CVE-2026-43482

An attacker who can trigger an error condition in the sched_ext BPF scheduler (e.g., via a crafted BPF program or by inducing a runtime fault) causes scx_claim_exit() to atomically set exit_kind, disabling further error handling. If the calling task is preempted before it can kick the helper kthread work, and the BPF scheduler fails to schedule it back, the helper work is never queued, bypass mode never activates, tasks stop being dispatched, and the system wedges. No special network path is required; the precondition is local ability to trigger a sched_ext error path.

The vulnerability affects the sched_ext subsystem, specifically the scx_claim_exit() function and its callers scx_disable() and scx_vexit(). The race window exists between the atomic exit_kind set in scx_claim_exit() and the subsequent kick of the helper kthread work that initiates bypass mode and teardown.

The patch series disables preemption across the scx_claim_exit() call and the subsequent helper work kick in both callers (scx_disable() and scx_vexit()). A lockdep_assert_preemption_disabled() is added to scx_claim_exit() to enforce the requirement at build/debug time. This closes the race window where a preempted task could leave the helper work unqueued, preventing bypass mode activation and causing a system hang.