linux/arch/x86/kernel
Suresh Siddha 75118a82e2 x86: fix NULL pointer deref in __switch_to
Patrick McHardy reported a crash:

> > I get this oops once a day, its apparently triggered by something
> > run by cron, but the process is a different one each time.
> >
> > Kernel is -git from yesterday shortly before the -rc6 release
> > (last commit is the usb-2.6 merge, the x86 patches are missing),
> > .config is attached.
> >
> > I'll retry with current -git, but the patches that have gone in
> > since I last updated don't look related.
> >
> > [62060.043009] BUG: unable to handle kernel NULL pointer dereference at
> > 000001ff
> > [62060.043009] IP: [<c0102a9b>] __switch_to+0x2f/0x118
> > [62060.043009] *pde = 00000000
> > [62060.043009] Oops: 0002 [#1] PREEMPT

Vegard Nossum analyzed it:

> This decodes to
>
>    0:   0f ae 00                fxsave (%eax)
>
> so it's related to the floating-point context. This is the exact
> location of the crash:
>
> $ addr2line -e arch/x86/kernel/process_32.o -i ab0
> include/asm/i387.h:232
> include/asm/i387.h:262
> arch/x86/kernel/process_32.c:595
>
> ...so it looks like prev_task->thread.xstate->fxsave has become NULL.
> Or maybe it never had any other value.

Somehow (as described below) TS_USEDFPU is set but the fpu is not
allocated or freed.

Another possible FPU pre-emption issue with the sleazy FPU optimization
which was benign before but not so anymore, with the dynamic FPU allocation
patch.

New task is getting exec'd and it is prempted at the below point.

flush_thread() {
	...
	/*
	* Forget coprocessor state..
	*/
	clear_fpu(tsk);
		<----- Preemption point
	clear_used_math();
	...
}

Now when it context switches in again, as the used_math() is still set
and fpu_counter can be > 5, we will do a math_state_restore() which sets
the task's TS_USEDFPU. After it continues from the above preemption point
it does clear_used_math() and much later free_thread_xstate().

Now, at the next context switch, it is quite possible that xstate is
null, used_math() is not set and TS_USEDFPU is still set. This will
trigger unlazy_fpu() causing kernel oops.

Fix this  by clearing tsk's fpu_counter before clearing task's fpu.

