Bug 224541 - oops in vsyscall_sysctl_change()
Summary: oops in vsyscall_sysctl_change()
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel
Version: 5.0
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: ---
Assignee: Jeff Burke
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks: 425461
 
Reported: 2007-01-26 08:12 UTC by Vasily Averin
Modified: 2008-05-21 14:41 UTC (History)

Fixed In Version: RHBA-2008-0314
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-05-21 14:41:03 UTC
Target Upstream Version:
Embargoed:


Attachments
patch fixed oops in vsyscall_sysctl_change() (1.02 KB, patch)
2007-01-26 08:12 UTC, Vasily Averin


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2008:0314 0 normal SHIPPED_LIVE Updated kernel packages for Red Hat Enterprise Linux 5.2 2008-05-20 18:43:34 UTC

Description Vasily Averin 2007-01-26 08:12:26 UTC
OpenVZ/Virtuozzo linux kernel team has noticed the following issue on x86_64
RHEL5 beta kernels (at least on 2.6.17-1.2519.4.21.el5):

Any attempt to switch vsyscall64 leads to the oops

# cat /proc/sys/kernel/vsyscall64
0
# echo 1 >/proc/sys/kernel/vsyscall64

Unable to handle kernel paging request at ffffc20000076c13 RIP:
 [<ffffffff80074226>] vsyscall_sysctl_change+0x9f/0xc1
PGD dfe9b067 PUD dfe9c067 PMD dfe9d067 PTE fffffffffff88163
Oops: 000b [1] SMP
last sysfs file: /class/vc/vcsa6/dev
CPU 1
Modules linked in: ipv6 iptable_filter xt_length ipt_ttl xt_tcpmss ipt_TCPMSS
iptable_mangle xt_multiport xt_limit ipt_tos ipt_REJECT ip_tables x_tables dm_m
irror video sbs i2c_ec button battery asus_acpi ac uhci_hcd ehci_hcd i2c_viapro
i2c_core k8_edac edac_mc snd_via82xx gameport snd_ac97_codec snd_ac97_bus
snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd_page_alloc snd_mpu401_uart
snd_rawmidi snd_seq_device snd soundcore tg3 floppy ide_cd cdrom ext3 jbd dm_mod
i2o_block i2o_core sata_via libata sd_mod scsi_mod
Pid: 3829, comm: bash Not tainted 2.6.17-1.2519.4.21.el5 #1
RIP: 0010:[<ffffffff80074226>]  [<ffffffff80074226>]
vsyscall_sysctl_change+0x9f/0xc1
RSP: 0018:ffff8100dc5b5e78  EFLAGS: 00010202
RAX: ffffc20000078814 RBX: ffffc20000076c13 RCX: 00000000dc0f2000
RDX: ffff810037f694c8 RSI: 0000000000000000 RDI: ffffc20000078814
RBP: ffff8100dc5b5e98 R08: ffff8100dc5b5d38 R09: 000000000000003f
R10: ffffffff8007957b R11: ffffffff80079796 R12: ffffffff80789000
R13: 0000000000000000 R14: ffff810037f694c8 R15: 0000000000000001
FS:  00002aaaaaffc6e0(0000) GS:ffff810037fffdf0(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: ffffc20000076c13 CR3: 00000000dc0f2000 CR4: 00000000000006e0
Process bash (pid: 3829, threadinfo ffff8100dc5b4000, task ffff8100dec310c0)
Stack:  ffff8100dc5b5e98 0000000000000002 ffffffff80377b00 ffff8100df4682a0
 ffff8100dc5b5ef8 ffffffff80097c05 ffff8100dc5b5f48 0000000000000002
 00002aaaaaac2000 ffffffff80032492 0000000000000002 ffff810037f694c8
Call Trace:
 [<ffffffff80097c05>] do_rw_proc+0xd1/0x12c
 [<ffffffff80097c7a>] proc_writesys+0x1a/0x1c
 [<ffffffff800170a0>] vfs_write+0xcf/0x175
 [<ffffffff80017988>] sys_write+0x47/0x70
 [<ffffffff8006034e>] system_call+0x7e/0x83
DWARF2 unwinder stuck at system_call+0x7e/0x83
Leftover inexact backtrace:
Code: 66 c7 03 90 90 66 c7 00 90 90 e8 b3 05 01 00 48 89 df e8 ab
RIP  [<ffffffff80074226>] vsyscall_sysctl_change+0x9f/0xc1
 RSP <ffff8100dc5b5e78>
CR2: ffffc20000076c13

vsyscall_sysctl_change {
...
        map1 = ioremap(__pa_vsymbol(&vsysc1), 2);
        if (!map1)
                return -ENOMEM;
        map2 = ioremap(__pa_vsymbol(&vsysc2), 2);
        if (!map2) {
                ret = -ENOMEM;
                goto out;
        }
        if (!sysctl_vsyscall) {
                *map1 = SYSCALL;
                *map2 = SYSCALL;
        } else {
                *map1 = NOP2; <<<<<<<<<<<<< HERE
                *map2 = NOP2;

map1 and map2 are incorrect due to wrong address translation in the __pa_vsymbol macro:

#define __pa_vsymbol(x)                 \
        ({unsigned long v;              \
        extern char __vsyscall_0;       \
          asm("" : "=r" (v) : "0" (x)); \
          ((v - VSYSCALL_FIRST_PAGE) + __pa_symbol(&__vsyscall_0)); })

VSYSCALL_FIRST_PAGE should be replaced by the fix_to_virt(VSYSCALL_FIRST_PAGE)
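The following is an added user-space model of the translation described above, not the kernel's own code: it implements __pa_vsymbol() both as reported (subtracting the fixmap index VSYSCALL_FIRST_PAGE) and as proposed (subtracting fix_to_virt(VSYSCALL_FIRST_PAGE)) and checks whether each result lands in the physical page that holds __vsyscall_0. The vsyscall window, fixmap layout, PA_VSYSCALL_0 and the symbol offset are assumed constants constructed for the example.

```c
/* Added example (not kernel code): model of the x86_64 __pa_vsymbol() bug.
 * Layout constants follow the 2.6.18-era x86_64 arrangement as assumed here. */
#include <stdio.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1ULL << PAGE_SHIFT)

/* Assumed: the vsyscall area is the window [-10 MiB, -2 MiB) at the top of
 * the address space, and the fixmap grows downward from just below it. */
#define VSYSCALL_START  (-10ULL << 20)          /* 0xffffffffff600000 */
#define VSYSCALL_END    (-2ULL << 20)           /* 0xffffffffffe00000 */
#define FIXADDR_TOP     (VSYSCALL_END - PAGE_SIZE)

/* Fixmap slots are page indices, not addresses: slot 0 is the last vsyscall
 * page, and the first vsyscall page has the highest index in the window. */
#define VSYSCALL_LAST_PAGE  0ULL
#define VSYSCALL_FIRST_PAGE \
    (VSYSCALL_LAST_PAGE + ((VSYSCALL_END - VSYSCALL_START) >> PAGE_SHIFT) - 1)

/* Index -> virtual address, as the kernel's fix_to_virt() does. */
unsigned long long fix_to_virt(unsigned long long idx)
{
    return FIXADDR_TOP - (idx << PAGE_SHIFT);
}

/* Constructed physical address of __vsyscall_0 inside the kernel image. */
#define PA_VSYSCALL_0 0x78c000ULL

/* Translation as reported: subtracts the fixmap *index* from a virtual address,
 * so the "offset" is off by nearly the whole address width. */
unsigned long long pa_vsymbol_broken(unsigned long long v)
{
    return (v - VSYSCALL_FIRST_PAGE) + PA_VSYSCALL_0;
}

/* Translation as proposed in the report: offset of the symbol within the
 * vsyscall page, rebased onto the physical copy of __vsyscall_0. */
unsigned long long pa_vsymbol_fixed(unsigned long long v)
{
    return (v - fix_to_virt(VSYSCALL_FIRST_PAGE)) + PA_VSYSCALL_0;
}

/* The result is only meaningful if it lies in the page holding __vsyscall_0. */
int in_vsyscall_page(unsigned long long pa)
{
    return pa >= PA_VSYSCALL_0 && pa < PA_VSYSCALL_0 + PAGE_SIZE;
}

int main(void)
{
    unsigned long long vsysc1 = VSYSCALL_START + 0x123; /* constructed symbol */
    printf("broken: %#llx in page: %d\n", pa_vsymbol_broken(vsysc1),
           in_vsyscall_page(pa_vsymbol_broken(vsysc1)));
    printf("fixed:  %#llx in page: %d\n", pa_vsymbol_fixed(vsysc1),
           in_vsyscall_page(pa_vsymbol_fixed(vsysc1)));
    return 0;
}
```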

Comment 1 Vasily Averin 2007-01-26 08:12:26 UTC
Created attachment 146668 [details]
patch fixed oops in vsyscall_sysctl_change()

Comment 2 Vasily Averin 2007-03-29 06:31:06 UTC
reproduced on 2.6.18-8.1.1.el5 kernel
# uname -a
Linux ts28 2.6.18-8.1.1.el5 #1 SMP Mon Feb 26 20:37:57 EST 2007 x86_64 x86_64
x86_64 GNU/Linux
# cat /proc/sys/kernel/vsyscall64
0
# echo 1 > /proc/sys/kernel/vsyscall64

Unable to handle kernel paging request at ffffc2000005ec0f RIP:
 [<ffffffff8006d972>] vsyscall_sysctl_change+0x96/0xb5
PGD dfe8b067 PUD dfe8c067 PMD dfe8d067 PTE ffffffffffbb8163
Oops: 000b [1] SMP
last sysfs file: /module/libata/version
CPU 0
Modules linked in: xt_tcpudp autofs4 hidp rfcomm l2cap bluetooth sunrpc 8021q
bridge ipv6 xt_length ipt_ttl xt_tcpmss ipt_TCPMSS iptable_mangle iptable_filter
xt_multiport xt_limit ipt_tos ipt_REJECT ip_tables x_tables dm_mirror dm_mod
video sbs i2c_ec button battery asus_acpi acpi_memhotplug ac lp snd_via82xx
gameport snd_ac97_codec snd_ac97_bus snd_seq_dummy sg snd_seq_oss
snd_seq_midi_event snd_seq snd_pcm_oss snd_mixer_oss snd_pcm shpchp snd_timer
snd_page_alloc snd_mpu401_uart ide_cd snd_rawmidi i2c_viapro floppy k8_edac tg3
parport_pc snd_seq_device i2c_core parport snd cdrom edac_mc pcspkr soundcore
serio_raw sata_via libata sd_mod scsi_mod ext3 jbd ehci_hcd ohci_hcd uhci_hcd
Pid: 3093, comm: bash Not tainted 2.6.18-8.1.1.el5 #1
RIP: 0010:[<ffffffff8006d972>]  [<ffffffff8006d972>]
vsyscall_sysctl_change+0x96/0xb5
RSP: 0018:ffff8100dcd4fe98  EFLAGS: 00010202
RAX: ffffc20000072810 RBX: ffffc2000005ec0f RCX: 00000000d6c10000
RDX: 0000000000000660 RSI: 0000000000000000 RDI: ffffc20000072810
RBP: ffffffff803b9000 R08: 0000000000000002 R09: 000000000000003e
R10: ffff8100dcd4fc98 R11: 000000d0ffffffff R12: 0000000000000000
R13: ffff8100de8936c0 R14: 0000000000000001 R15: 0000000000000002
FS:  00002aaaaaab6db0(0000) GS:ffffffff8038a000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: ffffc2000005ec0f CR3: 00000000d6c10000 CR4: 00000000000006e0
Process bash (pid: 3093, threadinfo ffff8100dcd4e000, task ffff8100dcf90860)
Stack:  0000000000000002 ffffffff802d47e0 ffff810037f340c0 ffffffff8008f51f
 0000000a09fc1aa4 ffff8100dcd4ff50 00002aaaadfbf000 00002aaaadfbf000
 0000000000000002 ffff8100de8936c0 0000000000000002 00002aaaadfbf000
Call Trace:
 [<ffffffff8008f51f>] do_rw_proc+0xcb/0x126
 [<ffffffff80016121>] vfs_write+0xce/0x174
 [<ffffffff800169b2>] sys_write+0x45/0x6e
 [<ffffffff8005b2c1>] tracesys+0xd1/0xdc
Code: 66 c7 03 90 90 66 c7 00 90 90 e8 29 f2 00 00 48 89 df e8 21
RIP  [<ffffffff8006d972>] vsyscall_sysctl_change+0x96/0xb5
 RSP <ffff8100dcd4fe98>
CR2: ffffc2000005ec0f
 <0>Kernel panic - not syncing: Fatal exception


Comment 3 Jeff Burke 2007-08-20 13:36:56 UTC
Posted patch to internal list for acceptance. Awaiting code review.

Vasily, Thank you for attaching the patch to the BZ. It is greatly appreciated.

Regards,
Jeff

Comment 4 RHEL Program Management 2007-11-01 23:45:32 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 6 Don Zickus 2007-11-29 17:07:09 UTC
in 2.6.18-58.el5
You can download this test kernel from http://people.redhat.com/dzickus/el5

Comment 8 Vasily Averin 2008-03-19 15:30:38 UTC
reproduced on 2.6.18-53.el5
then verified on 2.6.18-85.el5

# uname -a
Linux ts28 2.6.18-85.el5 #1 SMP Tue Mar 11 18:51:21 EDT 2008 x86_64 x86_64
x86_64 GNU/Linux
# cat /proc/sys/kernel/vsyscall64
0
# echo 1 > /proc/sys/kernel/vsyscall64
# cat /proc/sys/kernel/vsyscall64
1
# echo 0 > /proc/sys/kernel/vsyscall64
# cat /proc/sys/kernel/vsyscall64
0


Comment 9 Mike Gahagan 2008-04-25 20:39:37 UTC
verified on the -90.el5 kernel.


Comment 11 errata-xmlrpc 2008-05-21 14:41:03 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0314.html


