Date:   Fri, 20 Nov 2020 21:15:28 +1100
From:   "Singh, Balbir" <>
To:     "Joel Fernandes (Google)" <>,
        Nishanth Aravamudan <>,
        Julien Desfossez <>,
        Peter Zijlstra <>,
        Tim Chen <>,
        Vineeth Pillai <>,
        Aaron Lu <>,
        Aubrey Li <>,
        Phil Auld <>,
        Valentin Schneider <>,
        Mel Gorman <>,
        Pawan Gupta <>,
        Paolo Bonzini <>,
        Chen Yu <>,
        Christian Brauner <>,
        Agata Gruza <>,
        Antonio Gomez Iglesias <>,
        Alexandre Chartre <>,
        Dhaval Giani <>,
        Junaid Shahid <>, Ben Segall <>,
        Josh Don <>, Hao Luo <>,
        Tom Lendacky <>,
        Aubrey Li <>,
        "Paul E. McKenney" <>,
        Tim Chen <>
Subject: Re: [PATCH -tip 03/32] sched/fair: Fix pick_task_fair crashes due to empty rbtree

On 18/11/20 10:19 am, Joel Fernandes (Google) wrote:
> From: Peter Zijlstra <>
>
> pick_next_entity() is passed curr == NULL during core-scheduling. Due to
> this, if the rbtree is empty, the 'left' variable is set to NULL within
> the function. This can cause crashes within the function.
>
> This is not an issue if put_prev_task() is invoked on the currently
> running task before calling pick_next_entity(). However, in core
> scheduling, it is possible that a sibling CPU picks for another RQ in
> the core, via pick_task_fair(). This remote sibling would not get any
> opportunities to do a put_prev_task().
>
> Fix it by refactoring pick_task_fair() such that pick_next_entity() is
> called with the cfs_rq->curr. This will prevent pick_next_entity() from
> crashing if its rbtree is empty.
>
> Also this fixes another possible bug where update_curr() would not be
> called on the cfs_rq hierarchy if the rbtree is empty. This could affect
> cross-cpu comparison of vruntime.

It is not clear from the changelog what put_prev_task() does to prevent
the crash from occurring. Why did we pass NULL as curr in the first place to

The patch looks functionally correct as in, it passes curr as the reference
to pick_next_entity() for left and entity_before comparisons.

Balbir Singh
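The failure mode described in the quoted changelog, as an added C model that is not the kernel's code: a sorted array stands in for the cfs_rq rbtree, entity_before() is reduced to a vruntime comparison, and pick_task_old()/pick_task_fixed() are hypothetical names for the pick before and after it is made to pass cfs_rq->curr.

```c
/* Simplified model of the pick_next_entity() problem from the changelog.
 * Not kernel code: the rbtree is a vruntime-sorted array and entity_before()
 * is a plain comparison. The shape of pick_next_entity() mirrors the kernel's
 * "left = leftmost; if (!left || curr before left) left = curr" selection. */
#include <stddef.h>
#include <stdbool.h>
#include <stdint.h>

struct sched_entity { uint64_t vruntime; };

struct cfs_rq {
    struct sched_entity *curr;     /* entity currently running on this rq, or NULL */
    struct sched_entity *tree[8];  /* stand-in for the rbtree, sorted by vruntime */
    size_t nr;                     /* number of entities queued in the tree */
};

/* Smaller vruntime runs first. */
static bool entity_before(const struct sched_entity *a, const struct sched_entity *b)
{
    return a->vruntime < b->vruntime;
}

/* Leftmost entity of the tree, NULL when the tree is empty. */
static struct sched_entity *pick_first_entity(struct cfs_rq *cfs_rq)
{
    return cfs_rq->nr ? cfs_rq->tree[0] : NULL;
}

/* Choose between the leftmost queued entity and curr. With curr == NULL and an
 * empty tree the result is NULL, which the later selection logic dereferences
 * (the crash the changelog describes). */
static struct sched_entity *pick_next_entity(struct cfs_rq *cfs_rq,
                                             struct sched_entity *curr)
{
    struct sched_entity *left = pick_first_entity(cfs_rq);

    if (!left || (curr && entity_before(curr, left)))
        left = curr;
    return left;
}

/* Before the fix: a sibling CPU picking for this rq has not done put_prev_task()
 * for the running task, and passes curr == NULL. */
static struct sched_entity *pick_task_old(struct cfs_rq *cfs_rq)
{
    return pick_next_entity(cfs_rq, NULL);
}

/* After the fix: pass cfs_rq->curr so the running task stays a candidate and an
 * empty tree yields it instead of NULL. */
static struct sched_entity *pick_task_fixed(struct cfs_rq *cfs_rq)
{
    return pick_next_entity(cfs_rq, cfs_rq->curr);
}
```

pick_task_fixed() also keeps the running task in the comparison when its vruntime is below the leftmost queued entity, which the old call silently dropped.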