Reported-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Suresh Siddha <suresh.b.siddha@intel.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
2008-06-19 10:08:45 +02:00
..
acpi x86: fix APIC warning on 32bit v2 2008-06-04 13:11:46 +02:00
cpu [CPUFREQ] Crusoe: longrun cpufreq module reports false min freq 2008-05-19 18:17:28 -04:00
.gitignore
alternative.c x86: harden kernel code patching 2008-04-25 19:54:07 +02:00
aperture_64.c x86: clean up aperture_64.c 2008-04-17 17:41:19 +02:00
apic_32.c x86: cleanup div_sc() usage 2008-04-26 17:35:47 +02:00
apic_64.c x86: don't read maxlvt before checking if APIC is mapped 2008-05-23 14:08:06 +02:00
apm_32.c Merge branches 'release', 'acpica', 'bugzilla-10224', 'bugzilla-9772', 'bugzilla-9916', 'ec', 'eeepc', 'idle', 'misc', 'pm-legacy', 'sysfs-links-2.6.26', 'thermal', 'thinkpad' and 'video' into release 2008-04-30 13:58:00 -04:00
asm-offsets_32.c x86: use kbuild.h 2008-04-29 08:06:29 -07:00
asm-offsets_64.c x86: use kbuild.h 2008-04-29 08:06:29 -07:00
asm-offsets.c
audit_64.c
bootflag.c x86: coding style cleanup for kernel/bootflag.c 2008-01-30 13:32:31 +01:00
bugs_64.c x86: don't use large pages to map the first 2/4MB of memory 2008-04-17 17:41:30 +02:00
cpuid.c PM: Remove destroy_suspended_device() 2008-04-19 19:10:28 -07:00
crash_dump_32.c
crash_dump_64.c
crash.c x86: allow machine_crash_shutdown to be replaced 2008-04-27 12:00:29 +03:00
doublefault_32.c x86: unify tss_struct 2008-01-30 13:31:31 +01:00
ds.c x86: debug Store - call kfree if only we really need it 2008-04-17 17:41:34 +02:00
e820_32.c x86: rename find_max_pfn() to propagate_e820_map() 2008-04-19 19:19:55 +02:00
e820_64.c bootprotocol: cleanup 2008-04-29 13:45:24 +02:00
early_printk.c x86: coding style fixes to x86/kernel/early_printk.c 2008-04-17 17:40:51 +02:00
early-quirks.c x86: fix section mismatch warning in early-quirks.c 2008-01-30 13:33:37 +01:00
efi_32.c x86: sparse error in efi_32.c 2008-02-19 16:18:28 +01:00
efi_64.c x86: EFI_PAGE_SHIFT fix 2008-04-19 19:19:54 +02:00
efi_stub_32.S
efi_stub_64.S x86: EFI runtime service support 2008-01-30 13:31:19 +01:00
efi.c x86: EFI_PAGE_SHIFT fix 2008-04-19 19:19:54 +02:00
entry_32.S x86: fix lockdep warning during suspend-to-ram 2008-06-12 21:27:09 +02:00
entry_64.S x86: ptrace vs -ENOSYS 2008-04-17 17:41:13 +02:00
genapic_64.c fix: x86: support for new UV apic 2008-04-30 23:15:34 +02:00
genapic_flat_64.c x86: use cpumask_of_cpu() 2008-04-17 17:41:36 +02:00
genx2apic_uv_x.c x86: UV startup of slave cpus 2008-04-19 19:19:58 +02:00
geode_32.c x86: GEODE: cache results from geode_has_vsa2() and uninline 2008-05-08 15:43:50 +02:00
head32.c x86: introduce kernel/head32.c 2008-04-17 17:40:49 +02:00
head64.c x86, boot: add linked list of struct setup_data 2008-04-26 21:34:42 +02:00
head_32.S x86: fix asm warning in head_32.S 2008-06-12 21:26:12 +02:00
head_64.S x86: move suspend wakeup code to C 2008-04-17 17:41:37 +02:00
hpet.c hpet: fix 2008-04-30 23:15:34 +02:00
i386_ksyms_32.c Generic semaphore implementation 2008-04-17 10:42:34 -04:00
i387.c x86: fix broken math-emu with lazy allocation of fpu area 2008-06-04 13:11:46 +02:00
i8237.c
i8253.c x86: cleanup div_sc() usage 2008-04-26 17:35:47 +02:00
i8259_32.c x86: i8259A: remove redundant irq_descinitialization 2008-02-19 16:18:34 +01:00
i8259_64.c x86: provide a native_init_IRQ function on 64-bit 2008-01-30 13:33:19 +01:00
init_task.c [PATCH] take init_files to fs/file.c 2008-05-16 17:22:20 -04:00
io_apic_32.c Revert "x86: fix ioapic bug again" 2008-06-12 21:26:28 +02:00
io_apic_64.c x86: section mismatch fixes, #3 2008-04-26 17:35:48 +02:00
