Message-ID: <52FFF7F8.2070801@oracle.com>
Date: Sat, 15 Feb 2014 18:27:52 -0500
From: Sasha Levin
To: Ingo Molnar, Peter Zijlstra
CC: Dave Jones, LKML
Subject: sched: fair: NULL ptr deref in check_preempt_wakeup

Hi folks,

While fuzzing with trinity inside a KVM tools guest running latest -next kernel, I've stumbled on the following:

[ 522.645288] BUG: unable to handle kernel NULL pointer dereference at 0000000000000150
[ 522.646271] IP: [] check_preempt_wakeup+0x11f/0x210
[ 522.646976] PGD b0a79067 PUD ae9cf067 PMD 0
[ 522.647494] Oops: 0000 [#1] PREEMPT SMP
[ 522.648000] Dumping ftrace buffer:
[ 522.648380] (ftrace buffer empty)
[ 522.648775] Modules linked in:
[ 522.649125] CPU: 0 PID: 11735 Comm: trinity-c50 Not tainted 3.14.0-rc2-next-20140214-sasha-00008-g95d9d16-dirty #85
[ 522.650021] task: ffff8800c00bb000 ti: ffff88007fdb8000 task.ti: ffff88007fdb8000
[ 522.650021] RIP: 0010:[] [] check_preempt_wakeup+0x11f/0x210
[ 522.650021] RSP: 0018:ffff880226e03ba8 EFLAGS: 00010046
[ 522.650021] RAX: 0000000000000000 RBX: ffff880226fd79c0 RCX: 0000000000000008
[ 522.650021] RDX: 0000000000000000 RSI: ffff880211313000 RDI: 000000000000000c
[ 522.650021] RBP: ffff880226e03be8 R08: 0000000000000000 R09: 000000000000b4bb
[ 522.650021] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 522.650021] R13: ffff880211313068 R14: ffff8800c00bb000 R15: 0000000000000000
[ 522.650021] FS: 00007f435269f700(0000) GS:ffff880226e00000(0000) knlGS:0000000000000000
[ 522.650021] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 522.650021] CR2: 0000000000000150 CR3: 00000000abd2c000 CR4: 00000000000006f0
[ 522.650021] DR0: 0000000000995750 DR1: 0000000000000000 DR2: 0000000000000000
[ 522.650021] DR3: 0000000000000000 DR6: 00000000ffff4ff0 DR7: 0000000000000600
[ 522.650021] Stack:
[ 522.650021] ffff880211313000 01ff880226fd79c0 ffff880211313000 ffff880226fd79c0
[ 522.650021] ffff880226fd79c0 ffff880211313000 0000000000000000 ffff880226e00000
[ 522.650021] ffff880226e03c08 ffffffff8117361d ffff880226fd79c0 ffff880226fd79c0
[ 522.650021] Call Trace:
[ 522.650021]
[ 522.650021] [] check_preempt_curr+0x3d/0xb0
[ 522.650021] [] ttwu_do_wakeup+0x18/0x130
[ 522.650021] [] T.2248+0x44/0x50
[ 522.650021] [] ttwu_queue+0xae/0xd0
[ 522.650021] [] ? try_to_wake_up+0x34/0x2a0
[ 522.650021] [] try_to_wake_up+0x264/0x2a0
[ 522.650021] [] ? __lock_acquired+0x2a2/0x2e0
[ 522.650021] [] default_wake_function+0xd/0x10
[ 522.650021] [] autoremove_wake_function+0x18/0x40
[ 522.650021] [] __wake_up_common+0x52/0x90
[ 522.650021] [] ? __wake_up+0x2d/0x70
[ 522.650021] [] __wake_up+0x43/0x70
[ 522.650021] [] p9_client_cb+0x43/0x70
[ 522.650021] [] req_done+0x105/0x110
[ 522.650021] [] vring_interrupt+0x86/0xa0
[ 522.650021] [] ? handle_irq_event+0x38/0x70
[ 522.650021] [] handle_irq_event_percpu+0x129/0x3a0
[ 522.650021] [] handle_irq_event+0x43/0x70
[ 522.650021] [] handle_edge_irq+0xe8/0x120
[ 522.650021] [] handle_irq+0x164/0x180
[ 522.650021] [] ? vtime_account_system+0x79/0x90
[ 522.650021] [] ? vtime_common_account_irq_enter+0x55/0x60
[ 522.650021] [] do_IRQ+0x59/0x100
[ 522.650021] [] common_interrupt+0x72/0x72
[ 522.650021]
[ 522.650021] [] ? context_tracking_user_exit+0x1a5/0x1c0
[ 522.650021] [] syscall_trace_enter+0x2d/0x280
[ 522.650021] [] tracesys+0x7e/0xe2
[ 522.650021] Code: 0f 1f 40 00 ff c8 4d 8b ad 48 01 00 00 39 d0 7f f3 eb 18 66 0f 1f 84 00 00 00 00 00 4d 8b a4 24 48 01 00 00 4d 8b ad 48 01 00 00 <49> 8b bc 24 50 01 00 00 49 3b bd 50 01 00 00 75 e0 48 85 ff 74
[ 522.650021] RIP [] check_preempt_wakeup+0x11f/0x210
[ 522.650021] RSP
[ 522.650021] CR2: 0000000000000150
[ 522.650021] ---[ end trace adce75aec8b1b32f ]---

Since it's pretty inlined, the code points to:

check_preempt_wakeup()
find_matching_se()
find_matching_se()
check_preempt_wakeup()

static inline struct cfs_rq *
is_same_group(struct sched_entity *se, struct sched_entity *pse)
{
	if (se->cfs_rq == pse->cfs_rq)		<=== HERE
		return se->cfs_rq;

	return NULL;
}

Thanks,
Sasha
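An added triage example, not part of Sasha's report or of the kernel tree: it parses the register dump, CR2 and "Code:" bytes from the oops above, decodes the faulting mov and checks whether CR2 equals the instruction's displacement while the base register is zero, which tells you that the sched_entity pointer itself is NULL rather than the cfs_rq it points to. The oops excerpt is constructed from the lines in the report, and the decoder only handles the plain `mov r64, [base+disp]` form seen here.

```python
import re

REGS = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
        "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]

# Constructed excerpt of the oops in the report above (R12 rejoined onto its line).
OOPS = """\
[  522.650021] RIP: 0010:[] [] check_preempt_wakeup+0x11f/0x210
[  522.650021] RAX: 0000000000000000 RBX: ffff880226fd79c0 RCX: 0000000000000008
[  522.650021] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[  522.650021] CR2: 0000000000000150 CR3: 00000000abd2c000 CR4: 00000000000006f0
[  522.650021] Code: 4d 8b ad 48 01 00 00 <49> 8b bc 24 50 01 00 00 49 3b bd 50 01 00 00
"""

def decode_mov_load(code):
    # mov r64, [base + disp8/disp32] (REX 8B /r); a SIB byte is accepted only without an index
    rex, i = (code[0], 1) if 0x40 <= code[0] <= 0x4f else (0, 0)
    if len(code) < i + 2 or code[i] != 0x8b or code[i + 1] >> 6 not in (1, 2):
        return None
    mod, reg, rm = code[i + 1] >> 6, (code[i + 1] >> 3) & 7, code[i + 1] & 7
    i += 2
    if rm == 4:                                   # SIB byte follows
        if (code[i] >> 3) & 7 != 4 or rex & 2:    # scaled index present: not a field load
            return None
        rm, i = code[i] & 7, i + 1
    disp = int.from_bytes(code[i:i + (1 if mod == 1 else 4)], "little", signed=True)
    return REGS[reg | (rex & 4) << 1], REGS[rm | (rex & 1) << 3], disp

def parse_oops(text):
    regs = {}
    for n, v in re.findall(r"\b(R(?:AX|BX|CX|DX|SI|DI|BP|0[89]|1[0-5])):\s*([0-9a-f]{16})", text):
        regs["r%d" % int(n[1:]) if n[1].isdigit() else n.lower()] = int(v, 16)
    cr2 = int(re.search(r"CR2:\s*([0-9a-f]{16})", text).group(1), 16)
    sym = re.search(r"RIP:[^\n]*?(\w+)\+0x[0-9a-f]+/0x[0-9a-f]+", text).group(1)
    toks = re.search(r"Code:\s*([0-9a-f <>]+)", text).group(1).split()
    start = next(i for i, t in enumerate(toks) if t.startswith("<"))   # <..> marks RIP
    return regs, cr2, sym, bytes(int(t.strip("<>"), 16) for t in toks[start:])

def triage(text=OOPS):
    # CR2 equal to the displacement with a zero base register => the struct pointer is NULL
    regs, cr2, sym, code = parse_oops(text)
    mov = decode_mov_load(code)
    if mov is None:
        return {"symbol": sym, "cr2": cr2, "verdict": "faulting insn is not a simple load"}
    dst, base, disp = mov
    null_base = regs.get(base) == 0 and cr2 == disp
    return {"symbol": sym, "insn": "mov %s, [%s+0x%x]" % (dst, base, disp), "base": base,
            "cr2": cr2, "verdict": "%s is NULL; 0x%x is a field offset" % (base, disp)
            if null_base else "not a NULL-base field load"}
```

`triage()` returns the verdict for the embedded excerpt; pass the full oops text to run it against the whole report.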