In the Linux kernel, the following vulnerability has been resolved:
sched/fair: Fix fault in reweight_entity
Syzbot found a GPF in reweight_entity. This has been bisected to commit 4ef0c5c6b5ba ("kernel/sched: Fix sched_fork() access an invalid sched_task_group")
There is a race between sched_post_fork() and setpriority(PRIO_PGRP) within a thread group that causes a null-ptr-deref in reweight_entity() in CFS. The scenario is that the main process spawns a number of new threads, which then call setpriority(PRIO_PGRP, 0, -20), wait, and exit. For each of the new threads the copy_process() gets invoked, which adds the new task_struct and calls sched_post_fork() for it.
In the above scenario there is a possibility that setpriority(PRIO_PGRP) and set_one_prio() will be called for a thread in the group that is just being created by copy_process(), and for which the sched_post_fork() has not been executed yet. This will trigger a null pointer dereference in reweight_entity(), as it will try to access the run queue pointer, which hasn't been set.
Before the mentioned change the cfs_rq pointer for the task has been set in sched_fork(), which is called much earlier in copy_process(), before the new task is added to the thread_group. Now it is done in the sched_post_fork(), which is called after that. To fix the issue, remove the update_load param from the update_load_param() function and call reweight_task() only if the task flag doesn't have the TASK_NEW flag set.
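The interleaving described above, replayed as an added example in a small sequential C model that is not kernel code: the struct layouts, the function bodies and the weight accounting are simplified stand-ins constructed for illustration, and `replay_race()` is a hypothetical driver. Only the `TASK_NEW` bit value and the nice -20 / nice 0 weights (88761 and 1024) are taken from the kernel.

```c
#include <stdbool.h>
#include <stddef.h>

#define TASK_NEW 0x0800   /* same bit value as the kernel's TASK_NEW */

struct cfs_rq { long weight_sum; };   /* stand-in for the real run queue */

struct task {
    unsigned int state;     /* kernel: p->__state */
    struct cfs_rq *cfs_rq;  /* kernel: set up by sched_post_fork() */
    long weight;            /* kernel: p->se.load.weight */
};

/* Model of reweight_entity(): needs the run queue. Returns false where the
 * real function faults on the NULL cfs_rq of a half-created task. */
static bool reweight_entity(struct task *p, long weight)
{
    if (!p->cfs_rq)
        return false;                 /* kernel: null-ptr-deref / GPF here */
    p->cfs_rq->weight_sum += weight - p->weight;
    p->weight = weight;
    return true;
}

/* Pre-fix path: set_one_prio() -> set_load_weight(p, update_load = true),
 * which reweights regardless of whether sched_post_fork() has run yet. */
static bool set_load_weight_unfixed(struct task *p, long weight)
{
    return reweight_entity(p, weight);
}

/* Post-fix path: update_load is derived from TASK_NEW, so a task that
 * copy_process() has not finished setting up only gets its weight recorded. */
static bool set_load_weight_fixed(struct task *p, long weight)
{
    bool update_load = !(p->state & TASK_NEW);
    if (!update_load) {
        p->weight = weight;           /* accounted once the task is enqueued */
        return true;
    }
    return reweight_entity(p, weight);
}

/* Model of sched_post_fork(): attach the run queue and clear TASK_NEW. */
static void sched_post_fork(struct task *p, struct cfs_rq *rq)
{
    p->cfs_rq = rq;
    p->state &= ~TASK_NEW;
    rq->weight_sum += p->weight;
}

/* Hypothetical driver: setpriority(PRIO_PGRP, 0, -20) reaches a thread that
 * copy_process() has added to the group but sched_post_fork() has not yet
 * initialised. Returns false if the model "faulted". */
bool replay_race(bool fixed, long *final_weight_sum)
{
    struct cfs_rq rq = { 0 };
    struct task t = { TASK_NEW, NULL, 1024 };   /* fresh thread, nice 0 */
    bool ok = fixed ? set_load_weight_fixed(&t, 88761)   /* nice -20 */
                    : set_load_weight_unfixed(&t, 88761);
    sched_post_fork(&t, &rq);
    *final_weight_sum = rq.weight_sum;
    return ok;
}
```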