Bug 278961 - epoll_wait(..., -100) results in printk
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel
Version: 4.5
Hardware: x86_64 Linux
Priority: medium
Severity: medium
Assigned To: Peter Staubach
Martin Jenner
Blocks: 430698
Reported: 2007-09-05 14:04 EDT by Andy Isaacson
Modified: 2008-07-24 15:16 EDT (History)
Fixed In Version: RHSA-2008-0665
Doc Type: Bug Fix
Last Closed: 2008-07-24 15:16:05 EDT

Attachments
reproduction testcase (692 bytes, text/x-csrc)
2007-09-05 14:04 EDT, Andy Isaacson
Proposed patch (852 bytes, patch)
2007-09-18 15:47 EDT, Peter Staubach
Description Andy Isaacson 2007-09-05 14:04:12 EDT
Description of problem:

Calling epoll_wait with a negative value for 'timeout' results in a printk being
generated, with no information about what pid or uid caused it.  This can result
in logfile overflow and denial-of-service.

Version-Release number of selected component (if applicable):

2.6.9-55.0.2

Steps to reproduce:
1. run attached testcase on x86_64 2.6.9-55.0.2.

Actual results:

schedule_timeout: wrong timeout value fffffffffffffc19 from ffffffff8019eaff

Expected results:

return EINVAL and do not printk.

Additional info:

This issue appears to be fixed upstream by e3306dd5f7eb2e699f36a4a313fca4b48b18d5e1.
Comment 1 Andy Isaacson 2007-09-05 14:04:12 EDT
Created attachment 187791
reproduction testcase
Comment 2 Peter Staubach 2007-09-13 17:28:31 EDT
The semantics in the upstream kernel and as described by the patch
which was referenced do not match the expected results.  The actual
semantics of the system after applying that patch are that any
negative value passed as the timeout is treated the same as -1.

I will port the patch, but this will just prevent the printk()
from occurring, but will not cause the system call to return EINVAL.
Comment 3 Peter Staubach 2007-09-18 15:47:13 EDT
Created attachment 198801
Proposed patch
Comment 4 Peter Staubach 2007-09-18 15:56:27 EDT
The attached Proposed patch modifies the epoll_wait() semantics to
use any negative value to indicate an infinite wait, not just -1.
This matches the current upstream and RHEL-5 semantics.
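
An added example, not part of the bug report or the proposed patch: a user-space check of the return-value semantics discussed in Comments 2 and 4, confirming that a negative timeout other than -1 is accepted like -1 rather than rejected with EINVAL. The function name is hypothetical, and a pipe is made readable first so the call returns at once; it shows only the return value, not whether the kernel still emits the printk.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/epoll.h>
#include <unistd.h>

/*
 * Hypothetical helper: call epoll_wait() with the given timeout while one
 * event is already pending. Returns the number of ready events (1 when the
 * timeout is accepted) or -errno (-EINVAL if the kernel rejects the value).
 */
int epoll_wait_with_timeout(int timeout_ms)
{
    int pipefd[2], epfd, rc, result;
    struct epoll_event ev = {0}, out = {0};

    if (pipe(pipefd) < 0)
        return -errno;
    epfd = epoll_create(1);
    if (epfd < 0) { result = -errno; goto close_pipe; }

    ev.events = EPOLLIN;
    ev.data.fd = pipefd[0];
    if (epoll_ctl(epfd, EPOLL_CTL_ADD, pipefd[0], &ev) < 0) {
        result = -errno;
        goto close_all;
    }
    /* Make the read end readable so an "infinite" wait returns immediately. */
    if (write(pipefd[1], "x", 1) != 1) { result = -errno; goto close_all; }

    rc = epoll_wait(epfd, &out, 1, timeout_ms);
    result = rc < 0 ? -errno : rc;

close_all:
    close(epfd);
close_pipe:
    close(pipefd[0]);
    close(pipefd[1]);
    return result;
}

int main(void)
{
    int timeouts[] = { -1, -100 };  /* constructed sample values */
    for (unsigned i = 0; i < sizeof timeouts / sizeof timeouts[0]; i++)
        printf("timeout=%d -> %d\n", timeouts[i],
               epoll_wait_with_timeout(timeouts[i]));
    return 0;
}
```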
Comment 5 RHEL Product and Program Management 2007-09-18 16:04:15 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 6 Vivek Goyal 2008-02-27 16:44:59 EST
Committed in 68.14.EL. RPMS are available at http://people.redhat.com/vgoyal/rhel4/
Comment 10 errata-xmlrpc 2008-07-24 15:16:05 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2008-0665.html