From: Cheng-Yang Chou
Date: Mon, 16 Mar 2026 17:49:27 +0000 (+0800)
Subject: sched_ext: Fix slab-out-of-bounds in scx_alloc_and_add_sched()
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2008fb257323cdb0870d070f1c599bc3fed4be9b;p=thirdparty%2Flinux.git

sched_ext: Fix slab-out-of-bounds in scx_alloc_and_add_sched()

ancestors[] is a flexible array member that needs level + 1 slots to hold
all ancestors including self (indices 0..level), but kzalloc_flex() only
allocates `level` slots:

    sch = kzalloc_flex(*sch, ancestors, level);
    ...
    sch->ancestors[level] = sch;    /* one past the end */

For the root scheduler (level = 0), zero slots are allocated and
ancestors[0] is written immediately past the end of the object.

KASAN reports:

  BUG: KASAN: slab-out-of-bounds in scx_alloc_and_add_sched+0x1c17/0x1d10
  Write of size 8 at addr ffff888066b56538 by task scx_enable_help/667

  The buggy address is located 0 bytes to the right of
  allocated 1336-byte region [ffff888066b56000, ffff888066b56538)

Fix by passing level + 1 to kzalloc_flex().

Tested with vng + scx_lavd, KASAN no longer triggers.

Fixes: ebeca1f930ea ("sched_ext: Introduce cgroup sub-sched support")
Signed-off-by: Cheng-Yang Chou
Signed-off-by: Tejun Heo
---
diff --git a/kernel/sched/ext.c b/kernel/sched/ext.c index b942918fa3641..ab8150b8de575 100644 --- a/kernel/sched/ext.c +++ b/kernel/sched/ext.c @@ -6365,7 +6365,7 @@ static struct scx_sched *scx_alloc_and_add_sched(struct sched_ext_ops *ops, s32 level = parent ? parent->level + 1 : 0; s32 node, cpu, ret, bypass_fail_cpu = nr_cpu_ids; - sch = kzalloc_flex(*sch, ancestors, level); + sch = kzalloc_flex(*sch, ancestors, level + 1); if (!sch) { ret = -ENOMEM; goto err_put_cgrp;
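Review bot: the `+ 1` in `sch = kzalloc_flex(*sch, ancestors, level + 1);` is the right element count (indices 0..level, self included), but nothing at the allocation site says why the count is not simply `level`, and the next reader who "simplifies" it will reintroduce the out-of-bounds write the KASAN report shows; a one-line comment such as `/* ancestors[0..level]: every ancestor plus self */` on the kzalloc_flex() line would pin the invariant next to the number. The hunk is also the only place the invariant is enforced: the write `sch->ancestors[level] = sch;` quoted in the commit message is outside the visible context, so the reviewer cannot confirm from the diff alone that no other path indexes `ancestors[]` past `level`; worth a quick grep before merging, and the 1336-byte region with the faulting write at offset 1336 in the report is consistent with the root-scheduler (level = 0, zero slots) case the message describes.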