From: Thomas Gleixner <tglx@linutronix.de>
To: Jiri Slaby <jslaby@suse.cz>
Cc: Petr Mladek <pmladek@suse.com>, Jan Kara <jack@suse.cz>,
Ben Hutchings <ben@decadent.org.uk>, Tejun Heo <tj@kernel.org>,
Sasha Levin <sasha.levin@oracle.com>, Shaohua Li <shli@fb.com>,
LKML <linux-kernel@vger.kernel.org>,
stable@vger.kernel.org, Daniel Bilik <daniel.bilik@neosystem.cz>
Subject: Re: Crashes with 874bbfe600a6 in 3.18.25
Date: Wed, 3 Feb 2016 11:41:26 +0100 (CET)
Message-ID: <alpine.DEB.2.11.1602031133230.25254@nanos>
In-Reply-To: <56B1C9E4.4020400@suse.cz>
On Wed, 3 Feb 2016, Jiri Slaby wrote:
> On 01/26/2016, 02:09 PM, Thomas Gleixner wrote:
> What happens in later kernels, when the cpu is offlined before the
> delayed_work timer ticks? In stable 3.12, with the patch, this scenario
> results in an oops:
> #5 [ffff8c03fdd63d80] page_fault at ffffffff81523a88
> [exception RIP: __queue_work+121]
> RIP: ffffffff81071989 RSP: ffff8c03fdd63e30 RFLAGS: 00010086
> RAX: ffff88048b96bc00 RBX: ffff8c03e9bcc800 RCX: ffff880473820478
> RDX: 0000000000000400 RSI: 0000000000000004 RDI: ffff880473820458
> RBP: 0000000000000000 R8: ffff8c03fdd71f40 R9: ffff8c03ea4c4002
> R10: 0000000000000000 R11: 0000000000000005 R12: ffff880473820458
> R13: 00000000000000a8 R14: 000000000000e328 R15: 00000000000000a8
> ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
> #6 [ffff8c03fdd63e68] call_timer_fn at ffffffff81065611
> #7 [ffff8c03fdd63e98] run_timer_softirq at ffffffff810663b7
> #8 [ffff8c03fdd63f00] __do_softirq at ffffffff8105e2c5
> #9 [ffff8c03fdd63f68] call_softirq at ffffffff8152cf9c
> #10 [ffff8c03fdd63f80] do_softirq at ffffffff81004665
> #11 [ffff8c03fdd63fa0] smp_apic_timer_interrupt at ffffffff8152d835
> #12 [ffff8c03fdd63fb0] apic_timer_interrupt at ffffffff8152c2dd
>
> The CPU was 168, and that one was offlined in the meantime. So
> __queue_work fails at:
> 	if (!(wq->flags & WQ_UNBOUND))
> 		pwq = per_cpu_ptr(wq->cpu_pwqs, cpu);
> 	else
> 		pwq = unbound_pwq_by_node(wq, cpu_to_node(cpu));
> 		^^^                       ^^^^ NODE is -1
> 		 \ pwq is NULL
>
> 	if (last_pool && last_pool != pwq->pool) { <--- BOOM
I don't see how that works on later kernels. If cpu_to_node() returns -1 we
access outside of the array bounds....
Thanks,
tglx
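Added example, not part of the mail and not kernel source: a toy model of the node-indexed lookup the thread discusses. The kernel's real `unbound_pwq_by_node()` indexes a per-workqueue table by NUMA node; here the table (`numa_pwq_tbl`), its size (`NR_NODES`), the `cpu_node` map and the helpers `toy_cpu_to_node()`, `pwq_by_node_checked()` and `queue_work_check()` are all constructed for illustration. CPU 5 models the offlined CPU whose node mapping has been cleared to `NO_NODE` (standing in for `NUMA_NO_NODE`), which an unguarded lookup would feed straight into the table as an index of -1. The checked lookup rejects out-of-range nodes and an empty slot, so the caller sees a failed lookup instead of a NULL `pwq->pool` dereference.

```c
/*
 * Added example (not from the thread or the kernel): a toy model of
 * looking up a pool_workqueue by NUMA node. Everything below is
 * constructed for illustration.
 */
#include <stddef.h>
#include <stdio.h>

#define NR_NODES 4
#define NO_NODE (-1)            /* stands in for NUMA_NO_NODE */

struct pool { int id; };
struct pwq  { struct pool *pool; };

/* Constructed per-node table: node 3 has no pwq installed (NULL slot). */
static struct pool pools[NR_NODES] = { {0}, {1}, {2}, {3} };
static struct pwq  pwqs[NR_NODES]  = { {&pools[0]}, {&pools[1]}, {&pools[2]}, {&pools[3]} };
static struct pwq *numa_pwq_tbl[NR_NODES] = { &pwqs[0], &pwqs[1], &pwqs[2], NULL };

/*
 * Constructed cpu->node map. CPU 5 models the offlined CPU in the report:
 * its mapping reads NO_NODE, i.e. -1, which must never become an index.
 */
#define NR_CPUS 6
static int cpu_node[NR_CPUS] = { 0, 0, 1, 1, 2, NO_NODE };

static int toy_cpu_to_node(int cpu)
{
    return (cpu >= 0 && cpu < NR_CPUS) ? cpu_node[cpu] : NO_NODE;
}

/*
 * Hardened lookup: refuse to index the table with a node outside
 * [0, NR_NODES) instead of trusting the caller. Returns NULL when the
 * node is unknown or the slot is empty, so callers must check the result.
 */
static struct pwq *pwq_by_node_checked(int node)
{
    if (node < 0 || node >= NR_NODES)
        return NULL;
    return numa_pwq_tbl[node];
}

/*
 * Mirrors the shape of the crashing path: resolve the pwq for a CPU, then
 * compare pools. Returns 0 when the lookup yields no pwq (the case that
 * dereferenced NULL in the report), 2 when last_pool differs from the
 * pwq's pool (the real code re-locks and re-checks here), 1 otherwise.
 */
static int queue_work_check(int cpu, struct pool *last_pool)
{
    struct pwq *pwq = pwq_by_node_checked(toy_cpu_to_node(cpu));

    if (!pwq || !pwq->pool)
        return 0;           /* unguarded code would read pwq->pool here */
    if (last_pool && last_pool != pwq->pool)
        return 2;
    return 1;
}

int main(void)
{
    printf("cpu 0 -> %d\n", queue_work_check(0, NULL));   /* 1: online, node 0 */
    printf("cpu 5 -> %d\n", queue_work_check(5, NULL));   /* 0: offlined, NO_NODE */
    return 0;
}
```

The point of the guard is that a sentinel such as -1 is a valid `int` but not a valid index; the lookup, not its callers, is the place to reject it.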