From: Peter Zijlstra <peterz@infradead.org>
To: Yong Zhang <yong.zhang0@gmail.com>
Cc: Miklos Vajna <vmiklos@frugalware.org>,
Mike Galbraith <efault@gmx.de>,
shenghui <crosslonelyover@gmail.com>,
kernel-janitors@vger.kernel.org, linux-kernel@vger.kernel.org,
mingo@elte.hu, Greg KH <greg@kroah.com>,
Paul Turner <pjt@google.com>
Subject: Re: [PATCH] avoid race condition in pick_next_task_fair in
Date: Thu, 23 Dec 2010 12:12:10 +0000 [thread overview]
Message-ID: <1293106330.2170.618.camel@laptop> (raw)
In-Reply-To: <AANLkTi=1GMKF4emms0Qpx31=xk-FZXOTaeONmCohzWb2@mail.gmail.com>
On Thu, 2010-12-23 at 10:08 +0800, Yong Zhang wrote:
> > systemd--1251 0d..5. 2015398us : enqueue_task_fair <-enqueue_task
> > systemd--1251 0d..5. 2015398us : print_runqueue <-enqueue_task_fair
> > systemd--1251 0d..5. 2015399us : __print_runqueue: cfs_rq: c2407c34, nr: 3, load: 3072
> > systemd--1251 0d..5. 2015400us : __print_runqueue: curr: f6a8de5c, comm: systemd-cgroups/1251, load: 1024
> > systemd--1251 0d..5. 2015401us : __print_runqueue: se: f69e6300, load: 1024,
> > systemd--1251 0d..5. 2015401us : __print_runqueue: cfs_rq: f69e6540, nr: 2, load: 2048
> > systemd--1251 0d..5. 2015402us : __print_runqueue: curr: (null)
> > systemd--1251 0d..5. 2015402us : __print_runqueue: se: f69e65a0, load: 4137574976,
>
> the load = f69e65a0 = address of se, odd
This appears to be consistently true, I've also found that in between
these two prints, there is a free_sched_group() freeing that exact
entry. So post-print is a use-after-free artifact.
What's interesting is that its freeing a cfs_rq struct with
nr_running=1, that should not be possible...
/me goes stare at the whole cgroup task attach vs cgroup destruction
muck.
WARNING: multiple messages have this Message-ID (diff)
From: Peter Zijlstra <peterz@infradead.org>
To: Yong Zhang <yong.zhang0@gmail.com>
Cc: Miklos Vajna <vmiklos@frugalware.org>,
Mike Galbraith <efault@gmx.de>,
shenghui <crosslonelyover@gmail.com>,
kernel-janitors@vger.kernel.org, linux-kernel@vger.kernel.org,
mingo@elte.hu, Greg KH <greg@kroah.com>,
Paul Turner <pjt@google.com>
Subject: Re: [PATCH] avoid race condition in pick_next_task_fair in kernel/sched_fair.c
Date: Thu, 23 Dec 2010 13:12:10 +0100 [thread overview]
Message-ID: <1293106330.2170.618.camel@laptop> (raw)
In-Reply-To: <AANLkTi=1GMKF4emms0Qpx31=xk-FZXOTaeONmCohzWb2@mail.gmail.com>
On Thu, 2010-12-23 at 10:08 +0800, Yong Zhang wrote:
> > systemd--1251 0d..5. 2015398us : enqueue_task_fair <-enqueue_task
> > systemd--1251 0d..5. 2015398us : print_runqueue <-enqueue_task_fair
> > systemd--1251 0d..5. 2015399us : __print_runqueue: cfs_rq: c2407c34, nr: 3, load: 3072
> > systemd--1251 0d..5. 2015400us : __print_runqueue: curr: f6a8de5c, comm: systemd-cgroups/1251, load: 1024
> > systemd--1251 0d..5. 2015401us : __print_runqueue: se: f69e6300, load: 1024,
> > systemd--1251 0d..5. 2015401us : __print_runqueue: cfs_rq: f69e6540, nr: 2, load: 2048
> > systemd--1251 0d..5. 2015402us : __print_runqueue: curr: (null)
> > systemd--1251 0d..5. 2015402us : __print_runqueue: se: f69e65a0, load: 4137574976,
>
> the load == f69e65a0 == address of se, odd
This appears to be consistently true, I've also found that in between
these two prints, there is a free_sched_group() freeing that exact
entry. So post-print is a use-after-free artifact.
What's interesting is that its freeing a cfs_rq struct with
nr_running=1, that should not be possible...
