CVE-2025-21919

In the Linux kernel, the following vulnerability has been resolved:

sched/fair: Fix potential memory corruption in childcfsrqonlist

childcfsrqonlist attempts to convert a 'prev' pointer to a cfsrq. This 'prev' pointer can originate from struct rq's leafcfsrqlist, making the conversion invalid and potentially leading to memory corruption. Depending on the relative positions of leafcfsrq_list and the task group (tg) pointer within the struct, this can cause a memory fault or access garbage data.

The issue arises in listaddleafcfsrq, where both cfsrq->leafcfsrqlist and rq->leafcfsrqlist are added to the same leaf list. Also, rq->tmpalonebranch can be set to rq->leafcfsrqlist.

This adds a check if (prev == &rq->leaf_cfs_rq_list) after the main conditional in childcfsrqonlist. This ensures that the containerof operation will convert a correct cfsrq struct.

This check is sufficient because only cfs_rqs on the same CPU are added to the list, so verifying the 'prev' pointer against the current rq's list head is enough.

Fixes a potential memory corruption issue that due to current struct layout might not be manifesting as a crash but could lead to unpredictable behavior when the layout changes.