From: Quentin Perret <qperret@google.com>
To: linux-kernel@vger.kernel.org
Cc: peterz@infradead.org, aaron.lwe@gmail.com,
valentin.schneider@arm.com, mingo@kernel.org, pauld@redhat.com,
jdesfossez@digitalocean.com, naravamudan@digitalocean.com,
vincent.guittot@linaro.org, dietmar.eggemann@arm.com,
juri.lelli@redhat.com, rostedt@goodmis.org, bsegall@google.com,
mgorman@suse.de, kernel-team@android.com, john.stultz@linaro.org
Subject: NULL pointer dereference in pick_next_task_fair
Date: Mon, 28 Oct 2019 17:46:03 +0000 [thread overview]
Message-ID: <20191028174603.GA246917@google.com> (raw)
Hi all,
The following issue has been observed with 5.4-rc*-based android
kernels both on an x86 VM and native arm64:
---8<---
[ 222.515957] BUG: kernel NULL pointer dereference, address: 0000000000000040
[ 222.518871] #PF: supervisor read access in kernel mode
[ 222.518871] #PF: error_code(0x0000) - not-present page
[ 222.518871] PGD 800000007cdf7067 P4D 800000007cdf7067 PUD 7c868067 PMD 0
[ 222.518871] Oops: 0000 [#1] PREEMPT SMP PTI
[ 222.518871] CPU: 2 PID: 0 Comm: swapper/2 Not tainted 5.4.0-rc4-mainline-g6a9b34166c05 #1
[ 222.518871] Hardware name: ChromiumOS crosvm, BIOS 0
[ 222.518871] RIP: 0010:set_next_entity+0xf/0xf0
[ 222.518871] Code: 42 0b e5 85 31 c0 e8 90 1a fc ff 0f 0b eb 9b 66 90 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 53 48 89 f3 49 89 fe <83> 7e 40 00 74 3d 4c 89 f7 48 89 de e8 80 f9 ff ff 4c 8d 7b 18 4d
[ 222.518871] RSP: 0018:ffffb95040073de8 EFLAGS: 00010046
[ 222.518871] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff85ec0c30
[ 222.518871] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff9ec44c728500
[ 222.518871] RBP: ffffb95040073e00 R08: 0000000000000000 R09: 0000000000000000
[ 222.518871] R10: 0000000000000000 R11: ffffffff84ef0a30 R12: 0000000000000000
[ 222.518871] R13: 0000000000000000 R14: ffff9ec44c728500 R15: ffffb95040073e60
[ 222.518871] FS: 0000000000000000(0000) GS:ffff9ec44c700000(0000) knlGS:0000000000000000
[ 222.518871] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 222.518871] CR2: 0000000000000040 CR3: 000000007c87a002 CR4: 00000000003606e0
[ 222.518871] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 222.518871] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 222.518871] Call Trace:
[ 222.518871] pick_next_task_fair+0xe8/0x410
[ 222.518871] ? rcu_note_context_switch+0x3ef/0x520
[ 222.518871] ? finish_task_switch+0x10d/0x250
[ 222.518871] __schedule+0x1f8/0x6e0
[ 222.518871] schedule_idle+0x27/0x40
[ 222.518871] do_idle+0x21c/0x240
[ 222.518871] cpu_startup_entry+0x25/0x30
[ 222.518871] start_secondary+0x18d/0x1b0
[ 222.518871] secondary_startup_64+0xa4/0xb0
[ 222.518871] Modules linked in: vmw_vsock_virtio_transport vmw_vsock_virtio_transport_common vsock_diag vsock can_raw can snd_intel8x0 snd_ac97_codec ac97_bus virtio_input virtio_pci virtio_mmio virtio_crypto mmc_block mmc_core dummy_cpufreq rtc_test dummy_hcd can_dev vcan virtio_net net_failover failover virt_wifi virtio_blk virtio_gpu ttm virtio_rng virtio_ring virtio 8250_of crypto_engine
[ 222.518871] CR2: 0000000000000040
[ 222.518871] ---[ end trace ae741809965b22f2 ]---
[ 222.518871] RIP: 0010:set_next_entity+0xf/0xf0
[ 222.518871] Code: 42 0b e5 85 31 c0 e8 90 1a fc ff 0f 0b eb 9b 66 90 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 53 48 89 f3 49 89 fe <83> 7e 40 00 74 3d 4c 89 f7 48 89 de e8 80 f9 ff ff 4c 8d 7b 18 4d
[ 222.518871] RSP: 0018:ffffb95040073de8 EFLAGS: 00010046
[ 222.518871] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff85ec0c30
[ 222.518871] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff9ec44c728500
[ 222.518871] RBP: ffffb95040073e00 R08: 0000000000000000 R09: 0000000000000000
[ 222.518871] R10: 0000000000000000 R11: ffffffff84ef0a30 R12: 0000000000000000
[ 222.518871] R13: 0000000000000000 R14: ffff9ec44c728500 R15: ffffb95040073e60
[ 222.518871] FS: 0000000000000000(0000) GS:ffff9ec44c700000(0000) knlGS:0000000000000000
[ 222.518871] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 222.518871] CR2: 0000000000000040 CR3: 000000007c87a002 CR4: 00000000003606e0
[ 222.518871] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 222.518871] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 222.518871] Kernel panic - not syncing: Fatal exception
[ 222.518871] Kernel Offset: 0x3e00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
--->8---
The issue is very transient and relatively hard to reproduce.
