public inbox for linux-kernel@vger.kernel.org
From: Andrea Righi <arighi@nvidia.com>
To: Ingo Molnar <mingo@redhat.com>,
	Peter Zijlstra <peterz@infradead.org>,
	Juri Lelli <juri.lelli@redhat.com>,
	Vincent Guittot <vincent.guittot@linaro.org>,
	Dietmar Eggemann <dietmar.eggemann@arm.com>,
	Steven Rostedt <rostedt@goodmis.org>,
	Ben Segall <bsegall@google.com>, Mel Gorman <mgorman@suse.de>,
	Valentin Schneider <vschneid@redhat.com>,
	Joel Fernandes <joelagnelf@nvidia.com>, Tejun Heo <tj@kernel.org>,
	David Vernet <void@manifault.com>,
	Changwoo Min <changwoo@igalia.com>, Shuah Khan <shuah@kernel.org>
Cc: sched-ext@lists.linux.dev, bpf@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: [PATCH 11/14] sched/deadline: Fix DL server crash in inactive_timer callback
Date: Fri, 17 Oct 2025 11:25:58 +0200	[thread overview]
Message-ID: <20251017093214.70029-12-arighi@nvidia.com> (raw)
In-Reply-To: <20251017093214.70029-1-arighi@nvidia.com>

From: Joel Fernandes <joelagnelf@nvidia.com>

When sched_ext is rapidly disabled/enabled (the reload_loop selftest),
the following crash is observed. This happens because the timer handler
could not be cancelled and still fires even though the dl_server
bandwidth may have been removed via dl_server_remove_params().
hrtimer_try_to_cancel() does not guarantee timer cancellation. This
results in a NULL pointer dereference as 'p' is bogus for a dl_se.

This happens because the timer may be about to run, but its softirq has
not executed yet. Because of that hrtimer_try_to_cancel() cannot cancel
the timer, yet dl_server is still set to NULL by
dl_server_apply_params(). When the timer handler eventually runs, it
crashes.

[   24.771835] BUG: kernel NULL pointer dereference, address: 000000000000006c
[   24.772097] #PF: supervisor read access in kernel mode
[   24.772248] #PF: error_code(0x0000) - not-present page
[   24.772404] PGD 0 P4D 0
[   24.772499] Oops: Oops: 0000 [#1] SMP PTI
[   24.772614] CPU: 9 UID: 0 PID: 0 Comm: swapper/9 [..] #74 PREEMPT(voluntary)
[   24.772932] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), [...]
[   24.773149] Sched_ext: maximal (disabling)
[   24.773944] RSP: 0018:ffffb162c0348ee0 EFLAGS: 00010046
[   24.774100] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff88d4412f1800
[   24.774302] RDX: 0000000000000001 RSI: 0000000000000010 RDI: ffffffffac939240
[   24.774498] RBP: ffff88d47e65b940 R08: 0000000000000010 R09: 00000008bad3370a
[   24.774742] R10: 0000000000000000 R11: ffffffffa9f159d0 R12: ffff88d47e65b900
[   24.774962] R13: ffff88d47e65b960 R14: ffff88d47e66a340 R15: ffff88d47e66aed0
[   24.775182] FS:  0000000000000000(0000) GS:ffff88d4d1d56000(0000) knlGS:[...]
[   24.775392] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   24.775579] CR2: 000000000000006c CR3: 0000000002bb0003 CR4: 0000000000770ef0
[   24.775810] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   24.776023] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   24.776225] PKRU: 55555554
[   24.776292] Call Trace:
[   24.776373]  <IRQ>
[   24.776453]  ? __pfx_inactive_task_timer+0x10/0x10
[   24.776591]  __hrtimer_run_queues+0xf1/0x270
[   24.776744]  hrtimer_interrupt+0xfa/0x220
[   24.776847]  __sysvec_apic_timer_interrupt+0x4d/0x190
[   24.776988]  sysvec_apic_timer_interrupt+0x69/0x80
[   24.777132]  </IRQ>
[   24.777194]  <TASK>
[   24.777256]  asm_sysvec_apic_timer_interrupt+0x1a/0x20

Fix by also checking the DL server's pick_task pointer which only exists
for server tasks. This avoids dereferencing invalid task pointers when
the timer fires after the DL server has been disabled.

[ arighi: replace ->server_has_tasks with ->server_pick_task ]

Co-developed-by: Andrea Righi <arighi@nvidia.com>
Signed-off-by: Andrea Righi <arighi@nvidia.com>
Signed-off-by: Joel Fernandes <joelagnelf@nvidia.com>
---
 kernel/sched/deadline.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/kernel/sched/deadline.c b/kernel/sched/deadline.c
index 16e229180bf46..7889e95d3309c 100644
--- a/kernel/sched/deadline.c
+++ b/kernel/sched/deadline.c
@@ -1784,7 +1784,16 @@ static enum hrtimer_restart inactive_task_timer(struct hrtimer *timer)
 	struct rq_flags rf;
 	struct rq *rq;
 
-	if (!dl_server(dl_se)) {
+	/*
+	 * It is possible that after dl_server_apply_params(), the
+	 * dl_se->dl_server == NULL, but the inactive timer is still queued
+	 * and could not get canceled.
+	 *
+	 * Double check by looking at ->server_pick_tasks to make sure
+	 * we're dealing with a non-server entity. Otherwise p may be bogus
+	 * and we'll crash.
+	 */
+	if (!dl_server(dl_se) && !dl_se->server_pick_task) {
 		p = dl_task_of(dl_se);
 		rq = task_rq_lock(p, &rf);
 	} else {
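Review bot: the new comment names a field that does not exist: it says "->server_pick_tasks" while the condition right below it (and the rest of the patch) tests `dl_se->server_pick_task`; fix the comment so a grep for the field also finds this explanation. The comment should also spell out the invariant the fix depends on: the server teardown path (dl_server_apply_params() per the commit message) clears ->dl_server but leaves ->server_pick_task set, which is the only reason `!dl_server(dl_se) && !dl_se->server_pick_task` can tell a torn-down server from a task entity. If a later change clears ->server_pick_task on removal as well, this handler silently goes back to calling dl_task_of() on a server entity and the same oops returns.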
@@ -1795,7 +1804,7 @@ static enum hrtimer_restart inactive_task_timer(struct hrtimer *timer)
 	sched_clock_tick();
 	update_rq_clock(rq);
 
-	if (dl_server(dl_se))
+	if (dl_server(dl_se) || dl_se->server_pick_task)
 		goto no_task;
 
 	if (!dl_task(p) || READ_ONCE(p->__state) == TASK_DEAD) {
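Review bot: `dl_se->server_pick_task` is read a second time here after it already decided, a few lines up, whether to take task_rq_lock(p, &rf) or the rq lock in the else branch; if the field can change between the two reads the handler takes one lock and unlocks the other at `unlock:`. Evaluate the predicate once at function entry, e.g. `bool is_server = dl_server(dl_se) || dl_se->server_pick_task;`, and write `if (is_server) goto no_task;` here, so the lock choice, this early-out and the unlock path cannot disagree. A short comment at this site on why the caller cannot wait for the callback with hrtimer_cancel() instead, so that the handler has to tolerate ->dl_server being NULL, would also help: the commit message only says that hrtimer_try_to_cancel() does not guarantee cancellation.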
@@ -1823,7 +1832,7 @@ static enum hrtimer_restart inactive_task_timer(struct hrtimer *timer)
 	dl_se->dl_non_contending = 0;
 unlock:
 
-	if (!dl_server(dl_se)) {
+	if (!dl_server(dl_se) && !dl_se->server_pick_task) {
 		task_rq_unlock(rq, p, &rf);
 		put_task_struct(p);
 	} else {
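Review bot: this third copy of the composite predicate guards the task_rq_unlock(rq, p, &rf) / put_task_struct(p) pair that must match the task_rq_lock(p, &rf) taken in the first hunk, and the reference drop that the task path expects; evaluating `dl_se->server_pick_task` independently here turns any disagreement with the lock site into a leaked rq lock or a missing put_task_struct() instead of the NULL dereference this patch fixes. Using one local computed at function entry (`if (!is_server)`) keeps lock/unlock and get/put paired by construction rather than by three conditions happening to agree.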
-- 
2.51.0
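The race the commit message describes, as an added userspace model that is not part of this patch or of the kernel: a small state machine stands in for hrtimer_try_to_cancel() (which returns 1 if it dequeued the timer, 0 if the timer was not queued and -1 if its callback is already running); `dl_entity`, `dl_server()` and `dl_task_of()` are simplified analogues of the kernel's sched_dl_entity, dl_server() and dl_task_of() (the latter is a container_of() lookup that yields a bogus pointer for a server entity; modelled here as NULL so the handler can return a code instead of faulting). The teardown sequence follows the commit message: the timer has already been taken for execution, try-cancel fails, ->dl_server is cleared anyway, then the callback runs. `inactive_timer_before()` mirrors the pre-patch check and `inactive_timer_after()` the patched one; the timer states, the `pick_task_stub`, the `H_*` result codes and all other names are assumptions for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Timer life-cycle as seen by the cancel side (modelling assumption). */
enum timer_state { T_IDLE, T_PENDING, T_RUNNING };

struct task { int pid; };                /* stand-in for task_struct */

struct dl_entity {                       /* stand-in for sched_dl_entity */
    struct task *owner;                  /* meaningful only for task entities */
    void *dl_server;                     /* non-NULL while server params are applied */
    int (*server_pick_task)(void);       /* set once when the server is created */
    enum timer_state inactive_timer;
};

static int pick_task_stub(void) { return 0; }

/* Analogue of hrtimer_try_to_cancel(): it can dequeue a pending timer but
 * cannot stop a callback that has already been taken for execution (-1). */
static int try_cancel(struct dl_entity *e)
{
    if (e->inactive_timer == T_PENDING) { e->inactive_timer = T_IDLE; return 1; }
    if (e->inactive_timer == T_RUNNING) return -1;
    return 0;
}

static bool dl_server(const struct dl_entity *e) { return e->dl_server != NULL; }

/* Analogue of dl_task_of(): a container_of() on a server entity points at
 * memory that is not a task; modelled as NULL so the handler can report it. */
static struct task *dl_task_of(struct dl_entity *e)
{
    return e->server_pick_task ? NULL : e->owner;
}

enum { H_NULL_DEREF = -1, H_TASK_PATH = 1, H_SERVER_PATH = 2 };

/* Pre-patch handler: trusts dl_server() alone. */
static int inactive_timer_before(struct dl_entity *e)
{
    e->inactive_timer = T_IDLE;
    if (!dl_server(e)) {
        struct task *p = dl_task_of(e);
        if (!p) return H_NULL_DEREF;    /* the oops in the commit message */
        return H_TASK_PATH;             /* task_rq_lock(p) ... put_task_struct(p) */
    }
    return H_SERVER_PATH;               /* goto no_task */
}

/* Patched handler: also consults the field that teardown never clears. */
static int inactive_timer_after(struct dl_entity *e)
{
    e->inactive_timer = T_IDLE;
    if (!dl_server(e) && !e->server_pick_task) {
        struct task *p = dl_task_of(e);
        if (!p) return H_NULL_DEREF;
        return H_TASK_PATH;
    }
    return H_SERVER_PATH;
}

/* The interleaving from the commit message: the timer has already been
 * taken for execution when the server is torn down, try_cancel() reports
 * -1, dl_server is cleared regardless, and then the callback runs. */
static int run_teardown_race(int (*handler)(struct dl_entity *))
{
    int token = 42;                      /* any non-NULL value for dl_server */
    struct dl_entity e = {
        .owner = NULL, .dl_server = &token,
        .server_pick_task = pick_task_stub, .inactive_timer = T_PENDING,
    };

    e.inactive_timer = T_RUNNING;        /* expired, callback not yet executed */
    int rc = try_cancel(&e);             /* -1: too late to cancel */
    (void)rc;                            /* teardown ignores it, as in the bug */
    e.dl_server = NULL;                  /* dl_server_apply_params() clears it anyway */
    return handler(&e);                  /* softirq now runs inactive_task_timer() */
}

/* Control: a plain deadline task keeps taking the task path either way. */
static int run_task_entity(int (*handler)(struct dl_entity *))
{
    struct task t = { .pid = 1234 };
    struct dl_entity e = { .owner = &t, .inactive_timer = T_RUNNING };
    return handler(&e);
}

int main(void)
{
    printf("race, pre-patch: %d (NULL deref is %d)\n",
           run_teardown_race(inactive_timer_before), H_NULL_DEREF);
    printf("race, patched  : %d (server path is %d)\n",
           run_teardown_race(inactive_timer_after), H_SERVER_PATH);
    printf("task, pre-patch: %d, patched: %d (task path is %d)\n",
           run_task_entity(inactive_timer_before),
           run_task_entity(inactive_timer_after), H_TASK_PATH);
    return 0;
}
```

Build with `cc -Wall model.c && ./a.out`. The point the model makes is that a cancel that may fail must be followed either by waiting for the callback to finish (hrtimer_cancel() does that, where the calling context allows it) or by a handler-side check on a field the teardown never clears; the patch takes the second route, which is why the value of ->server_pick_task after removal matters.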



Thread overview: 45+ messages
2025-10-17  9:25 [PATCHSET v9 sched_ext/for-6.19] Add a deadline server for sched_ext tasks Andrea Righi
2025-10-17  9:25 ` [PATCH 01/14] sched/debug: Fix updating of ppos on server write ops Andrea Righi
2025-10-20  8:36   ` Juri Lelli
2025-10-17  9:25 ` [PATCH 02/14] sched/debug: Stop and start server based on if it was active Andrea Righi
2025-10-20  9:12   ` Juri Lelli
2025-10-20  9:27     ` Juri Lelli
2025-10-17  9:25 ` [PATCH 03/14] sched/deadline: Clear the defer params Andrea Righi
2025-10-17  9:25 ` [PATCH 04/14] sched/deadline: Return EBUSY if dl_bw_cpus is zero Andrea Righi
2025-10-20  9:49   ` Juri Lelli
2025-10-20 13:38     ` Andrea Righi
2025-10-20 14:03       ` Andrea Righi
2025-10-20 14:12         ` Juri Lelli
2025-10-17  9:25 ` [PATCH 05/14] sched: Add a server arg to dl_server_update_idle_time() Andrea Righi
2025-10-20  9:54   ` Juri Lelli
2025-10-20 12:49   ` Peter Zijlstra
2025-10-17  9:25 ` [PATCH 06/14] sched_ext: Add a DL server for sched_ext tasks Andrea Righi
2025-10-17 15:40   ` Tejun Heo
2025-10-17 19:00     ` Andrea Righi
2025-10-17 15:47   ` Tejun Heo
2025-10-17 18:58     ` Andrea Righi
2025-10-17 19:04       ` Tejun Heo
2025-10-17 19:06         ` Andrea Righi
2025-10-20 11:58   ` Juri Lelli
2025-10-20 13:50     ` Andrea Righi
2025-10-20 14:09       ` Juri Lelli
2025-10-17  9:25 ` [PATCH 07/14] sched/debug: Add support to change sched_ext server params Andrea Righi
2025-10-20 12:45   ` Juri Lelli
2025-10-21  6:23     ` Andrea Righi
2025-10-17  9:25 ` [PATCH 08/14] sched/deadline: Add support to remove DL server's bandwidth contribution Andrea Righi
2025-10-20 13:46   ` Juri Lelli
2025-10-17  9:25 ` [PATCH 09/14] sched/deadline: Account ext server bandwidth Andrea Righi
2025-10-17  9:25 ` [PATCH 10/14] sched/deadline: Allow to initialize DL server when needed Andrea Righi
2025-10-17  9:25 ` Andrea Righi [this message]
2025-10-17  9:25 ` [PATCH 12/14] sched_ext: Selectively enable ext and fair DL servers Andrea Righi
2025-10-17  9:26 ` [PATCH 13/14] selftests/sched_ext: Add test for sched_ext dl_server Andrea Righi
2025-10-19 19:04   ` Emil Tsalapatis
2025-10-20 13:22     ` Andrea Righi
2025-10-20 13:44       ` Andrea Righi
2025-10-20 13:26   ` Christian Loehle
2025-10-20 13:55     ` Andrea Righi
2025-10-20 14:00       ` Andrea Righi
2025-10-20 14:21       ` Christian Loehle
2025-10-23 15:01         ` Christian Loehle
2025-10-23 15:11           ` Andrea Righi
2025-10-17  9:26 ` [PATCH 14/14] selftests/sched_ext: Add test for DL server total_bw consistency Andrea Righi
