In the Linux kernel, the following vulnerability has been resolved:
sched/fair: Fix fault in reweight_entity
Syzbot found a GPF in reweight_entity. This has been bisected to commit 4ef0c5c6b5ba ("kernel/sched: Fix sched_fork() access an invalid sched_task_group")
There is a race between sched_post_fork() and setpriority(PRIO_PGRP) within a thread group that causes a null-ptr-deref in reweight_entity() in CFS. The scenario is that the main process spawns a number of new threads, which then call setpriority(PRIO_PGRP, 0, -20), wait, and exit. For each of the new threads the copy_process() gets invoked, which adds the new task_struct and calls sched_post_fork() for it.
In the above scenario there is a possibility that setpriority(PRIO_PGRP) and set_one_prio() will be called for a thread in the group that is just being created by copy_process(), and for which the sched_post_fork() has not been executed yet. This will trigger a null pointer dereference in reweight_entity(), as it will try to access the run queue pointer, which hasn't been set.
Before the mentioned change the cfs_rq pointer for the task has been set in sched_fork(), which is called much earlier in copy_process(), before the new task is added to the thread_group. Now it is done in the sched_post_fork(), which is called after that. To fix the issue, remove the update_load param from the update_load param() function and call reweight_task() only if the task flag doesn't have the TASK_NEW flag set.
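As an added illustration that is not part of the advisory or of the kernel source, the following constructed user-space C model shows why the fix guards on TASK_NEW: a thread that copy_process() has already linked into the group but that has not yet passed through sched_post_fork() has no run queue, so the group-wide setpriority(PRIO_PGRP) path must give it only its static weight and skip the reweight. Function names mirror the ones in the text; the structs, the TASK_NEW bit value and the weight formula are toy assumptions.

```c
#include <stddef.h>
/* Constructed user-space model of the race fixed above, not kernel code;
 * TASK_NEW's value and the weight formula are toy choices. */
#define TASK_NEW 0x0800
struct cfs_rq { int nr_reweights; };
struct task_struct {
    unsigned int state;       /* stands in for p->__state */
    int static_prio;          /* 0..39, like static_prio - MAX_RT_PRIO */
    struct cfs_rq *cfs_rq;    /* NULL until sched_post_fork() has run */
    int weight;
    struct task_struct *next; /* thread-group list link */
};
static int toy_weight(int prio) { return 40 - prio; }

/* Stands in for reweight_task()/reweight_entity(): it touches the run
 * queue unconditionally, so a NULL cfs_rq here is the reported fault. */
static void reweight_task(struct task_struct *p, int prio)
{
    p->cfs_rq->nr_reweights++;
    p->weight = toy_weight(prio);
}

/* Fixed set_load_weight(): a task still flagged TASK_NEW has no run queue
 * yet, so it only gets its static weight and is not reweighted. */
static void set_load_weight(struct task_struct *p)
{
    if (!(p->state & TASK_NEW))
        reweight_task(p, p->static_prio);
    else
        p->weight = toy_weight(p->static_prio);
}

/* set_one_prio() walking the thread group for setpriority(PRIO_PGRP). */
static void set_group_prio(struct task_struct *group, int prio)
{
    for (struct task_struct *p = group; p; p = p->next) {
        p->static_prio = prio;
        set_load_weight(p);
    }
}

/* Race window: t_new is linked into the group by copy_process() but its
 * sched_post_fork() has not run. Returns the reweights on the run queue. */
int run_scenario(int *new_weight)
{
    struct cfs_rq rq = { 0 };
    struct task_struct t_new = { TASK_NEW, 20, NULL, 0, NULL };
    struct task_struct t2 = { 0, 20, &rq, 0, &t_new };
    struct task_struct t1 = { 0, 20, &rq, 0, &t2 };
    set_group_prio(&t1, 0);   /* nice -20 for all three; t_new is skipped */
    *new_weight = t_new.weight;
    return rq.nr_reweights;   /* 2: only the two initialised threads */
}
```

Dropping the TASK_NEW test in set_load_weight() reproduces the pre-fix behaviour: the loop would call reweight_task() on t_new and dereference its NULL cfs_rq.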