lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <576944C1.7080509@yandex-team.ru>
Date:	Tue, 21 Jun 2016 16:44:33 +0300
From:	Konstantin Khlebnikov <khlebnikov@...dex-team.ru>
To:	Peter Zijlstra <peterz@...radead.org>,
	Ingo Molnar <mingo@...hat.com>, linux-kernel@...r.kernel.org
Cc:	stable@...r.kernel.org
Subject: Re: [PATCH] sched/fair: do not announce throttled next buddy in
 dequeue_task_fair

On 16.06.2016 15:57, Konstantin Khlebnikov wrote:
> Hierarchy could be already throttled at this point. Throttled next
> buddy could trigger null pointer dereference in pick_next_task_fair().

trivial debug in set_next_buddy

@@ -4755,8 +4758,11 @@ static void set_next_buddy(struct sched_entity *se)
         if (entity_is_task(se) && unlikely(task_of(se)->policy == SCHED_IDLE))
                 return;

-       for_each_sched_entity(se)
+       for_each_sched_entity(se) {
+               if (WARN_ON_ONCE(!se->on_rq))
+                       return;
                 cfs_rq_of(se)->next = se;
+       }
  }

catched this

<4>[32815.274642] ------------[ cut here ]------------
<4>[32815.274651] WARNING: CPU: 6 PID: 92082 at kernel/sched/fair.c:4819 set_next_buddy+0x61/0x70()
<4>[32815.274652] Modules linked in: macvlan overlay ip6t_REJECT nf_reject_ipv6 ip6table_filter xt_multiport ip6_tables x_tables tcp_diag 
inet_diag bridge cls_cgroup sch_htb netconsole configfs 8021q mrp garp stp llc x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm 
crc32_pclmul aesni_intel ablk_helper cryptd lrw gf128mul ast ttm drm_kms_helper drm glue_helper aes_x86_64 sb_edac edac_core microcode 
sysimgblt sysfillrect syscopyarea lpc_ich mlx4_en mlx4_core vxlan udp_tunnel ip6_udp_tunnel tcp_htcp igb i2c_algo_bit ixgbe i2c_core dca 
ahci ptp libahci pps_core mdio raid10 raid456 async_pq async_xor xor async_memcpy async_raid6_recov raid6_pq async_tx raid1 raid0 multipath 
linear [last unloaded: ipmi_msghandler]
<4>[32815.274691] CPU: 6 PID: 92082 Comm: mlauncher.pl Not tainted 3.18.25-28.debug.7 #1
<4>[32815.274692] Hardware name: GIGABYTE T17I-234/GA-7PTSH, BIOS R22 07/21/2015
<4>[32815.274694]  00000000000012d3 ffff8827a6623b08 ffffffff816d0ec3 0000000000000007
<4>[32815.274695]  0000000000000000 ffff8827a6623b48 ffffffff8106bb2c ffff8827a6623b78
<4>[32815.274697]  ffff8800795eca80 ffff880079622480 ffff8800795eca80 ffff88326fb9dc20
<4>[32815.274699] Call Trace:
<4>[32815.274704]  [<ffffffff816d0ec3>] dump_stack+0x4e/0x68
<4>[32815.274707]  [<ffffffff8106bb2c>] warn_slowpath_common+0x8c/0xc0
<4>[32815.274709]  [<ffffffff8106bb7a>] warn_slowpath_null+0x1a/0x20
<4>[32815.274710]  [<ffffffff8109af81>] set_next_buddy+0x61/0x70
<4>[32815.274712]  [<ffffffff8109ea98>] check_preempt_wakeup+0x208/0x280
<4>[32815.274717]  [<ffffffff81092abf>] check_preempt_curr+0x8f/0xa0
<4>[32815.274718]  [<ffffffff8109b9e1>] attach_task+0x51/0x60
<4>[32815.274721]  [<ffffffff810a1c55>] load_balance+0x605/0x970
<4>[32815.274723]  [<ffffffff810a247a>] pick_next_task_fair+0x4ba/0x730
<4>[32815.274725]  [<ffffffff8109e625>] ? dequeue_task_fair+0x315/0x580
<4>[32815.274729]  [<ffffffff816d4143>] __schedule+0x103/0x800
<4>[32815.274731]  [<ffffffff816d4919>] schedule+0x29/0x70
<4>[32815.274733]  [<ffffffff816d7a5c>] do_nanosleep+0xac/0x130
<4>[32815.274736]  [<ffffffff810c358d>] hrtimer_nanosleep+0xad/0x160
<4>[32815.274738]  [<ffffffff810c1f70>] ? update_rmtp+0x70/0x70
<4>[32815.274740]  [<ffffffff810c36b6>] SyS_nanosleep+0x76/0x90
<4>[32815.274741]  [<ffffffff816d8f09>] system_call_fastpath+0x12/0x17
<4>[32815.274743] ---[ end trace 656c1001c069cc10 ]---

>
> Signed-off-by: Konstantin Khlebnikov <khlebnikov@...dex-team.ru>
> Cc: Stable <stable@...r.kernel.org> # v3.2+
> ---
>   kernel/sched/fair.c |    9 ++++-----
>   1 file changed, 4 insertions(+), 5 deletions(-)
>
> diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
> index fe809fe169d2..3c6b038cb734 100644
> --- a/kernel/sched/fair.c
> +++ b/kernel/sched/fair.c
> @@ -4519,15 +4519,14 @@ static void dequeue_task_fair(struct rq *rq, struct task_struct *p, int flags)
>
>   		/* Don't dequeue parent if it has other entities besides us */
>   		if (cfs_rq->load.weight) {
> +			/* avoid re-evaluating load for this entity */
> +			se = parent_entity(se);
>   			/*
>   			 * Bias pick_next to pick a task from this cfs_rq, as
>   			 * p is sleeping when it is within its sched_slice.
>   			 */
> -			if (task_sleep && parent_entity(se))
> -				set_next_buddy(parent_entity(se));
> -
> -			/* avoid re-evaluating load for this entity */
> -			se = parent_entity(se);
> +			if (task_sleep && se && !throttled_hierarchy(cfs_rq))
> +				set_next_buddy(se);
>   			break;
>   		}
>   		flags |= DEQUEUE_SLEEP;
>


-- 
Konstantin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