Re: [PATCH 0/4] sched: Various reweight_entity() fixes

[K Prateek Nayak]

Hello Shubhang,

On 2/14/2026 12:50 PM, Shubhang Kaushik wrote:
> Hi Peter,
> 
> On Fri, 30 Jan 2026, Peter Zijlstra wrote:
> 
>> Two issues related to reweight_entity() were raised; poking at all that got me
>> these patches.
>>
>> They're in queue.git/sched/core and I spend most of yesterday staring at traces
>> trying to find anything wrong. So far, so good.
>>
>> Please test.
>>
>>
> 
> I’m seeing a consistent NULL pointer dereference in pick_task_fair() when running hackbench on an Ampere Altra (80 cores arm64). This is happening after applying the complete patchset on the latest 6.19.0+ kernel with PREEMPT_DYNAMIC (full), CONFIG_SCHED_CLUSTER and NOHZ_FULL enabled.

Can you confirm you using the latest changes from:

  git.kernel.org/pub/scm/linux/kernel/git/peterz/queue.git sched/core

at commit bdba3187771c ("sched/fair: Use full weight to __calc_delta()")
since this series has undergone some churn throughout the week?

> 
> The system triggers a level 2 translation fault because pick_eevdf() returns NULL despite the runqueue having active tasks (cfs_rq->nr_running
>> 0). When pick_next_task_fair() attempts to dereference this NULL pointer 
> to access the task structure, the kernel Oopses at pick_task_fair+0x48/0x148.
> 
> pick_task_fair <- pick_eevdf() <- [active tasks]
> 
> The root cause is an underflow in reweight_entity():
> se->vprot -= avruntime;

But how does it cause failure to pick? All vrpot does at pick is:

    /* curr needs to be queued and eligible first. */
    if (curr && (!curr->on_rq || !entity_eligible(cfs_rq, curr)))
        curr = NULL;

    /* vprot only helps for early return below. */
    if (curr && protect && protect_slice(curr))
        return curr;


Worst case "curr" runs till it loses eligibility even if vprot wraps
and becomes a large value and moreover, wouldn't vruntime_cmp() in
protect_slice() which compares the signed difference catch it?

-- 
Thanks and Regards,
Prateek