Bug 313081 - utrace: crash - utrace_get_signal
Summary: utrace: crash - utrace_get_signal
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: 7
Hardware: All
OS: Linux
Priority: medium
Severity: high
Target Milestone: ---
Assignee: Roland McGrath
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 312951
Blocks:
Reported: 2007-09-30 13:59 UTC by Jan Kratochvil
Modified: 2008-06-17 02:32 UTC (History)
CC List: 4 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-06-17 02:32:52 UTC
Type: ---
Embargoed:


Attachments
Testcase, a modified one from adobriyan-at-sw.ru. (2.39 KB, text/plain)
2007-09-30 13:59 UTC, Jan Kratochvil

Description Jan Kratochvil 2007-09-30 13:59:01 UTC
+++ This bug was initially created as a clone of Bug #312951 +++

The rawhide problem is present also in F7.

Description of problem:
-- Additional comment from adobriyan on 2007-05-29 03:55 EST --
We saw the following oops in the rhel5 utrace code

BUG: unable to handle kernel paging request at virtual address 7ca1c291
EIP is at utrace_get_signal+0x46/0x477
          get_signal_to_deliver+0xdf/0x3b1
          do_notify_resume+0xa9/0x6a5
          audit_syscall_exit+0x285/0x2a1
          work_notifysig+0x13/0x19
          copy_to_user_policy+0x73/0x7f

The failing IP corresponds to code in utrace_get_signal():

int
utrace_get_signal(struct task_struct *tsk, struct pt_regs *regs,
                  siginfo_t *info, struct k_sigaction *return_ka)
{
        struct utrace *utrace = tsk->utrace;
                ...
        if (utrace->u.live.signal != NULL) {
                signal.signr = utrace->u.live.signal->signr;
                copy_siginfo(info, utrace->u.live.signal->info);
                                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^

A bogus pointer was supplied here.

How should the ->utrace assignment be handled correctly?
---------------------------------------------------------------------

Seen on kernel-2.6.22.9-91.fc7.x86_64 (2 CPUs; qemu-kvm):

------------[ cut here ]------------
kernel BUG at kernel/utrace.c:328!
invalid opcode: 0000 [1] SMP 
last sysfs file: /class/sound/sequencer2/dev
CPU 0 
Modules linked in: snd_hda_intel snd_usb_audio snd_seq_dummy snd_seq_oss
snd_seq_midi_event snd_seq snd_pcm_oss snd_mixer_oss snd_pcm snd_timer
snd_page_alloc snd_usb_lib snd_rawmidi snd_seq_device snd_hwdep snd soundcore
nfs nfsd exportfs lockd nfs_acl sunrpc ipv6 dm_mirror dm_mod video sbs button
dock battery ac floppy 8139too 8139cp parport_pc mii parport sr_mod sg cdrom
ata_piix ahci libata sd_mod scsi_mod ext3 jbd mbcache uhci_hcd ohci_hcd ehci_hcd
Pid: 24866, comm: clone-get-signa Not tainted 2.6.22.9-91.fc7 #1
RIP: 0010:[<ffffffff81067ba6>]  [<ffffffff81067ba6>] check_dead_utrace+0xf2/0x158
RSP: 0018:ffff8100070ede68  EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff810008948800 RCX: 0000000000000000
RDX: 0000000000000008 RSI: ffff810007763900 RDI: ffff810008948800
RBP: 0000000000000000 R08: ffff810008948800 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: ffff810007763900
R13: 0000000000000000 R14: ffff810008948800 R15: 0000000000000000
FS:  00002aaaaaac2240(0000) GS:ffffffff813ad000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 000000304b550904 CR3: 000000000707f000 CR4: 00000000000006e0
Process clone-get-signa (pid: 24866, threadinfo ffff8100070ec000, task
ffff8100086e4800)
Stack:  0000000000000246 ffff810008948800 0000000000000000 000000000007e569
 000000000007e569 ffffffff8106830d ffff810007763900 ffff810008948800
 ffff8100077635c0 ffffffff8106846a ffff8100077635c0 ffff810008948800
Call Trace:
 [<ffffffff8106830d>] wake_quiescent+0x4f/0x10d
 [<ffffffff8106846a>] utrace_detach+0x9f/0xb2
 [<ffffffff8106a315>] ptrace_detach+0x65/0x101
 [<ffffffff8106a8cd>] ptrace_common+0x98/0x184
 [<ffffffff8106b32e>] sys_ptrace+0xf0/0x1ed
 [<ffffffff81009c71>] tracesys+0x71/0xda
 [<ffffffff81009cd5>] tracesys+0xd5/0xda


Code: 0f 0b eb fe 4c 89 e7 e8 e9 fd ff ff 49 83 fd 10 75 35 8b b3 
RIP  [<ffffffff81067ba6>] check_dead_utrace+0xf2/0x158
 RSP <ffff8100070ede68>

---------------------------------------------------------------------


Version-Release number of selected component (if applicable):
kernel-2.6.22.9-91.fc7.x86_64

How reproducible:
After 727 runs of the testcase; the testcase has 2000 internal loops => approx. the 1454000th cycle.

Steps to Reproduce:
1. gcc -o ./clone-get-signal ./clone-get-signal.c -Wall -ggdb2
2. while ./clone-get-signal ;do echo -n .;done

Actual results:
Kernel crash.

Expected results:
No kernel crash, just infinite dotting.
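The oops above is the kind of artifact a triager has to turn into a crash signature by hand before it can be matched against other reports. As an added example (it is not part of this bug report, the testcase attachment, or the kernel's utrace code), here is a small Python parser for the x86_64 oops text format that extracts the BUG site, the faulting symbol, the registers, the call trace and the Code: bytes, and derives a deduplication signature from them. The embedded sample is an abbreviated copy of the oops from this report; the field names and the signature layout are my own choice.

```python
"""Parse an x86_64 Linux kernel oops/BUG report into structured fields."""
import re

# Sample input: an abbreviated copy of the oops text from this bug report.
SAMPLE_OOPS = """\
------------[ cut here ]------------
kernel BUG at kernel/utrace.c:328!
invalid opcode: 0000 [1] SMP
CPU 0
Pid: 24866, comm: clone-get-signa Not tainted 2.6.22.9-91.fc7 #1
RIP: 0010:[<ffffffff81067ba6>]  [<ffffffff81067ba6>] check_dead_utrace+0xf2/0x158
RSP: 0018:ffff8100070ede68  EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff810008948800 RCX: 0000000000000000
Call Trace:
 [<ffffffff8106830d>] wake_quiescent+0x4f/0x10d
 [<ffffffff8106846a>] utrace_detach+0x9f/0xb2
 [<ffffffff8106a315>] ptrace_detach+0x65/0x101
 [<ffffffff8106a8cd>] ptrace_common+0x98/0x184
 [<ffffffff8106b32e>] sys_ptrace+0xf0/0x1ed
 [<ffffffff81009c71>] tracesys+0x71/0xda

Code: 0f 0b eb fe 4c 89 e7 e8 e9 fd ff ff 49 83 fd 10 75 35 8b b3
RIP  [<ffffffff81067ba6>] check_dead_utrace+0xf2/0x158
 RSP <ffff8100070ede68>
"""

# "[<addr>] symbol+0xoffset/0xsize" as printed for RIP and call-trace frames.
SYM_RE = re.compile(r"\[<([0-9a-f]+)>\]\s+(\S+)\+0x([0-9a-f]+)/0x([0-9a-f]+)")
BUG_RE = re.compile(r"kernel BUG at (\S+):(\d+)!")
PID_RE = re.compile(r"Pid: (\d+), comm: (\S+) (Not tainted|Tainted: \S+) (\S+)")
# General-purpose registers, EFLAGS and CRn; RSP carries a "0018:" segment
# prefix, and RIP is excluded because its value is a bracketed symbol.
REG_RE = re.compile(r"\b(R[A-Z0-9]{2}|EFLAGS|CR[0-4]): (?:[0-9a-f]{4}:)?([0-9a-f]{8,16})\b")


def _frame(m):
    """Turn a SYM_RE match into (symbol, offset, size)."""
    return (m.group(2), int(m.group(3), 16), int(m.group(4), 16))


def parse_oops(text):
    """Return a dict with the triage-relevant fields of one oops report."""
    result = {
        "bug_site": None,      # (file, line) from "kernel BUG at file:line!"
        "pid": None, "comm": None, "tainted": None, "kernel": None,
        "rip": None,           # (symbol, offset, size) of the faulting instruction
        "registers": {},       # name -> int value
        "call_trace": [],      # (symbol, offset, size), innermost frame first
        "code_bytes": [],      # bytes from the "Code:" line
        "fault_byte_index": None,  # index of a "<xx>" marked byte, if present
    }
    in_trace = False
    for line in text.splitlines():
        if in_trace:
            m = SYM_RE.search(line)
            if m:
                result["call_trace"].append(_frame(m))
                continue
            in_trace = False  # first non-frame line ends the trace block
        m = BUG_RE.search(line)
        if m:
            result["bug_site"] = (m.group(1), int(m.group(2)))
        m = PID_RE.search(line)
        if m:
            result["pid"] = int(m.group(1))
            result["comm"] = m.group(2)
            result["tainted"] = m.group(3) != "Not tainted"
            result["kernel"] = m.group(4)
        if line.startswith("RIP:") and result["rip"] is None:
            m = SYM_RE.search(line)
            if m:
                result["rip"] = _frame(m)
        for reg, val in REG_RE.findall(line):
            result["registers"][reg] = int(val, 16)
        if line.startswith("Call Trace:"):
            in_trace = True
        elif line.startswith("Code:"):
            for i, tok in enumerate(line.split()[1:]):
                marked = tok.startswith("<") and tok.endswith(">")
                try:
                    byte = int(tok.strip("<>"), 16)
                except ValueError:
                    continue  # e.g. "Code: Bad RIP value." has no bytes
                result["code_bytes"].append(byte)
                if marked:
                    result["fault_byte_index"] = i
    return result


def crash_signature(parsed, depth=3):
    """Deduplication key: BUG site, faulting symbol and the top `depth` callers."""
    site = parsed["bug_site"]
    site_str = "%s:%d" % site if site else None
    rip_sym = parsed["rip"][0] if parsed["rip"] else None
    callers = tuple(f[0] for f in parsed["call_trace"][:depth])
    return (site_str, rip_sym, callers)


if __name__ == "__main__":
    r = parse_oops(SAMPLE_OOPS)
    print(crash_signature(r))
    print("pid %d (%s) on %s" % (r["pid"], r["comm"], r["kernel"]))
```

The signature deliberately uses symbol names rather than addresses, so the same crash reported from kernels with different layouts (the F7 and F8 builds of this bug, for instance) collapses to one key, while the raw register values are kept for the analyst who needs to see which pointer was bogus.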

Comment 1 Jan Kratochvil 2007-09-30 13:59:01 UTC
Created attachment 211741 [details]
Testcase, a modified one from adobriyan-at-sw.ru.

Comment 2 Christopher Brown 2008-01-14 18:08:57 UTC
Hello,

I'm reviewing this bug as part of the kernel bug triage project, an attempt to
isolate current bugs in the Fedora kernel.

http://fedoraproject.org/wiki/KernelBugTriage

I am CC'ing myself to this bug and will try and assist you in resolving it if I can.

There hasn't been much activity on this bug for a while. Could you tell me if
you are still having problems with the latest kernel?

If the problem no longer exists then please close this bug or I'll do so in a
few days if there is no additional information lodged.

Comment 3 Jan Kratochvil 2008-01-14 18:33:50 UTC
(In reply to comment #2)
> There hasn't been much activity on this bug for a while. Could you tell me if
> you are still having problems with the latest kernel?

This bug unfortunately still exists - its Fedora 8 counterpart is Bug 312951 and
the main tracker page is at: http://sourceware.org/systemtap/wiki/utrace/tests


Comment 4 Bug Zapper 2008-05-14 14:34:49 UTC
This message is a reminder that Fedora 7 is nearing the end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 7. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '7'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 7's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 7 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug. If you are unable to change the version, please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. If possible, it is recommended that you try the newest available Fedora distribution to see if your bug still exists.

Please read the Release Notes for the newest Fedora distribution to make sure it will meet your needs:
http://docs.fedoraproject.org/release-notes/

The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 5 Bug Zapper 2008-06-17 02:32:51 UTC
Fedora 7 changed to end-of-life (EOL) status on June 13, 2008. Fedora 7 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.

