{"id":"CVE-2025-40260","summary":"sched_ext: Fix scx_enable() crash on helper kthread creation failure","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nsched_ext: Fix scx_enable() crash on helper kthread creation failure\n\nA crash was observed when the sched_ext selftests runner was\nterminated with Ctrl+\\ while test 15 was running:\n\nNIP [c00000000028fa58] scx_enable.constprop.0+0x358/0x12b0\nLR [c00000000028fa2c] scx_enable.constprop.0+0x32c/0x12b0\nCall Trace:\nscx_enable.constprop.0+0x32c/0x12b0 (unreliable)\nbpf_struct_ops_link_create+0x18c/0x22c\n__sys_bpf+0x23f8/0x3044\nsys_bpf+0x2c/0x6c\nsystem_call_exception+0x124/0x320\nsystem_call_vectored_common+0x15c/0x2ec\n\nkthread_run_worker() returns an ERR_PTR() on failure rather than NULL,\nbut the current code in scx_alloc_and_add_sched() only checks for a NULL\nhelper. In case of failure on SIGQUIT, the error is not handled in\nscx_alloc_and_add_sched() and scx_enable() ends up dereferencing an\nerror pointer.\n\nError handling is fixed in scx_alloc_and_add_sched() to propagate\nPTR_ERR() into ret, so that scx_enable() jumps to the existing error\npath, avoiding random dereference on failure.","modified":"2026-04-02T12:48:20.864757Z","published":"2025-12-04T16:08:20.590Z","database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40260.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/625e173e2a59b6cf6cbfb51c0a6bea47f3861eab"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7b6216baae751369195fa3c83d434d23bcda406a"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40260.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-40260"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"bff3b5aec1b727b620adc7c47085592802390125"},{"fixed":"625e173e2a59b6cf6cbfb51c0a6bea47f3861eab"},{"fixed":"7b6216baae751369195fa3c83d434d23bcda406a"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-40260.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.16.0"},{"fixed":"6.17.10"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-40260.json"}}],"schema_version":"1.7.5"}