Wind River Support Network

Optional Type: Patch

Patch to the Linux kernel that fixes a kernel crash under heavily loaded POSIX threads and timers.

Released: Sep 16, 2007     Updated: Sep 16, 2007

Description

Problem Description:
--------------------
Running many POSIX timers and threads concurrently causes a kernel crash.

The message is:

kernel BUG at :15081!
invalid operand: 0000 [#1]
SMP
LTT NESTING LEVEL : 0
Modules linked in: ipmi_watchdog ipmi_si ipmi_devintf ipmi_msghandler softdog binfmt_misc video thermal processor fan button battery ac sctp uhci_hcd usbcore ip6_tables ip_tables ipv6
CPU: 2
EIP: 0060:[] Not tainted VLI
EFLAGS: 00010046 (2.6.14.7-selinux1-WR1.4aq_cgl)
EIP is at send_sigqueue+0xdf/0xf7
eax: 00000020 ebx: f6b0b368 ecx: f66115b0 edx: f6b0b368
esi: f66115b0 edi: 00000020 ebp: c04b0d9c esp: c04b0d88
ds: 007b es: 007b ss: 0068
Process swapper (pid: 0, threadinfo=c04b0000 task=c317eaf0)
Stack: 00000000 00000092 f6602248 00000000 f6b0b3f8 c04b0dac c013fd9d f6602248
f6602250 c04b0dc8 c013fe19 00000000 00000282 f660227c c013fdd2 c30250a0
c04b0df8 c0143cd8 c30250a4 f6602248 6c9d81ba 000000eb 00000001 6c9d81ba
Call Trace:
[] show_stack+0x7a/0x90
[] show_registers+0x14f/0x1c7
[] die+0x11a/0x195
[] do_trap+0x1991/0x205b
[] do_invalid_op+0xa3/0xad
[] error_code+0x4f/0x54
[] posix_timer_event+0x71/0xa6
[] posix_timer_fn+0x47/0x9d
[] hrtimer_run_queues+0x84/0xec
[] run_timer_softirq+0x15f/0x847
[] __do_softirq+0x5d6/0x110f
[] do_softirq+0x50/0x5f

- When a POSIX timer is deleted via sys_timer_delete(), sigqueue_free() races with collect_signal(), which dequeues the timer's pending signal when a thread receives it.

- sigqueue_free() tested list_empty(&q->list) without holding any lock. If collect_signal() had just unlinked the entry but not yet called __sigqueue_free() on it, sigqueue_free() saw an empty list, cleared SIGQUEUE_PREALLOC and freed the sigqueue; collect_signal() then freed the same sigqueue again.

- As a result __sigqueue_free() is called twice on the same "struct sigqueue", with the obviously bad implications; the oops in send_sigqueue() shown above is the consequence.

- All threads in the same thread group share the same ->sighand, and thus the same ->sighand->siglock, so that lock is the one that serializes the two paths.

Comments on the Fix:
--------------------
- sigqueue_free() now takes ->sighand->siglock before checking list_empty(&q->list). collect_signal() is always called under sighand->siglock, which sigqueue_free() now also holds for the test, so the race is impossible.
IDENTIFIER = WIND00096705PNELE14
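To make the interleaving concrete, the following is an added userspace model of the race written for this page; it is not Wind River's or the kernel's code. The list, the lock and the slab cache are stand-ins, the two CPUs are interleaved explicitly at the critical moment, and the unpatched and patched forms of sigqueue_free() are selected by a flag:

```c
/*
 * Userspace model of the sigqueue_free() / collect_signal() race.
 * Constructed example, not kernel code: the list, the lock and the
 * allocator are stand-ins, and the two CPUs are interleaved by hand
 * at the point where the race bites.
 */
#include <stdbool.h>
#include <stdio.h>

#define SIGQUEUE_PREALLOC 0x1

struct list_head { struct list_head *next, *prev; };

static void INIT_LIST_HEAD(struct list_head *l) { l->next = l; l->prev = l; }
static bool list_empty(const struct list_head *l) { return l->next == l; }
static void list_add_tail(struct list_head *n, struct list_head *h)
{
	n->next = h; n->prev = h->prev; h->prev->next = n; h->prev = n;
}
static void list_del_init(struct list_head *e)
{
	e->prev->next = e->next; e->next->prev = e->prev; INIT_LIST_HEAD(e);
}

/* 'list' first, so a pending-list pointer can be cast back to the sigqueue */
struct sigqueue { struct list_head list; unsigned int flags; };

/* Stand-in for ->sighand->siglock and for the slab cache: count how often the
 * same sigqueue is handed back, which is the double free behind the oops. */
struct model { bool siglock_held; int frees_of_q; };

static bool siglock_trylock(struct model *m)
{
	if (m->siglock_held) return false;   /* other CPU holds it: we would spin */
	m->siglock_held = true;
	return true;
}
static void siglock_unlock(struct model *m) { m->siglock_held = false; }

/* Like the kernel's __sigqueue_free(): a preallocated (timer-owned) sigqueue
 * is not returned to the cache by signal delivery, only by its owner. */
static void __sigqueue_free(struct model *m, struct sigqueue *q)
{
	if (q->flags & SIGQUEUE_PREALLOC) return;
	m->frees_of_q++;
}

enum step { DONE, BLOCKED };

/* sys_timer_delete() -> sigqueue_free().  With fixed == false the list_empty()
 * test runs without the lock (the code that crashed); with fixed == true
 * ->siglock is taken first, as the patch does.  BLOCKED means the caller is
 * spinning on ->siglock and must be re-run once it is released. */
static enum step sigqueue_free(struct model *m, struct sigqueue *q, bool fixed)
{
	if (fixed || !list_empty(&q->list)) {
		if (!siglock_trylock(m)) return BLOCKED;
		if (!list_empty(&q->list)) list_del_init(&q->list);
		siglock_unlock(m);
	}
	q->flags &= ~SIGQUEUE_PREALLOC;
	__sigqueue_free(m, q);
	return DONE;
}

/* Interleave CPU A (dequeue_signal() -> collect_signal(), under ->siglock)
 * with CPU B (sigqueue_free()) at the worst moment: after A has unlinked the
 * sigqueue but before A's __sigqueue_free().  Returns how many times the one
 * sigqueue was freed: 1 is correct, 2 is the double free. */
static int run_race(bool fixed)
{
	struct model m = { false, 0 };
	struct list_head pending;
	struct sigqueue q = { .flags = SIGQUEUE_PREALLOC };
	struct sigqueue *first;
	enum step b;

	INIT_LIST_HEAD(&pending);
	INIT_LIST_HEAD(&q.list);
	list_add_tail(&q.list, &pending);        /* timer expired: signal queued */

	/* CPU A: collect_signal() */
	siglock_trylock(&m);                     /* uncontended at this point */
	first = (struct sigqueue *)pending.next;
	list_del_init(&first->list);

	/* CPU B: sys_timer_delete() arrives exactly now */
	b = sigqueue_free(&m, &q, fixed);

	/* CPU A resumes */
	__sigqueue_free(&m, first);
	siglock_unlock(&m);

	/* CPU B, if it was spinning on ->siglock, gets it now */
	if (b == BLOCKED)
		sigqueue_free(&m, &q, fixed);

	return m.frees_of_q;
}

int main(void)
{
	printf("unpatched: sigqueue freed %d times\n", run_race(false));
	printf("patched:   sigqueue freed %d times\n", run_race(true));
	return 0;
}
```

Compiled with any C99 compiler, the unpatched path reports two frees of the same sigqueue and the patched path exactly one. The point of the patch is that list_empty() and the decision it drives must sit under the same lock collect_signal() holds; re-testing under the lock only when the unlocked test looked non-empty is not enough, because the dangerous case is the one where the list already looked empty.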


Product Version

Linux Platforms 1.x

Installation Notes

Installation Instructions:
--------------------------

1. Copy the patch zip file to your /updates directory
2. Unzip the patch file
3. Go to your /updates/ directory
4. Run setup_linux and install the patch
5. This is a source patch, so you must rebuild the kernel for the fix to take effect.

