalloc_flex(*sch, ancestors, level + 1); if (!sch) { ret = -ENOMEM; goto err_put_cgrp; |
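Review bot: the one-line change is correct for this hunk, since `level = parent ? parent->level + 1 : 0` and the later `sch->ancestors[level] = sch` needs indices 0..level, i.e. `level + 1` elements; the only thing missing is a comment that records this invariant, either at the `ancestors[]` declaration or beside the `kzalloc_flex(*sch, ancestors, level + 1)` call (for example `/* ancestors[0..level], self at [level] */`), so the `+ 1` is not mistaken for an off-by-one and removed again.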
