git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Cheng-Yang Chou <yphbchou0911@gmail.com>
	Mon, 20 Apr 2026 09:28:47 +0000 (17:28 +0800)
committer	Tejun Heo <tj@kernel.org>
	Mon, 20 Apr 2026 17:57:29 +0000 (07:57 -1000)
commit	2d2b026c3ea792a0c91d4acf4430d8b65bedf271
tree	0b6c78268f1913a0dcaccb6fbf5c08974ec3818b	tree \| snapshot
parent	87019cb6c26178cef8fb9f9265b6ab7c4bda5262	commit \| diff

sched_ext: Deny SCX kfuncs to non-SCX struct_ops programs

scx_kfunc_context_filter() currently allows non-SCX struct_ops programs
(e.g. tcp_congestion_ops) to call SCX unlocked kfuncs. This is wrong
for two reasons:

- It is semantically incorrect: a TCP congestion control program has no
  business calling SCX kfuncs such as scx_bpf_kick_cpu().

- With CONFIG_EXT_SUB_SCHED=y, kfuncs like scx_bpf_kick_cpu() call
  scx_prog_sched(aux), which invokes bpf_prog_get_assoc_struct_ops(aux)
  and casts the result to struct sched_ext_ops * before reading ops->priv.
  For a non-SCX struct_ops program the returned pointer is the kdata of
  that struct_ops type, which is far smaller than sched_ext_ops, making
  the read an out-of-bounds access (confirmed with KASAN).

Extend the filter to cover scx_kfunc_set_any and scx_kfunc_set_idle as
well, and deny all SCX kfuncs for any struct_ops program that is not the
SCX struct_ops. This addresses both issues: the semantic contract is
enforced at the verifier level, and the runtime out-of-bounds access
becomes unreachable.

Fixes: d1d3c1c6ae36 ("sched_ext: Add verifier-time kfunc context filter")
Suggested-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Cheng-Yang Chou <yphbchou0911@gmail.com>
Signed-off-by: Tejun Heo <tj@kernel.org>

kernel/sched/ext.c		diff \| blob \| blame \| history
kernel/sched/ext_idle.c		diff \| blob \| blame \| history
kernel/sched/ext_idle.h		diff \| blob \| blame \| history