sched_ext: Fix uninitialized ret in scx_alloc_and_add_sched()

Under CONFIG_EXT_SUB_SCHED, the kzalloc() and kstrdup() failure
paths jump to err_stop_helper without first setting ret. The
function then returns ERR_PTR(ret) with ret uninitialized, which
can produce ERR_PTR(0) (NULL), causing the caller's IS_ERR() check
to pass and leading to a NULL pointer dereference.

Set ret = -ENOMEM before each goto to fix the error path.

Fixes: ebeca1f930ea ("sched_ext: Introduce cgroup sub-sched support")
Signed-off-by: Cheng-Yang Chou <yphbchou0911@gmail.com>
Signed-off-by: Tejun Heo <tj@kernel.org>

diff --git a/kernel/sched/ext.c b/kernel/sched/ext.c
index a234e57a45555b4811b1c43795aca9934d573c43..9202c6d7a77130e5dc3e22f4d73f73eca56b18c8 100644 (file)
--- a/kernel/sched/ext.c
+++ b/kernel/sched/ext.c
@@ -6444,13 +6444,17 @@ static struct scx_sched *scx_alloc_and_add_sched(struct sched_ext_ops *ops,
 
 #ifdef CONFIG_EXT_SUB_SCHED
        char *buf = kzalloc(PATH_MAX, GFP_KERNEL);
-       if (!buf)
+       if (!buf) {
+               ret = -ENOMEM;
                goto err_stop_helper;
+       }
        cgroup_path(cgrp, buf, PATH_MAX);
        sch->cgrp_path = kstrdup(buf, GFP_KERNEL);
        kfree(buf);
-       if (!sch->cgrp_path)
+       if (!sch->cgrp_path) {
+               ret = -ENOMEM;
                goto err_stop_helper;
+       }
 
        sch->cgrp = cgrp;
        INIT_LIST_HEAD(&sch->children);