Bug 247174 - bogus arguments to PTRACE_POKEUSER makes IA64 kernel crash
Summary: bogus arguments to PTRACE_POKEUSER makes IA64 kernel crash
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel   
(Show other bugs)
Version: 5.0
Hardware: ia64
OS: Linux
Target Milestone: ---
: ---
Assignee: Luming Yu
QA Contact: Martin Jenner
Depends On:
TreeView+ depends on / blocked
Reported: 2007-07-05 19:55 UTC by Robert Cohn
Modified: 2013-08-06 01:42 UTC (History)
1 user (show)

Fixed In Version: RHBA-2008-0314
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-05-21 14:45:39 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Running this program will crash the system. (1.50 KB, text/plain)
2007-07-05 19:55 UTC, Robert Cohn
no flags Details
ia64 utrace update (6.34 KB, patch)
2007-08-17 02:35 UTC, Luming Yu
no flags Details | Diff

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2008:0314 normal SHIPPED_LIVE Updated kernel packages for Red Hat Enterprise Linux 5.2 2008-05-20 18:43:34 UTC

Description Robert Cohn 2007-07-05 19:55:43 UTC
Description of problem:
Passing bogus arguments to PTRACE_POKEUSER makes the kernel crash on IA64.

Version-Release number of selected component (if applicable):
This test program was run on Linux vs-ipf-3 2.6.18-8.el5 #1 SMP Fri Jan 26
14:16:09 EST 2007 ia64 ia64 ia64 GNU/Linux

A more complicated version of the test program crashed 2.6.18-8.1.6 but I no
longer have access to that system to retest. It also crashed a EL3 IA64 system.

How reproducible:
Always and immediate.

Steps to Reproduce:

[rscohn1@vs-ipf-3 ~]$ gcc ptracebug.c
[rscohn1@vs-ipf-3 ~]$ which gcc
[rscohn1@vs-ipf-3 ~]$ ./a.out
ProcessB (2564) doing TRACEME
ProcessB (2564) doing exec
ProcessA (2563) waiting for ProcessB (2564)
ProcessA (2563) CONT ProcessB (2564)
ProcessA (2563) waiting for ProcessB (2564)

And the kernel crashes...

Comment 1 Robert Cohn 2007-07-05 19:55:43 UTC
Created attachment 158614 [details]
Running this program will crash the system.

Comment 2 Tony Luck 2007-07-10 21:01:55 UTC
Upstream kernel (2.6.22) does not crash with this test program (nor with 
Robert's original test case).

Comment 3 Luming Yu 2007-07-16 01:08:06 UTC
utrace patch has not in upstream yet. So it could explain why upstream kernel

Comment 4 Luming Yu 2007-08-16 03:59:07 UTC
I just tested the latest utrace kernel and unmodified upstream 2.6.23-rc3.
Actually all of them run into the problem with the dmesg log attached below. I'm
not sure if it is a regression from 2.6.22, I will re-test 2.6.22.

ls[4432]: General Exception: IA-64 Reserved Register/Field fault (data access)
549755813936 [4]
Modules linked in: nfs lockd sunrpc binfmt_misc dm_mirror dm_mod fan container
sg button thermal processor ehci_hcd ohci_hcd

Pid: 4432, CPU 2, comm:                   ls
psr : 00001210085a2010 ifs : 8000000000000000 ip  : [<a0000001006fc161>]   
Tainted: G      D
ip is at schedule+0x11c1/0x13a0
unat: ffffffffdeadbeef pfs : 0000000000000710 rsc : 0000000000000000
rnat: 0000000000000000 bsps: ffffffffdeadbee8 pr  : 0000000000566729
ldrs: 0000000000000000 ccv : ffffffffdeadbeef fpsr: 0009804c8a70433f
csd : 0000000000000000 ssd : 0000000000000000
b0  : a00000010000b860 b6  : ffffffffdeadbeef b7  : ffffffffdeadbeef
f6  : 1beefffffffffdeadbeef f7  : 1beefffffffffdeadbeef
f8  : 1beefffffffffdeadbeef f9  : 00000ffffffffdeadbeef
f10 : 000000000000000000000 f11 : 000000000000000000000
r1  : ffffffffdeadbeef r2  : ffffffffdeadbeef r3  : ffffffffdeadbeef
r8  : ffffffffdeadbeef r9  : ffffffffdeadbeef r10 : ffffffffdeadbeef
r11 : ffffffffdeadbeef r12 : ffffffffdeadbeef r13 : ffffffffdeadbeef
r14 : ffffffffdeadbeef r15 : ffffffffdeadbeef r16 : ffffffffdeadbeef
r17 : ffffffffdeadbeef r18 : ffffffffdeadbeef r19 : ffffffffdeadbeef
r20 : ffffffffdeadbeef r21 : ffffffffdeadbeef r22 : ffffffffdeadbeef
r23 : ffffffffdeadbeef r24 : ffffffffdeadbeef r25 : ffffffffdeadbeef
r26 : ffffffffdeadbeef r27 : ffffffffdeadbeef r28 : ffffffffdeadbeef
r29 : ffffffffdeadbeef r30 : ffffffffdeadbeef r31 : ffffffffdeadbeef

Call Trace:
 [<a000000100013f60>] show_stack+0x40/0xa0
                                sp=e0000001090ffa50 bsp=e0000001090f0cb0
 [<a000000100014be0>] show_regs+0x840/0x880
                                sp=e0000001090ffc20 bsp=e0000001090f0c58
 [<a0000001000371c0>] die+0x1a0/0x2a0
                                sp=e0000001090ffc20 bsp=e0000001090f0c10
 [<a000000100037310>] die_if_kernel+0x50/0x80
                                sp=e0000001090ffc20 bsp=e0000001090f0bd8
 [<a000000100038480>] ia64_fault+0x1140/0x1260
                                sp=e0000001090ffc20 bsp=e0000001090f0b80
 [<a00000010000b560>] ia64_leave_kernel+0x0/0x270
                                sp=e0000001090ffe30 bsp=e0000001090f0b80
 [<a0000001006fc160>] schedule+0x11c0/0x13a0
                                sp=e000000109100000 bsp=e0000001090f0b80

Comment 5 Luming Yu 2007-08-16 05:09:27 UTC
Tested 2.6.22 with the bogus arguments PTRACE_POKUSER test case, I get same
results with 2.6.23-rc3 as well as 2.6.23-rc3 + latest utrace patch.

Comment 6 Luming Yu 2007-08-17 02:35:07 UTC
Created attachment 161713 [details]
ia64 utrace update

Please help test the ia64 utrace update patch

Comment 7 RHEL Product and Program Management 2007-11-20 05:06:04 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update

Comment 9 Don Zickus 2007-12-21 20:17:17 UTC
in 2.6.18-62.el5
You can download this test kernel from http://people.redhat.com/dzickus/el5

Comment 12 errata-xmlrpc 2008-05-21 14:45:39 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.


Note You need to log in before you can comment on or make changes to this bug.