Bug 227394

Summary: CVE-2007-0006 spinlock cpu recursion
Product: [Fedora] Fedora
Reporter: devon kerr <support>
Component: kernel
Assignee: David Howells <dhowells>
Status: CLOSED CURRENTRELEASE
QA Contact: Brian Brock <bbrock>
Severity: medium
Priority: medium
Version: 5
CC: wtogami
Hardware: x86_64
OS: Linux
Fixed In Version: 2.6.19-1.2288.fc5
Doc Type: Bug Fix
Last Closed: 2007-02-22 20:24:04 UTC

Attachments:
  This is the error log of the spinlock recursion (flags: none)
  Patch to fix the key serial no. collision problem (flags: none)

Description devon kerr 2007-02-05 19:31:51 UTC
Description of problem:
We would like to report an error we received from one of our web servers. We are hesitantly suggesting that this is a software issue: we have an identical machine which has not exhibited this error. A line from the error log seems to provide some insight:

Dec 12 10:13:01 clio kernel:  <0>BUG: spinlock cpu recursion on CPU#1, suexec/27413 (Not tainted)

The complete text of the error log has been attached.

Version-Release number of selected component (if applicable):
Fedora Core 5; Linux Kernel 2.16.18-1.2239 for x86_64; Apache 2.2.3; php 5.1

How reproducible:
we have yet to reproduce this issue.


Comment 1 devon kerr 2007-02-05 19:31:51 UTC
Created attachment 147394
This is the error log of the spinlock recursion

Comment 2 Chuck Ebbert 2007-02-05 21:23:17 UTC
*** Bug 227395 has been marked as a duplicate of this bug. ***

Comment 3 Chuck Ebbert 2007-02-05 22:08:50 UTC
This is the real problem:
Unable to handle kernel NULL pointer dereference at 0000000000000010
RIP:  [<ffffffff80225942>] __rb_rotate_left+0x7/0x5b
PGD 3a828067 PUD 3d934067 PMD 0 
Oops: 0000 [1] SMP 
last sysfs file: /block/hdb/size
CPU 1
Modules linked in: ipv6 nfs lockd fscache nfs_acl rfcomm l2cap bluetooth sunrpc
dm_mirror dm_mod video sbs i2c_ec i2c_core button battery asus_acpi ac lp
parport_pc parport sg tg3 ide_cd cdrom shpchp k8_edac edac_mc ohci_hcd
serio_raw floppy ehci_hcd pcspkr raid1 ext3 jbd sata_svw libata sd_mod
scsi_mod
Pid: 27406, comm: suexec Not tainted 2.6.18-1.2239.fc5 #1
RIP: 0010:[<ffffffff80225942>]  [<ffffffff80225942>] __rb_rotate_left+0x7/0x5b
RSP: 0018:ffff810151397df0  EFLAGS: 00010282
RAX: ffff81005a1ded48 RBX: ffff810102505508 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff806de5e0 RDI: ffff810203166088
RBP: ffff810203166088 R08: ffff8102031668c8 R09: 0000000000000000
R10: 000000005e4ae5f3 R11: ffff810151397c70 R12: ffff810102505508
R13: ffff81005a1ded48 R14: ffffffff806de5e0 R15: 0000000000000026
FS:  00002aaaaaabb850(0000) GS:ffff810103c3b1c0(0000) knlGS: 00000000f7fee8d0
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 0000000000000010 CR3: 00000000da38b000 CR4: 00000000000006e0
Process suexec (pid: 27406, threadinfo ffff810151396000, task ffff8101d7cf5080)
Stack:  ffffffff80212aff ffff81005a1ded40 ffff810102505518 0000000000000000
	ffff81005a1ded40 ffff810151397eb8 ffffffff80312779 0000000046f0a978
	0000000000000000 1f3f0000aa8adfff ffff8101d7cf5080 000003eaffffffff
Call Trace:
  [<ffffffff80212aff>] rb_insert_color+0xb2/0xda
  [<ffffffff80312779>] key_alloc+0x2b0/0x384
  [<ffffffff8031377b>] keyring_alloc+0x29/0x5f
  [<ffffffff80314ea2>] alloc_uid_keyring+0x3d/0xa6
  [<ffffffff80293a5c>] alloc_uid+0xa9/0x16f
  [<ffffffff802963d6>] set_user+0xf/0x97
  [<ffffffff80297b5c>] sys_setuid+0x7d/0x154
  [<ffffffff8025c00e>] system_call+0x7e/0x83
Code: 48 8b 51 10 49 83 e0 fc 48 85 d2 48 89 57 08 74 0c 48 8b 02


Comment 4 David Howells 2007-02-06 13:31:41 UTC
Duplicate of http://bugzilla.kernel.org/show_bug.cgi?id=7727

Comment 5 David Howells 2007-02-06 13:41:11 UTC
Created attachment 147464
Patch to fix the key serial no. collision problem
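The trace in comment 3 (key_alloc -> rb_insert_color -> __rb_rotate_left, NULL dereference) and the attachment title in comment 5 point at the same design requirement: a key's serial number must be verified unique before the key is linked into the serial tree, and a colliding candidate must be re-chosen rather than inserted. The following is an added illustration of that allocation pattern, written for this page; it is not the kernel's key code and not the attached patch. A plain binary search tree stands in for the kernel's rb-tree, the random starting candidate is replaced by a caller-supplied one so the collision path is deterministic, and the RESERVED floor of 3 is an assumption of this example only.

```c
/* Illustration (not the kernel's code): allocate a unique serial for a
 * key-like object and link it into a search tree only after the serial
 * is known to be free.  A plain BST stands in for the kernel's rb-tree;
 * the allocation/collision-handling pattern is what matters here. */
#include <assert.h>
#include <stdint.h>
#include <stdlib.h>

struct key {
    uint32_t serial;            /* unique identifier, the tree's sort key */
    struct key *left, *right;   /* BST links (hypothetical layout) */
};

struct key_tree { struct key *root; };

/* Return the key with this serial, or NULL if none is linked. */
static struct key *key_lookup(const struct key_tree *t, uint32_t serial)
{
    const struct key *k = t->root;
    while (k) {
        if (serial < k->serial)      k = k->left;
        else if (serial > k->serial) k = k->right;
        else return (struct key *)k;
    }
    return NULL;
}

/* Link a key whose serial is expected to be unique.
 * Returns 0 on success, -1 on collision: a colliding node is refused,
 * because a node linked under the wrong parent is exactly what a later
 * rebalancing step (the rotation in the trace above) trips over. */
static int key_link(struct key_tree *t, struct key *k)
{
    struct key **pp = &t->root;
    while (*pp) {
        if (k->serial < (*pp)->serial)      pp = &(*pp)->left;
        else if (k->serial > (*pp)->serial) pp = &(*pp)->right;
        else return -1;                     /* collision: refuse, do not corrupt */
    }
    k->left = k->right = NULL;
    *pp = k;
    return 0;
}

/* Serials below this value are never handed out (assumption for this example). */
#define RESERVED 3u

/* Pick a free serial starting from a caller-supplied candidate.
 * On collision, probe forward one serial at a time; the 32-bit counter
 * wraps naturally and the reserved range is skipped again after a wrap.
 * (With a realistic number of keys the loop always terminates.) */
static uint32_t key_alloc_serial(const struct key_tree *t, uint32_t candidate)
{
    uint32_t s = candidate;
    for (;;) {
        if (s < RESERVED) s = RESERVED;
        if (!key_lookup(t, s)) return s;    /* free: safe to link */
        s++;                                /* in use: try the next one */
    }
}

/* Allocate a key, give it a free serial, and link it.  NULL on failure. */
static struct key *key_alloc(struct key_tree *t, uint32_t candidate)
{
    struct key *k = calloc(1, sizeof *k);
    if (!k) return NULL;
    k->serial = key_alloc_serial(t, candidate);
    if (key_link(t, k) != 0) {              /* unreachable: serial was just verified free */
        free(k);
        return NULL;
    }
    return k;
}

/* Demonstration: serials 10, 11, 12 are taken; a fourth request that
 * starts at candidate 10 collides three times and ends up with 13. */
static uint32_t demo_collision(void)
{
    struct key_tree t = { NULL };
    key_alloc(&t, 10);
    key_alloc(&t, 11);
    key_alloc(&t, 12);
    struct key *k = key_alloc(&t, 10);
    return k ? k->serial : 0;
}
```

The point of the split between key_alloc_serial and key_link is that uniqueness is established by a lookup before the node is placed, and the link step still refuses a duplicate as a second line of defence; any rebalancing logic then only ever runs over a well-formed tree.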