sched_ext: Remove redundant css_put() in scx_cgroup_init()

EricccTaiwan · htejun · commit 1336b579f607 · 2026-03-03T06:22:37.000-10:00
The iterator css_for_each_descendant_pre() walks the cgroup hierarchy under cgroup_lock(). It does not increment the reference counts on yielded css structs. According to the cgroup documentation, css_put() should only be used to release a reference obtained via css_get() or css_tryget_online(). Since the iterator does not use either of these to acquire a reference, calling css_put() in the error path of scx_cgroup_init() causes a refcount underflow. Remove the unbalanced css_put() to prevent a potential Use-After-Free (UAF) vulnerability. Fixes: 8195136 ("sched_ext: Add cgroup support") Cc: stable@vger.kernel.org # v6.12+ Signed-off-by: Cheng-Yang Chou <yphbchou0911@gmail.com> Reviewed-by: Andrea Righi <arighi@nvidia.com> Signed-off-by: Tejun Heo <tj@kernel.org>
diff --git a/kernel/sched/ext.c b/kernel/sched/ext.c
@@ -3589,7 +3589,6 @@ static int scx_cgroup_init(struct scx_sched *sch)
 		ret = SCX_CALL_OP_RET(sch, SCX_KF_UNLOCKED, cgroup_init, NULL,
 				      css->cgroup, &args);
 		if (ret) {
-			css_put(css);
 			scx_error(sch, "ops.cgroup_init() failed (%d)", ret);
 			return ret;
 		}

Original file line number	Diff line number	Diff line change
`@@ -3589,7 +3589,6 @@ static int scx_cgroup_init(struct scx_sched *sch)`
`3589`	`3589`	`ret = SCX_CALL_OP_RET(sch, SCX_KF_UNLOCKED, cgroup_init, NULL,`
`3590`	`3590`	`css->cgroup, &args);`
`3591`	`3591`	`if (ret) {`
`3592`		`- css_put(css);`
`3593`	`3592`	`scx_error(sch, "ops.cgroup_init() failed (%d)", ret);`
`3594`	`3593`	`return ret;`
`3595`	`3594`	`}`