Re: [BUG] sched: leaf_cfs_rq_list use after free

From: Kazuki Yamaguchi
Date: Sat Mar 12 2016 - 04:50:45 EST


Hello,

I got similar kernel crashes after this patch, which went into 4.4:

2e91fa7 cgroup: keep zombies associated with their original cgroups

I was just about to report it, but maybe this is related?

^^^^^^^[ 0.761718] BUG: unable to handle kernel NULL pointer dereference at 00000000000008b0
[ 0.762860] IP: [<ffffffff81052630>] update_blocked_averages+0x80/0x600
[ 0.764020] PGD 3fc067 PUD 3a9067 PMD 0
[ 0.764020] Oops: 0000 [#1] SMP
[ 0.764020] CPU: 0 PID: 56 Comm: test Not tainted 4.5.0-rc7 #25
[ 0.764020] task: ffff8800003d2700 ti: ffff8800003e8000 task.ti: ffff8800003e8000
[ 0.764020] RIP: 0010:[<ffffffff81052630>] [<ffffffff81052630>] update_blocked_averages+0x80/0x600
[ 0.764020] RSP: 0000:ffff880007c03e50 EFLAGS: 00000016
[ 0.764020] RAX: 0000000000000000 RBX: 00000000ffff165e RCX: 000000002d5096e1
[ 0.764020] RDX: 00000000000d281c RSI: ffff880000138200 RDI: 00000000000d281c
[ 0.764020] RBP: ffff880007c03eb0 R08: ffffffff811567e0 R09: 0000000000000100
[ 0.764020] R10: 0000000000000000 R11: 0000000000000000 R12: ffff880007c11920
[ 0.764020] R13: 00000000000110c0 R14: afb504000afb5041 R15: ffff880007c110c0
[ 0.764020] FS: 0000000001b69880(0063) GS:ffff880007c00000(0000) knlGS:0000000000000000
[ 0.764020] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 0.764020] CR2: 00000000000008b0 CR3: 00000000003a4000 CR4: 00000000000006b0
[ 0.764020] Stack:
[ 0.764020] 0000000080000100 0000000000000286 ffff880007c0c7f8 0000000000000006
[ 0.764020] 0000000007c0c5c0 ffff880000138200 ffffffff8104ce00 00000000ffff165e
[ 0.764020] ffff880007c110c0 00000000000110c0 0000000000000007 0000000000000000
[ 0.764020] Call Trace:
[ 0.764020] <IRQ>
[ 0.764020] [<ffffffff8104ce00>] ? wake_up_process+0x10/0x20
[ 0.764020] [<ffffffff8105978d>] run_rebalance_domains+0x6d/0x290
[ 0.764020] [<ffffffff81072cab>] ? run_timer_softirq+0x19b/0x220
[ 0.764020] [<ffffffff810318ee>] __do_softirq+0xde/0x1e0
[ 0.764020] [<ffffffff81031aef>] irq_exit+0x5f/0x70
[ 0.764020] [<ffffffff81020238>] smp_trace_apic_timer_interrupt+0x68/0x90
[ 0.764020] [<ffffffff81020269>] smp_apic_timer_interrupt+0x9/0x10
[ 0.764020] [<ffffffff8114dd4c>] apic_timer_interrupt+0x7c/0x90
[ 0.764020] <EOI>
[ 0.764020] [<ffffffff810b76f6>] ? find_vma+0x16/0x70
[ 0.764020] [<ffffffff81026d18>] __do_page_fault+0xe8/0x360
[ 0.764020] [<ffffffff81026fcc>] do_page_fault+0xc/0x10
[ 0.764020] [<ffffffff8114e5cf>] page_fault+0x1f/0x30
[ 0.764020] Code: 00 48 8d b0 28 ff ff ff 49 be 41 50 fb 0a 00 04 b5 af 48 89 74 24 28 48 8b 74 24 28 c7 44 24 24 00 00 00 00 48 8b 86 c8 00 00 00 <48> 8b 90 b0 08 00 00 48 8b 86 a0 00 00 00 48 85 c0 74 46 31 c0
[ 0.764020] RIP [<ffffffff81052630>] update_blocked_averages+0x80/0x600
[ 0.764020] RSP <ffff880007c03e50>
[ 0.764020] CR2: 00000000000008b0
[ 0.764020] ---[ end trace 754fbc727003a126 ]---
[ 0.764020] Kernel panic - not syncing: Fatal exception in interrupt
[ 0.764020] Shutting down cpus with NMI
[ 0.764020] Kernel Offset: disabled
[ 0.764020] ---[ end Kernel panic - not syncing: Fatal exception in interrupt


I can reproduce it on QEMU (qemu-system-x86_64 -smp 2).

Enabled config options:
CONFIG_PID_NS=y
CONFIG_FAIR_GROUP_SCHED=y
CONFIG_SMP=y


init.sh:
#!/bin/sh
# Set up a throw-away cgroup hierarchy for the "cpu" controller whose release
# agent (/agent.sh) removes every cgroup as soon as it becomes empty, then run
# ./test in an endless loop.  ./test creates one child cgroup per iteration.

mkdir /testg
mount -t cgroup -o cpu cgroup /testg

# Have the kernel invoke /agent.sh for each cgroup in this hierarchy that
# becomes empty.
echo /agent.sh > /testg/release_agent
echo 1 > /testg/notify_on_release

# Mount point for the tmpfs that ./test mounts and unmounts on every run.
mkdir /temp-mnt

# One '^' per iteration leaves a progress marker on the console, so the
# number of runs before a crash can be read off the oops line.
while true; do
    printf '^'
    ./test
done


agent.sh:
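#!/bin/sh
# Release agent for the /testg hierarchy (installed by init.sh through
# /testg/release_agent).  The kernel runs it with the path of the cgroup that
# just became empty, relative to the hierarchy root, as $1; prepending /testg
# yields the directory to remove.  The expansion is quoted so that a path
# containing whitespace or glob characters is neither word-split nor expanded.
rmdir "/testg$1"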


test.c:
#define _GNU_SOURCE
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mount.h>
#include <sys/ptrace.h>
#include <sys/stat.h>
#include <sys/wait.h>

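/*
 * Reproducer: make the init of a fresh pid namespace a member of a throw-away
 * cgroup under /testg, stop it at its own fork() through ptrace, then SIGKILL
 * it so the cgroup empties and the release agent (agent.sh) removes it.
 *
 * Every step is checked: a failed mount(), unshare(), fork(), ptrace(),
 * mkdtemp() or cgroup write is reported on stderr and the program exits, so a
 * permission problem (the namespace and cgroup steps need privileges) cannot
 * silently turn into a different scenario.  A NULL FILE from fopen() is no
 * longer passed to fprintf().
 *
 * Returns 0 when the whole sequence completed, EXIT_FAILURE otherwise.  On
 * every parent path the traced child is killed and the tmpfs is unmounted
 * before returning.
 */
int
main(void)
{
	int rc = EXIT_FAILURE;

	/* The tmpfs exists only so that the parent's cleanup path runs umount(). */
	if (mount("none", "/temp-mnt", "tmpfs", 0, "") == -1) {
		perror("mount /temp-mnt");
		return rc;
	}
	/* From here on, the next fork() child becomes pid 1 of a new pid namespace. */
	if (unshare(CLONE_NEWPID) == -1) {
		perror("unshare(CLONE_NEWPID)");
		goto out_umount;
	}

	pid_t pid = fork();
	if (pid == -1) {
		perror("fork");
		goto out_umount;
	}
	if (pid == 0) {
		/* Child: a single fork() is the event the tracer waits for. */
		fork();
		return 0;
	}

	/* Parent: PTRACE_O_TRACEFORK makes the child stop when it calls fork(). */
	if (ptrace(PTRACE_SEIZE, pid, 0, PTRACE_O_TRACEFORK) == -1) {
		perror("ptrace(PTRACE_SEIZE)");
		goto out_kill;
	}

	/* A fresh cgroup under /testg; agent.sh removes it once it is empty. */
	char cgroup_dir[128] = "/testg/XXXXXX";
	if (mkdtemp(cgroup_dir) == NULL) {
		perror("mkdtemp");
		goto out_kill;
	}

	char procs_path[256];
	int len = snprintf(procs_path, sizeof procs_path, "%s/cgroup.procs",
			   cgroup_dir);
	if (len < 0 || (size_t)len >= sizeof procs_path) {
		fputs("cgroup.procs path too long\n", stderr);
		goto out_kill;
	}

	/*
	 * Move the child into the new cgroup.  The stream is buffered, so the
	 * actual write -- and any error from it -- surfaces at fclose().
	 */
	FILE *f = fopen(procs_path, "w");
	if (f == NULL) {
		perror(procs_path);
		goto out_kill;
	}
	int written = fprintf(f, "%d\n", (int)pid);
	if (fclose(f) != 0 || written < 0) {
		perror(procs_path);
		goto out_kill;
	}

	/* Returns once the child has stopped at its fork(). */
	if (wait(NULL) == -1) {
		perror("wait");
		goto out_kill;
	}
	rc = 0;

out_kill:
	/* pid is init of the new pid namespace, so its fork child is torn down with it. */
	kill(pid, SIGKILL);
out_umount:
	if (umount("/temp-mnt") == -1) {
		perror("umount /temp-mnt");
	}
	return rc;
}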

--
Kazuki Yamaguchi <k@xxxxxx>