io_delay.c x86: add dmi quirk for io_delay 2008-03-26 22:23:40 +01:00
ioport.c x86: refactor ioport unification 2008-01-30 13:33:10 +01:00
ipi.c x86: create ipi.c 2008-04-17 17:40:56 +02:00
irq_32.c proper __do_softirq() prototype 2008-04-29 08:06:02 -07:00
irq_64.c x86: rename the struct pt_regs members for 32/64-bit consistency 2008-01-30 13:30:56 +01:00
k8.c
kdebugfs.c x86, boot: export linked list of struct setup_data via debugfs 2008-04-26 21:34:42 +02:00
kgdb.c x86: KGDB build fix 2008-04-19 19:19:54 +02:00
kprobes.c x86: replace most VM86 flags with flags from processor-flags.h 2008-04-17 17:41:33 +02:00
kvm.c x86: KVM guest: hypercall batching 2008-04-27 12:00:28 +03:00
kvmclock.c namespacecheck: automated fixes 2008-05-23 14:08:06 +02:00
ldt.c x86: cleanup - eliminate numbers in LDT allocation code 2008-02-04 16:48:03 +01:00
machine_kexec_32.c vmcoreinfo: fix the configuration dependencies 2008-02-07 08:42:25 -08:00
machine_kexec_64.c vmcoreinfo: add the symbol "phys_base" 2008-04-02 15:28:19 -07:00
Makefile pcspkr: fix dependancies 2008-05-07 12:42:03 +02:00
mca_32.c x86: coding style fixes to arch/x86/kernel/mca_32.c 2008-04-17 17:40:49 +02:00
mfgpt_32.c geode: fix modular build 2008-06-12 21:25:51 +02:00
microcode.c x86: use new set_cpus_allowed_ptr function 2008-04-19 19:44:58 +02:00
mmconf-fam10h_64.c x86: add pci=check_enable_amd_mmconf and dmi check 2008-04-26 23:41:04 +02:00
module_32.c
module_64.c
mpparse.c x86: es7000 build fix 2008-05-04 20:04:45 +02:00
msr.c PM: Remove destroy_suspended_device() 2008-04-19 19:10:28 -07:00
nmi_32.c Revert "x86: fix ioapic bug again" 2008-06-12 21:26:28 +02:00
nmi_64.c ftrace: add notrace annotations for NMI routines 2008-04-19 19:19:55 +02:00
numaq_32.c x86: convert TSC disabling to generic cpuid disable bitmap 2008-01-30 13:33:20 +01:00
olpc.c x86: olpc: add One Laptop Per Child architecture support 2008-04-29 08:06:07 -07:00
paravirt_patch_32.c x86: move patching code to arch-specific file. 2008-01-30 13:32:10 +01:00
paravirt_patch_64.c x86: add stringify header 2008-01-30 13:33:19 +01:00
paravirt.c x86: add pud_alloc for 4-level pagetables 2008-04-24 23:57:31 +02:00
pci-calgary_64.c x86: remove duplicate get_bios_ebda() from rio.h 2008-04-26 17:35:47 +02:00
pci-dma.c x86, pci-dma.c: don't always add __GFP_NORETRY to gfp 2008-06-10 12:22:18 +02:00
pci-gart_64.c suspend-vs-iommu: prevent suspend if we could not resume 2008-06-04 13:11:47 +02:00
pci-nommu.c x86: unify pci-nommu 2008-04-19 19:19:57 +02:00
pci-swiotlb_64.c x86: dma-ops on highmem fix 2008-04-19 19:19:56 +02:00
pcspeaker.c
pmtimer_64.c
process_32.c x86: fix NULL pointer deref in __switch_to 2008-06-19 10:08:45 +02:00
process_64.c x86: fix NULL pointer deref in __switch_to 2008-06-19 10:08:45 +02:00
process.c x86: disable mwait for AMD family 10H/11H CPUs 2008-05-17 22:57:20 +02:00
ptrace.c x86: user_regset_view table fix for ia32 on 64-bit 2008-05-13 19:40:20 +02:00
quirks.c x86: hpet clock enable quirk on nVidia nForce 430 2008-03-21 17:06:15 +01:00
reboot_fixups_32.c x86: add the RDC machine specific reboot fixup 2008-01-30 13:33:36 +01:00
reboot.c x86: remove dell reboot dmi quirk board name match 2008-05-04 20:04:45 +02:00
relocate_kernel_32.S x86: relocate_kernel - use predefined macroses for page attributes 2008-04-17 17:41:29 +02:00
relocate_kernel_64.S x86: relocate_kernel - use predefined macroses for page attributes 2008-04-17 17:41:29 +02:00
rtc.c provide rtc_cmos platform device 2008-06-12 18:05:42 -07:00
scx200_32.c x86: fix sparse warning in kernel/scx200_32.c 2008-01-31 22:05:45 +01:00
