From: Johannes Weiner <hannes@cmpxchg.org>
To: Qian Cai <cai@lca.pw>
Cc: Suren Baghdasaryan <surenb@google.com>,
Peter Zijlstra <peterz@infradead.org>,
Ingo Molnar <mingo@redhat.com>,
Juri Lelli <juri.lelli@redhat.com>,
Vincent Guittot <vincent.guittot@linaro.org>,
Heiko Carstens <heiko.carstens@de.ibm.com>,
Vasily Gorbik <gor@linux.ibm.com>,
Christian Borntraeger <borntraeger@de.ibm.com>,
linux-s390@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: PSI: use-after-free in collect_percpu_times()
Date: Mon, 18 Nov 2019 17:00:36 -0500
Message-ID: <20191118220036.GA382712@cmpxchg.org>
In-Reply-To: <1574113159.5937.148.camel@lca.pw>

Hi Qian,

On Mon, Nov 18, 2019 at 04:39:19PM -0500, Qian Cai wrote:
> Since a few days ago, s390 starts to crash on linux-next while reading some
> sysfs. It is not always reproducible but seems pretty reproducible after running
> the whole MM test suite here,
> https://github.com/cailca/linux-mm/blob/master/test.sh
>
> the config:
> https://raw.githubusercontent.com/cailca/linux-mm/master/s390.config
>
> The stack trace on s390 is not particularly helpful as both gdb and faddr2line are
> unable to point out which line causes the issue.
>
> # ./scripts/faddr2line vmlinux collect_percpu_times+0x2d6/0x798
> bad symbol size: base: 0x00000000002076f8 end: 0x00000000002076f8
>
> (gdb) list *(collect_percpu_times+0x2d6)
> 0x2079ce is in collect_percpu_times (./include/linux/compiler.h:199).
> 194 })
> 195
> 196 static __always_inline
> 197 void __read_once_size(const volatile void *p, void *res, int size)
> 198 {
> 199 __READ_ONCE_SIZE;
> 200 }
> 201
> 202 #ifdef CONFIG_KASAN
> 203 /*
>
> Could it be some race conditions in PSI?

psi doesn't do much lifetime management in itself: the psi_group is
embedded in the cgroup and the per-cpu data is freed right before the
cgroup itself is freed. An open file descriptor on the pressure files
will pin the cgroup and prevent it from being deleted.

As it's reproducible, would you be able to bisect this problem?
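
The lifetime rule described in the reply above, as a userspace model added here for illustration; it is not kernel code and not from the thread. All names (`cgroup_model`, `psi_group_model`, `pressure_open`, `collect_times_model`) are hypothetical, and a plain integer stands in for the kernel's reference counting.

```c
/* Userspace model of the lifetime rule; constructed, not kernel code. */
#include <stdio.h>
#include <stdlib.h>
#define NR_CPUS 4                      /* assumed CPU count for the model */

struct psi_group_model { unsigned long *pcpu; };  /* stands in for per-cpu data */
struct cgroup_model {
    int refcnt;                        /* directory + every open pressure file */
    struct psi_group_model psi;        /* embedded: no lifetime of its own */
};
static int live_cgroups;               /* lets callers observe the actual free */

static struct cgroup_model *cgroup_create(void)
{
    struct cgroup_model *cg = calloc(1, sizeof(*cg));
    if (!cg) return NULL;
    cg->psi.pcpu = calloc(NR_CPUS, sizeof(*cg->psi.pcpu));
    if (!cg->psi.pcpu) { free(cg); return NULL; }
    cg->refcnt = 1;                    /* reference held by the cgroup directory */
    live_cgroups++;
    return cg;
}

static void cgroup_put(struct cgroup_model *cg)
{
    if (--cg->refcnt > 0) return;      /* still pinned, nothing is freed */
    free(cg->psi.pcpu);                /* per-cpu data goes right before ... */
    free(cg);                          /* ... the cgroup that embeds the group */
    live_cgroups--;
}

/* Opening a pressure file pins the cgroup; closing it drops the pin. */
static struct cgroup_model *pressure_open(struct cgroup_model *cg) { cg->refcnt++; return cg; }
static void pressure_release(struct cgroup_model *cg) { cgroup_put(cg); }

/* Reader: only safe while the caller holds a pin on the cgroup. */
static unsigned long collect_times_model(const struct cgroup_model *cg)
{
    unsigned long sum = 0;
    for (int cpu = 0; cpu < NR_CPUS; cpu++) sum += cg->psi.pcpu[cpu];
    return sum;
}

int main(void)
{
    struct cgroup_model *cg = cgroup_create();
    if (!cg) return 1;
    for (int cpu = 0; cpu < NR_CPUS; cpu++) cg->psi.pcpu[cpu] = cpu + 1;
    struct cgroup_model *file = pressure_open(cg);
    cgroup_put(cg);                    /* directory removed while file is open */
    printf("after rmdir: live=%d sum=%lu\n", live_cgroups, collect_times_model(file));
    pressure_release(file);            /* last pin dropped: memory freed here */
    return live_cgroups;               /* 0 once everything has been released */
}
```

In this model a read after the last pin is dropped would touch freed memory, which is the class of bug the KASAN report in the thread describes.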