/me goes stare at the whole cgroup task attach vs cgroup destruction
muck.
next prev parent reply other threads:[~2010-12-23 12:12 UTC|newest]
Thread overview: 82+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-06-29 7:10 [PATCH] avoid race condition in pick_next_task_fair in shenghui
2010-06-29 7:10 ` [PATCH] avoid race condition in pick_next_task_fair in kernel/sched_fair.c shenghui
2010-06-29 10:43 ` [PATCH] avoid race condition in pick_next_task_fair in Peter Zijlstra
2010-06-29 10:43 ` [PATCH] avoid race condition in pick_next_task_fair in kernel/sched_fair.c Peter Zijlstra
2010-06-29 11:24 ` [PATCH] avoid race condition in pick_next_task_fair in shenghui
2010-06-29 11:24 ` [PATCH] avoid race condition in pick_next_task_fair in kernel/sched_fair.c shenghui
2010-06-29 11:35 ` [PATCH] avoid race condition in pick_next_task_fair in Peter Zijlstra
2010-06-29 11:35 ` [PATCH] avoid race condition in pick_next_task_fair in kernel/sched_fair.c Peter Zijlstra
2010-06-29 12:44 ` [PATCH] avoid race condition in pick_next_task_fair in shenghui
2010-06-29 12:44 ` [PATCH] avoid race condition in pick_next_task_fair in kernel/sched_fair.c shenghui
2010-12-19 2:03 ` [PATCH] avoid race condition in pick_next_task_fair in Miklos Vajna
2010-12-19 2:03 ` [PATCH] avoid race condition in pick_next_task_fair in kernel/sched_fair.c Miklos Vajna
2010-12-22 0:22 ` [PATCH] avoid race condition in pick_next_task_fair in Miklos Vajna
2010-12-22 0:22 ` [PATCH] avoid race condition in pick_next_task_fair in kernel/sched_fair.c Miklos Vajna
2010-12-22 8:29 ` [PATCH] avoid race condition in pick_next_task_fair in Peter Zijlstra
2010-12-22 8:29 ` [PATCH] avoid race condition in pick_next_task_fair in kernel/sched_fair.c Peter Zijlstra
2010-12-22 8:41 ` [PATCH] avoid race condition in pick_next_task_fair in Peter Zijlstra
2010-12-22 8:41 ` [PATCH] avoid race condition in pick_next_task_fair in kernel/sched_fair.c Peter Zijlstra
2010-12-22 8:41 ` [PATCH] avoid race condition in pick_next_task_fair in Mike Galbraith
2010-12-22 8:41 ` [PATCH] avoid race condition in pick_next_task_fair in kernel/sched_fair.c Mike Galbraith
2010-12-22 9:07 ` [PATCH] avoid race condition in pick_next_task_fair in Peter Zijlstra
2010-12-22 9:07 ` [PATCH] avoid race condition in pick_next_task_fair in kernel/sched_fair.c Peter Zijlstra
2010-12-22 13:31 ` [PATCH] avoid race condition in pick_next_task_fair in Miklos Vajna
2010-12-22 13:31 ` [PATCH] avoid race condition in pick_next_task_fair in kernel/sched_fair.c Miklos Vajna
2010-12-22 14:00 ` [PATCH] avoid race condition in pick_next_task_fair in Peter Zijlstra
2010-12-22 14:00 ` [PATCH] avoid race condition in pick_next_task_fair in kernel/sched_fair.c Peter Zijlstra
2010-12-22 14:11 ` [PATCH] avoid race condition in pick_next_task_fair in Peter Zijlstra
2010-12-22 14:11 ` [PATCH] avoid race condition in pick_next_task_fair in kernel/sched_fair.c Peter Zijlstra
2010-12-22 15:14 ` [PATCH] avoid race condition in pick_next_task_fair in Miklos Vajna
2010-12-22 15:14 ` [PATCH] avoid race condition in pick_next_task_fair in kernel/sched_fair.c Miklos Vajna
2010-12-22 15:25 ` [PATCH] avoid race condition in pick_next_task_fair in Peter Zijlstra
2010-12-22 15:25 ` [PATCH] avoid race condition in pick_next_task_fair in kernel/sched_fair.c Peter Zijlstra
2010-12-22 17:08 ` [PATCH] avoid race condition in pick_next_task_fair in Peter Zijlstra
2010-12-22 17:08 ` [PATCH] avoid race condition in pick_next_task_fair in kernel/sched_fair.c Peter Zijlstra
2010-12-22 17:16 ` [PATCH] avoid race condition in pick_next_task_fair in Ingo Molnar
2010-12-22 17:16 ` [PATCH] avoid race condition in pick_next_task_fair in kernel/sched_fair.c Ingo Molnar
2010-12-22 17:25 ` [PATCH] avoid race condition in pick_next_task_fair in Peter Zijlstra
2010-12-22 17:25 ` [PATCH] avoid race condition in pick_next_task_fair in kernel/sched_fair.c Peter Zijlstra
2010-12-22 20:36 ` [PATCH] avoid race condition in pick_next_task_fair in Peter Zijlstra
2010-12-22 20:36 ` [PATCH] avoid race condition in pick_next_task_fair in kernel/sched_fair.c Peter Zijlstra
2010-12-23 2:08 ` Yong Zhang
2010-12-23 2:08 ` Yong Zhang
