github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-05-12 16:18:45 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity
010b7723c0
linux/kernel/sched
History
Zicheng Qu 3da56dc063 sched/fair: Clear rel_deadline when initializing forked entities 
A yield-triggered crash can happen when a newly forked sched_entity
enters the fair class with se->rel_deadline unexpectedly set.

The failing sequence is:

  1. A task is forked while se->rel_deadline is still set.
  2. __sched_fork() initializes vruntime, vlag and other sched_entity
     state, but does not clear rel_deadline.
  3. On the first enqueue, enqueue_entity() calls place_entity().
  4. Because se->rel_deadline is set, place_entity() treats se->deadline
     as a relative deadline and converts it to an absolute deadline by
     adding the current vruntime.
  5. However, the forked entity's deadline is not a valid inherited
     relative deadline for this new scheduling instance, so the conversion
     produces an abnormally large deadline.
  6. If the task later calls sched_yield(), yield_task_fair() advances
     se->vruntime to se->deadline.
  7. The inflated vruntime is then used by the following enqueue path,
     where the vruntime-derived key can overflow when multiplied by the
     entity weight.
  8. This corrupts cfs_rq->sum_w_vruntime, breaks EEVDF eligibility
     calculation, and can eventually make all entities appear ineligible.
     pick_next_entity() may then return NULL unexpectedly, leading to a
     later NULL dereference.

A captured trace shows the effect clearly. Before yield, the entity's
vruntime was around:

  9834017729983308

After yield_task_fair() executed:

  se->vruntime = se->deadline

the vruntime jumped to:

  19668035460670230

and the deadline was later advanced further to:

  19668035463470230

This shows that the deadline had already become abnormally large before
yield_task_fair() copied it into vruntime.

rel_deadline is only meaningful when se->deadline really carries a
relative deadline that still needs to be placed against vruntime. A
freshly forked sched_entity should not inherit or retain this state.
Clear se->rel_deadline in __sched_fork(), together with the other
sched_entity runtime state, so that the first enqueue does not interpret
the new entity's deadline as a stale relative deadline.

Fixes: 82e9d0456e ("sched/fair: Avoid re-setting virtual deadline on 'migrations'")
Analyzed-by: Hui Tang <tanghui20@huawei.com>
Analyzed-by: Zhang Qiao <zhangqiao22@huawei.com>
Signed-off-by: Zicheng Qu <quzicheng@huawei.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://patch.msgid.link/20260424071113.1199600-1-quzicheng@huawei.com
2026-04-28 09:19:54 +02:00
..
autogroup.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
autogroup.h
build_policy.c sched_ext: Move internal type and accessor definitions to ext_internal.h 2025-09-03 11:33:28 -10:00
build_utility.c
clock.c sched/clock: Avoid false sharing for sched_clock_irqtime 2026-02-03 12:04:19 +01:00
completion.c
core_sched.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
core.c sched/fair: Clear rel_deadline when initializing forked entities 2026-04-28 09:19:54 +02:00
cpuacct.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
cpudeadline.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
cpudeadline.h sched/deadline: only set free_cpus for online runqueues 2025-10-16 11:13:49 +02:00
cpufreq_schedutil.c cpufreq: Pass the policy to cpufreq_driver->adjust_perf() 2026-04-02 11:30:24 -05:00
cpufreq.c
cpupri.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
cpupri.h
cputime.c - A nice cleanup to the paravirt code containing a unification of the paravirt 2026-02-10 19:01:45 -08:00
deadline.c Runtime Verification updates for 7.1: 2026-04-15 17:15:18 -07:00
debug.c Merge branch 'sched/urgent' into sched/core, to resolve conflicts 2026-04-02 15:04:09 +02:00
ext_idle.c sched_ext: Remove runtime kfunc mask enforcement 2026-04-10 07:54:06 -10:00
ext_idle.h sched_ext: Add verifier-time kfunc context filter 2026-04-10 07:54:06 -10:00
ext_internal.h sched_ext: Add verifier-time kfunc context filter 2026-04-10 07:54:06 -10:00
ext.c tracing updates for v7.1: 2026-04-17 09:43:12 -07:00
ext.h sched_ext: Add @kargs to scx_fork() 2026-03-06 07:58:02 -10:00
fair.c sched/fair: Fix wakeup_preempt_fair() vs delayed dequeue 2026-04-28 09:19:54 +02:00
features.h Scheduler changes for v7.1: 2026-04-14 13:33:36 -07:00
idle.c sched: idle: Consolidate the handling of two special cases 2026-03-16 20:29:47 +01:00
isolation.c cgroup/cpuset: Call housekeeping_update() without holding cpus_read_lock 2026-02-23 10:46:49 -10:00
loadavg.c
Makefile sched: Enable context analysis for core.c and fair.c 2026-01-05 16:43:36 +01:00
membarrier.c rseq: Simplify the event notification 2025-11-04 08:30:09 +01:00
pelt.c treewide: Update email address 2026-01-11 06:09:11 -10:00
pelt.h sched/fair: Switch to task based throttle model 2025-09-03 10:03:14 +02:00
psi.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
rq-offsets.c sched: Make migrate_{en,dis}able() inline 2025-09-25 09:57:16 +02:00
rt.c sched/rt: Cleanup global RT bandwidth functions 2026-04-08 13:11:44 +02:00
sched-pelt.h
sched.h sched_ext: Changes for v7.1 2026-04-15 10:54:24 -07:00
smp.h
stats.c
stats.h delayacct: add timestamp of delay max 2026-01-31 16:16:06 -08:00
stop_task.c sched/core: Rework sched_class::wakeup_preempt() and rq_modified_*() 2025-12-17 10:53:25 +01:00
swait.c
syscalls.c Linux 7.0-rc4 2026-03-17 07:14:42 +01:00
topology.c sched/fair: Use sched_energy_enabled() 2026-04-03 14:23:41 +02:00
wait_bit.c
wait.c