setup64.c x86: fix exec mappings comments 2008-04-19 19:19:55 +02:00
setup_32.c x86: restrict keyboard io ports reservation to make ipmi driver work 2008-05-10 19:31:45 +02:00
setup_64.c x86: early_init_centaur(): use set_cpu_cap() 2008-05-13 19:37:38 +02:00
setup.c x86: [VOYAGER] fix duplicate phys_cpu_present_map symbol 2008-05-12 21:27:51 +02:00
sigframe.h x86: move struct definitions to unifed sigframe.h 2008-04-17 17:40:46 +02:00
signal_32.c signals: x86 TS_RESTORE_SIGMASK 2008-04-30 08:29:37 -07:00
signal_64.c signals: x86 TS_RESTORE_SIGMASK 2008-04-30 08:29:37 -07:00
smp.c x86: fix app crashes after SMP resume 2008-05-13 19:36:12 +02:00
smpboot.c x86: disable preemption in native_smp_prepare_cpus 2008-06-04 13:11:46 +02:00
smpcommon_32.c x86: create smpcommon.c 2008-04-17 17:40:55 +02:00
smpcommon.c x86: create smpcommon.c 2008-04-17 17:40:55 +02:00
srat_32.c x86: replace remaining __FUNCTION__ occurances 2008-04-17 17:40:57 +02:00
stacktrace.c x86: don't save unreliable stack trace entries 2008-02-26 12:55:58 +01:00
step.c x86: prevent unconditional writes to DebugCtl MSR 2008-04-17 17:40:58 +02:00
summit_32.c x86: use get_bios_ebda() 2008-04-26 17:35:47 +02:00
sys_i386_32.c unified (weak) sys_pipe implementation 2008-05-03 13:50:33 -07:00
sys_x86_64.c unified (weak) sys_pipe implementation 2008-05-03 13:50:33 -07:00
syscall_64.c x86: coding style fixes to arch/x86/kernel/syscall_64.c 2008-04-17 17:40:48 +02:00
syscall_table_32.S timerfd: wire the new timerfd API to the x86 family 2008-02-05 09:44:07 -08:00
tce_64.c
test_nx.c x86: Explicitly include required header files. 2008-04-17 17:41:15 +02:00
test_rodata.c x86: include proper prototypes for rodata_test 2008-02-14 23:30:20 +01:00
time_32.c proper extern for late_time_init 2008-04-29 08:06:03 -07:00
time_64.c time: fix typo in comments 2008-02-08 09:22:29 -08:00
tlb_32.c x86: create tlb files 2008-04-17 17:40:56 +02:00
tlb_64.c x86: use cpumask function for present, possible, and online cpus 2008-04-26 17:35:47 +02:00
tls.c asmlinkage_protect replaces prevent_tail_call 2008-04-10 17:28:26 -07:00
tls.h x86: x86 user_regset TLS 2008-01-30 13:31:52 +01:00
topology.c x86: fix section mismatch warning in topology.c:arch_register_cpu 2008-02-19 16:18:30 +01:00
trampoline_32.S x86: trampoline_32.S - switch to .cpuinit.data 2008-04-26 17:35:47 +02:00
trampoline_64.S x86: move suspend wakeup code to C 2008-04-17 17:41:37 +02:00
trampoline.c x86: standalone trampoline code 2008-04-17 17:41:37 +02:00
traps_32.c x86, lockdep: fix "WARNING: at kernel/lockdep.c:2658 check_flags+0x4c/0x128()" 2008-06-12 21:27:19 +02:00
traps_64.c x86, fpu: lazy allocation of FPU area - v5 2008-04-19 19:19:55 +02:00
tsc_32.c x86: disable TSC for sched_clock() when calibration failed 2008-05-23 14:08:06 +02:00
tsc_64.c x86: fix setup of cyc2ns in tsc_64.c 2008-05-23 14:08:06 +02:00
tsc_sync.c x86: add warning to check_tsc_warp() 2008-01-30 13:33:24 +01:00
verify_cpu_64.S
vm86_32.c x86: replace most VM86 flags with flags from processor-flags.h 2008-04-17 17:41:33 +02:00
vmi_32.c x86: unify KERNEL_PGD_PTRS 2008-04-24 23:57:31 +02:00
vmiclock_32.c x86: isolate PIC/PIT in/out calls 2008-01-30 13:33:14 +01:00
vmlinux_32.lds.S x86: use ELF section to list CPU vendor specific code 2008-04-17 17:40:47 +02:00
vmlinux_64.lds.S x86_64 vDSO: use initdata 2008-04-28 13:49:35 -07:00
vmlinux.lds.S
vsmp_64.c x86: fix warning in "x86: clean up vSMP detection" 2008-04-29 13:45:24 +02:00
vsyscall_64.c "make namespacecheck" fixes 2008-04-24 23:15:44 +02:00
x8664_ksyms_64.c x86: fix csum_partial() export 2008-05-13 19:38:47 +02:00