CVE-2026-31733

Source
https://cve.org/CVERecord?id=CVE-2026-31733
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31733.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-31733
Downstream
Published
2026-05-01T14:14:31.558Z
Modified
2026-07-15T01:49:20.933809175Z
Summary
sched_ext: Fix stale direct dispatch state in ddsp_dsq_id
Details

In the Linux kernel, the following vulnerability has been resolved:

schedext: Fix stale direct dispatch state in ddspdsq_id

@p->scx.ddspdsqid can be left set (non-SCXDSQINVALID) triggering a spurious warning in markdirectdispatch() when the next wakeup's ops.selectcpu() calls scxbpfdsqinsert(), such as:

WARNING: kernel/sched/ext.c:1273 at scxdsqinsert_commit+0xcd/0x140

The root cause is that ddspdsqid was only cleared in dispatch_enqueue(), which is not reached in all paths that consume or cancel a direct dispatch verdict.

Fix it by clearing it at the right places:

  • directdispatch(): cache the direct dispatch state in local variables and clear it before dispatchenqueue() on the synchronous path. For the deferred path, the direct dispatch state must remain set until processddspdeferred_locals() consumes them.

  • processddspdeferredlocals(): cache the dispatch state in local variables and clear it before calling dispatchtolocaldsq(), which may migrate the task to another rq.

  • doenqueuetask(): clear the dispatch state on the enqueue path (local/global/bypass fallbacks), where the direct dispatch verdict is ignored.

  • dequeuetaskscx(): clear the dispatch state after dispatchdequeue() to handle both the deferred dispatch cancellation and the holdingcpu race, covering all cases where a pending direct dispatch is cancelled.

  • scxdisabletask(): clear the direct dispatch state when transitioning a task out of the current scheduler. Waking tasks may have had the direct dispatch state set by the outgoing scheduler's ops.selectcpu() and then been queued on a wakelist via ttwuqueuewakelist(), when SCXOPSALLOWQUEUEDWAKEUP is set. Such tasks are not on the runqueue and are not iterated by scxbypass(), so their direct dispatch state won't be cleared. Without this clear, any subsequent SCX scheduler that tries to direct dispatch the task will trigger the WARNONONCE() in markdirect_dispatch().

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31733.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
5b26f7b920f76b2b9cc398c252a9e35e44bf5bb9
Fixed
ca685511f7afd42cdcbb0feea42e5d332d384251
Fixed
5e7b2cc8fae9ec2a5bc53311191d2faaff75a4b5
Fixed
7ea601daa0153e19cd1c6e6b300348c70c05fe77
Fixed
7e0ffb72de8aa3b25989c2d980e81b829c577010

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31733.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.12.0
Fixed
6.12.82
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.22
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
6.19.12

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31733.json"