After digging a bit, the offending commit seems to be:
67692435c411 ("sched: Rework pick_next_task() slow-path")
By 'offending' I mean that reverting it makes the issue go away. The
issue comes from the fact that pick_next_entity() returns a NULL se in
the 'simple' path of pick_next_task_fair(), which causes obvious
problems in the subsequent call to set_next_entity().
I'll dig more, but if anybody understands the issue in the meatime feel
free to send me a patch to try out :)
Thanks,
Quentin
next reply other threads:[~2019-10-28 17:46 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-28 17:46 Quentin Perret [this message]
2019-10-28 21:49 ` NULL pointer dereference in pick_next_task_fair Peter Zijlstra
2019-10-29 11:34 ` Peter Zijlstra
2019-10-29 11:50 ` Quentin Perret
2019-10-30 22:50 ` Ram Muthiah
2019-10-31 1:33 ` Valentin Schneider
2019-10-31 10:54 ` Valentin Schneider
2019-10-31 14:24 ` Valentin Schneider
2019-10-31 22:15 ` Valentin Schneider
2019-11-06 12:05 ` Peter Zijlstra
2019-11-06 13:08 ` Peter Zijlstra
2019-11-06 15:04 ` Qais Yousef
2019-11-06 16:57 ` Peter Zijlstra
2019-11-06 17:26 ` Qais Yousef
2019-11-06 15:51 ` Kirill Tkhai
2019-11-06 16:54 ` Peter Zijlstra
2019-11-06 17:27 ` Peter Zijlstra
2019-11-07 8:36 ` Kirill Tkhai
2019-11-07 13:26 ` Peter Zijlstra
2019-11-07 15:12 ` Kirill Tkhai
2019-11-07 15:42 ` Peter Zijlstra
2019-11-07 15:53 ` Kirill Tkhai
2019-11-07 15:38 ` Quentin Perret
2019-11-07 18:43 ` Peter Zijlstra
2019-11-07 19:27 ` Quentin Perret
2019-11-07 19:31 ` Peter Zijlstra
2019-11-07 19:42 ` Quentin Perret
2019-11-07 19:29 ` Peter Zijlstra
2019-11-08 11:02 ` Quentin Perret
2019-11-08 11:47 ` Valentin Schneider
2019-11-08 11:58 ` Quentin Perret
2019-11-08 12:00 ` Peter Zijlstra
2019-11-08 12:15 ` Quentin Perret
2019-11-08 12:35 ` Peter Zijlstra
2019-11-08 12:24 ` Peter Zijlstra
2019-11-08 11:55 ` Peter Zijlstra
2019-11-08 12:52 ` Peter Zijlstra
2019-11-07 16:09 ` Qais Yousef
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191028174603.GA246917@google.com \
--to=qperret@google.com \
--cc=aaron.lwe@gmail.com \
--cc=bsegall@google.com \
--cc=dietmar.eggemann@arm.com \
--cc=jdesfossez@digitalocean.com \
--cc=john.stultz@linaro.org \
--cc=juri.lelli@redhat.com \
--cc=kernel-team@android.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mgorman@suse.de \
--cc=mingo@kernel.org \
--cc=naravamudan@digitalocean.com \
--cc=pauld@redhat.com \
--cc=peterz@infradead.org \
--cc=rostedt@goodmis.org \
--cc=valentin.schneider@arm.com \
--cc=vincent.guittot@linaro.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).