From: "Luiz Fernando N. Capitulino" <lcapitulino@mandriva.com.br>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
mingo@elte.hu, herton@mandriva.com.br, dvgevers@xs4all.nl
Subject: [local DoS] Re: Linux 2.6.24-rc4
Date: Tue, 4 Dec 2007 12:07:15 -0200 [thread overview]
Message-ID: <20071204120715.4ea204a8@mandriva.com.br> (raw)
In-Reply-To: <alpine.LFD.0.9999.0712032055080.2981@woody.linux-foundation.org>
Em Mon, 3 Dec 2007 21:08:12 -0800 (PST)
Linus Torvalds <torvalds@linux-foundation.org> escreveu:
| That said, none of the changes are really _exciting_ or really scary. And
| we should have fixed a number of regressions, although more certainly
| remain.
A Mandriva user reported this bug last week. Run the following program
as a normal user.
"""
#include <stdio.h>
#include <sched.h>
int main(void)
{
sched_rr_get_interval(1, NULL);
return 0;
}
"""
You should get the following OOPS and the machine will hang.
"""
divide error: 0000 [#1] SMP
Modules linked in: af_packet snd_seq_dummy snd_seq_oss snd_seq_midi_event ipv6 snd_seq snd_pcm_oss snd_mie
Pid: 4202, comm: unhide Not tainted (2.6.24-desktop-0.rc3.2mdv #1)
EIP: 0060:[<c01276cb>] EFLAGS: 00010046 CPU: 0
EIP is at sched_slice+0x3b/0x60
EAX: 00000004 EBX: c4b40000 ECX: 00000004 EDX: 00000000
ESI: 00000000 EDI: 00000000 EBP: d7d2bf84 ESP: d7d2bf78
DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
Process unhide (pid: 4202, ti=d7d2a000 task=d7d29580 task.ti=d7d2a000)
Stack: c140a0a0 df98a000 00000000 d7d2bfb0 c012cc1e d7d2bfb8 d7c019f4 00000064
0804a898 00000000 00000286 00000001 b7f3acc0 00000000 d7d2a000 c010830e
00000001 bffdc2b8 b7f0cff4 b7f3acc0 00000000 bffdc2c8 000000a1 0000007b
Call Trace:
[<c01094ca>] show_trace_log_lvl+0x1a/0x30
[<c010958b>] show_stack_log_lvl+0xab/0xd0
[<c010966d>] show_registers+0xbd/0x1c0
[<c0109894>] die+0x124/0x250
[<c0109a51>] do_trap+0x91/0xc0
[<c0109f55>] do_divide_error+0x85/0x90
[<c033bc6a>] error_code+0x72/0x78
[<c012cc1e>] sys_sched_rr_get_interval+0x7e/0xf0
[<c010830e>] sysenter_past_esp+0x6b/0xa1
=======================
Code: d6 89 7c 24 08 8b 40 08 e8 b3 fe ff ff 8b 0e 8b 3b 89 d6 0f af f1 f7 e1 8d 1c 16 89 da 89 d1 31 d2
EIP: [<c01276cb>] sched_slice+0x3b/0x60 SS:ESP 0068:d7d2bf78
"""
That OOPS is from a -rc3-git1 Mandriva kernel, but the same thing
happens with you're latest tree.
I've reported it to vendor-sec but looks like it's only
present in 2.6.24-rcs and Ingo's CFS backports.
As Ingo's usually very responsive and he didn't answer me so
far I'm starting to think you can't reproduce this problem?
Anyway, the problem seems to be in sched_slice() called by
sys_sched_rr_get_interval():
time_slice = NS_TO_JIFFIES(sched_slice(cfs_rq_of(se), se));
sched_slice() will use 'cfs_rq->load.weight' as the base for a
division, which is zero for process 1.
The following hack fixes the problem for me.
-----
Index: linux-2.6.23/kernel/sched_fair.c
===================================================================
--- linux-2.6.23.orig/kernel/sched_fair.c
+++ linux-2.6.23/kernel/sched_fair.c
@@ -266,7 +266,8 @@ static u64 sched_slice(struct cfs_rq *cf
u64 slice = __sched_period(cfs_rq->nr_running);
slice *= se->load.weight;
- do_div(slice, cfs_rq->load.weight);
+ if (likely(cfs_rq->load.weight))
+ do_div(slice, cfs_rq->load.weight);
return slice;
}
--
Luiz Fernando N. Capitulino
next prev parent reply other threads:[~2007-12-04 14:07 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-12-04 5:08 Linux 2.6.24-rc4 Linus Torvalds
2007-12-04 10:23 ` [build failure] Re: Linux 2.6.24-rc4 on S390x Kamalesh Babulal
2007-12-04 10:31 ` Martin Schwidefsky
2007-12-04 10:32 ` Ingo Molnar
2007-12-04 13:22 ` Linux 2.6.24-rc4 Nicolas Pitre
2007-12-04 16:04 ` Jeff Garzik
2007-12-04 14:07 ` Luiz Fernando N. Capitulino [this message]
2007-12-04 15:56 ` [local DoS] " Linus Torvalds
2007-12-04 16:00 ` Ingo Molnar
2007-12-04 16:04 ` Luiz Fernando N. Capitulino
2007-12-04 16:08 ` Ingo Molnar
2007-12-04 16:18 ` [git pull] scheduler fixes Ingo Molnar
2007-12-04 16:40 ` Luiz Fernando N. Capitulino
2007-12-04 18:28 ` Greg KH
2007-12-04 18:41 ` Luiz Fernando N. Capitulino
2007-12-04 21:04 ` Ingo Molnar
2007-12-04 20:51 ` Linux 2.6.24-rc4 Maciej Rutecki
2007-12-04 21:06 ` Linus Torvalds
2007-12-04 21:19 ` Maciej Rutecki
2007-12-04 21:23 ` ATA ACPI (was Re: Linux 2.6.24-rc4) Jeff Garzik
2007-12-04 21:25 ` Jeff Garzik
2007-12-04 21:25 ` Alan Cox
2007-12-04 21:27 ` Jeff Garzik
2007-12-04 22:48 ` Maciej Rutecki
2007-12-04 23:00 ` Jeff Garzik
2007-12-05 7:46 ` Maciej Rutecki
2007-12-10 8:42 ` Tejun Heo
2007-12-05 0:23 ` Linux 2.6.24-rc4 Diego Calleja
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20071204120715.4ea204a8@mandriva.com.br \
--to=lcapitulino@mandriva.com.br \
--cc=dvgevers@xs4all.nl \
--cc=herton@mandriva.com.br \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@elte.hu \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.