Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751840AbdHAIiT (ORCPT <rfc822;w@1wt.eu>);
        Tue, 1 Aug 2017 04:38:19 -0400
Received: from bombadil.infradead.org ([65.50.211.133]:54275 "EHLO
        bombadil.infradead.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751571AbdHAIiQ (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 1 Aug 2017 04:38:16 -0400
Date: Tue, 1 Aug 2017 10:38:12 +0200
From: Peter Zijlstra <peterz@infradead.org>
To: Yafang Shao <laoar.shao@gmail.com>
Cc: mingo@redhat.com, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] sched: fix NULL pointer issue in pick_next_entity()
Message-ID: <20170801083812.GH6524@worktop.programming.kicks-ass.net>
References: <1501581716-8608-1-git-send-email-laoar.shao@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1501581716-8608-1-git-send-email-laoar.shao@gmail.com>
User-Agent: Mutt/1.5.22.1 (2013-10-16)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1493
Lines: 43

On Tue, Aug 01, 2017 at 06:01:56PM +0800, Yafang Shao wrote:
> When we select CFQ as the scheduler, in function pick_next_task_fair

CFS, CFQ is a block IO scheduler.

> it will pass NULL as the 2nd argument to pick_next_entity:
>     pick_next_entity(cfs_rq, NULL);
> 
> And once __pick_first_entity() is called, it could return NULL as well.
> 
> So in function pick_next_entity(), the local variable 'left' and 'curr'
> could both be NULL, then this will cause NULL pointer issue.
> 
> In order to fix this issue, we just need return NULL under the condition
> that both 'left' and 'curr' are NULL, meaning that no entity available.

And how would that happen? We only call pick_next_entity(.curr=NULL)
when we _know_ cfs_rq->nr_running.

> Signed-off-by: Yafang Shao <laoar.shao@gmail.com>
> ---
>  kernel/sched/fair.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
> index c95880e..e64c359 100644
> --- a/kernel/sched/fair.c
> +++ b/kernel/sched/fair.c
> @@ -3903,6 +3903,8 @@ static void clear_buddies(struct cfs_rq *cfs_rq, struct sched_entity *se)

You diff is broken, this is very much not the clear_buddies() function.

>  	struct sched_entity *left = __pick_first_entity(cfs_rq);
>  	struct sched_entity *se;
>  
> +	if (!left && !curr)
> +		return NULL;
>  	/*
>  	 * If curr is set we have to see if its left of the leftmost entity
>  	 * still in the tree, provided there was anything in the tree at all.
> -- 
> 1.8.3.1
>