Description of problem:
Possible memory corruption when /proc/kcore is read

Version-Release number of selected component (if applicable):
2.4.9-e.57

How reproducible:
dd if=/proc/kcore of=/tmp/kcore bs=4k count=10
(if necessary, repeat a few times)

Steps to Reproduce:
see above

Actual results:
Various; usually the machine freezes after some /proc/kcore reads.

Expected results:
No problems, /proc/kcore is correctly read.

Additional info:
The problem is that the size of the kcore header is calculated incorrectly if there are lots of VMAs. The reason is that the size of the data fields in the ELF notes is not accounted for in get_kcore_size() (fs/proc/kcore.c).

RH's Ernie Petrides has posted a patch for this to LKML.
http://marc.theaimsgroup.com/?t=110739734900006&r=1&w=2

It was accepted by Marcelo into 2.4 mainline.
http://linux.bkbits.net:8080/linux-2.4/cset@42024081gb19vludDwvjkxZjV0NvPg?nav=index.html|src/|src/fs|src/fs/proc|related/fs/proc/kcore.c

In 2.6 the problem has been fixed for 1.5 years.
ftp://ftp.kernel.org/pub/linux/kernel/people/akpm/patches/2.5/2.5.69/2.5.69-mm9/broken-out/proc-kcore-rework.patch

BUG 141394 contains references to this problem for RHEL3.
According to Ernie, this was accepted into the RHEL-U3 patch set. The patch is pretty small and can hardly break stuff, so it'd be nice to see it in AS2.1 ASAP, too.
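To make the size miscalculation described above concrete, here is an added example (not code from the bug report, the LKML patch or the kernel): it models a header-size computation that counts only the in-kernel note bookkeeping struct against one that counts the serialized ELF note bytes, and shows that the shortfall is only hidden by page rounding until the program-header count grows. The struct sizes and note payload sizes are constructed assumptions, not values from the page.

```c
#include <stddef.h>
#include <string.h>

#define PAGE_SIZE      ((size_t)4096)
#define ELF_HDR_SIZE   ((size_t)52)   /* sizeof(Elf32_Ehdr) */
#define ELF_PHDR_SIZE  ((size_t)32)   /* sizeof(Elf32_Phdr) */
#define ELF_NHDR_SIZE  ((size_t)12)   /* sizeof(Elf32_Nhdr): namesz, descsz, type */
#define MEMELFNOTE_SIZE ((size_t)16)  /* assumed in-kernel bookkeeping struct: 2 pointers + 2 ints */

/* In-kernel record describing one note; its sizeof says nothing about
 * how many bytes the note occupies once written into the ELF header. */
struct memelfnote { const char *name; int type; size_t datasz; };

/* Constructed note set: three "CORE" notes with assumed payload sizes. */
static const struct memelfnote notes[] = {
    { "CORE", 1, 144 },   /* NT_PRSTATUS   (size assumed) */
    { "CORE", 3, 124 },   /* NT_PRPSINFO   (size assumed) */
    { "CORE", 4, 1200 },  /* NT_TASKSTRUCT (size assumed) */
};
#define NNOTES (sizeof(notes) / sizeof(notes[0]))

static size_t roundup4(size_t n)   { return (n + 3) & ~(size_t)3; }
static size_t page_align(size_t n) { return (n + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1); }

/* Bytes one note takes on the wire: header, NUL-terminated name and
 * descriptor, each padded to 4 bytes. */
size_t elf_note_size(const struct memelfnote *n) {
    return ELF_NHDR_SIZE + roundup4(strlen(n->name) + 1) + roundup4(n->datasz);
}

/* Buggy variant: counts sizeof(bookkeeping struct) per note, not the data. */
size_t header_size_buggy(unsigned nphdr) {
    return ELF_HDR_SIZE + (nphdr + 2) * ELF_PHDR_SIZE + NNOTES * MEMELFNOTE_SIZE;
}

/* Correct variant: counts the serialized note bytes. */
size_t header_size_fixed(unsigned nphdr) {
    size_t total = ELF_HDR_SIZE + (nphdr + 2) * ELF_PHDR_SIZE;
    for (size_t i = 0; i < NNOTES; i++) total += elf_note_size(&notes[i]);
    return total;
}

/* The buggy size is page-aligned before the buffer is allocated; the bug
 * only bites when the real header no longer fits in that rounded buffer. */
int header_overflows(unsigned nphdr) {
    return header_size_fixed(nphdr) > page_align(header_size_buggy(nphdr));
}

/* Smallest program-header count at which the undersized buffer is overrun. */
unsigned first_overflowing_nphdr(void) {
    unsigned n = 0;
    while (!header_overflows(n)) n++;
    return n;
}
```

With these assumed sizes the shortfall is 1480 bytes, so the overrun first appears at 77 program headers and recurs in a window before every page boundary, which is why only systems with many VMAs hit it.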
As of February 7th, all new requests must go through Issue Tracker. If you have further questions or need more information, please go through your partner manager.
Jim, please note that bug 141394 has been deemed to be caused by some other problem, which is yet unsolved. The RHEL3 bugs resolved by the /proc/kcore fix are 132838, 133905, 134988, and 136317.
I've picked this issue up. There seems to be another bug in /proc/kcore on 2.1: I can consistently crash the machine by repeatedly reading the kcore. The crash appears to be due to an unmapped region in the vmlist:

crash> p vmlist
vmlist = $7 = (struct vm_struct *) 0xc14f1a00
crash> list -s vm_struct vm_struct.next 0xc14f1a00 | less
. . .
ced68ca0
struct vm_struct {
  flags = 2,
  addr = 0xd08c3000,
  size = 20480,
  next = 0xcde37240
}
cde37240
struct vm_struct {
  flags = 2,
  addr = 0xd08c8000,
  size = 8192,
  next = 0xc14f1900
}
c14f1900
struct vm_struct {
  flags = 2,
  addr = 0xd08cf000,
  size = 36864,
  next = 0xc14f12c0
}
...
crash> kmem 0xd08c3000
d08c3000 (m) (autofs module)
 VM_STRUCT   ADDRESS RANGE           SIZE
  ced68ca0   d08c3000 - d08c8000    20480
     PAGE   PHYSICAL   MAPPING   INDEX  CNT  FLAGS
 c13cea1c    e553000         0       0    1
crash> kmem 0xd08cf000
d08cf000 (m) (3c59x module)
 VM_STRUCT   ADDRESS RANGE           SIZE
  c14f1900   d08cf000 - d08d8000    36864
     PAGE   PHYSICAL   MAPPING   INDEX  CNT  FLAGS
 c13e15bc    e9bb000         0       0    1
crash> kmem 0xd08c8000
d08c8000: address not found

Is it kosher for there to be unmapped regions in the vmlist? It would seem not.
See BZ 213567 for more regarding comment #8.
I couldn't recreate the crash with e.70, however I have verified that the fix is in as part of linux-2.4.26-updates.patch and that patch is being applied in e.71.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2007-0013.html