| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 09 Mar 2015 13:46:43 -0400 From: Sasha Levin <sasha.levin@...cle.com> To: Peter Zijlstra <peterz@...radead.org>, Ingo Molnar <mingo@...nel.org> CC: Dave Jones <davej@...emonkey.org.uk>, LKML <linux-kernel@...r.kernel.org>, nicolas.pitre@...aro.org Subject: sched: divide error in sg_capacity_factor Hi all, While fuzzing with trinity inside the latest -next kernel using trinity I've stumbled on: [ 936.784266] divide error: 0000 [#1] PREEMPT SMP KASAN [ 936.789198] Dumping ftrace buffer: [ 936.793957] (ftrace buffer empty) [ 936.793957] Modules linked in: [ 936.793957] CPU: 52 PID: 22110 Comm: trinity-c52 Tainted: G W 4.0.0-rc1-sasha-00044-ge21109a #2039 [ 936.793957] task: ffff8807ff293000 ti: ffff880f81fe8000 task.ti: ffff880f81fe8000 [ 936.793957] RIP: find_busiest_group (kernel/sched/fair.c:6152 kernel/sched/fair.c:6223 kernel/sched/fair.c:6341 kernel/sched/fair.c:6603) [ 936.829403] RSP: 0000:ffff8810c28079a8 EFLAGS: 00010206 [ 936.829403] RAX: 00000000000003ff RBX: 000000000000004e RCX: 0000000000002000 [ 936.829403] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 936.829403] RBP: ffff8810c2807be8 R08: 0000000000000001 R09: 0000000000000001 [ 936.829403] R10: 0000000000000001 R11: 0000000000000008 R12: dffffc0000000000 [ 936.829403] R13: 0000000000000001 R14: ffff8810c2807b40 R15: ffff8810c2807ce8 [ 936.829403] FS: 00007f89c95ff700(0000) GS:ffff8810c2800000(0000) knlGS:0000000000000000 [ 936.829403] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b [ 936.829403] CR2: 0000000003503ff8 CR3: 0000000f8237b000 CR4: 00000000000007a0 [ 936.829403] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 936.829403] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000050602 [ 936.829403] Stack: [ 936.829403] 0000000000000082 ffffffff00000001 ffff8810c28079d8 ffff8810c2817a88 [ 936.829403] 0000000000000000 1ffff10218500f4b 00000000c2817a88 ffff8810c2807d14 [ 936.829403] ffff8810c2807b50 ffff8810c2807cfc ffff8810c0740010 0000000307418e2e [ 936.829403] Call Trace: [ 936.829403] <IRQ> [ 936.829403] ? __enqueue_entity (kernel/sched/fair.c:501) [ 936.829403] ? update_group_capacity (kernel/sched/fair.c:6593) [ 936.829403] ? update_cfs_shares (kernel/sched/fair.c:2375) [ 936.829403] ? cpumask_next_and (lib/cpumask.c:40) [ 936.829403] load_balance (kernel/sched/fair.c:6857) [ 936.829403] ? _raw_spin_unlock_irqrestore (./arch/x86/include/asm/preempt.h:95 include/linux/spinlock_api_smp.h:163 kernel/locking/spinlock.c:191) [ 936.829403] ? update_blocked_averages (kernel/sched/fair.c:5743) [ 936.829403] ? find_busiest_group (kernel/sched/fair.c:6820) [ 936.829403] ? run_rebalance_domains (kernel/sched/fair.c:7450 kernel/sched/fair.c:7659) [ 936.829403] ? trace_hardirqs_on_caller (kernel/locking/lockdep.c:2566) [ 936.829403] run_rebalance_domains (kernel/sched/fair.c:7494 kernel/sched/fair.c:7659) [ 936.829403] ? run_rebalance_domains (kernel/sched/fair.c:7450 kernel/sched/fair.c:7659) [ 936.829403] ? pick_next_task_fair (kernel/sched/fair.c:7654) [ 936.829403] ? irq_exit (kernel/softirq.c:350 kernel/softirq.c:391) [ 936.829403] __do_softirq (kernel/softirq.c:273 include/linux/jump_label.h:114 include/trace/events/irq.h:126 kernel/softirq.c:274) [ 936.829403] irq_exit (kernel/softirq.c:350 kernel/softirq.c:391) [ 936.829403] smp_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:918) [ 936.829403] apic_timer_interrupt (arch/x86/kernel/entry_64.S:958) [ 936.829403] <EOI> [ 936.829403] ? is_module_address (kernel/module.c:3835) [ 936.829403] ? __kernel_text_address (kernel/extable.c:104) [ 936.829403] print_context_stack (arch/x86/kernel/dumpstack.c:105) [ 936.829403] dump_trace (arch/x86/kernel/dumpstack_64.c:244) [ 936.829403] save_stack_trace (arch/x86/kernel/stacktrace.c:64) [ 936.829403] __set_page_owner (mm/page_owner.c:72) [ 936.829403] ? __reset_page_owner (mm/page_owner.c:61) [ 936.829403] ? __inc_zone_state (mm/vmstat.c:271) [ 936.829403] get_page_from_freelist (include/linux/page_owner.h:26 mm/page_alloc.c:2176) [ 936.829403] __alloc_pages_nodemask (mm/page_alloc.c:2844) [ 936.829403] ? alloc_pages_vma (mm/mempolicy.c:2007) [ 936.829403] ? debug_check_no_locks_freed (kernel/locking/lockdep.c:3051) [ 936.829403] ? debug_check_no_locks_freed (kernel/locking/lockdep.c:3051) [ 936.829403] ? __alloc_pages_direct_compact (mm/page_alloc.c:2797) [ 936.829403] ? debug_check_no_locks_freed (kernel/locking/lockdep.c:3051) [ 936.829403] ? arch_local_irq_restore (init/do_mounts.h:19) [ 936.829403] ? trace_hardirqs_on_caller (kernel/locking/lockdep.c:2566) [ 936.829403] alloc_pages_vma (mm/mempolicy.c:2007) [ 936.829403] ? handle_mm_fault (mm/memory.c:2156 mm/memory.c:3164 mm/memory.c:3269 mm/memory.c:3298) [ 936.829403] handle_mm_fault (mm/memory.c:2156 mm/memory.c:3164 mm/memory.c:3269 mm/memory.c:3298) [ 936.829403] ? debug_check_no_locks_freed (kernel/locking/lockdep.c:3051) [ 936.829403] ? __pmd_alloc (mm/memory.c:3280) [ 936.829403] ? perf_event_context_sched_in (kernel/events/core.c:2755) [ 936.829403] ? trace_hardirqs_on_caller (kernel/locking/lockdep.c:2566) [ 936.829403] ? __do_page_fault (arch/x86/mm/fault.c:1173) [ 936.829403] ? ___might_sleep (kernel/sched/core.c:7297 (discriminator 1)) [ 936.829403] ? find_vma (mm/mmap.c:2035) [ 936.829403] __do_page_fault (arch/x86/mm/fault.c:1235) [ 936.829403] ? finish_task_switch (kernel/sched/core.c:2214) [ 936.829403] ? finish_task_switch (kernel/sched/sched.h:1058 kernel/sched/core.c:2210) [ 936.829403] trace_do_page_fault (arch/x86/mm/fault.c:1329) [ 936.829403] do_async_page_fault (arch/x86/kernel/kvm.c:280) [ 936.829403] async_page_fault (arch/x86/kernel/entry_64.S:1295) [ 936.829403] Code: 89 f8 48 c1 e8 03 42 0f b6 04 20 84 c0 74 08 3c 03 0f 8e 3a 18 00 00 8b 7e 08 44 89 e8 48 c1 e0 0a 48 8d 44 07 ff 48 89 fe 48 99 <48> f7 ff 31 d2 48 89 c7 44 89 e8 f7 f7 45 89 c5 49 81 c5 00 02 All code ======== 0: 89 f8 mov %edi,%eax 2: 48 c1 e8 03 shr $0x3,%rax 6: 42 0f b6 04 20 movzbl (%rax,%r12,1),%eax b: 84 c0 test %al,%al d: 74 08 je 0x17 f: 3c 03 cmp $0x3,%al 11: 0f 8e 3a 18 00 00 jle 0x1851 17: 8b 7e 08 mov 0x8(%rsi),%edi 1a: 44 89 e8 mov %r13d,%eax 1d: 48 c1 e0 0a shl $0xa,%rax 21: 48 8d 44 07 ff lea -0x1(%rdi,%rax,1),%rax 26: 48 89 fe mov %rdi,%rsi 29: 48 99 cqto 2b:* 48 f7 ff idiv %rdi <-- trapping instruction 2e: 31 d2 xor %edx,%edx 30: 48 89 c7 mov %rax,%rdi 33: 44 89 e8 mov %r13d,%eax 36: f7 f7 div %edi 38: 45 89 c5 mov %r8d,%r13d 3b: 49 rex.WB 3c: 81 .byte 0x81 3d: c5 00 02 (bad) ... Code starting with the faulting instruction =========================================== 0: 48 f7 ff idiv %rdi 3: 31 d2 xor %edx,%edx 5: 48 89 c7 mov %rax,%rdi 8: 44 89 e8 mov %r13d,%eax b: f7 f7 div %edi d: 45 89 c5 mov %r8d,%r13d 10: 49 rex.WB 11: 81 .byte 0x81 12: c5 00 02 (bad) ... [ 936.829403] RIP find_busiest_group (kernel/sched/fair.c:6152 kernel/sched/fair.c:6223 kernel/sched/fair.c:6341 kernel/sched/fair.c:6603) [ 936.829403] RSP <ffff8810c28079a8> Thanks, Sasha -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists