Re: [PATCH v4] sched/numa: fix unsafe get_task_struct() in task_numa_assign()
From: Sasha Levin
Date: Mon Nov 10 2014 - 11:45:19 EST
On 11/10/2014 11:36 AM, Kirill Tkhai wrote:
> I mean task_numa_find_cpu(). If a garbage is in cpumask_of_node(env->dst_nid)
> and cpu is bigger than mask, the check
>
> cpumask_test_cpu(cpu, tsk_cpus_allowed(env->p)
>
> may be true.
>
> So, we dereference wrong rq in task_numa_compare(). It's not rq at all.
> Strange cpu may be from here. It's just a int number in a wrong memory.
But the odds of the spinlock magic and owner pointer matching up are slim
to none in that case. The memory is also likely to be valid since KASAN didn't
complain about the access, so I don't believe it to be an access to freed memory.
>
> A hypothesis that below may help:
>
> diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
> index 826fdf3..a2b4a8a 100644
> --- a/kernel/sched/fair.c
> +++ b/kernel/sched/fair.c
> @@ -1376,6 +1376,9 @@ static void task_numa_find_cpu(struct task_numa_env *env,
> {
> int cpu;
>
> + if (!node_online(env->dst_nid))
> + return;
I've changed that to BUG_ON(!node_online(env->dst_nid)) and will run it for a
bit.
Thanks,
Sasha
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/