From: Cheng-Yang Chou <yphbchou0911@gmail.com>
Date: Sat, 14 Mar 2026 01:39:34 +0000 (+0800)
Subject: sched_ext: Fix uninitialized ret in scx_alloc_and_add_sched()
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e36bc38ebfac95ecd088d4bc0ceb3ffcef2ebdfa;p=thirdparty%2Flinux.git

sched_ext: Fix uninitialized ret in scx_alloc_and_add_sched()

Under CONFIG_EXT_SUB_SCHED, the kzalloc() and kstrdup() failure
paths jump to err_stop_helper without first setting ret. The
function then returns ERR_PTR(ret) with ret uninitialized, which
can produce ERR_PTR(0) (NULL), causing the caller's IS_ERR() check
to pass and leading to a NULL pointer dereference.

Set ret = -ENOMEM before each goto to fix the error path.

Fixes: ebeca1f930ea ("sched_ext: Introduce cgroup sub-sched support")
Signed-off-by: Cheng-Yang Chou <yphbchou0911@gmail.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
---

diff --git a/kernel/sched/ext.c b/kernel/sched/ext.c
index a234e57a45555..9202c6d7a7713 100644
--- a/kernel/sched/ext.c
+++ b/kernel/sched/ext.c
@@ -6444,13 +6444,17 @@ static struct scx_sched *scx_alloc_and_add_sched(struct sched_ext_ops *ops,
 
 #ifdef CONFIG_EXT_SUB_SCHED
 	char *buf = kzalloc(PATH_MAX, GFP_KERNEL);
-	if (!buf)
+	if (!buf) {
+		ret = -ENOMEM;
 		goto err_stop_helper;
+	}
 	cgroup_path(cgrp, buf, PATH_MAX);
 	sch->cgrp_path = kstrdup(buf, GFP_KERNEL);
 	kfree(buf);
-	if (!sch->cgrp_path)
+	if (!sch->cgrp_path) {
+		ret = -ENOMEM;
 		goto err_stop_helper;
+	}
 
 	sch->cgrp = cgrp;
 	INIT_LIST_HEAD(&sch->children);