Description of problem:
Passing bogus arguments to PTRACE_POKEUSER makes the kernel crash on IA64.

Version-Release number of selected component (if applicable):
This test program was run on
Linux vs-ipf-3 2.6.18-8.el5 #1 SMP Fri Jan 26 14:16:09 EST 2007 ia64 ia64 ia64 GNU/Linux
A more complicated version of the test program crashed 2.6.18-8.1.6, but I no longer have access to that system to retest. It also crashed an EL3 IA64 system.

How reproducible:
Always and immediate.

Steps to Reproduce:
[rscohn1@vs-ipf-3 ~]$ gcc ptracebug.c
[rscohn1@vs-ipf-3 ~]$ which gcc
/usr/bin/gcc
[rscohn1@vs-ipf-3 ~]$ ./a.out
ProcessB (2564) doing TRACEME
ProcessB (2564) doing exec
ProcessA (2563) waiting for ProcessB (2564)
ProcessA (2563) CONT ProcessB (2564)
ProcessA (2563) waiting for ProcessB (2564)

And the kernel crashes...
Created attachment 158614 [details] Running this program will crash the system.
Upstream kernel (2.6.22) does not crash with this test program (nor with Robert's original test case).
The utrace patch is not in upstream yet, so that could explain why the upstream kernel works.
I just tested the latest utrace kernel and unmodified upstream 2.6.23-rc3. Actually all of them run into the problem with the dmesg log attached below. I'm not sure if it is a regression from 2.6.22; I will re-test 2.6.22.

ls[4432]: General Exception: IA-64 Reserved Register/Field fault (data access) 549755813936 [4]
Modules linked in: nfs lockd sunrpc binfmt_misc dm_mirror dm_mod fan container sg button thermal processor ehci_hcd ohci_hcd

Pid: 4432, CPU 2, comm: ls
psr : 00001210085a2010 ifs : 8000000000000000 ip : [<a0000001006fc161>] Tainted: G D
ip is at schedule+0x11c1/0x13a0
unat: ffffffffdeadbeef pfs : 0000000000000710 rsc : 0000000000000000
rnat: 0000000000000000 bsps: ffffffffdeadbee8 pr : 0000000000566729
ldrs: 0000000000000000 ccv : ffffffffdeadbeef fpsr: 0009804c8a70433f
csd : 0000000000000000 ssd : 0000000000000000
b0 : a00000010000b860 b6 : ffffffffdeadbeef b7 : ffffffffdeadbeef
f6 : 1beefffffffffdeadbeef f7 : 1beefffffffffdeadbeef
f8 : 1beefffffffffdeadbeef f9 : 00000ffffffffdeadbeef
f10 : 000000000000000000000 f11 : 000000000000000000000
r1 : ffffffffdeadbeef r2 : ffffffffdeadbeef r3 : ffffffffdeadbeef
r8 : ffffffffdeadbeef r9 : ffffffffdeadbeef r10 : ffffffffdeadbeef
r11 : ffffffffdeadbeef r12 : ffffffffdeadbeef r13 : ffffffffdeadbeef
r14 : ffffffffdeadbeef r15 : ffffffffdeadbeef r16 : ffffffffdeadbeef
r17 : ffffffffdeadbeef r18 : ffffffffdeadbeef r19 : ffffffffdeadbeef
r20 : ffffffffdeadbeef r21 : ffffffffdeadbeef r22 : ffffffffdeadbeef
r23 : ffffffffdeadbeef r24 : ffffffffdeadbeef r25 : ffffffffdeadbeef
r26 : ffffffffdeadbeef r27 : ffffffffdeadbeef r28 : ffffffffdeadbeef
r29 : ffffffffdeadbeef r30 : ffffffffdeadbeef r31 : ffffffffdeadbeef

Call Trace:
[<a000000100013f60>] show_stack+0x40/0xa0
sp=e0000001090ffa50 bsp=e0000001090f0cb0
[<a000000100014be0>] show_regs+0x840/0x880
sp=e0000001090ffc20 bsp=e0000001090f0c58
[<a0000001000371c0>] die+0x1a0/0x2a0
sp=e0000001090ffc20 bsp=e0000001090f0c10
[<a000000100037310>] die_if_kernel+0x50/0x80
sp=e0000001090ffc20 bsp=e0000001090f0bd8
[<a000000100038480>] ia64_fault+0x1140/0x1260
sp=e0000001090ffc20 bsp=e0000001090f0b80
[<a00000010000b560>] ia64_leave_kernel+0x0/0x270
sp=e0000001090ffe30 bsp=e0000001090f0b80
[<a0000001006fc160>] schedule+0x11c0/0x13a0
sp=e000000109100000 bsp=e0000001090f0b80
Tested 2.6.22 with the bogus-arguments PTRACE_POKEUSER test case; I get the same results with 2.6.23-rc3 as well as 2.6.23-rc3 + the latest utrace patch.
Created attachment 161713 [details] ia64 utrace update
Please help test the ia64 utrace update patch.
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
In 2.6.18-62.el5.
You can download this test kernel from http://people.redhat.com/dzickus/el5
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2008-0314.html