All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH] locking/rt-mutex: avoid a NULL pointer dereference on deadlock
@ 2015-02-17 15:43 Sebastian Andrzej Siewior
  2015-02-18 17:05 ` [tip:locking/core] locking/rtmutex: Avoid " tip-bot for Sebastian Andrzej Siewior
  0 siblings, 1 reply; 2+ messages in thread
From: Sebastian Andrzej Siewior @ 2015-02-17 15:43 UTC (permalink / raw)
  To: Peter Zijlstra
  Cc: Ingo Molnar, linux-kernel, linux-rt-users, tglx,
	Sebastian Andrzej Siewior

With task_blocks_on_rt_mutex() returning early -EDEADLK we never add the
waiter to the waitqueue. Later, we try to remove it via remove_waiter()
and go boom in rt_mutex_top_waiter() because rb_entry() gives a NULL
pointer.
Tested on v3.18-RT where rtmutex is used for regular mutex and I tried
to get one twice in a row.

Not sure when this started but I guess 397335f00 ("rtmutex: Fix deadlock
detector for real") or commit 3d5c9340 ("rtmutex: Handle deadlock
detection smarter").

Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
---
 kernel/locking/rtmutex.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/kernel/locking/rtmutex.c b/kernel/locking/rtmutex.c
index 5906c14a4e64..2f95e56ed33e 100644
--- a/kernel/locking/rtmutex.c
+++ b/kernel/locking/rtmutex.c
@@ -1700,7 +1700,8 @@ rt_mutex_slowlock(struct rt_mutex *lock, int state,
 	set_current_state(TASK_RUNNING);
 
 	if (unlikely(ret)) {
-		remove_waiter(lock, &waiter);
+		if (rt_mutex_has_waiters(lock))
+			remove_waiter(lock, &waiter);
 		rt_mutex_handle_deadlock(ret, chwalk, &waiter);
 	} else if (ww_ctx) {
 		ww_mutex_account_lock(lock, ww_ctx);
-- 
2.1.4


^ permalink raw reply	[flat|nested] 2+ messages in thread

* [tip:locking/core] locking/rtmutex: Avoid a NULL pointer dereference on deadlock
  2015-02-17 15:43 [PATCH] locking/rt-mutex: avoid a NULL pointer dereference on deadlock Sebastian Andrzej Siewior
@ 2015-02-18 17:05 ` tip-bot for Sebastian Andrzej Siewior
  0 siblings, 0 replies; 2+ messages in thread
From: tip-bot for Sebastian Andrzej Siewior @ 2015-02-18 17:05 UTC (permalink / raw)
  To: linux-tip-commits; +Cc: peterz, bigeasy, mingo, hpa, tglx, linux-kernel

Commit-ID:  8d1e5a1a1ccf5ae9d8a5a0ee7960202ccb0c5429
Gitweb:     http://git.kernel.org/tip/8d1e5a1a1ccf5ae9d8a5a0ee7960202ccb0c5429
Author:     Sebastian Andrzej Siewior <bigeasy@linutronix.de>
AuthorDate: Tue, 17 Feb 2015 16:43:43 +0100
Committer:  Ingo Molnar <mingo@kernel.org>
CommitDate: Wed, 18 Feb 2015 10:20:32 +0100

locking/rtmutex: Avoid a NULL pointer dereference on deadlock

With task_blocks_on_rt_mutex() returning early -EDEADLK we never
add the waiter to the waitqueue. Later, we try to remove it via
remove_waiter() and go boom in rt_mutex_top_waiter() because
rb_entry() gives a NULL pointer.

( Tested on v3.18-RT where rtmutex is used for regular mutex and I
  tried to get one twice in a row. )

Not sure when this started but I guess 397335f004f4 ("rtmutex: Fix
deadlock detector for real") or commit 3d5c9340d194 ("rtmutex:
Handle deadlock detection smarter").

Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Acked-by: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: <stable@vger.kernel.org> # for v3.16 and later kernels
Link: http://lkml.kernel.org/r/1424187823-19600-1-git-send-email-bigeasy@linutronix.de
Signed-off-by: Ingo Molnar <mingo@kernel.org>
---
 kernel/locking/rtmutex.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/kernel/locking/rtmutex.c b/kernel/locking/rtmutex.c
index 3059bc2f..e16e554 100644
--- a/kernel/locking/rtmutex.c
+++ b/kernel/locking/rtmutex.c
@@ -1193,7 +1193,8 @@ rt_mutex_slowlock(struct rt_mutex *lock, int state,
 		ret = __rt_mutex_slowlock(lock, state, timeout, &waiter);
 
 	if (unlikely(ret)) {
-		remove_waiter(lock, &waiter);
+		if (rt_mutex_has_waiters(lock))
+			remove_waiter(lock, &waiter);
 		rt_mutex_handle_deadlock(ret, chwalk, &waiter);
 	}
 

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2015-02-18 17:06 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-02-17 15:43 [PATCH] locking/rt-mutex: avoid a NULL pointer dereference on deadlock Sebastian Andrzej Siewior
2015-02-18 17:05 ` [tip:locking/core] locking/rtmutex: Avoid " tip-bot for Sebastian Andrzej Siewior

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.