Bug 224541 - oops in vsyscall_sysctl_change()
Summary: oops in vsyscall_sysctl_change()
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel
Version: 5.0
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Jeff Burke
QA Contact: Brian Brock
Depends On:
Blocks: 425461
Reported: 2007-01-26 08:12 UTC by Vasily Averin
Modified: 2008-05-21 14:41 UTC (History)

Fixed In Version: RHBA-2008-0314
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2008-05-21 14:41:03 UTC
Target Upstream Version:

Attachments
patch fixed oops in vsyscall_sysctl_change() (1.02 KB, patch)
2007-01-26 08:12 UTC, Vasily Averin

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2008:0314 0 normal SHIPPED_LIVE Updated kernel packages for Red Hat Enterprise Linux 5.2 2008-05-20 18:43:34 UTC

Description Vasily Averin 2007-01-26 08:12:26 UTC
OpenVZ/Virtuozzo linux kernel team has noticed the following issue on x86_64
RHEL5 beta kernels (at least on 2.6.17-1.2519.4.21.el5):

Any attempt to switch vsyscall64 leads to the oops

# cat /proc/sys/kernel/vsyscall64
# echo 1 >/proc/sys/kernel/vsyscall64

Unable to handle kernel paging request at ffffc20000076c13 RIP:
 [<ffffffff80074226>] vsyscall_sysctl_change+0x9f/0xc1
PGD dfe9b067 PUD dfe9c067 PMD dfe9d067 PTE fffffffffff88163
Oops: 000b [1] SMP
last sysfs file: /class/vc/vcsa6/dev
Modules linked in: ipv6 iptable_filter xt_length ipt_ttl xt_tcpmss ipt_TCPMSS
iptable_mangle xt_multiport xt_limit ipt_tos ipt_REJECT ip_tables x_tables dm_m
irror video sbs i2c_ec button battery asus_acpi ac uhci_hcd ehci_hcd i2c_viapro
i2c_core k8_edac edac_mc snd_via82xx gameport snd_ac97_codec snd_ac97_bus
snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd_page_alloc snd_mpu401_uart
snd_rawmidi snd_seq_device snd soundcore tg3 floppy ide_cd cdrom ext3 jbd dm_mod
i2o_block i2o_core sata_via libata sd_mod scsi_mod
Pid: 3829, comm: bash Not tainted 2.6.17-1.2519.4.21.el5 #1
RIP: 0010:[<ffffffff80074226>]  [<ffffffff80074226>]
RSP: 0018:ffff8100dc5b5e78  EFLAGS: 00010202
RAX: ffffc20000078814 RBX: ffffc20000076c13 RCX: 00000000dc0f2000
RDX: ffff810037f694c8 RSI: 0000000000000000 RDI: ffffc20000078814
RBP: ffff8100dc5b5e98 R08: ffff8100dc5b5d38 R09: 000000000000003f
R10: ffffffff8007957b R11: ffffffff80079796 R12: ffffffff80789000
R13: 0000000000000000 R14: ffff810037f694c8 R15: 0000000000000001
FS:  00002aaaaaffc6e0(0000) GS:ffff810037fffdf0(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: ffffc20000076c13 CR3: 00000000dc0f2000 CR4: 00000000000006e0
Process bash (pid: 3829, threadinfo ffff8100dc5b4000, task ffff8100dec310c0)
Stack:  ffff8100dc5b5e98 0000000000000002 ffffffff80377b00 ffff8100df4682a0
 ffff8100dc5b5ef8 ffffffff80097c05 ffff8100dc5b5f48 0000000000000002
 00002aaaaaac2000 ffffffff80032492 0000000000000002 ffff810037f694c8
Call Trace:
 [<ffffffff80097c05>] do_rw_proc+0xd1/0x12c
 [<ffffffff80097c7a>] proc_writesys+0x1a/0x1c
 [<ffffffff800170a0>] vfs_write+0xcf/0x175
 [<ffffffff80017988>] sys_write+0x47/0x70
 [<ffffffff8006034e>] system_call+0x7e/0x83
DWARF2 unwinder stuck at system_call+0x7e/0x83
Leftover inexact backtrace:
Code: 66 c7 03 90 90 66 c7 00 90 90 e8 b3 05 01 00 48 89 df e8 ab
RIP  [<ffffffff80074226>] vsyscall_sysctl_change+0x9f/0xc1
 RSP <ffff8100dc5b5e78>
CR2: ffffc20000076c13

vsyscall_sysctl_change {
        /* excerpt: only the part of the function that touches the mappings */
        map1 = ioremap(__pa_vsymbol(&vsysc1), 2);
        if (!map1)
                return -ENOMEM;
        map2 = ioremap(__pa_vsymbol(&vsysc2), 2);
        if (!map2) {
                ret = -ENOMEM;
                goto out;
        }
        if (!sysctl_vsyscall) {
                *map1 = SYSCALL;
                *map2 = SYSCALL;
        } else {
                *map1 = NOP2; <<<<<<<<<<<<< HERE (write through the bogus mapping faults)
                *map2 = NOP2;
        }

map1 and map2 are incorrect due to wrong address translation in the __pa_vsymbol macro:

#define __pa_vsymbol(x)                 \
        ({unsigned long v;              \
        extern char __vsyscall_0;       \
          asm("" : "=r" (v) : "0" (x)); \
          ((v - VSYSCALL_FIRST_PAGE) + __pa_symbol(&__vsyscall_0)); })

VSYSCALL_FIRST_PAGE should be replaced by fix_to_virt(VSYSCALL_FIRST_PAGE).
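
The following user-space model is an added example and is not code from this bug report or from the RHEL kernel. It reproduces the arithmetic of the __pa_vsymbol() macro quoted above, once with the fixmap index VSYSCALL_FIRST_PAGE (the reported bug) and once with fix_to_virt(VSYSCALL_FIRST_PAGE) (the proposed fix), to show why the first form hands ioremap() a value that cannot be a physical address. The layout constants (VSYSCALL_START, VSYSCALL_END, FIXADDR_TOP, __START_KERNEL_map), the link address of __vsyscall_0 and the in-page offset of vsysc1 are assumptions modelled on the 2.6.18 x86_64 headers, not values taken from the page.

```c
/*
 * Added example (not from the bug report or the kernel): model of the
 * __pa_vsymbol() translation in arch/x86_64/kernel/vsyscall.c.
 * All constants below are assumptions modelled on the 2.6.18 x86_64 layout.
 */
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT         12
#define PAGE_SIZE          (1UL << PAGE_SHIFT)
#define __START_KERNEL_map 0xffffffff80000000UL   /* kernel image mapping base */
#define VSYSCALL_START     (-10UL << 20)          /* 0xffffffffff600000 */
#define VSYSCALL_END       (-2UL << 20)           /* 0xffffffffffe00000 */
#define FIXADDR_TOP        (VSYSCALL_END - PAGE_SIZE)

/* Fixmap *indices*: VSYSCALL_FIRST_PAGE is a small integer, not an address. */
enum fixed_addresses {
    VSYSCALL_LAST_PAGE,
    VSYSCALL_FIRST_PAGE = VSYSCALL_LAST_PAGE
        + ((VSYSCALL_END - VSYSCALL_START) >> PAGE_SHIFT) - 1,
};

/* fix_to_virt(): fixmap index -> virtual address of that fixmap page */
static inline uint64_t fix_to_virt(unsigned idx)
{
    return FIXADDR_TOP - ((uint64_t)idx << PAGE_SHIFT);
}

/* __pa_symbol(): kernel-image virtual address -> physical address */
static inline uint64_t pa_symbol(uint64_t vaddr)
{
    return vaddr - __START_KERNEL_map;
}

/* Assumed link address of __vsyscall_0 (constructed sample; build-dependent). */
#define VSYSCALL_0_LINK_ADDR 0xffffffff80789000UL

/* Buggy translation as quoted in the report: subtracts the fixmap index
 * (2047) from a vsyscall-page virtual address, so the result is still a
 * negative (top-bit-set) kernel-space value, not a physical address. */
uint64_t pa_vsymbol_buggy(uint64_t v)
{
    return (v - VSYSCALL_FIRST_PAGE) + pa_symbol(VSYSCALL_0_LINK_ADDR);
}

/* Proposed fix: subtract the virtual base of the vsyscall page, keeping only
 * the offset within the page, then add the physical address of the page
 * as it sits in the kernel image. */
uint64_t pa_vsymbol_fixed(uint64_t v)
{
    return (v - fix_to_virt(VSYSCALL_FIRST_PAGE))
         + pa_symbol(VSYSCALL_0_LINK_ADDR);
}

/* Sanity check a caller could apply before ioremap(): a value with any of
 * the top 17 bits set is beyond the 47-bit physical window and cannot be RAM. */
int is_plausible_phys(uint64_t pa)
{
    return (pa >> 47) == 0;
}

int main(void)
{
    /* constructed: vsysc1 lives at offset 0xc13 inside the vsyscall page */
    uint64_t vsysc1 = VSYSCALL_START + 0xc13;

    printf("VSYSCALL_FIRST_PAGE (index)      = %u\n", (unsigned)VSYSCALL_FIRST_PAGE);
    printf("fix_to_virt(VSYSCALL_FIRST_PAGE) = %#lx\n",
           (unsigned long)fix_to_virt(VSYSCALL_FIRST_PAGE));
    printf("buggy __pa_vsymbol(&vsysc1)      = %#lx (plausible: %d)\n",
           (unsigned long)pa_vsymbol_buggy(vsysc1),
           is_plausible_phys(pa_vsymbol_buggy(vsysc1)));
    printf("fixed __pa_vsymbol(&vsysc1)      = %#lx (plausible: %d)\n",
           (unsigned long)pa_vsymbol_fixed(vsysc1),
           is_plausible_phys(pa_vsymbol_fixed(vsysc1)));
    return 0;
}
```

With these assumed constants the index is 2047 and fix_to_virt(2047) equals VSYSCALL_START, so the subtraction in the fixed form leaves exactly the in-page offset; the buggy form instead yields a value near the top of the address space, which is what ioremap() was being asked to map before the faulting write in vsyscall_sysctl_change().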

Comment 1 Vasily Averin 2007-01-26 08:12:26 UTC
Created attachment 146668 [details]
patch fixed oops in vsyscall_sysctl_change()

Comment 2 Vasily Averin 2007-03-29 06:31:06 UTC
reproduced on 2.6.18-8.1.1.el5 kernel
# uname -a
Linux ts28 2.6.18-8.1.1.el5 #1 SMP Mon Feb 26 20:37:57 EST 2007 x86_64 x86_64
x86_64 GNU/Linux
# cat /proc/sys/kernel/vsyscall64
# echo 1 > /proc/sys/kernel/vsyscall64

Unable to handle kernel paging request at ffffc2000005ec0f RIP:
 [<ffffffff8006d972>] vsyscall_sysctl_change+0x96/0xb5
PGD dfe8b067 PUD dfe8c067 PMD dfe8d067 PTE ffffffffffbb8163
Oops: 000b [1] SMP
last sysfs file: /module/libata/version
Modules linked in: xt_tcpudp autofs4 hidp rfcomm l2cap bluetooth sunrpc 8021q
bridge ipv6 xt_length ipt_ttl xt_tcpmss ipt_TCPMSS iptable_mangle iptable_filter
xt_multiport xt_limit ipt_tos ipt_REJECT ip_tables x_tables dm_mirror dm_mod
video sbs i2c_ec button battery asus_acpi acpi_memhotplug ac lp snd_via82xx
gameport snd_ac97_codec snd_ac97_bus snd_seq_dummy sg snd_seq_oss
snd_seq_midi_event snd_seq snd_pcm_oss snd_mixer_oss snd_pcm shpchp snd_timer
snd_page_alloc snd_mpu401_uart ide_cd snd_rawmidi i2c_viapro floppy k8_edac tg3
parport_pc snd_seq_device i2c_core parport snd cdrom edac_mc pcspkr soundcore
serio_raw sata_via libata sd_mod scsi_mod ext3 jbd ehci_hcd ohci_hcd uhci_hcd
Pid: 3093, comm: bash Not tainted 2.6.18-8.1.1.el5 #1
RIP: 0010:[<ffffffff8006d972>]  [<ffffffff8006d972>]
RSP: 0018:ffff8100dcd4fe98  EFLAGS: 00010202
RAX: ffffc20000072810 RBX: ffffc2000005ec0f RCX: 00000000d6c10000
RDX: 0000000000000660 RSI: 0000000000000000 RDI: ffffc20000072810
RBP: ffffffff803b9000 R08: 0000000000000002 R09: 000000000000003e
R10: ffff8100dcd4fc98 R11: 000000d0ffffffff R12: 0000000000000000
R13: ffff8100de8936c0 R14: 0000000000000001 R15: 0000000000000002
FS:  00002aaaaaab6db0(0000) GS:ffffffff8038a000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: ffffc2000005ec0f CR3: 00000000d6c10000 CR4: 00000000000006e0
Process bash (pid: 3093, threadinfo ffff8100dcd4e000, task ffff8100dcf90860)
Stack:  0000000000000002 ffffffff802d47e0 ffff810037f340c0 ffffffff8008f51f
 0000000a09fc1aa4 ffff8100dcd4ff50 00002aaaadfbf000 00002aaaadfbf000
 0000000000000002 ffff8100de8936c0 0000000000000002 00002aaaadfbf000
Call Trace:
 [<ffffffff8008f51f>] do_rw_proc+0xcb/0x126
 [<ffffffff80016121>] vfs_write+0xce/0x174
 [<ffffffff800169b2>] sys_write+0x45/0x6e
 [<ffffffff8005b2c1>] tracesys+0xd1/0xdc
Code: 66 c7 03 90 90 66 c7 00 90 90 e8 29 f2 00 00 48 89 df e8 21
RIP  [<ffffffff8006d972>] vsyscall_sysctl_change+0x96/0xb5
 RSP <ffff8100dcd4fe98>
CR2: ffffc2000005ec0f
 <0>Kernel panic - not syncing: Fatal exception

Comment 3 Jeff Burke 2007-08-20 13:36:56 UTC
Posted patch to internal list for acceptance. Awaiting code review.

Vasily, Thank you for attaching the patch to the BZ. It is greatly appreciated.


Comment 4 RHEL Program Management 2007-11-01 23:45:32 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update

Comment 6 Don Zickus 2007-11-29 17:07:09 UTC
in 2.6.18-58.el5
You can download this test kernel from http://people.redhat.com/dzickus/el5

Comment 8 Vasily Averin 2008-03-19 15:30:38 UTC
reproduced on 2.6.18-53.el5
then verified on 2.6.18-85.el5

# uname -a
Linux ts28 2.6.18-85.el5 #1 SMP Tue Mar 11 18:51:21 EDT 2008 x86_64 x86_64
x86_64 GNU/Linux
# cat /proc/sys/kernel/vsyscall64
# echo 1 > /proc/sys/kernel/vsyscall64
# cat /proc/sys/kernel/vsyscall64
# echo 0 > /proc/sys/kernel/vsyscall64
# cat /proc/sys/kernel/vsyscall64

Comment 9 Mike Gahagan 2008-04-25 20:39:37 UTC
verified on the -90.el5 kernel.

Comment 11 errata-xmlrpc 2008-05-21 14:41:03 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

