Re: [PATCH 1/2] sched_ext: Use rcu_dereference() for scx_root in dump paths

Next message: Felix Busch: "Fwd: Re: [PATCH v2 1/2] [PATCH] cdrom: extra upper bound check for logical block address."
Previous message: Geert Uytterhoeven: "Re: [PATCH v5 01/20] clk: renesas: rzv2h: Add PLLDSI clk mux support"
In reply to: David CARLIER: "Re: [PATCH 2/2] sched_ext: Fix TOCTOU on p-&gt;scx.dsq in scx_dump_task()"
Next in thread: David CARLIER: "Re: [PATCH 1/2] sched_ext: Use rcu_dereference() for scx_root in dump paths"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Tejun Heo

Date: Fri Feb 27 2026 - 13:31:20 EST

Hello,

On Thu, Feb 26, 2026 at 05:26:39AM +0000, David Carlier wrote:
> scx_dump_task() and scx_dump_state() read scx_root directly without
> rcu_dereference() or NULL check. If the BPF scheduler is torn down
> concurrently, scx_root can become NULL between the read and the
> dereference in SCX_HAS_OP(), causing a NULL pointer dereference.

scx_dump_state() is called from scx_error_irq_workfn() and
sysrq_handle_sched_ext_dump(). SCX can't turn off before dump is complete in
the former case. In the latter, scx_enabled() gates the call and it's in the
irq context. When scx_enabled() turns off, there's synchronize_rcu() call
afterwards before anything happens to scx_root. ie. It cannot go away in
flight. This is the same synchronization that protect other in-flight sched
ops.

Thanks.

--
tejun