From: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
To: Davidlohr Bueso <dave@stgolabs.net>
Cc: mingo@kernel.org, wangkefeng.wang@huawei.com,
peterz@infradead.org, josh@joshtriplett.org,
guohanjun@huawei.com, linux-kernel@vger.kernel.org,
Davidlohr Bueso <dbueso@suse.de>
Subject: Re: [PATCH 1/2] locktorture: Fix deboosting nil ptr dereferencing
Date: Wed, 9 Mar 2016 04:18:22 -0800
Message-ID: <20160309121822.GM3577@linux.vnet.ibm.com>
In-Reply-To: <1457507286-653-2-git-send-email-dave@stgolabs.net>

On Tue, Mar 08, 2016 at 11:08:05PM -0800, Davidlohr Bueso wrote:
> For the case of rtmutex torturing we will randomly call into the
> boost() handler, including upon module exiting when the tasks are
> deboosted before stopping. In such cases the task may or may not have
> already been boosted, and therefore the NULL being explicitly passed
> can occur anywhere. Currently we only assume that the task is
> at a higher prio, and in consequence, dereference a nil pointer.
>
> This patch fixes the case of a rmmod locktorture exploding while
> pounding on the rtmutex lock (partial trace):
>
> [83317.452251] task: ffff88081026cf80 ti: ffff880816120000 task.ti: ffff880816120000
> [83317.452258] RIP: 0010:[<ffffffffa05c6185>] [<ffffffffa05c6185>] torture_random+0x5/0x60 [torture]
> [83317.452261] RSP: 0018:ffff880816123eb0 EFLAGS: 00010206
> [83317.452264] RAX: ffff88081026cf80 RBX: ffff880816bfa630 RCX: 0000000000160d1b
> [83317.452267] RDX: 0000000000000000 RSI: 0000000000000202 RDI: 0000000000000000
> [83317.452269] RBP: ffff88081026cf80 R08: 000000000000001f R09: ffff88017c20ca80
> [83317.452271] R10: 0000000000000000 R11: 000000000048c316 R12: ffffffffa05d1840
> [83317.452273] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
> [83317.452275] FS: 0000000000000000(0000) GS:ffff88203f880000(0000) knlGS:0000000000000000
> [83317.452277] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [83317.452279] CR2: 0000000000000008 CR3: 0000000001c0a000 CR4: 00000000000406e0
> [83317.452281] Stack:
> [83317.452288] ffffffffa05d141d ffff880816bfa630 ffffffffa05d1922 ffff88081e70c2c0
> [83317.452295] ffff880816bfa630 ffffffff81095fed 0000000000000000 ffffffff8107bf60
> [83317.452297] ffff880816bfa630 ffffffff00000000 ffff880800000000 ffff880816123f08
> [83317.452297] Call Trace:
> [83317.452309] [<ffffffffa05d141d>] torture_rtmutex_boost+0x1d/0x90 [locktorture]
> [83317.452315] [<ffffffffa05d1922>] lock_torture_writer+0xe2/0x170 [locktorture]
> [83317.452321] [<ffffffff81095fed>] kthread+0xbd/0xe0
> [83317.452325] [<ffffffff815cf40f>] ret_from_fork+0x3f/0x70
>
> This patch ensures that if the random state pointer is not nil and current
> is not boosted, then do nothing.
>
> Signed-off-by: Davidlohr Bueso <dbueso@suse.de>

Queued for 4.7, thank you!!!

(If you need it earlier, please let me know.)

Thanx, Paul

> ---
> kernel/locking/locktorture.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/kernel/locking/locktorture.c b/kernel/locking/locktorture.c
> index 8ef1919d63b2..9e9c5f454f5c 100644
> --- a/kernel/locking/locktorture.c
> +++ b/kernel/locking/locktorture.c
> @@ -394,12 +394,12 @@ static void torture_rtmutex_boost(struct torture_random_state *trsp)
>
> if (!rt_task(current)) {
> /*
> - * (1) Boost priority once every ~50k operations. When the
> + * Boost priority once every ~50k operations. When the
> * task tries to take the lock, the rtmutex it will account
> * for the new priority, and do any corresponding pi-dance.
> */
> - if (!(torture_random(trsp) %
> - (cxt.nrealwriters_stress * factor))) {
> + if (trsp && !(torture_random(trsp) %
> + (cxt.nrealwriters_stress * factor))) {
> policy = SCHED_FIFO;
> param.sched_priority = MAX_RT_PRIO - 1;
> } else /* common case, do nothing */
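
Review bot: the comment above `if (trsp && !(torture_random(trsp) %` does not say why trsp can be NULL at this point; one line noting that NULL is passed explicitly to deboost the tasks before stopping, so a task that was never boosted has to take the do-nothing branch, would keep the guard from looking redundant later. The changelog sentence "if the random state pointer is not nil and current is not boosted, then do nothing" also reads inverted against this condition, which does nothing when trsp is NULL, so it is worth rewording. Dropping the "(1)" label from the comment is unrelated to the fix and deserves a mention in the log.
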
> --
> 2.1.4
>
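
The partial trace quoted above already points at the cause: CR2 holds a small fault address and RDI, the first-argument register, is zero five bytes into torture_random. As an added example (not part of the original message or the kernel tree), this sketch runs that triage over an abbreviated copy of the trace; the 4 KiB page size and the helper names are assumptions.

```python
import re

# Abbreviated copy of the oops from the quoted commit message
# (timestamps and "> " quoting stripped; unrelated lines omitted).
OOPS = """\
RIP: 0010:[<ffffffffa05c6185>] [<ffffffffa05c6185>] torture_random+0x5/0x60 [torture]
RAX: ffff88081026cf80 RBX: ffff880816bfa630 RCX: 0000000000160d1b
RDX: 0000000000000000 RSI: 0000000000000202 RDI: 0000000000000000
CR2: 0000000000000008 CR3: 0000000001c0a000 CR4: 00000000000406e0
Call Trace:
[<ffffffffa05d141d>] torture_rtmutex_boost+0x1d/0x90 [locktorture]
[<ffffffffa05d1922>] lock_torture_writer+0xe2/0x170 [locktorture]
"""

PAGE_SIZE = 4096  # assumption: 4 KiB pages; a fault below this is NULL plus a field offset
ARG_REGS = ("RDI", "RSI", "RDX", "RCX", "R08", "R09")  # x86-64 SysV argument order

# "RDI: 0000000000000000" style pairs; RIP/RSP carry a segment prefix and are skipped.
REG_RE = re.compile(r"\b(R[A-Z0-9]{2}|CR\d):\s+([0-9a-f]{16})\b")
# "] symbol+0xoff/0xsize [module]" as printed on the RIP line and in the call trace.
SYM_RE = re.compile(r"\]\s+(\w+)\+0x([0-9a-f]+)/0x[0-9a-f]+(?: \[(\w+)\])?")


def triage(text):
    """Summarise whether an x86-64 oops looks like a NULL-pointer dereference."""
    regs = {name: int(val, 16) for name, val in REG_RE.findall(text)}
    frames = [(sym, int(off, 16), mod or "vmlinux")
              for sym, off, mod in SYM_RE.findall(text)]
    fault = regs.get("CR2")
    return {
        "faulting_function": frames[0][0] if frames else None,
        "rip_offset": frames[0][1] if frames else None,
        "caller": frames[1][0] if len(frames) > 1 else None,
        "fault_address": fault,
        "null_plus_offset": fault is not None and fault < PAGE_SIZE,
        # Only a hint: argument registers are trustworthy when rip_offset is
        # small, i.e. the callee has had little chance to clobber them.
        "zero_arg_regs": [r for r in ARG_REGS if regs.get(r) == 0],
    }


if __name__ == "__main__":
    for key, value in triage(OOPS).items():
        print(f"{key}: {value}")
```
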