COMMAND

    kernel

SYSTEMS AFFECTED

    Linux 2.2.0

PROBLEM

    The following is based on the Linux kernel mailing list archives.
    Dan Burcaw found the following.  It has been tested and causes
    crashes on:

	AMD K6-2 350
	AMD K6-2 400
	Intel 486 SX25 w/ P90 Overdrive

    This bug affects the 2.2.0 kernel only.  It allows both root  and
    non-root users to crash the machine (the system reboots).  To
    replicate the bug, take any core file and, as a normal user or as
    root, run:

	ldd core

    The machine will reboot, after complaining that it cannot get
    execution permissions for ./core.

    Andrea Arcangeli pointed out another way to make 2.2.0 generate
    many Oopses and leave processes stuck in D (uninterruptible sleep)
    state; once it also locked his machine up while he was in X.  He
    wrote a simple script to reproduce the bad behaviour:

	#!/bin/bash
	# Copyright (C) 1999  Andrea Arcangeli
	# Crash-2.2.0.sh
	#
	# Fork 'free' and 'ps' into the background as fast as possible,
	# forever.  '&>/dev/null' (redirect stdout and stderr) is a bash
	# extension, hence the bash shebang.

	while :; do
		free &>/dev/null &
		ps &>/dev/null &
	done

SOLUTION

    It is a very subtle bug that has nothing to do with coredumps at
    all; it is very rare, and the invalid ELF layout of the coredump
    merely happened to trigger it.  With the patch below applied you
    get:

	[root@moon /root]# ldd core
		not a dynamic executable
	[root@moon /root]#

    just as expected.  The reason it crashed, and why it took the
    kernel down in such a nasty way, is that munmap() did a tad more
    work than necessary when freeing page tables: when the range being
    unmapped ended exactly on a 4M boundary, the upper bound was
    rounded up one page directory entry too far, and for a range
    ending at 0xc0000000 we zapped 0xc0000000's page table entry.  On
    i386 that is PAGE_OFFSET, where the kernel's own mapping begins,
    and one page directory entry covers 4M of virtual space, so that
    is a pretty vital piece of address space on Linux.
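    The off-by-one is easiest to see with the arithmetic pulled out of
    the kernel.  The following is an added example, not code from the
    advisory or from linux/mm/mmap.c: it reimplements the pre-patch and
    post-patch expressions for `last` from the hunk below with the i386
    two-level paging constants of Linux 2.2 (4M page directory entries,
    PAGE_OFFSET at 0xc0000000), and checks whether the resulting range
    would free the page table that maps the first 4M of kernel space.
    The helper names are the example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* i386 (non-PAE) paging constants as used by Linux 2.2: a page directory
 * entry covers 4 MB of virtual space and the kernel mapping begins at
 * PAGE_OFFSET.  uint32_t keeps the arithmetic 32-bit, as on i386. */
#define PGDIR_SHIFT 22
#define PGDIR_SIZE  ((uint32_t)1 << PGDIR_SHIFT)
#define PGDIR_MASK  (~(PGDIR_SIZE - 1))
#define PAGE_OFFSET 0xc0000000u

/* Lower bound of the page tables to free, as in both versions of the
 * code: round start down to its page directory entry. */
uint32_t first_pgdir(uint32_t start)
{
	return start & PGDIR_MASK;
}

/* Pre-patch upper bound (exclusive).  'end' is itself exclusive, so when
 * it is 4 MB aligned this rounds up into the entry *after* the range. */
uint32_t last_before_patch(uint32_t end)
{
	return (end & PGDIR_MASK) + PGDIR_SIZE;
}

/* Post-patch upper bound: end-1 is the last address really in the range,
 * so an aligned end no longer spills into the next entry. */
uint32_t last_after_patch(uint32_t end)
{
	return ((end - 1) & PGDIR_MASK) + PGDIR_SIZE;
}

/* Number of page directory entries covered by [first, last). */
uint32_t pgdir_entries(uint32_t first, uint32_t last)
{
	return (last - first) >> PGDIR_SHIFT;
}

/* 1 if freeing page tables for [first, last) would include the entry that
 * maps PAGE_OFFSET, i.e. the first 4 MB of kernel virtual space. */
int frees_kernel_pgdir_entry(uint32_t first, uint32_t last)
{
	return first <= PAGE_OFFSET && last > PAGE_OFFSET;
}

static void show(const char *what, uint32_t start, uint32_t end)
{
	uint32_t first = first_pgdir(start);
	uint32_t lb = last_before_patch(end), la = last_after_patch(end);

	printf("%-28s [%08x,%08x)\n", what, (unsigned)start, (unsigned)end);
	printf("  before: free [%08x,%08x) %u entries%s\n", (unsigned)first,
	       (unsigned)lb, (unsigned)pgdir_entries(first, lb),
	       frees_kernel_pgdir_entry(first, lb) ? "  <-- hits PAGE_OFFSET" : "");
	printf("  after:  free [%08x,%08x) %u entries%s\n", (unsigned)first,
	       (unsigned)la, (unsigned)pgdir_entries(first, la),
	       frees_kernel_pgdir_entry(first, la) ? "  <-- hits PAGE_OFFSET" : "");
}

int main(void)
{
	/* Constructed ranges: a typical text mapping, and a mapping whose end
	 * sits exactly on the top of user space, like the bad coredump's. */
	show("ordinary mapping", 0x08048000u, 0x08049000u);
	show("mapping ending at 0xc0000000", 0xbfff0000u, PAGE_OFFSET);
	return 0;
}
```

    For a range that does not end on a 4M boundary both expressions agree;
    only an aligned `end` differs, and the one that matters in practice is
    the top of user space, where the extra entry is the kernel's.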

    --- linux/mm/mmap.c.orig Wed Jan 27 14:09:31 1999
    +++ linux/mm/mmap.c     Wed Jan 27 14:06:09 1999
    @@ -558,7 +558,7 @@
	    unsigned long start, unsigned long end)
     {
	    unsigned long first = start & PGDIR_MASK;
    -       unsigned long last = (end & PGDIR_MASK) + PGDIR_SIZE;
    +       unsigned long last = ((end-1) & PGDIR_MASK) + PGDIR_SIZE;

	    if (!prev) {
		    prev = mm->mmap;
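    Review bot: the `end-1` in the new `last` line is correct but the
    reason deserves a comment next to it, since the old form looks right
    at a glance.  `end` is exclusive, so when it is PGDIR-aligned the old
    `(end & PGDIR_MASK) + PGDIR_SIZE` reaches one whole 4M entry past the
    unmapped range; for a range ending at 0xc0000000 that entry is the
    kernel's, which is the crash described above.  Suggest something like
    `/* end is exclusive: use end-1 so an aligned end does not free the
    following page table */` above the assignment, and, since only the
    first few lines of the function are shown here, a check that every
    caller passes a non-empty range, as `start == end` on an aligned
    boundary would make `last == first`.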