sched: divide error in sg_capacity_factor

From: Sasha Levin
Date: Mon Mar 09 2015 - 13:47:37 EST

Next message: Andy Lutomirski: "Re: [PATCH v2] x86, selftests: Add sigreturn_32 selftest"
Previous message: Dmitry Torokhov: "[PATCH] mfd: tps65010: remove incorrect __exit markups"
Next in thread: Ingo Molnar: "Re: sched: divide error in sg_capacity_factor"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi all,

While fuzzing with trinity inside the latest -next kernel using trinity I've stumbled on:

[ 936.784266] divide error: 0000 [#1] PREEMPT SMP KASAN
[ 936.789198] Dumping ftrace buffer:
[ 936.793957] (ftrace buffer empty)
[ 936.793957] Modules linked in:
[ 936.793957] CPU: 52 PID: 22110 Comm: trinity-c52 Tainted: G W 4.0.0-rc1-sasha-00044-ge21109a #2039
[ 936.793957] task: ffff8807ff293000 ti: ffff880f81fe8000 task.ti: ffff880f81fe8000
[ 936.793957] RIP: find_busiest_group (kernel/sched/fair.c:6152 kernel/sched/fair.c:6223 kernel/sched/fair.c:6341 kernel/sched/fair.c:6603)
[ 936.829403] RSP: 0000:ffff8810c28079a8 EFLAGS: 00010206
[ 936.829403] RAX: 00000000000003ff RBX: 000000000000004e RCX: 0000000000002000
[ 936.829403] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 936.829403] RBP: ffff8810c2807be8 R08: 0000000000000001 R09: 0000000000000001
[ 936.829403] R10: 0000000000000001 R11: 0000000000000008 R12: dffffc0000000000
[ 936.829403] R13: 0000000000000001 R14: ffff8810c2807b40 R15: ffff8810c2807ce8
[ 936.829403] FS: 00007f89c95ff700(0000) GS:ffff8810c2800000(0000) knlGS:0000000000000000
[ 936.829403] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 936.829403] CR2: 0000000003503ff8 CR3: 0000000f8237b000 CR4: 00000000000007a0
[ 936.829403] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 936.829403] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000050602
[ 936.829403] Stack:
[ 936.829403] 0000000000000082 ffffffff00000001 ffff8810c28079d8 ffff8810c2817a88
[ 936.829403] 0000000000000000 1ffff10218500f4b 00000000c2817a88 ffff8810c2807d14
[ 936.829403] ffff8810c2807b50 ffff8810c2807cfc ffff8810c0740010 0000000307418e2e
[ 936.829403] Call Trace:
[ 936.829403] <IRQ>
[ 936.829403] ? __enqueue_entity (kernel/sched/fair.c:501)
[ 936.829403] ? update_group_capacity (kernel/sched/fair.c:6593)
[ 936.829403] ? update_cfs_shares (kernel/sched/fair.c:2375)
[ 936.829403] ? cpumask_next_and (lib/cpumask.c:40)
[ 936.829403] load_balance (kernel/sched/fair.c:6857)
[ 936.829403] ? _raw_spin_unlock_irqrestore (./arch/x86/include/asm/preempt.h:95 include/linux/spinlock_api_smp.h:163 kernel/locking/spinlock.c:191)
[ 936.829403] ? update_blocked_averages (kernel/sched/fair.c:5743)
[ 936.829403] ? find_busiest_group (kernel/sched/fair.c:6820)
[ 936.829403] ? run_rebalance_domains (kernel/sched/fair.c:7450 kernel/sched/fair.c:7659)
[ 936.829403] ? trace_hardirqs_on_caller (kernel/locking/lockdep.c:2566)
[ 936.829403] run_rebalance_domains (kernel/sched/fair.c:7494 kernel/sched/fair.c:7659)
[ 936.829403] ? run_rebalance_domains (kernel/sched/fair.c:7450 kernel/sched/fair.c:7659)
[ 936.829403] ? pick_next_task_fair (kernel/sched/fair.c:7654)
[ 936.829403] ? irq_exit (kernel/softirq.c:350 kernel/softirq.c:391)
[ 936.829403] __do_softirq (kernel/softirq.c:273 include/linux/jump_label.h:114 include/trace/events/irq.h:126 kernel/softirq.c:274)
[ 936.829403] irq_exit (kernel/softirq.c:350 kernel/softirq.c:391)
[ 936.829403] smp_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:918)
[ 936.829403] apic_timer_interrupt (arch/x86/kernel/entry_64.S:958)
[ 936.829403] <EOI>
[ 936.829403] ? is_module_address (kernel/module.c:3835)
[ 936.829403] ? __kernel_text_address (kernel/extable.c:104)
[ 936.829403] print_context_stack (arch/x86/kernel/dumpstack.c:105)
