sched_ext: Fix slab-out-of-bounds in scx_alloc_and_add_sched()

ancestors[] is a flexible array member that needs level + 1 slots to
hold all ancestors including self (indices 0..level), but kzalloc_flex()
only allocates `level` slots:

  sch = kzalloc_flex(*sch, ancestors, level);
  ...
  sch->ancestors[level] = sch;  /* one past the end */

For the root scheduler (level = 0), zero slots are allocated and
ancestors[0] is written immediately past the end of the object.

KASAN reports:

  BUG: KASAN: slab-out-of-bounds in scx_alloc_and_add_sched+0x1c17/0x1d10
  Write of size 8 at addr ffff888066b56538 by task scx_enable_help/667

  The buggy address is located 0 bytes to the right of
   allocated 1336-byte region [ffff888066b56000, ffff888066b56538)

Fix by passing level + 1 to kzalloc_flex().

Tested with vng + scx_lavd, KASAN no longer triggers.

Fixes: ebeca1f930ea ("sched_ext: Introduce cgroup sub-sched support")
Signed-off-by: Cheng-Yang Chou <yphbchou0911@gmail.com>
Signed-off-by: Tejun Heo <tj@kernel.org>

diff --git a/kernel/sched/ext.c b/kernel/sched/ext.c
index b942918fa3641db3e85d0e6d12e6886597c39bf0..ab8150b8de575d7ba1a6f8ab056d5dfcfc0d03ad 100644 (file)
--- a/kernel/sched/ext.c
+++ b/kernel/sched/ext.c
@@ -6365,7 +6365,7 @@ static struct scx_sched *scx_alloc_and_add_sched(struct sched_ext_ops *ops,
        s32 level = parent ? parent->level + 1 : 0;
        s32 node, cpu, ret, bypass_fail_cpu = nr_cpu_ids;
 
-       sch = kzalloc_flex(*sch, ancestors, level);
+       sch = kzalloc_flex(*sch, ancestors, level + 1);
        if (!sch) {
                ret = -ENOMEM;
                goto err_put_cgrp;