linux/kernel/sched
Mel Gorman 0e9f02450d sched/fair: Do not re-read ->h_load_next during hierarchical load calculation
A NULL pointer dereference bug was reported on a distribution kernel but
the same issue should be present on mainline kernel. It occured on s390
but should not be arch-specific.  A partial oops looks like:

  Unable to handle kernel pointer dereference in virtual kernel address space
  ...
  Call Trace:
    ...
    try_to_wake_up+0xfc/0x450
    vhost_poll_wakeup+0x3a/0x50 [vhost]
    __wake_up_common+0xbc/0x178
    __wake_up_common_lock+0x9e/0x160
    __wake_up_sync_key+0x4e/0x60
    sock_def_readable+0x5e/0x98

The bug hits any time between 1 hour to 3 days. The dereference occurs
in update_cfs_rq_h_load when accumulating h_load. The problem is that
cfq_rq->h_load_next is not protected by any locking and can be updated
by parallel calls to task_h_load. Depending on the compiler, code may be
generated that re-reads cfq_rq->h_load_next after the check for NULL and
then oops when reading se->avg.load_avg. The dissassembly showed that it
was possible to reread h_load_next after the check for NULL.

While this does not appear to be an issue for later compilers, it's still
an accident if the correct code is generated. Full locking in this path
would have high overhead so this patch uses READ_ONCE to read h_load_next
only once and check for NULL before dereferencing. It was confirmed that
there were no further oops after 10 days of testing.

As Peter pointed out, it is also necessary to use WRITE_ONCE() to avoid any
potential problems with store tearing.

Signed-off-by: Mel Gorman <mgorman@techsingularity.net>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Valentin Schneider <valentin.schneider@arm.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mike Galbraith <efault@gmx.de>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: <stable@vger.kernel.org>
Fixes: 685207963b ("sched: Move h_load calculation to task_h_load()")
Link: https://lkml.kernel.org/r/20190319123610.nsivgf3mjbjjesxb@techsingularity.net
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2019-04-03 09:50:22 +02:00
..
Makefile psi: pressure stall information for CPU, memory, and IO 2018-10-26 16:26:32 -07:00
autogroup.c sched/autogroup: Fix possible Spectre-v1 indexing for sched_prio_to_weight[] 2018-05-05 08:34:42 +02:00
autogroup.h sched/headers: Simplify and clean up header usage in the scheduler 2018-03-04 12:39:29 +01:00
clock.c sched/clock: Disable interrupts when calling generic_sched_clock_init() 2018-07-30 19:33:35 +02:00
completion.c sched/Documentation: Update wake_up() & co. memory-barrier guarantees 2018-07-17 09:30:34 +02:00
core.c Merge branch 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2019-03-24 11:42:10 -07:00
cpuacct.c sched/headers: Simplify and clean up header usage in the scheduler 2018-03-04 12:39:29 +01:00
cpudeadline.c sched/headers: Simplify and clean up header usage in the scheduler 2018-03-04 12:39:29 +01:00
cpudeadline.h sched/headers: Simplify and clean up header usage in the scheduler 2018-03-04 12:39:29 +01:00
cpufreq.c sched: Replace synchronize_sched() with synchronize_rcu() 2019-01-25 15:28:22 -08:00
cpufreq_schedutil.c Merge branch 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2019-03-24 11:42:10 -07:00
cpupri.c sched/headers: Simplify and clean up header usage in the scheduler 2018-03-04 12:39:29 +01:00
cpupri.h sched/headers: Simplify and clean up header usage in the scheduler 2018-03-04 12:39:29 +01:00
cputime.c sched: Fix various typos in comments 2018-12-03 11:55:42 +01:00
deadline.c sched/fair: Update scale invariance of PELT 2019-02-04 09:13:21 +01:00
debug.c sched/debug: Initialize sd_sysctl_cpus if !CONFIG_CPUMASK_OFFSTACK 2019-02-04 09:13:21 +01:00
fair.c sched/fair: Do not re-read ->h_load_next during hierarchical load calculation 2019-04-03 09:50:22 +02:00
features.h sched/fair: Disable LB_BIAS by default 2018-10-02 09:45:01 +02:00
idle.c x86/stackprotector: Remove the call to boot_init_stack_canary() from cpu_startup_entry() 2018-10-22 04:07:24 +02:00
isolation.c sched/fair: Use non-atomic cpumask_{set,clear}_cpu() 2019-02-13 08:34:13 +01:00
loadavg.c sched: loadavg: make calc_load_n() public 2018-10-26 16:26:32 -07:00
membarrier.c sched/membarrier: synchronize_sched() with synchronize_rcu() 2018-11-27 09:21:43 -08:00
pelt.c sched/fair: Update scale invariance of PELT 2019-02-04 09:13:21 +01:00
pelt.h sched/fair: Update scale invariance of PELT 2019-02-04 09:13:21 +01:00
psi.c psi: avoid divide-by-zero crash inside virtual machines 2019-02-21 09:01:00 -08:00
rt.c sched/fair: Update scale invariance of PELT 2019-02-04 09:13:21 +01:00
sched-pelt.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
sched.h Merge branch 'sched-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2019-03-06 08:14:05 -08:00
stats.c proc: introduce proc_create_seq{,_data} 2018-05-16 07:23:35 +02:00
stats.h psi: make disabling/enabling easier for vendor kernels 2018-11-30 14:56:14 -08:00
stop_task.c sched: Clean up and harmonize the coding style of the scheduler code base 2018-03-03 15:50:21 +01:00
swait.c kernel/sched/: remove caller signal_pending branch predictions 2019-01-04 13:13:48 -08:00
topology.c Merge branch 'sched-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2019-03-06 08:14:05 -08:00
wait.c kernel/sched/: remove caller signal_pending branch predictions 2019-01-04 13:13:48 -08:00
wait_bit.c sched/wait: Improve __var_waitqueue() code generation 2018-03-20 08:23:25 +01:00