[ 936.829403] dump_trace (arch/x86/kernel/dumpstack_64.c:244)
[ 936.829403] save_stack_trace (arch/x86/kernel/stacktrace.c:64)
[ 936.829403] __set_page_owner (mm/page_owner.c:72)
[ 936.829403] ? __reset_page_owner (mm/page_owner.c:61)
[ 936.829403] ? __inc_zone_state (mm/vmstat.c:271)
[ 936.829403] get_page_from_freelist (include/linux/page_owner.h:26 mm/page_alloc.c:2176)
[ 936.829403] __alloc_pages_nodemask (mm/page_alloc.c:2844)
[ 936.829403] ? alloc_pages_vma (mm/mempolicy.c:2007)
[ 936.829403] ? debug_check_no_locks_freed (kernel/locking/lockdep.c:3051)
[ 936.829403] ? debug_check_no_locks_freed (kernel/locking/lockdep.c:3051)
[ 936.829403] ? __alloc_pages_direct_compact (mm/page_alloc.c:2797)
[ 936.829403] ? debug_check_no_locks_freed (kernel/locking/lockdep.c:3051)
[ 936.829403] ? arch_local_irq_restore (init/do_mounts.h:19)
[ 936.829403] ? trace_hardirqs_on_caller (kernel/locking/lockdep.c:2566)
[ 936.829403] alloc_pages_vma (mm/mempolicy.c:2007)
[ 936.829403] ? handle_mm_fault (mm/memory.c:2156 mm/memory.c:3164 mm/memory.c:3269 mm/memory.c:3298)
[ 936.829403] handle_mm_fault (mm/memory.c:2156 mm/memory.c:3164 mm/memory.c:3269 mm/memory.c:3298)
[ 936.829403] ? debug_check_no_locks_freed (kernel/locking/lockdep.c:3051)
[ 936.829403] ? __pmd_alloc (mm/memory.c:3280)
[ 936.829403] ? perf_event_context_sched_in (kernel/events/core.c:2755)
[ 936.829403] ? trace_hardirqs_on_caller (kernel/locking/lockdep.c:2566)
[ 936.829403] ? __do_page_fault (arch/x86/mm/fault.c:1173)
[ 936.829403] ? ___might_sleep (kernel/sched/core.c:7297 (discriminator 1))
[ 936.829403] ? find_vma (mm/mmap.c:2035)
[ 936.829403] __do_page_fault (arch/x86/mm/fault.c:1235)
[ 936.829403] ? finish_task_switch (kernel/sched/core.c:2214)
[ 936.829403] ? finish_task_switch (kernel/sched/sched.h:1058 kernel/sched/core.c:2210)
[ 936.829403] trace_do_page_fault (arch/x86/mm/fault.c:1329)
[ 936.829403] do_async_page_fault (arch/x86/kernel/kvm.c:280)
[ 936.829403] async_page_fault (arch/x86/kernel/entry_64.S:1295)
[ 936.829403] Code: 89 f8 48 c1 e8 03 42 0f b6 04 20 84 c0 74 08 3c 03 0f 8e 3a 18 00 00 8b 7e 08 44 89 e8 48 c1 e0 0a 48 8d 44 07 ff 48 89 fe 48 99 <48> f7 ff 31 d2 48 89 c7 44 89 e8 f7 f7 45 89 c5 49 81 c5 00 02
All code
========
0: 89 f8 mov %edi,%eax
2: 48 c1 e8 03 shr $0x3,%rax
6: 42 0f b6 04 20 movzbl (%rax,%r12,1),%eax
b: 84 c0 test %al,%al
d: 74 08 je 0x17
f: 3c 03 cmp $0x3,%al
11: 0f 8e 3a 18 00 00 jle 0x1851
17: 8b 7e 08 mov 0x8(%rsi),%edi
1a: 44 89 e8 mov %r13d,%eax
1d: 48 c1 e0 0a shl $0xa,%rax
21: 48 8d 44 07 ff lea -0x1(%rdi,%rax,1),%rax
26: 48 89 fe mov %rdi,%rsi
29: 48 99 cqto
2b:* 48 f7 ff idiv %rdi <-- trapping instruction
2e: 31 d2 xor %edx,%edx
30: 48 89 c7 mov %rax,%rdi
33: 44 89 e8 mov %r13d,%eax
36: f7 f7 div %edi
38: 45 89 c5 mov %r8d,%r13d
3b: 49 rex.WB
3c: 81 .byte 0x81
3d: c5 00 02 (bad)
...

Code starting with the faulting instruction
===========================================
0: 48 f7 ff idiv %rdi
3: 31 d2 xor %edx,%edx
5: 48 89 c7 mov %rax,%rdi
8: 44 89 e8 mov %r13d,%eax
b: f7 f7 div %edi
d: 45 89 c5 mov %r8d,%r13d
10: 49 rex.WB
11: 81 .byte 0x81
12: c5 00 02 (bad)
...
[ 936.829403] RIP find_busiest_group (kernel/sched/fair.c:6152 kernel/sched/fair.c:6223 kernel/sched/fair.c:6341 kernel/sched/fair.c:6603)
[ 936.829403] RSP <ffff8810c28079a8>

Thanks,
Sasha
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Andy Lutomirski: "Re: [PATCH v2] x86, selftests: Add sigreturn_32 selftest"
Previous message: Dmitry Torokhov: "[PATCH] mfd: tps65010: remove incorrect __exit markups"
Next in thread: Ingo Molnar: "Re: sched: divide error in sg_capacity_factor"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]