2010-12-23 12:12 ` Peter Zijlstra [this message]
2010-12-23 12:12 ` Peter Zijlstra
2010-12-23 12:33 ` [PATCH] avoid race condition in pick_next_task_fair in Peter Zijlstra
2010-12-23 12:33 ` [PATCH] avoid race condition in pick_next_task_fair in kernel/sched_fair.c Peter Zijlstra
2010-12-23 18:24 ` [PATCH] avoid race condition in pick_next_task_fair in Peter Zijlstra
2010-12-23 18:24 ` [PATCH] avoid race condition in pick_next_task_fair in kernel/sched_fair.c Peter Zijlstra
[not found] ` <1293132304.6798.6.camel@marge.simson.net>
[not found] ` <1293132862.25981.22.camel@laptop>
[not found] ` <1293187425.7138.2.camel@marge.simson.net>
[not found] ` <1293188091.25981.200.camel@laptop>
[not found] ` <1293192999.18035.4.camel@marge.simson.net>
2010-12-24 15:59 ` [PATCH] sched, cgroup: Use exit hook to avoid use-after-free crash Peter Zijlstra
2010-12-24 15:59 ` Peter Zijlstra
2010-12-24 16:40 ` [PATCH] sched, cgroup: Use exit hook to avoid use-after-free Miklos Vajna
2010-12-24 16:40 ` [PATCH] sched, cgroup: Use exit hook to avoid use-after-free crash Miklos Vajna
2010-12-24 16:48 ` [PATCH] sched, cgroup: Use exit hook to avoid use-after-free Mike Galbraith
2010-12-24 16:48 ` [PATCH] sched, cgroup: Use exit hook to avoid use-after-free crash Mike Galbraith
2010-12-24 17:07 ` [PATCH] sched, cgroup: Use exit hook to avoid use-after-free Peter Zijlstra
2010-12-24 17:07 ` [PATCH] sched, cgroup: Use exit hook to avoid use-after-free crash Peter Zijlstra
2010-12-24 17:24 ` [PATCH] sched, cgroup: Use exit hook to avoid use-after-free Mike Galbraith
2010-12-24 17:24 ` [PATCH] sched, cgroup: Use exit hook to avoid use-after-free crash Mike Galbraith
2010-12-25 17:55 ` Balbir Singh
2010-12-25 18:07 ` [PATCH] sched, cgroup: Use exit hook to avoid use-after-free Balbir Singh
2010-12-25 20:59 ` [PATCH] sched, cgroup: Use exit hook to avoid use-after-free crash Paul Menage
2011-01-03 7:06 ` [PATCH] sched, cgroup: Use exit hook to avoid use-after-free Peter Zijlstra
2011-01-03 7:06 ` [PATCH] sched, cgroup: Use exit hook to avoid use-after-free crash Peter Zijlstra
2010-12-29 15:25 ` [PATCH] sched, cgroup: Use exit hook to avoid use-after-free Ingo Molnar
2010-12-29 15:25 ` [PATCH] sched, cgroup: Use exit hook to avoid use-after-free crash Ingo Molnar
2010-12-29 23:07 ` Miklos Vajna
2010-12-31 10:04 ` [PATCH] sched, cgroup: Use exit hook to avoid use-after-free Mike Galbraith
2010-12-31 10:04 ` [PATCH] sched, cgroup: Use exit hook to avoid use-after-free crash Mike Galbraith
2010-12-31 10:46 ` [PATCH] sched, cgroup: Use exit hook to avoid use-after-free Miklos Vajna
2010-12-31 10:46 ` [PATCH] sched, cgroup: Use exit hook to avoid use-after-free crash Miklos Vajna
2010-12-31 8:32 ` [PATCH] Re: [PATCH] sched, cgroup: Use exit hook to avoid Mike Galbraith
2010-12-31 8:32 ` [PATCH] Re: [PATCH] sched, cgroup: Use exit hook to avoid use-after-free crash Mike Galbraith
2011-01-03 8:21 ` [PATCH] Re: [PATCH] sched, cgroup: Use exit hook to avoid Peter Zijlstra
2011-01-03 8:21 ` [PATCH] Re: [PATCH] sched, cgroup: Use exit hook to avoid use-after-free crash Peter Zijlstra
2011-01-04 14:19 ` [tip:sched/core] sched, autogroup: Fix reference leak tip-bot for Mike Galbraith
2011-01-04 14:57 ` Oleg Nesterov
2011-01-04 19:06 ` Mike Galbraith
2011-01-19 19:04 ` [tip:sched/urgent] sched, cgroup: Use exit hook to avoid use-after-free crash tip-bot for Peter Zijlstra
2010-12-22 21:11 ` [PATCH] avoid race condition in pick_next_task_fair in Miklos Vajna
2010-12-22 21:11 ` [PATCH] avoid race condition in pick_next_task_fair in kernel/sched_fair.c Miklos Vajna
2010-12-22 23:39 ` [PATCH] avoid race condition in pick_next_task_fair in Miklos Vajna
2010-12-22 23:39 ` [PATCH] avoid race condition in pick_next_task_fair in kernel/sched_fair.c Miklos Vajna
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1293106330.2170.618.camel@laptop \
--to=peterz@infradead.org \
--cc=crosslonelyover@gmail.com \
--cc=efault@gmx.de \
--cc=greg@kroah.com \
--cc=kernel-janitors@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@elte.hu \
--cc=pjt@google.com \
--cc=vmiklos@frugalware.org \
--cc=yong.zhang0@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.