Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751087AbbEYSBF (ORCPT ); Mon, 25 May 2015 14:01:05 -0400 Received: from mail-ig0-f173.google.com ([209.85.213.173]:38385 "EHLO mail-ig0-f173.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750802AbbEYSBB (ORCPT ); Mon, 25 May 2015 14:01:01 -0400 From: Mohammed Naser To: linux-kernel@vger.kernel.org Cc: peterz@infradead.org, mingo@redhat.com, Mohammed Naser Subject: [PATCH] sched/fair: Fix null pointer dereference of empty queues Date: Mon, 25 May 2015 14:00:51 -0400 Message-Id: <1432576851-24831-1-git-send-email-mnaser@vexxhost.com> X-Mailer: git-send-email 2.3.2 (Apple Git-55) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1276 Lines: 47 Calling put_prev_task() can result in nr_running being updated to zero, which would then crash the system when the kernel attempts to pick_next_entity() with an empty queue. Signed-off-by: Mohammed Naser --- kernel/sched/fair.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c index 0d4632f..dd0a74a 100644 --- a/kernel/sched/fair.c +++ b/kernel/sched/fair.c @@ -5374,12 +5374,11 @@ again: simple: cfs_rq = &rq->cfs; #endif + put_prev_task(rq, prev); if (!cfs_rq->nr_running) goto idle; - put_prev_task(rq, prev); - do { se = pick_next_entity(cfs_rq, NULL); set_next_entity(cfs_rq, se); 
@@ -5415,7 +5414,10 @@ idle: static void put_prev_task_fair(struct rq *rq, struct task_struct *prev) { struct sched_entity *se = &prev->se; - struct cfs_rq *cfs_rq; + struct cfs_rq *cfs_rq = &rq->cfs; + + if (!cfs_rq->nr_running) + return; for_each_sched_entity(se) { cfs_rq = cfs_rq_of(se); -- 2.3.2 (Apple Git-55) -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
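Review bot: in the first hunk (pick_next_task_fair, the `simple:` path), moving `put_prev_task(rq, prev);` above the `if (!cfs_rq->nr_running) goto idle;` check means prev is now put before the function can jump to `idle` and return without picking a task, whereas before it was only put once a task was going to be picked. The commit message explains the crash in pick_next_entity() on an empty queue but does not say why putting prev early is safe on the idle path or which caller is responsible for prev when this function then returns NULL; please add that reasoning, and state that this hunk only works together with the early return added to put_prev_task_fair() in the second hunk, since on its own the reorder does not stop put_prev_task() from touching an empty queue.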
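Review bot: in the second hunk (put_prev_task_fair), the early return `if (!cfs_rq->nr_running) return;` skips the whole for_each_sched_entity loop, so when the root queue is empty prev is never put at all even though it was the task that had just been running and the loop is where its per-entity state gets updated. The check also only reads `&rq->cfs`, while the loop walks `cfs_rq_of(se)`, which need not be the same (or an empty) cfs_rq; the new initialiser `struct cfs_rq *cfs_rq = &rq->cfs;` exists only to feed that check and is overwritten on the first iteration. If the intent is to avoid dereferencing an empty queue, suggest doing the check per entity on `cfs_rq_of(se)` inside the loop, and documenting in the changelog how prev can still be current on a cfs_rq whose nr_running is already zero.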