Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752796AbaBOX2a (ORCPT <rfc822;w@1wt.eu>);
	Sat, 15 Feb 2014 18:28:30 -0500
Received: from aserp1040.oracle.com ([141.146.126.69]:36301 "EHLO
	aserp1040.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751992AbaBOX22 (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Sat, 15 Feb 2014 18:28:28 -0500
Message-ID: <52FFF7F8.2070801@oracle.com>
Date: Sat, 15 Feb 2014 18:27:52 -0500
From: Sasha Levin <sasha.levin@oracle.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
To: Ingo Molnar <mingo@kernel.org>, Peter Zijlstra <peterz@infradead.org>
CC: Dave Jones <davej@redhat.com>, LKML <linux-kernel@vger.kernel.org>
Subject: sched: fair: NULL ptr deref in check_preempt_wakeup
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Source-IP: ucsinet21.oracle.com [156.151.31.93]
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi folks,

While fuzzing with trinity inside a KVM tools guest running latest -next kernel, I've
stumbled on the following:

[  522.645288] BUG: unable to handle kernel NULL pointer dereference at 0000000000000150
[  522.646271] IP: [<ffffffff81186c6f>] check_preempt_wakeup+0x11f/0x210
[  522.646976] PGD b0a79067 PUD ae9cf067 PMD 0
[  522.647494] Oops: 0000 [#1] PREEMPT SMP
[  522.648000] Dumping ftrace buffer:
[  522.648380]    (ftrace buffer empty)
[  522.648775] Modules linked in:
[  522.649125] CPU: 0 PID: 11735 Comm: trinity-c50 Not tainted 
3.14.0-rc2-next-20140214-sasha-00008-g95d9d16-dirty #85
[  522.650021] task: ffff8800c00bb000 ti: ffff88007fdb8000 task.ti: ffff88007fdb8000
[  522.650021] RIP: 0010:[<ffffffff81186c6f>]  [<ffffffff81186c6f>] check_preempt_wakeup+0x11f/0x210
[  522.650021] RSP: 0018:ffff880226e03ba8  EFLAGS: 00010046
[  522.650021] RAX: 0000000000000000 RBX: ffff880226fd79c0 RCX: 0000000000000008
[  522.650021] RDX: 0000000000000000 RSI: ffff880211313000 RDI: 000000000000000c
[  522.650021] RBP: ffff880226e03be8 R08: 0000000000000000 R09: 000000000000b4bb
[  522.650021] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[  522.650021] R13: ffff880211313068 R14: ffff8800c00bb000 R15: 0000000000000000
[  522.650021] FS:  00007f435269f700(0000) GS:ffff880226e00000(0000) knlGS:0000000000000000
[  522.650021] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[  522.650021] CR2: 0000000000000150 CR3: 00000000abd2c000 CR4: 00000000000006f0
[  522.650021] DR0: 0000000000995750 DR1: 0000000000000000 DR2: 0000000000000000
[  522.650021] DR3: 0000000000000000 DR6: 00000000ffff4ff0 DR7: 0000000000000600
[  522.650021] Stack:
[  522.650021]  ffff880211313000 01ff880226fd79c0 ffff880211313000 ffff880226fd79c0
[  522.650021]  ffff880226fd79c0 ffff880211313000 0000000000000000 ffff880226e00000
[  522.650021]  ffff880226e03c08 ffffffff8117361d ffff880226fd79c0 ffff880226fd79c0
[  522.650021] Call Trace:
[  522.650021]  <IRQ>
[  522.650021]  [<ffffffff8117361d>] check_preempt_curr+0x3d/0xb0
[  522.650021]  [<ffffffff81175d88>] ttwu_do_wakeup+0x18/0x130
[  522.650021]  [<ffffffff81175ee4>] T.2248+0x44/0x50
[  522.650021]  [<ffffffff81175f9e>] ttwu_queue+0xae/0xd0
[  522.650021]  [<ffffffff81180224>] ? try_to_wake_up+0x34/0x2a0
[  522.650021]  [<ffffffff81180454>] try_to_wake_up+0x264/0x2a0
[  522.650021]  [<ffffffff811a1672>] ? __lock_acquired+0x2a2/0x2e0
[  522.650021]  [<ffffffff8118049d>] default_wake_function+0xd/0x10
[  522.650021]  [<ffffffff811952f8>] autoremove_wake_function+0x18/0x40
[  522.650021]  [<ffffffff811951b2>] __wake_up_common+0x52/0x90
[  522.650021]  [<ffffffff8119550d>] ? __wake_up+0x2d/0x70
[  522.650021]  [<ffffffff81195523>] __wake_up+0x43/0x70
[  522.650021]  [<ffffffff843119a3>] p9_client_cb+0x43/0x70
[  522.650021]  [<ffffffff84319d05>] req_done+0x105/0x110
[  522.650021]  [<ffffffff81cafca6>] vring_interrupt+0x86/0xa0
[  522.650021]  [<ffffffff811b9a28>] ? handle_irq_event+0x38/0x70
[  522.650021]  [<ffffffff811b9779>] handle_irq_event_percpu+0x129/0x3a0
[  522.650021]  [<ffffffff811b9a33>] handle_irq_event+0x43/0x70
[  522.650021]  [<ffffffff811bd1e8>] handle_edge_irq+0xe8/0x120
[  522.650021]  [<ffffffff81070a34>] handle_irq+0x164/0x180
[  522.650021]  [<ffffffff811833c9>] ? vtime_account_system+0x79/0x90
[  522.650021]  [<ffffffff81183435>] ? vtime_common_account_irq_enter+0x55/0x60
[  522.650021]  [<ffffffff8106f629>] do_IRQ+0x59/0x100
[  522.650021]  [<ffffffff84395e72>] common_interrupt+0x72/0x72
[  522.650021]  <EOI>
[  522.650021]  [<ffffffff812510d5>] ? context_tracking_user_exit+0x1a5/0x1c0
[  522.650021]  [<ffffffff8107cfdd>] syscall_trace_enter+0x2d/0x280
[  522.650021]  [<ffffffff8439f081>] tracesys+0x7e/0xe2
[  522.650021] Code: 0f 1f 40 00 ff c8 4d 8b ad 48 01 00 00 39 d0 7f f3 eb 18 66 0f 1f 84 00 00 00 
00 00 4d 8b a4 24 48 01 00 00 4d 8b ad 48 01 00 00 <49> 8b bc 24 50 01 00 00 49 3b bd 50 01 00 00 75 
e0 48 85 ff 74
[  522.650021] RIP  [<ffffffff81186c6f>] check_preempt_wakeup+0x11f/0x210
[  522.650021]  RSP <ffff880226e03ba8>
[  522.650021] CR2: 0000000000000150
[  522.650021] ---[ end trace adce75aec8b1b32f ]---

Since it's pretty inlined, the code points to:

	check_preempt_wakeup()
		find_matching_se()
			find_matching_se()
				check_preempt_wakeup()


	static inline struct cfs_rq *
	is_same_group(struct sched_entity *se, struct sched_entity *pse)
	{
	        if (se->cfs_rq == pse->cfs_rq)	<=== HERE
	                return se->cfs_rq;
	
	        return NULL;
	}


Thanks,
Sasha
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/