* 3.12.0-rc5+ reproducible crash at kernel/timer.c:1117
@ 2013-10-15 6:42 Janne Karhunen
2013-10-15 7:41 ` Janne Karhunen
0 siblings, 1 reply; 3+ messages in thread
From: Janne Karhunen @ 2013-10-15 6:42 UTC (permalink / raw)
To: Linux Kernel Mailing List
[-- Attachment #1: Type: text/plain, Size: 496 bytes --]
Hi,
Attached config seems to yield following crash ~5 seconds from kernel
init on Lenovo X201. Any pointers? Sorry for horrible output, its
manually copied from console.
call_timer_fn 0x73/0x160 <--- EIP hits 0
usleep_range 0x40/0x40
run_timer_softirq 0x1d5/0x220
..
call_timer_fn:
..
0xc1060348 <+104>: lea %ds:0x0(%esi,%eiz,1),%esi
0xc106034d <+109>: mov -0x2c(%ebp),%eax
0xc1060350 <+112>: call *-0x28(%ebp)
0xc1060353 <+115>: lea %ds:0x0(%esi,%eiz,1),%esi
--
Janne
[-- Attachment #2: config.gz --]
[-- Type: application/x-gzip, Size: 37535 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: 3.12.0-rc5+ reproducible crash at kernel/timer.c:1117
2013-10-15 6:42 3.12.0-rc5+ reproducible crash at kernel/timer.c:1117 Janne Karhunen
@ 2013-10-15 7:41 ` Janne Karhunen
2013-10-17 12:20 ` Janne Karhunen
0 siblings, 1 reply; 3+ messages in thread
From: Janne Karhunen @ 2013-10-15 7:41 UTC (permalink / raw)
To: Linux Kernel Mailing List
> call_timer_fn 0x73/0x160 <--- EIP hits 0
Use after free.. with CONFIG_DEBUG_PAGEALLOC &&
CONFIG_DEBUG_OBJECTS_TIMERS we get :
call_timer_fn 0x73/0x160
destroy_timer_on_stack 0x20/0x20
ftrace_raw_event_hrtimer_expire_entry 0x3b/0xc0
run_timer_softirq 0x1f2/0x230
--
Janne
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: 3.12.0-rc5+ reproducible crash at kernel/timer.c:1117
2013-10-15 7:41 ` Janne Karhunen
@ 2013-10-17 12:20 ` Janne Karhunen
0 siblings, 0 replies; 3+ messages in thread
From: Janne Karhunen @ 2013-10-17 12:20 UTC (permalink / raw)
To: Linux Kernel Mailing List
On Tue, Oct 15, 2013 at 10:41 AM, Janne Karhunen
<janne.karhunen@gmail.com> wrote:
>> call_timer_fn 0x73/0x160 <--- EIP hits 0
>
> Use after free.. with CONFIG_DEBUG_PAGEALLOC &&
> CONFIG_DEBUG_OBJECTS_TIMERS we get :
>
> call_timer_fn 0x73/0x160
> destroy_timer_on_stack 0x20/0x20
> ftrace_raw_event_hrtimer_expire_entry 0x3b/0xc0
> run_timer_softirq 0x1f2/0x230
Sadly no time to hunt the free at the moment, so working around temporarily by
diff --git a/kernel/timer.c b/kernel/timer.c
index 4296d13..fc7ef44 100644
--- a/kernel/timer.c
+++ b/kernel/timer.c
@@ -1094,6 +1094,9 @@ static void call_timer_fn(struct timer_list
*timer, void (*fn)(unsigned long),
{
int preempt_count = preempt_count();
+ if (fn == NULL)
+ return;
+
Hoping someone wiser catches the real fix at some point.
--
Janne
^ permalink raw reply related [flat|nested] 3+ messages in thread
end of thread, other threads:[~2013-10-17 12:20 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2013-10-15 6:42 3.12.0-rc5+ reproducible crash at kernel/timer.c:1117 Janne Karhunen
2013-10-15 7:41 ` Janne Karhunen
2013-10-17 12:20 ` Janne Karhunen
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).