diff options
| author | Cheng-Yang Chou <yphbchou0911@gmail.com> | 2026-03-03 22:35:30 +0800 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2026-03-19 16:14:59 +0100 |
| commit | bf50f3285eda8a0173625fcdb5f183f96e1008cd (patch) | |
| tree | c456e3c368ec369e051b6d0d2cd1100525eab705 /kernel | |
| parent | 9dc76f6fc0d28d2382583715bc4ec22f28104845 (diff) | |
| download | linux-bf50f3285eda8a0173625fcdb5f183f96e1008cd.tar.gz linux-bf50f3285eda8a0173625fcdb5f183f96e1008cd.tar.bz2 linux-bf50f3285eda8a0173625fcdb5f183f96e1008cd.zip | |
sched_ext: Remove redundant css_put() in scx_cgroup_init()
commit 1336b579f6079fb8520be03624fcd9ba443c930b upstream.
The iterator css_for_each_descendant_pre() walks the cgroup hierarchy
under cgroup_lock(). It does not increment the reference counts on
yielded css structs.
According to the cgroup documentation, css_put() should only be used
to release a reference obtained via css_get() or css_tryget_online().
Since the iterator does not use either of these to acquire a reference,
calling css_put() in the error path of scx_cgroup_init() causes a
refcount underflow.
Remove the unbalanced css_put() to prevent a potential Use-After-Free
(UAF) vulnerability.
Fixes: 819513666966 ("sched_ext: Add cgroup support")
Cc: stable@vger.kernel.org # v6.12+
Signed-off-by: Cheng-Yang Chou <yphbchou0911@gmail.com>
Reviewed-by: Andrea Righi <arighi@nvidia.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'kernel')
| -rw-r--r-- | kernel/sched/ext.c | 1 |
1 files changed, 0 insertions, 1 deletions
diff --git a/kernel/sched/ext.c b/kernel/sched/ext.c index 0bb8fa927e9e..e3e769e85cb6 100644 --- a/kernel/sched/ext.c +++ b/kernel/sched/ext.c @@ -3553,7 +3553,6 @@ static int scx_cgroup_init(struct scx_sched *sch) ret = SCX_CALL_OP_RET(sch, SCX_KF_UNLOCKED, cgroup_init, NULL, css->cgroup, &args); if (ret) { - css_put(css); scx_error(sch, "ops.cgroup_init() failed (%d)", ret); return ret; } |