sched/fair: Clear rel_deadline when initializing forked entities

Summary

CVE	CVE-2026-52980
State	PUBLISHED
Assigner	Linux
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-06-24 17:17:08 UTC
Updated	2026-06-24 17:17:08 UTC
Description	In the Linux kernel, the following vulnerability has been resolved: sched/fair: Clear rel_deadline when initializing forked entities A yield-triggered crash can happen when a newly forked sched_entity enters the fair class with se->rel_deadline unexpectedly set. The failing sequence is: 1. A task is forked while se->rel_deadline is still set. 2. __sched_fork() initializes vruntime, vlag and other sched_entity state, but does not clear rel_deadline. 3. On the first enqueue, enqueue_entity() calls place_entity(). 4. Because se->rel_deadline is set, place_entity() treats se->deadline as a relative deadline and converts it to an absolute deadline by adding the current vruntime. 5. However, the forked entity's deadline is not a valid inherited relative deadline for this new scheduling instance, so the conversion produces an abnormally large deadline. 6. If the task later calls sched_yield(), yield_task_fair() advances se->vruntime to se->deadline. 7. The inflated vruntime is then used by the following enqueue path, where the vruntime-derived key can overflow when multiplied by the entity weight. 8. This corrupts cfs_rq->sum_w_vruntime, breaks EEVDF eligibility calculation, and can eventually make all entities appear ineligible. pick_next_entity() may then return NULL unexpectedly, leading to a later NULL dereference. A captured trace shows the effect clearly. Before yield, the entity's vruntime was around: 9834017729983308 After yield_task_fair() executed: se->vruntime = se->deadline the vruntime jumped to: 19668035460670230 and the deadline was later advanced further to: 19668035463470230 This shows that the deadline had already become abnormally large before yield_task_fair() copied it into vruntime. rel_deadline is only meaningful when se->deadline really carries a relative deadline that still needs to be placed against vruntime. A freshly forked sched_entity should not inherit or retain this state. Clear se->rel_deadline in __sched_fork(), together with the other sched_entity runtime state, so that the first enqueue does not interpret the new entity's deadline as a stale relative deadline.

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Linux	Linux	affected 82e9d0456e06cebe2c89f3c73cdbc9e3805e9437 c71bf35caba12bfd9bc23e32b0bcd9e02d1cf1ac git	Not specified
CNA	Linux	Linux	affected 82e9d0456e06cebe2c89f3c73cdbc9e3805e9437 f3c16e1f4a314a20717ab90a41885f8111a242ab git	Not specified
CNA	Linux	Linux	affected 82e9d0456e06cebe2c89f3c73cdbc9e3805e9437 8f4a16200785f49cf02c5b71bdfe7a9dab63f23a git	Not specified
CNA	Linux	Linux	affected 82e9d0456e06cebe2c89f3c73cdbc9e3805e9437 3da56dc063cd77b9c0b40add930767fab4e389f3 git	Not specified
CNA	Linux	Linux	affected 6.12	Not specified
CNA	Linux	Linux	unaffected 6.12 semver	Not specified
CNA	Linux	Linux	unaffected 6.12.91 6.12.* semver	Not specified
CNA	Linux	Linux	unaffected 6.18.33 6.18.* semver	Not specified
CNA	Linux	Linux	unaffected 7.0.10 7.0.* semver	Not specified
CNA	Linux	Linux	unaffected 7.1 * original_commit_for_fix	Not specified

References

Reference	Source	Link	Tags
git.kernel.org/stable/c/c71bf35caba12bfd9bc23e32b0bcd9e02d1cf1ac	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/8f4a16200785f49cf02c5b71bdfe7a9dab63f23a	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/3da56dc063cd77b9c0b40add930767fab4e389f3	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/f3c16e1f4a314a20717ab90a41885f8111a242ab	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.