In the Linux kernel, the following vulnerability has been resolved:
sched_ext: Fix scx_enable() crash on helper kthread creation failure
A crash was observed when the sched_ext selftests runner was terminated with Ctrl+\ while test 15 was running:
NIP [c00000000028fa58] scx_enable.constprop.0+0x358/0x12b0
LR [c00000000028fa2c] scx_enable.constprop.0+0x32c/0x12b0
Call Trace:
scx_enable.constprop.0+0x32c/0x12b0 (unreliable)
bpf_struct_ops_link_create+0x18c/0x22c
__sys_bpf+0x23f8/0x3044
sys_bpf+0x2c/0x6c
system_call_exception+0x124/0x320
system_call_vectored_common+0x15c/0x2ec
kthread_run_worker() returns an ERR_PTR() on failure rather than NULL, but the current code in scx_alloc_and_add_sched() only checks for a NULL helper. In case of failure on SIGQUIT, the error is not handled in scx_alloc_and_add_sched() and scx_enable() ends up dereferencing an error pointer.
Error handling is fixed in scx_alloc_and_add_sched() to propagate PTR_ERR() into ret, so that scx_enable() jumps to the existing error path, avoiding a dereference of the error pointer on failure.
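The NULL-only check and the IS_ERR() check described above, side by side in a userspace model. This is an added example, not the kernel patch: `run_worker()`, `alloc_sched_null_check()`, `alloc_sched_is_err()`, the structs and the `-EINTR` failure value are hypothetical stand-ins, and the `ERR_PTR()` helpers are reimplemented here so the file compiles outside the kernel.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
/* Userspace model of the kernel's ERR_PTR convention (constructed). */
#define MAX_ERRNO 4095
static void *ERR_PTR(long err) { return (void *)err; }
static long PTR_ERR(const void *p) { return (long)p; }
static int IS_ERR(const void *p) { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }

struct worker { int id; };
struct sched { struct worker *helper; };
static struct worker the_worker = { 1 };

/* Hypothetical stand-in for kthread_run_worker(): never returns NULL. */
static struct worker *run_worker(int fail)
{
    return fail ? ERR_PTR(-EINTR) : &the_worker;
}

/* Pre-fix shape: only NULL is treated as failure. */
static int alloc_sched_null_check(struct sched *sch, int fail)
{
    sch->helper = run_worker(fail);
    if (!sch->helper)
        return -ENOMEM;
    return 0; /* reports success while helper holds an error value */
}

/* Post-fix shape: IS_ERR() check, PTR_ERR() propagated into ret. */
static int alloc_sched_is_err(struct sched *sch, int fail)
{
    int ret = 0;
    sch->helper = run_worker(fail);
    if (IS_ERR(sch->helper)) {
        ret = (int)PTR_ERR(sch->helper);
        sch->helper = NULL; /* model's choice: keep no error value in the struct */
    }
    return ret;
}

int main(void)
{
    struct sched a, b;
    int ra = alloc_sched_null_check(&a, 1);
    int rb = alloc_sched_is_err(&b, 1);
    printf("null check: ret=%d helper_is_err=%d\n", ra, IS_ERR(a.helper));
    printf("IS_ERR check: ret=%d helper=%p\n", rb, (void *)b.helper);
    return 0;
}
```

With the NULL-only check the caller sees `ret == 0` and goes on to use `helper`, which is the condition the call trace above shows in scx_enable().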
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40260.json"
}