Hi,
Attached config seems to yield following crash ~5 seconds from kernel
init on Lenovo X201. Any pointers? Sorry for horrible output, its
manually copied from console.
call_timer_fn 0x73/0x160 <--- EIP hits 0
usleep_range 0x40/0x40
run_timer_softirq 0x1d5/0x220
..
call_timer_fn:
..
0xc1060348 <+104>: lea %ds:0x0(%esi,%eiz,1),%esi
0xc106034d <+109>: mov -0x2c(%ebp),%eax
0xc1060350 <+112>: call *-0x28(%ebp)
0xc1060353 <+115>: lea %ds:0x0(%esi,%eiz,1),%esi
--
Janne
> call_timer_fn 0x73/0x160 <--- EIP hits 0
Use after free.. with CONFIG_DEBUG_PAGEALLOC &&
CONFIG_DEBUG_OBJECTS_TIMERS we get :
call_timer_fn 0x73/0x160
destroy_timer_on_stack 0x20/0x20
ftrace_raw_event_hrtimer_expire_entry 0x3b/0xc0
run_timer_softirq 0x1f2/0x230
--
Janne
On Tue, Oct 15, 2013 at 10:41 AM, Janne Karhunen
<[email protected]> wrote:
>> call_timer_fn 0x73/0x160 <--- EIP hits 0
>
> Use after free.. with CONFIG_DEBUG_PAGEALLOC &&
> CONFIG_DEBUG_OBJECTS_TIMERS we get :
>
> call_timer_fn 0x73/0x160
> destroy_timer_on_stack 0x20/0x20
> ftrace_raw_event_hrtimer_expire_entry 0x3b/0xc0
> run_timer_softirq 0x1f2/0x230
Sadly no time to hunt the free at the moment, so working around temporarily by
diff --git a/kernel/timer.c b/kernel/timer.c
index 4296d13..fc7ef44 100644
--- a/kernel/timer.c
+++ b/kernel/timer.c
@@ -1094,6 +1094,9 @@ static void call_timer_fn(struct timer_list
*timer, void (*fn)(unsigned long),
{
int preempt_count = preempt_count();
+ if (fn == NULL)
+ return;
+
Hoping someone wiser catches the real fix at some point.
--
Janne