From: Oleg Nesterov <oleg@redhat.com>
To: Thomas Gleixner <tglx@linutronix.de>
Cc: Eric Sesterhenn <snakebyte@gmx.de>, LKML <linux-kernel@vger.kernel.org>
Subject: Re: [BUG] Null pointer deref with hrtimer_try_to_cancel()
Date: Sat, 20 Dec 2008 17:14:57 +0100
Message-ID: <20081220161457.GA26499@redhat.com>
In-Reply-To: <alpine.LFD.2.00.0812192243350.3376@localhost.localdomain>
On 12/19, Thomas Gleixner wrote:
>
> On Fri, 19 Dec 2008, Eric Sesterhenn wrote:
>
> > I was running the strace-test from ltp 20081130 with 2.6.28-rc9, when I got the following bug
> > (I can reproduce the bug by simply running the testcase timer_create04)
Thanks a lot Eric (and thanks for the .s files you sent me privately).
At first glance this all is very strange.
> > [ 2460.444044] [<c0141070>] ? hrtimer_try_to_cancel+0x20/0x90
> > [ 2460.444044] [<c013cf94>] ? exit_itimers+0x94/0xf0
> > [ 2460.444044] [<c012cab2>] ? do_exit+0x602/0x810
So, when the task exits it has a timer in ->posix_timers.
However, this means sys_timer_create() must return 0, and the code
is very simple:

	spin_lock_irq(&current->sighand->siglock);
	new_timer->it_process = process;
	list_add(&new_timer->list, &current->signal->posix_timers);
	spin_unlock_irq(&current->sighand->siglock);
	return 0;

and nobody else adds the timer to ->posix_timers.
But,
> > root@computer-desktop:~/testing/ltp-full-20081130/tools/strace_test#
> > ./timer_create04
> > timer_create04 1 FAIL : timer_create(2) failed to produce expected
> > error; 22 , errno : EINVAL and got 0
> > timer_create04 2 PASS : timer_create(2) expected failure; Got
> > errno - EINVAL : Invalid parameter
> > timer_create04 3 PASS : timer_create(2) expected failure; Got
> > errno - EFAULT : Bad address
> > timer_create04 4 PASS : timer_create(2) expected failure; Got
> > errno - EFAULT : Bad address
> > timer_create04 5 PASS : timer_create(2) expected failure; Got
> > errno - EFAULT : Bad address
> > timer_create04 6 PASS : timer_create(2) expected failure; Got
> > errno - EFAULT : Bad address
according to the above, timer_create() always returns -EXXX ?
I'll try to reproduce and investigate tomorrow.
Oleg.