OpenVZ/Virtuozzo Linux kernel team has noticed the following issue on x86_64 RHEL5 beta kernels (at least on 2.6.17-1.2519.4.21.el5):

Any attempt to switch vsyscall64 leads to the oops

# cat /proc/sys/kernel/vsyscall64
0
# echo 1 >/proc/sys/kernel/vsyscall64
Unable to handle kernel paging request at ffffc20000076c13 RIP:
 [<ffffffff80074226>] vsyscall_sysctl_change+0x9f/0xc1
PGD dfe9b067 PUD dfe9c067 PMD dfe9d067 PTE fffffffffff88163
Oops: 000b [1] SMP
last sysfs file: /class/vc/vcsa6/dev
CPU 1
Modules linked in: ipv6 iptable_filter xt_length ipt_ttl xt_tcpmss ipt_TCPMSS iptable_mangle xt_multiport xt_limit ipt_tos ipt_REJECT ip_tables x_tables dm_mirror video sbs i2c_ec button battery asus_acpi ac uhci_hcd ehci_hcd i2c_viapro i2c_core k8_edac edac_mc snd_via82xx gameport snd_ac97_codec snd_ac97_bus snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd_page_alloc snd_mpu401_uart snd_rawmidi snd_seq_device snd soundcore tg3 floppy ide_cd cdrom ext3 jbd dm_mod i2o_block i2o_core sata_via libata sd_mod scsi_mod
Pid: 3829, comm: bash Not tainted 2.6.17-1.2519.4.21.el5 #1
RIP: 0010:[<ffffffff80074226>] [<ffffffff80074226>] vsyscall_sysctl_change+0x9f/0xc1
RSP: 0018:ffff8100dc5b5e78 EFLAGS: 00010202
RAX: ffffc20000078814 RBX: ffffc20000076c13 RCX: 00000000dc0f2000
RDX: ffff810037f694c8 RSI: 0000000000000000 RDI: ffffc20000078814
RBP: ffff8100dc5b5e98 R08: ffff8100dc5b5d38 R09: 000000000000003f
R10: ffffffff8007957b R11: ffffffff80079796 R12: ffffffff80789000
R13: 0000000000000000 R14: ffff810037f694c8 R15: 0000000000000001
FS: 00002aaaaaffc6e0(0000) GS:ffff810037fffdf0(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: ffffc20000076c13 CR3: 00000000dc0f2000 CR4: 00000000000006e0
Process bash (pid: 3829, threadinfo ffff8100dc5b4000, task ffff8100dec310c0)
Stack: ffff8100dc5b5e98 0000000000000002 ffffffff80377b00 ffff8100df4682a0
 ffff8100dc5b5ef8 ffffffff80097c05 ffff8100dc5b5f48 0000000000000002
 00002aaaaaac2000 ffffffff80032492 0000000000000002 ffff810037f694c8
Call Trace:
 [<ffffffff80097c05>] do_rw_proc+0xd1/0x12c
 [<ffffffff80097c7a>] proc_writesys+0x1a/0x1c
 [<ffffffff800170a0>] vfs_write+0xcf/0x175
 [<ffffffff80017988>] sys_write+0x47/0x70
 [<ffffffff8006034e>] system_call+0x7e/0x83
DWARF2 unwinder stuck at system_call+0x7e/0x83
Leftover inexact backtrace:

Code: 66 c7 03 90 90 66 c7 00 90 90 e8 b3 05 01 00 48 89 df e8 ab
RIP [<ffffffff80074226>] vsyscall_sysctl_change+0x9f/0xc1 RSP <ffff8100dc5b5e78>
CR2: ffffc20000076c13

vsyscall_sysctl_change
{
...
        map1 = ioremap(__pa_vsymbol(&vsysc1), 2);
        if (!map1)
                return -ENOMEM;
        map2 = ioremap(__pa_vsymbol(&vsysc2), 2);
        if (!map2) {
                ret = -ENOMEM;
                goto out;
        }
        if (!sysctl_vsyscall) {
                *map1 = SYSCALL;
                *map2 = SYSCALL;
        } else {
                *map1 = NOP2;   <<<<<<<<<<<<< HERE
                *map2 = NOP2;

map1 and map2 are incorrect due to wrong address translation in the __pa_vsymbol macro,

#define __pa_vsymbol(x) \
        ({unsigned long v; \
        extern char __vsyscall_0; \
          asm("" : "=r" (v) : "0" (x)); \
          ((v - VSYSCALL_FIRST_PAGE) + __pa_symbol(&__vsyscall_0)); })

VSYSCALL_FIRST_PAGE should be replaced by the fix_to_virt(VSYSCALL_FIRST_PAGE)
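The address arithmetic behind the report above, as an added example that is not part of the original bug comments or the attached patch: a userspace C model of the quoted __pa_vsymbol macro beside the proposed fix_to_virt(VSYSCALL_FIRST_PAGE) form. The layout constants, the physical base 0x789000 and the symbol offset 0x412 are assumptions made for illustration; the offset is chosen so that the miscalculated address ends in the page offset c13 seen in CR2 of the first oops.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1ULL << PAGE_SHIFT)

/* Assumed x86_64 layout: an 8 MB vsyscall window whose last page
 * sits directly below FIXADDR_TOP + PAGE_SIZE. */
#define VSYSCALL_START 0xffffffffff600000ULL
#define VSYSCALL_END   0xffffffffffe00000ULL
#define FIXADDR_TOP    (VSYSCALL_END - PAGE_SIZE)

/* A fixmap slot index (a small integer), not a virtual address. */
#define VSYSCALL_FIRST_PAGE \
        (((VSYSCALL_END - VSYSCALL_START) >> PAGE_SHIFT) - 1)

/* Fixmap slots grow downwards from FIXADDR_TOP. */
static uint64_t fix_to_virt(uint64_t idx)
{
        return FIXADDR_TOP - (idx << PAGE_SHIFT);
}

/* Macro as quoted in the report: subtracts the slot index from the address. */
uint64_t pa_vsymbol_buggy(uint64_t v, uint64_t pa_vsyscall_0)
{
        return (v - VSYSCALL_FIRST_PAGE) + pa_vsyscall_0;
}

/* Proposed form: subtracts the virtual address of the first vsyscall page. */
uint64_t pa_vsymbol_fixed(uint64_t v, uint64_t pa_vsyscall_0)
{
        return (v - fix_to_virt(VSYSCALL_FIRST_PAGE)) + pa_vsyscall_0;
}

int main(void)
{
        uint64_t pa_base = 0x789000ULL;            /* constructed physical base */
        uint64_t v = VSYSCALL_START + 0x412;       /* constructed symbol address */

        printf("slot index          : %llu\n",
               (unsigned long long)VSYSCALL_FIRST_PAGE);
        printf("buggy physical addr : %#llx\n",
               (unsigned long long)pa_vsymbol_buggy(v, pa_base));
        printf("fixed physical addr : %#llx\n",
               (unsigned long long)pa_vsymbol_fixed(v, pa_base));
        return 0;
}
```

The buggy result is not a usable physical address at all, so ioremap() maps the wrong memory and the later write through map1 faults.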
Created attachment 146668
patch fixed oops in vsyscall_sysctl_change()
reproduced on 2.6.18-8.1.1.el5 kernel

# uname -a
Linux ts28 2.6.18-8.1.1.el5 #1 SMP Mon Feb 26 20:37:57 EST 2007 x86_64 x86_64 x86_64 GNU/Linux
# cat /proc/sys/kernel/vsyscall64
0
# echo 1 > /proc/sys/kernel/vsyscall64
Unable to handle kernel paging request at ffffc2000005ec0f RIP:
 [<ffffffff8006d972>] vsyscall_sysctl_change+0x96/0xb5
PGD dfe8b067 PUD dfe8c067 PMD dfe8d067 PTE ffffffffffbb8163
Oops: 000b [1] SMP
last sysfs file: /module/libata/version
CPU 0
Modules linked in: xt_tcpudp autofs4 hidp rfcomm l2cap bluetooth sunrpc 8021q bridge ipv6 xt_length ipt_ttl xt_tcpmss ipt_TCPMSS iptable_mangle iptable_filter xt_multiport xt_limit ipt_tos ipt_REJECT ip_tables x_tables dm_mirror dm_mod video sbs i2c_ec button battery asus_acpi acpi_memhotplug ac lp snd_via82xx gameport snd_ac97_codec snd_ac97_bus snd_seq_dummy sg snd_seq_oss snd_seq_midi_event snd_seq snd_pcm_oss snd_mixer_oss snd_pcm shpchp snd_timer snd_page_alloc snd_mpu401_uart ide_cd snd_rawmidi i2c_viapro floppy k8_edac tg3 parport_pc snd_seq_device i2c_core parport snd cdrom edac_mc pcspkr soundcore serio_raw sata_via libata sd_mod scsi_mod ext3 jbd ehci_hcd ohci_hcd uhci_hcd
Pid: 3093, comm: bash Not tainted 2.6.18-8.1.1.el5 #1
RIP: 0010:[<ffffffff8006d972>] [<ffffffff8006d972>] vsyscall_sysctl_change+0x96/0xb5
RSP: 0018:ffff8100dcd4fe98 EFLAGS: 00010202
RAX: ffffc20000072810 RBX: ffffc2000005ec0f RCX: 00000000d6c10000
RDX: 0000000000000660 RSI: 0000000000000000 RDI: ffffc20000072810
RBP: ffffffff803b9000 R08: 0000000000000002 R09: 000000000000003e
R10: ffff8100dcd4fc98 R11: 000000d0ffffffff R12: 0000000000000000
MR13: ffff8100de8936c0 R14: 0000000000000001 R15: 0000000000000002
FS: 00002aaaaaab6db0(0000) GS:ffffffff8038a000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: ffffc2000005ec0f CR3: 00000000d6c10000 CR4: 00000000000006e0
Process bash (pid: 3093, threadinfo ffff8100dcd4e000, task ffff8100dcf90860)
Stack: 0000000000000002 ffffffff802d47e0 ffff810037f340c0 ffffffff8008f51f
 0000000a09fc1aa4 ffff8100dcd4ff50 00002aaaadfbf000 00002aaaadfbf000
 0000000000000002 ffff8100de8936c0 0000000000000002 00002aaaadfbf000
Call Trace:
 [<ffffffff8008f51f>] do_rw_proc+0xcb/0x126
 [<ffffffff80016121>] vfs_write+0xce/0x174
 [<ffffffff800169b2>] sys_write+0x45/0x6e
 [<ffffffff8005b2c1>] tracesys+0xd1/0xdc

Code: 66 c7 03 90 90 66 c7 00 90 90 e8 29 f2 00 00 48 89 df e8 21
RIP [<ffffffff8006d972>] vsyscall_sysctl_change+0x96/0xb5 RSP <ffff8100dcd4fe98>
CR2: ffffc2000005ec0f
<0>Kernel panic - not syncing: Fatal exception
Posted patch to internal list for acceptance. Awaiting code review.

Vasily,
Thank you for attaching the patch to the BZ. It is greatly appreciated.

Regards,
Jeff
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
in 2.6.18-58.el5
You can download this test kernel from http://people.redhat.com/dzickus/el5
reproduced on 2.6.18-53.el5 then verified on 2.6.18-85.el5

# uname -a
Linux ts28 2.6.18-85.el5 #1 SMP Tue Mar 11 18:51:21 EDT 2008 x86_64 x86_64 x86_64 GNU/Linux
# cat /proc/sys/kernel/vsyscall64
0
# echo 1 > /proc/sys/kernel/vsyscall64
# cat /proc/sys/kernel/vsyscall64
1
# echo 0 > /proc/sys/kernel/vsyscall64
# cat /proc/sys/kernel/vsyscall64
0
verified on the -90.el5 kernel.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2008-0314.html