Bug 278961

Summary: epoll_wait(..., -100) results in printk
Product: Red Hat Enterprise Linux 4
Component: kernel
Version: 4.5
Hardware: x86_64
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Reporter: Andy Isaacson <aisaacson>
Assignee: Peter Staubach <staubach>
QA Contact: Martin Jenner <mjenner>
CC: jbaron, ppokorny
Fixed In Version: RHSA-2008-0665
Doc Type: Bug Fix
Last Closed: 2008-07-24 19:16:05 UTC
Bug Blocks: 430698
Attachments:
- reproduction testcase (flags: none)
- Proposed patch (flags: none)

Description Andy Isaacson 2007-09-05 18:04:12 UTC
Description of problem:

Calling epoll_wait with a negative value for 'timeout' results in a printk being
generated, with no information about what pid or uid caused it.  This can result
in logfile overflow and denial-of-service.

Version-Release number of selected component (if applicable):

2.6.9-55.0.2

Steps to reproduce:
1. run attached testcase on x86_64 2.6.9-55.0.2.

Actual results:

schedule_timeout: wrong timeout value fffffffffffffc19 from ffffffff8019eaff

Expected results:

return EINVAL and do not printk.

Additional info:

This issue appears to be fixed upstream by e3306dd5f7eb2e699f36a4a313fca4b48b18d5e1.
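
Added example, not part of the original report or its attachments: a log scanner that matches the message shown under "Actual results", decodes the timeout as a signed value, and groups hits by caller address, since the message carries no pid or uid. The sample log lines, the second caller address and the flood threshold are constructed assumptions.

```python
import re
from collections import Counter

# Message format taken from the "Actual results" line of the report.
PATTERN = re.compile(
    r"schedule_timeout: wrong timeout value (?P<value>[0-9a-f]+)"
    r" from (?P<caller>[0-9a-f]+)"
)

def to_signed(hex_text):
    """Decode the hex value as a two's-complement long (32- or 64-bit)."""
    bits = 32 if len(hex_text) <= 8 else 64
    value = int(hex_text, 16)
    return value - (1 << bits) if value >= (1 << (bits - 1)) else value

def scan(lines, flood_threshold=3):
    """Return (hits, flooding): every match, and callers at or over the threshold.

    flood_threshold is an assumed value; tune it to the log window examined.
    """
    hits = []
    per_caller = Counter()
    for line in lines:
        match = PATTERN.search(line)
        if match is None:
            continue
        caller = match.group("caller")
        hits.append((caller, to_signed(match.group("value"))))
        per_caller[caller] += 1
    flooding = {c: n for c, n in per_caller.items() if n >= flood_threshold}
    return hits, flooding

# Constructed sample log. Only the first message text comes from the report;
# timestamps, hostname and the second caller address are made up.
MSG = "schedule_timeout: wrong timeout value fffffffffffffc19 from ffffffff8019eaff"
SAMPLE_LOG = [
    "Sep  5 18:04:10 host1 kernel: " + MSG,
    "Sep  5 18:04:10 host1 kernel: " + MSG,
    "Sep  5 18:04:11 host1 sshd[2211]: Accepted publickey for admin",
    "Sep  5 18:04:11 host1 kernel: " + MSG,
    "Sep  5 18:04:11 host1 kernel: " + MSG,
    "Sep  5 18:04:12 host1 kernel: schedule_timeout: wrong timeout value "
    "ffffffffffffff9d from ffffffff80123456",
]

if __name__ == "__main__":
    found, flooding = scan(SAMPLE_LOG)
    for caller, timeout in found:
        print(f"caller={caller} timeout_jiffies={timeout}")
    print("flooding callers:", flooding)
```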

Comment 1 Andy Isaacson 2007-09-05 18:04:12 UTC
Created attachment 187791
reproduction testcase

Comment 2 Peter Staubach 2007-09-13 21:28:31 UTC
The semantics in the upstream kernel and as described by the patch
which was referenced do not match the expected results.  The actual
semantics of the system after applying that patch are that any
negative value passed as the timeout is treated the same as -1.

I will port the patch, but this will just prevent the printk()
from occurring, but will not cause the system call to return EINVAL.

Comment 3 Peter Staubach 2007-09-18 19:47:13 UTC
Created attachment 198801
Proposed patch

Comment 4 Peter Staubach 2007-09-18 19:56:27 UTC
The attached Proposed patch modifies the epoll_wait() semantics to
use any negative value to indicate an infinite wait, not just -1.
This matches the current upstream and RHEL-5 semantics.

Comment 5 RHEL Program Management 2007-09-18 20:04:15 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 6 Vivek Goyal 2008-02-27 21:44:59 UTC
Committed in 68.14.EL. RPMS are available at http://people.redhat.com/vgoyal/rhel4/

Comment 10 errata-xmlrpc 2008-07-24 19:16:05 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2008-0665.html