* divide error in alarm_forward
@ 2018-12-17  7:04 syzbot
  2018-12-17 12:31 ` [PATCH] posix-timers: Prevent division by zero Thomas Gleixner
  0 siblings, 1 reply; 3+ messages in thread
From: syzbot @ 2018-12-17  7:04 UTC (permalink / raw)
  To: john.stultz, linux-kernel, sboyd, syzkaller-bugs, tglx

Hello,

syzbot found the following crash on:

HEAD commit:    6531e115b7ab Merge branch 'akpm' (patches from Andrew)
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10c68f6d400000
kernel config:  https://syzkaller.appspot.com/x/.config?x=c8970c89a0efbb23
dashboard link: https://syzkaller.appspot.com/bug?extid=9d38bedac9cc77b8ad5e
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+9d38bedac9cc77b8ad5e@syzkaller.appspotmail.com

divide error: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 8629 Comm: syz-executor0 Not tainted 4.20.0-rc6+ #374
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:ktime_divns include/linux/ktime.h:172 [inline]
RIP: 0010:alarm_forward+0xe7/0x180 kernel/time/alarmtimer.c:458
Code: 41 5d 41 5e 41 5f 5d c3 e8 56 44 10 00 31 ff 4c 89 ee e8 7c 45 10 00 4d 85 ed 78 62 e8 42 44 10 00 48 89 d8 48 8b 4d c8 48 99 <49> f7 fd 48 89 c3 49 89 c6 48 ba 00 00 00 00 00 fc ff df 49 0f af
RSP: 0018:ffff8881b85b77e0 EFLAGS: 00010046
RAX: 0000000000008a1c RBX: 0000000000008a1c RCX: ffff8881b88e8aa0
RDX: 0000000000000000 RSI: ffffffff816f402e RDI: 0000000000000007
RBP: ffff8881b85b7820 R08: ffff8881b85a8040 R09: 0000000000000004
R10: fffffbfff14a7409 R11: 0000000000000001 R12: ffff8881b88e8a88
R13: 0000000000000000 R14: 0000000000000001 R15: 0000003d6987822d
FS:  00007f31b5e40700(0000) GS:ffff8881daf00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f31b5e1edb8 CR3: 00000001b9024000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
  alarm_forward_now kernel/time/alarmtimer.c:481 [inline]
  alarm_timer_rearm+0xbb/0x150 kernel/time/alarmtimer.c:575
  posixtimer_rearm+0x200/0x3e0 kernel/time/posix-timers.c:321
  dequeue_signal+0x1b0/0x630 kernel/signal.c:680
  signalfd_dequeue fs/signalfd.c:173 [inline]
  signalfd_read+0x295/0x7f0 fs/signalfd.c:226
  __vfs_read+0x117/0x9b0 fs/read_write.c:416
  vfs_read+0x17f/0x3c0 fs/read_write.c:452
  ksys_read+0x101/0x260 fs/read_write.c:578
  __do_sys_read fs/read_write.c:588 [inline]
  __se_sys_read fs/read_write.c:586 [inline]
  __x64_sys_read+0x73/0xb0 fs/read_write.c:586
  do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
  entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457669
Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f31b5e3fc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457669
RDX: 000000000ae3f1a6 RSI: 0000000020000080 RDI: 0000000000000005
RBP: 000000000072bfa0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f31b5e406d4
R13: 00000000004c2b0b R14: 00000000004d6608 R15: 00000000ffffffff
Modules linked in:
---[ end trace a0d2cc178e3c2817 ]---
RIP: 0010:ktime_divns include/linux/ktime.h:172 [inline]
RIP: 0010:alarm_forward+0xe7/0x180 kernel/time/alarmtimer.c:458
Code: 41 5d 41 5e 41 5f 5d c3 e8 56 44 10 00 31 ff 4c 89 ee e8 7c 45 10 00 4d 85 ed 78 62 e8 42 44 10 00 48 89 d8 48 8b 4d c8 48 99 <49> f7 fd 48 89 c3 49 89 c6 48 ba 00 00 00 00 00 fc ff df 49 0f af
RSP: 0018:ffff8881b85b77e0 EFLAGS: 00010046
RAX: 0000000000008a1c RBX: 0000000000008a1c RCX: ffff8881b88e8aa0
RDX: 0000000000000000 RSI: ffffffff816f402e RDI: 0000000000000007
RBP: ffff8881b85b7820 R08: ffff8881b85a8040 R09: 0000000000000004
R10: fffffbfff14a7409 R11: 0000000000000001 R12: ffff8881b88e8a88
R13: 0000000000000000 R14: 0000000000000001 R15: 0000003d6987822d
FS:  00007f31b5e40700(0000) GS:ffff8881daf00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f31b5e1edb8 CR3: 00000001b9024000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with syzbot.


* [PATCH] posix-timers: Prevent division by zero
  2018-12-17  7:04 divide error in alarm_forward syzbot
@ 2018-12-17 12:31 ` Thomas Gleixner
  2018-12-17 16:39   ` [tip:timers/urgent] posix-timers: Fix division by zero bug tip-bot for Thomas Gleixner
  0 siblings, 1 reply; 3+ messages in thread
From: Thomas Gleixner @ 2018-12-17 12:31 UTC (permalink / raw)
  To: syzbot
  Cc: John Stultz, LKML, sboyd, syzkaller-bugs, Ingo Molnar, Peter Zijlstra

The signal delivery path of posix-timers can try to rearm the timer even if
the interval is zero. That's handled for the common case (hrtimer) but not
for alarm timers. In that case the forwarding function raises a division by
zero exception.

The handling for hrtimer based posix timers is wrong because it marks the
timer as active despite the fact that it is stopped.

Move the check from common_hrtimer_rearm() to posixtimer_rearm() to cure
both issues.

Reported-by: syzbot+9d38bedac9cc77b8ad5e@syzkaller.appspotmail.com
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
---
 kernel/time/posix-timers.c |    5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

--- a/kernel/time/posix-timers.c
+++ b/kernel/time/posix-timers.c
@@ -289,9 +289,6 @@ static void common_hrtimer_rearm(struct
 {
 	struct hrtimer *timer = &timr->it.real.timer;
 
-	if (!timr->it_interval)
-		return;
-
 	timr->it_overrun += hrtimer_forward(timer, timer->base->get_time(),
 					    timr->it_interval);
 	hrtimer_restart(timer);
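Review bot: Dropping the early `if (!timr->it_interval) return;` leaves common_hrtimer_rearm() with an unstated precondition: it now calls hrtimer_forward(timer, ..., timr->it_interval) unconditionally, so it is only correct because every caller of kclock->timer_rearm checks the interval first. Add a one-line comment above the function (for example `/* Caller guarantees it_interval != 0 */`) so a future caller does not reintroduce, for hrtimers, the zero-interval forwarding the alarm-timer path just hit.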
@@ -317,7 +314,7 @@ void posixtimer_rearm(struct kernel_sigi
 	if (!timr)
 		return;
 
-	if (timr->it_requeue_pending == info->si_sys_private) {
+	if (timr->it_interval && timr->it_requeue_pending == info->si_sys_private) {
 		timr->kclock->timer_rearm(timr);
 
 		timr->it_active = 1;
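Review bot: The added `timr->it_interval &&` in the condition is what now protects every clock's timer_rearm callback, including the alarm_timer_rearm() -> alarm_forward() -> ktime_divns() chain in the report above, which has no interval check of its own; the short-circuit order is right, since the requeue comparison is skipped entirely for a one-shot timer. The reason the check lives here rather than in the per-clock callbacks is only in the changelog; a short comment at this site would keep the next reader from "optimising" it back into common_hrtimer_rearm(). Moving `timr->it_active = 1;` under the same guard is the fix for the hrtimer case described in the changelog (a stopped timer was marked active), so that deserves a mention in the same comment.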

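As an added illustration, not code from this thread or from the kernel: a user-space C model of the rearm variants the changelog describes. All names here (model_timer, rearm_before_hrtimer, rearm_before_alarm, rearm_after and the scenario helpers) are invented for the example, and the forwarding arithmetic keeps only the shape that matters, the number of whole intervals between the old expiry and now, which is the division that the report's alarm_forward()/ktime_divns() frames performed on a zero interval. It shows the two problems the changelog names side by side with the patched behaviour.

```c
/*
 * Added example (not from the thread, not kernel code): a user-space model of
 * the posix-timer rearm path. Names are hypothetical; the arithmetic mirrors
 * only the "whole intervals between old expiry and now" division.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef int64_t ktime_ns;          /* nanoseconds, like the kernel's ktime_t */

struct model_timer {
    ktime_ns expires;              /* absolute expiry of the last arming */
    ktime_ns interval;             /* 0 means one-shot: stopped after firing */
    uint64_t overrun;              /* accumulated overrun count */
    bool active;                   /* armed in the clock's queue */
    bool requeue_pending;          /* signal delivered, rearm still owed */
};

/*
 * Forward the expiry past 'now' in whole intervals and return how many were
 * skipped. Precondition: interval > 0. With interval == 0 the division faults
 * (SIGFPE in user space, #DE in the kernel), which is the crash in the report.
 */
static uint64_t model_forward(struct model_timer *t, ktime_ns now)
{
    if (t->expires > now)
        return 0;                  /* not expired yet, nothing to forward */
    ktime_ns delta = now - t->expires;
    uint64_t orun = (uint64_t)(delta / t->interval) + 1;
    t->expires += (ktime_ns)orun * t->interval;
    return orun;
}

/* Pre-patch, hrtimer flavour: the interval check sat inside the per-clock
 * callback, so the common caller still marked a stopped timer active. */
static void rearm_before_hrtimer(struct model_timer *t, ktime_ns now)
{
    if (t->requeue_pending) {
        if (t->interval)           /* the check the patch removes */
            t->overrun += model_forward(t, now);
        t->active = true;          /* wrong for a one-shot timer */
        t->requeue_pending = false;
    }
}

/* Pre-patch, alarm-timer flavour: no check anywhere on the path. Never call
 * this with interval == 0; it shows why one gate in the caller beats a check
 * in each of several callbacks. */
static void rearm_before_alarm(struct model_timer *t, ktime_ns now)
{
    if (t->requeue_pending) {
        t->overrun += model_forward(t, now);
        t->active = true;
        t->requeue_pending = false;
    }
}

/* Patched: a single check in the common caller gates both the forwarding
 * and the active flag, for every clock type at once. */
static void rearm_after(struct model_timer *t, ktime_ns now)
{
    if (t->interval && t->requeue_pending) {
        t->overrun += model_forward(t, now);
        t->active = true;
        t->requeue_pending = false;
    }
}

/* Constructed scenarios: a periodic timer (expired at 100 ns, period 50 ns)
 * and a one-shot timer (expired at 100 ns), each with a signal being dequeued. */
static struct model_timer periodic(void)
{
    struct model_timer t = { .expires = 100, .interval = 50, .requeue_pending = true };
    return t;
}
static struct model_timer oneshot(void)
{
    struct model_timer t = { .expires = 100, .interval = 0, .requeue_pending = true };
    return t;
}

/* Rearm the periodic timer at t = 260 ns: three full periods were missed,
 * so 4 overruns and a new expiry of 300 ns, on both the old and new paths. */
static uint64_t periodic_overrun_after(void)
{
    struct model_timer t = periodic(); rearm_after(&t, 260); return t.overrun;
}
static ktime_ns periodic_expiry_after(void)
{
    struct model_timer t = periodic(); rearm_after(&t, 260); return t.expires;
}
static uint64_t periodic_overrun_before_alarm(void)
{
    struct model_timer t = periodic(); rearm_before_alarm(&t, 260); return t.overrun;
}
/* The hrtimer issue: a one-shot timer came back marked active (true). */
static bool oneshot_active_before_hrtimer(void)
{
    struct model_timer t = oneshot(); rearm_before_hrtimer(&t, 260); return t.active;
}
/* Patched: the one-shot timer is neither forwarded nor marked active (false). */
static bool oneshot_active_after(void)
{
    struct model_timer t = oneshot(); rearm_after(&t, 260); return t.active;
}

int main(void)
{
    printf("periodic: overrun=%llu expires=%lld\n",
           (unsigned long long)periodic_overrun_after(),
           (long long)periodic_expiry_after());
    printf("one-shot marked active: before=%d after=%d\n",
           oneshot_active_before_hrtimer(), oneshot_active_after());
    return 0;
}
```

The model deliberately has the zero-interval one-shot never reach model_forward() on the patched path, which is the whole point of the patch: the divisor check sits once in the common caller, so a clock type whose forwarding routine lacks its own check is covered too.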

* [tip:timers/urgent] posix-timers: Fix division by zero bug
  2018-12-17 12:31 ` [PATCH] posix-timers: Prevent division by zero Thomas Gleixner
@ 2018-12-17 16:39   ` tip-bot for Thomas Gleixner
  0 siblings, 0 replies; 3+ messages in thread
From: tip-bot for Thomas Gleixner @ 2018-12-17 16:39 UTC (permalink / raw)
  To: linux-tip-commits
  Cc: mingo, peterz, torvalds, hpa, tglx, john.stultz, linux-kernel

Commit-ID:  0e334db6bb4b1fd1e2d72c1f3d8f004313cd9f94
Gitweb:     https://git.kernel.org/tip/0e334db6bb4b1fd1e2d72c1f3d8f004313cd9f94
Author:     Thomas Gleixner <tglx@linutronix.de>
AuthorDate: Mon, 17 Dec 2018 13:31:05 +0100
Committer:  Ingo Molnar <mingo@kernel.org>
CommitDate: Mon, 17 Dec 2018 17:35:45 +0100

posix-timers: Fix division by zero bug

The signal delivery path of posix-timers can try to rearm the timer even if
the interval is zero. That's handled for the common case (hrtimer) but not
for alarm timers. In that case the forwarding function raises a division by
zero exception.

The handling for hrtimer based posix timers is wrong because it marks the
timer as active despite the fact that it is stopped.

Move the check from common_hrtimer_rearm() to posixtimer_rearm() to cure
both issues.

Reported-by: syzbot+9d38bedac9cc77b8ad5e@syzkaller.appspotmail.com
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: John Stultz <john.stultz@linaro.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: sboyd@kernel.org
Cc: stable@vger.kernel.org
Cc: syzkaller-bugs@googlegroups.com
Link: http://lkml.kernel.org/r/alpine.DEB.2.21.1812171328050.1880@nanos.tec.linutronix.de
Signed-off-by: Ingo Molnar <mingo@kernel.org>
---
 kernel/time/posix-timers.c | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/kernel/time/posix-timers.c b/kernel/time/posix-timers.c
index bd62b5eeb5a0..31f49ae80f43 100644
--- a/kernel/time/posix-timers.c
+++ b/kernel/time/posix-timers.c
@@ -289,9 +289,6 @@ static void common_hrtimer_rearm(struct k_itimer *timr)
 {
 	struct hrtimer *timer = &timr->it.real.timer;
 
-	if (!timr->it_interval)
-		return;
-
 	timr->it_overrun += hrtimer_forward(timer, timer->base->get_time(),
 					    timr->it_interval);
 	hrtimer_restart(timer);
@@ -317,7 +314,7 @@ void posixtimer_rearm(struct kernel_siginfo *info)
 	if (!timr)
 		return;
 
-	if (timr->it_requeue_pending == info->si_sys_private) {
+	if (timr->it_interval && timr->it_requeue_pending == info->si_sys_private) {
 		timr->kclock->timer_rearm(timr);
 
 		timr->it_active = 1;
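Review bot: With `timr->it_active = 1;` now inside the `timr->it_interval &&` guarded block, a one-shot timer whose signal is dequeued is no longer marked active, which is the second issue the changelog describes; nothing on the zero-interval path sets or clears it_active, so the flag must already be correct before posixtimer_rearm() runs, and a short comment at this site stating that invariant would make the hunk self-explanatory. The header carries Cc: stable@vger.kernel.org but no Fixes: tag, so stable maintainers have nothing here to tell them which trees need the backport; adding one is cheap and helps the same review on the stable side.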

