Re: [RFC][PATCH] sched/ext: Avoid null ptr traversal when ->put_prev_task() is called with NULL next
From: Andrea Righi
Date: Sun Dec 07 2025 - 08:54:15 EST
On Sat, Dec 06, 2025 at 02:22:03AM +0000, John Stultz wrote:
> Early when trying to get sched_ext and proxy-exe working together,
> I kept tripping over NULL ptr in put_prev_task_scx() on the line:
> if (sched_class_above(&ext_sched_class, next->sched_class)) {
>
> Which was due to put_prev_task() passes a NULL next, calling:
> prev->sched_class->put_prev_task(rq, prev, NULL);
>
> put_prev_task_scx() already guards for a NULL next in the
> switch_class case, but doesn't seem to have a guard for
> sched_class_above() check.
>
> I can't say I understand why this doesn't trip usually without
> proxy-exec. And in newer kernels there are way fewer
> put_prev_task(), and I can't easily reproduce the issue now
> even with proxy-exec.
>
> But we still have one put_prev_task() call left in core.c that
> seems like it could trip this, so I wanted to send this out for
> consideration.
>
> Signed-off-by: John Stultz <jstultz@xxxxxxxxxx>
This looks like a valid fix to me. If the task changes any sched property
while it's running, we go through sched_change_begin() which calls
put_prev_task() that always passes NULL as the next parameter:
static inline void put_prev_task(struct rq *rq, struct task_struct *prev)
{
WARN_ON_ONCE(rq->donor != prev);
prev->sched_class->put_prev_task(rq, prev, NULL);
}
This should be the code path(s) to trigger the bug:
sys_setpriority() / sched_setaffinity() / sched_setscheduler()
- set_user_nice() / __sched_setaffinity() / __sched_setscheduler()
- scoped_guard(sched_change, p, DEQUEUE_SAVE)
- sched_change_begin(p, DEQUEUE_SAVE)
- if (ctx->running)
put_prev_task(rq, p)
- prev->sched_class->put_prev_task(rq, prev, NULL)
- put_prev_task_scx(rq, prev, NULL)
- if (sched_class_above(&ext_sched_class, next->sched_class))
^^^^
NULL dereference
Reviewed-by: Andrea Righi <arighi@xxxxxxxxxx>
Thanks,
-Andrea
> ---
> Cc: Joel Fernandes <joelagnelf@xxxxxxxxxx>
> Cc: Qais Yousef <qyousef@xxxxxxxxxxx>
> Cc: Ingo Molnar <mingo@xxxxxxxxxx>
> Cc: Peter Zijlstra <peterz@xxxxxxxxxxxxx>
> Cc: Juri Lelli <juri.lelli@xxxxxxxxxx>
> Cc: Vincent Guittot <vincent.guittot@xxxxxxxxxx>
> Cc: Dietmar Eggemann <dietmar.eggemann@xxxxxxx>
> Cc: Valentin Schneider <vschneid@xxxxxxxxxx>
> Cc: Steven Rostedt <rostedt@xxxxxxxxxxx>
> Cc: Ben Segall <bsegall@xxxxxxxxxx>
> Cc: Zimuzo Ezeozue <zezeozue@xxxxxxxxxx>
> Cc: Mel Gorman <mgorman@xxxxxxx>
> Cc: Will Deacon <will@xxxxxxxxxx>
> Cc: Waiman Long <longman@xxxxxxxxxx>
> Cc: Boqun Feng <boqun.feng@xxxxxxxxx>
> Cc: "Paul E. McKenney" <paulmck@xxxxxxxxxx>
> Cc: Metin Kaya <Metin.Kaya@xxxxxxx>
> Cc: Xuewen Yan <xuewen.yan94@xxxxxxxxx>
> Cc: K Prateek Nayak <kprateek.nayak@xxxxxxx>
> Cc: Thomas Gleixner <tglx@xxxxxxxxxxxxx>
> Cc: Daniel Lezcano <daniel.lezcano@xxxxxxxxxx>
> Cc: Suleiman Souhlal <suleiman@xxxxxxxxxx>
> Cc: kuyo chang <kuyo.chang@xxxxxxxxxxxx>
> Cc: hupu <hupu.gm@xxxxxxxxx>
> Cc: Tejun Heo <tj@xxxxxxxxxx>
> Cc: David Vernet <void@xxxxxxxxxxxxx>
> Cc: Andrea Righi <arighi@xxxxxxxxxx>
> Cc: Changwoo Min <changwoo@xxxxxxxxxx>
> Cc: sched-ext@xxxxxxxxxxxxxxx
> Cc: kernel-team@xxxxxxxxxxx
> ---
> kernel/sched/ext.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/kernel/sched/ext.c b/kernel/sched/ext.c
> index 446091cba4429..598552f58f5ec 100644
> --- a/kernel/sched/ext.c
> +++ b/kernel/sched/ext.c
> @@ -2402,7 +2402,7 @@ static void put_prev_task_scx(struct rq *rq, struct task_struct *p,
> * ops.enqueue() that @p is the only one available for this cpu,
> * which should trigger an explicit follow-up scheduling event.
> */
> - if (sched_class_above(&ext_sched_class, next->sched_class)) {
> + if (next && sched_class_above(&ext_sched_class, next->sched_class)) {
> WARN_ON_ONCE(!(sch->ops.flags & SCX_OPS_ENQ_LAST));
> do_enqueue_task(rq, p, SCX_ENQ_LAST, -1);
> } else {
> --
> 2.52.0.223.gf5cc29aaa4-goog
>