Re: 2.6.24-rc1-gb4f5550 oops

view
thread

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

From: Oleg Nesterov

Date: Wednesday, November 14, 2007 - 8:17 am

Grant Wilson wrote:
quoted text>
> [18073.371126] Unable to handle kernel NULL pointer dereference at 0000000000000120 RIP:
> [18073.371134]  [<ffffffff8023572e>] check_preempt_wakeup+0x6e/0x110
> [18073.371144] PGD 81f9067 PUD 81c8067 PMD 0
> [18073.371151] Oops: 0000 [1] PREEMPT SMP
> [18073.371157] CPU 2
> [18073.371161] Modules linked in: vfat fat
> [18073.371168] Pid: 4639, comm: kwin Not tainted 2.6.24-rc1 #1
> [18073.371171] RIP: 0010:[<ffffffff8023572e>]  [<ffffffff8023572e>] check_preempt_wakeup+0x6e/0x110
> [18073.371177] RSP: 0018:ffff810008531a78  EFLAGS: 00010006
> [18073.371179] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
> [18073.371183] RDX: ffff810004441bf0 RSI: ffff81000801e860 RDI: ffff81000444ab80
> [18073.371186] RBP: ffff810008531aa8 R08: 000000d0d47a4a90 R09: 0000000000000000
> [18073.371188] R10: ffff810004441bf0 R11: 0000000000000001 R12: ffff810006520400
> [18073.371190] R13: ffff81000801e860 R14: ffff81000a63a000 R15: ffff81000443d8e0
> [18073.371193] FS:  00002b7d646a86f0(0000) GS:ffff810004c11780(0000) knlGS:0000000000000000
> [18073.371196] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
> [18073.371199] CR2: 0000000000000120 CR3: 0000000008495000 CR4: 00000000000006e0
> [18073.371202] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [18073.371211] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
> [18073.371214] Process kwin (pid: 4639, threadinfo ffff810008530000, task ffff81000840a860)
> [18073.371216] Stack:  ffff81000444ab80 0000000000000001 ffff81000801e860 ffff81000444ab80
> [18073.371231]  0000000000000002 ffff81000443d8e0 ffff810008531b38 ffffffff8023061e
> [18073.371238]  0000000000000000 ffff810004441b80 0000000000000002 0000000100000000
> [18073.371245] Call Trace:
> [18073.371250]  [<ffffffff8023061e>] try_to_wake_up+0x2fe/0x3a0

I suspect I see the bug in that area, but I am not sure it can explain this
trace completely.

Suppose that the SCHED_FIFO task does

	switch_uid(new_user);

Now, p->se.cfs_rq and p->se.parent both point into the old user_struct->tg
because sched_move_task() doesn't call set_task_cfs_rq() for !fair_sched_class
case.

Suppose that old user_struct/task_group is freed/reused, and the task does

	sched_setscheduler(SCHED_NORMAL);

__setscheduler() sets fair_sched_class, but doesn't update ->se.cfs_rq/parent
which point to the freed memory.

This means that check_preempt_wakeup() doing

		while (!is_same_group(se, pse)) {
			se = parent_entity(se);
			pse = parent_entity(pse);
		}

may OOPS in a similar way if rq->curr or p did something like above.

Perhaps we need something like the patch below, note that __setscheduler()
can't do set_task_cfs_rq().

Oleg.

--- kernel/sched.c	2007-11-14 17:32:21.000000000 +0300
+++ -	2007-11-14 18:14:00.245492756 +0300
@@ -7068,8 +7068,10 @@ void sched_move_task(struct task_struct 
 
 	rq = task_rq_lock(tsk, &flags);
 
-	if (tsk->sched_class != &fair_sched_class)
+	if (tsk->sched_class != &fair_sched_class) {
+		set_task_cfs_rq(tsk);
 		goto done;
+	}
 
 	update_rq_clock(rq);
 

-
unsubscribe noticeTo unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

Re: 2.6.24-rc1-gb4f5550 oops, Oleg Nesterov, (Wed Nov 14, 8:17 am)

Re: 2.6.24-rc1-gb4f5550 oops, Ingo Molnar, (Wed Nov 14, 8:29 am)

Re: 2.6.24-rc1-gb4f5550 oops, Oleg Nesterov, (Wed Nov 14, 8:50 am)

Re: 2.6.24-rc1-gb4f5550 oops, Ingo Molnar, (Wed Nov 14, 8:59 am)

Re: 2.6.24-rc1-gb4f5550 oops, Ingo Molnar, (Wed Nov 14, 9:02 am)

Re: 2.6.24-rc1-gb4f5550 oops, Srivatsa Vaddagiri, (Wed Nov 14, 9:37 am)

Re: 2.6.24-rc1-gb4f5550 oops, Oleg Nesterov, (Wed Nov 14, 10:48 am)

Navigation

Popular discussions


linux-kernel:
Jesse Barnes	Re: [stable] [BUG][PATCH] cpqphp: fix kernel NULL pointer dereference
Greg KH	[003/136] p54usb: add Zcomax XG-705A usbid
Magnus Damm	[PATCH 03/07] ARM: Use shared GIC entry macros on Realview
Oliver Neukum	Re: [Bug #13682] The webcam stopped working when upgrading from 2.6.29 to 2.6.30
Martin Schwidefsky	Re: [PATCH] optimized ktime_get[_ts] for GENERIC_TIME=y
git:
Junio C Hamano	Re: Some advanced index playing
Jeff King	Re: confusion over the new branch and merge config
Robin Rosenberg	Re: cvs2svn conversion directly to git ready for experimentation
Linus Torvalds	git binary size...
Ævar Arnfjörð Bjarmason	Re: Challenge with Git-Bash
git-commits-head:
Linux Kernel Mailing List	md: move allocation of ->queue from mddev_find to md_probe
Linux Kernel Mailing List	md: raid0: Represent zone->zone_offset in sectors.
Linux Kernel Mailing List	[ARM] S3C24XX: Add gpio_to_irq() facility
Linux Kernel Mailing List	md: raid0_make_request(): Replace local variable block by sector.
Linux Kernel Mailing List	md: Allow md devices to be created by name.
linux-netdev:
kaber	[PATCH 07/12] netfilter: xtables: change hotdrop pointer to direct modification
Gerrit Renker	[PATCH 3/5] dccp ccid-2: Remove redundant sanity tests
David Miller	Re: [PATCH net-next-2.6] pcnet32: Remove redundant set of skb->dev
Gerrit Renker	[PATCH 4/5] dccp ccid-2: Simplify dec_pipe and rearming of RTO timer
Saikiran Madugula	[PATCH] Allow fragmentation of VLAN packets traversing a bridge.
freebsd-current:
Ryan Stone	Re: Re[3]: [Call For Testing] VirtualBox for FreeBSD! take2
Alexey Shuvaev	Re: Ruby w/clang (Was: Re: [CFT]: ClangBSD is selfhosting, we need testers now)
Cristian KLEIN	Re: small purposal for change in installworld
FreeBSD Tinderbox	[head tinderbox] failure on sparc64/sparc64
Mark Martinec	Support for newer Ethernet chips in RE(4) driver?

Colocation donated by:

Syndicate