| author | Cheng-Yang Chou <yphbchou0911@gmail.com> | 2026-04-20 12:28:47 +0300 |
|---|---|---|
| committer | Tejun Heo <tj@kernel.org> | 2026-04-20 20:57:29 +0300 |
| commit | 2d2b026c3ea792a0c91d4acf4430d8b65bedf271 (patch) | |
| tree | 0b6c78268f1913a0dcaccb6fbf5c08974ec3818b /include | |
| parent | 87019cb6c26178cef8fb9f9265b6ab7c4bda5262 (diff) | |
| download | linux-2d2b026c3ea792a0c91d4acf4430d8b65bedf271.tar.xz | |
sched_ext: Deny SCX kfuncs to non-SCX struct_ops programs
scx_kfunc_context_filter() currently allows non-SCX struct_ops programs
(e.g. tcp_congestion_ops) to call SCX unlocked kfuncs. This is wrong
for two reasons:

- It is semantically incorrect: a TCP congestion control program has no
  business calling SCX kfuncs such as scx_bpf_kick_cpu().
- With CONFIG_EXT_SUB_SCHED=y, kfuncs like scx_bpf_kick_cpu() call
  scx_prog_sched(aux), which invokes bpf_prog_get_assoc_struct_ops(aux)
  and casts the result to struct sched_ext_ops * before reading ops->priv.
  For a non-SCX struct_ops program the returned pointer is the kdata of
  that struct_ops type, which is far smaller than sched_ext_ops, making
  the read an out-of-bounds access (confirmed with KASAN).

Extend the filter to cover scx_kfunc_set_any and scx_kfunc_set_idle as
well, and deny all SCX kfuncs for any struct_ops program that is not the
SCX struct_ops. This addresses both issues: the semantic contract is
enforced at the verifier level, and the runtime out-of-bounds access
becomes unreachable.

Fixes: d1d3c1c6ae36 ("sched_ext: Add verifier-time kfunc context filter")
Suggested-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Cheng-Yang Chou <yphbchou0911@gmail.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Diffstat (limited to 'include')
0 files changed, 0 insertions, 0 deletions
