Bug 247174

Summary: bogus arguments to PTRACE_POKEUSER makes IA64 kernel crash
Product: Red Hat Enterprise Linux 5 Reporter: Robert Cohn <robert.s.cohn>
Component: kernelAssignee: Luming Yu <luyu>
Status: CLOSED ERRATA QA Contact: Martin Jenner <mjenner>
Severity: urgent Docs Contact:
Priority: low    
Version: 5.0CC: peterm
Target Milestone: ---   
Target Release: ---   
Hardware: ia64   
OS: Linux   
Whiteboard:
Fixed In Version: RHBA-2008-0314 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-05-21 14:45:39 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Running this program will crash the system.
none
ia64 utrace update none

Description Robert Cohn 2007-07-05 19:55:43 UTC 
Description of problem:
Passing bogus arguments to PTRACE_POKEUSER makes the kernel crash on IA64.

Version-Release number of selected component (if applicable):
This test program was run on Linux vs-ipf-3 2.6.18-8.el5 #1 SMP Fri Jan 26
14:16:09 EST 2007 ia64 ia64 ia64 GNU/Linux

A more complicated version of the test program crashed 2.6.18-8.1.6 but I no
longer have access to that system to retest. It also crashed a EL3 IA64 system.

How reproducible:
Always and immediate.

Steps to Reproduce:

[rscohn1@vs-ipf-3 ~]$ gcc ptracebug.c
[rscohn1@vs-ipf-3 ~]$ which gcc
/usr/bin/gcc
[rscohn1@vs-ipf-3 ~]$ ./a.out
ProcessB (2564) doing TRACEME
ProcessB (2564) doing exec
ProcessA (2563) waiting for ProcessB (2564)
ProcessA (2563) CONT ProcessB (2564)
ProcessA (2563) waiting for ProcessB (2564)

And the kernel crashes...
Comment 1 Robert Cohn 2007-07-05 19:55:43 UTC 
Created attachment 158614 [details]
Running this program will crash the system.
Comment 2 Tony Luck 2007-07-10 21:01:55 UTC 
Upstream kernel (2.6.22) does not crash with this test program (nor with 
Robert's original test case).
Comment 3 Luming Yu 2007-07-16 01:08:06 UTC 
utrace patch has not in upstream yet. So it could explain why upstream kernel
works.
Comment 4 Luming Yu 2007-08-16 03:59:07 UTC 
I just tested the latest utrace kernel and unmodified upstream 2.6.23-rc3.
Actually all of them run into the problem with the dmesg log attached below. I'm
not sure if it is a regression from 2.6.22, I will re-test 2.6.22.


ls[4432]: General Exception: IA-64 Reserved Register/Field fault (data access)
549755813936 [4]
Modules linked in: nfs lockd sunrpc binfmt_misc dm_mirror dm_mod fan container
sg button thermal processor ehci_hcd ohci_hcd

Pid: 4432, CPU 2, comm:                   ls
psr : 00001210085a2010 ifs : 8000000000000000 ip  : [<a0000001006fc161>]   
Tainted: G      D
ip is at schedule+0x11c1/0x13a0
unat: ffffffffdeadbeef pfs : 0000000000000710 rsc : 0000000000000000
rnat: 0000000000000000 bsps: ffffffffdeadbee8 pr  : 0000000000566729
ldrs: 0000000000000000 ccv : ffffffffdeadbeef fpsr: 0009804c8a70433f
csd : 0000000000000000 ssd : 0000000000000000
b0  : a00000010000b860 b6  : ffffffffdeadbeef b7  : ffffffffdeadbeef
f6  : 1beefffffffffdeadbeef f7  : 1beefffffffffdeadbeef
f8  : 1beefffffffffdeadbeef f9  : 00000ffffffffdeadbeef
f10 : 000000000000000000000 f11 : 000000000000000000000
r1  : ffffffffdeadbeef r2  : ffffffffdeadbeef r3  : ffffffffdeadbeef
r8  : ffffffffdeadbeef r9  : ffffffffdeadbeef r10 : ffffffffdeadbeef
r11 : ffffffffdeadbeef r12 : ffffffffdeadbeef r13 : ffffffffdeadbeef
r14 : ffffffffdeadbeef r15 : ffffffffdeadbeef r16 : ffffffffdeadbeef
r17 : ffffffffdeadbeef r18 : ffffffffdeadbeef r19 : ffffffffdeadbeef
r20 : ffffffffdeadbeef r21 : ffffffffdeadbeef r22 : ffffffffdeadbeef
r23 : ffffffffdeadbeef r24 : ffffffffdeadbeef r25 : ffffffffdeadbeef
r26 : ffffffffdeadbeef r27 : ffffffffdeadbeef r28 : ffffffffdeadbeef
r29 : ffffffffdeadbeef r30 : ffffffffdeadbeef r31 : ffffffffdeadbeef

Call Trace:
 [<a000000100013f60>] show_stack+0x40/0xa0
                                sp=e0000001090ffa50 bsp=e0000001090f0cb0
 [<a000000100014be0>] show_regs+0x840/0x880
                                sp=e0000001090ffc20 bsp=e0000001090f0c58
 [<a0000001000371c0>] die+0x1a0/0x2a0
                                sp=e0000001090ffc20 bsp=e0000001090f0c10
 [<a000000100037310>] die_if_kernel+0x50/0x80
                                sp=e0000001090ffc20 bsp=e0000001090f0bd8
 [<a000000100038480>] ia64_fault+0x1140/0x1260
                                sp=e0000001090ffc20 bsp=e0000001090f0b80
 [<a00000010000b560>] ia64_leave_kernel+0x0/0x270
                                sp=e0000001090ffe30 bsp=e0000001090f0b80
 [<a0000001006fc160>] schedule+0x11c0/0x13a0
                                sp=e000000109100000 bsp=e0000001090f0b80
Comment 5 Luming Yu 2007-08-16 05:09:27 UTC 
Tested 2.6.22 with the bogus arguments PTRACE_POKUSER test case, I get same
results with 2.6.23-rc3 as well as 2.6.23-rc3 + latest utrace patch.
Comment 6 Luming Yu 2007-08-17 02:35:07 UTC 
Created attachment 161713 [details]
ia64 utrace update

Please help test the ia64 utrace update patch
Comment 7 RHEL Program Management 2007-11-20 05:06:04 UTC 
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 9 Don Zickus 2007-12-21 20:17:17 UTC 
in 2.6.18-62.el5
You can download this test kernel from http://people.redhat.com/dzickus/el5
Comment 12 errata-xmlrpc 2008-05-21 14:45:39 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0314.html