If someone hotplugs all the little CPUs while another CPU is handling a wakeup, we can potentially return new_cpu == NR_CPUS from hmp_select_slower_cpu (which is called internally by hmp_best_little_cpu as well). We will use this to deref the per_cpu rq array in hmp_next_down_delay which can go boom.
Signed-off-by: Chris Redpath chris.redpath@arm.com
---
 kernel/sched/fair.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c index 71da724..483dee8 100644 --- a/kernel/sched/fair.c +++ b/kernel/sched/fair.c @@ -4483,7 +4483,11 @@ unlock: #else new_cpu = hmp_select_slower_cpu(p, prev_cpu); #endif - if (new_cpu != prev_cpu) { + /* + * we might have no suitable CPU + * in which case new_cpu == NR_CPUS + */ + if (new_cpu < NR_CPUS && new_cpu != prev_cpu) { hmp_next_down_delay(&p->se, new_cpu); trace_sched_hmp_migrate(p, new_cpu, HMP_MIGRATE_WAKEUP); return new_cpu;
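Review bot: The comment added above the new `new_cpu < NR_CPUS` check, after the `#endif` in the wakeup path, says only "we might have no suitable CPU" and not how that state arises; it would be worth stating there, as the commit message does, that hmp_select_slower_cpu() can return NR_CPUS when the little CPUs are hotplugged out while a wakeup is in flight, so the reason for the guard survives in the source. The visible context does not show what the function does when the condition is false, so please confirm that the fall-through path never uses new_cpu as a CPU index or returns it while it still equals NR_CPUS. Because the sentinel originates in the selector, it is also worth checking whether any other caller of hmp_select_slower_cpu() indexes per-CPU data with the result and needs the same range check.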