From: "izi at guardicore dot com" <sourceware-bugzilla@sourceware.org>
To: systemtap@sourceware.org
Subject: [Bug runtime/17862] Kernel crash on module insertion: kernel tried to execute NX-protected page - exploit attempt
Date: Thu, 22 Jan 2015 08:41:00 -0000
Message-ID: <bug-17862-6586-emMoXcbanU@http.sourceware.org/bugzilla/>
In-Reply-To: <bug-17862-6586@http.sourceware.org/bugzilla/>
https://sourceware.org/bugzilla/show_bug.cgi?id=17862
--- Comment #6 from izi at guardicore dot com ---
I'm loading several systemtap modules concurrently, so I'm guessing there is a
race here. The other modules also include a few uprobes and a timer probe for
each one. The module insertion usually works fine in 9 out of 10 runs and I see
the printfs later on when the probed functions are called. So it probably does
successfully install the probes in the correct place, unless a race occurs.
Additionally, I see that the crash doesn't necessarily occur in the same
place. This could be the same problem or a separate one. For instance, one of
them:
Jan 18 05:37:36 ldsm kernel: [ 17.113464] WARNING: CPU: 0 PID: 2759 at
/build/buildd/linux-3.11.0/kernel/trace/ftrace.c:1701 ftrace_bug+0x206/0x270()
Jan 18 05:37:36 ldsm kernel: [ 17.113465] Modules linked in: gc__2757(OF+)
g_2759(OF+) gc_2751(OF) g_2745(OF) g_2742(OF) veth(F) arc4(F) md4(F) nls_utf8
cifs(F) fscache(F) openvswitch gre(F) snd_hda_intel cirrus snd_hda_codec ttm
drm_kms_helper microcode(F) snd_hwdep(F) psmouse(F) snd_pcm(F) serio_raw(F)
snd_page_alloc(F) drm virtio_balloon(F) snd_timer(F) snd(F) soundcore(F)
syscopyarea(F) sysfillrect(F) sysimgblt(F) i2c_piix4 mac_hid lp(F) parport(F)
ext2(F) 8139too(F) 8139cp(F) mii(F) floppy(F)
Jan 18 05:37:36 ldsm kernel: [ 17.113498] CPU: 0 PID: 2759 Comm: staprun
Tainted: GF O 3.11.0-12-generic #19-Ubuntu
Jan 18 05:37:36 ldsm kernel: [ 17.113500] Hardware name: QEMU Standard PC
(i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Jan 18 05:37:36 ldsm kernel: [ 17.113501] 0000000000000009 ffff88006a99bc30
ffffffff816e547a 0000000000000000
Jan 18 05:37:36 ldsm kernel: [ 17.113504] ffff88006a99bc68 ffffffff81061dbd
0000000000000000 ffffffffa0358000
Jan 18 05:37:36 ldsm kernel: [ 17.113506] ffff88007b735b80 0000000000000000
ffff880069d85000 ffff88006a99bc78
Jan 18 05:37:36 ldsm kernel: [ 17.113508] Call Trace:
Jan 18 05:37:36 ldsm kernel: [ 17.113514] [<ffffffff816e547a>]
dump_stack+0x45/0x56
Jan 18 05:37:36 ldsm kernel: [ 17.113517] [<ffffffff81061dbd>]
warn_slowpath_common+0x7d/0xa0
Jan 18 05:37:36 ldsm kernel: [ 17.113520] [<ffffffffa0358000>] ?
0xffffffffa0357fff
Jan 18 05:37:36 ldsm kernel: [ 17.113522] [<ffffffff81061e9a>]
warn_slowpath_null+0x1a/0x20
Jan 18 05:37:36 ldsm kernel: [ 17.113525] [<ffffffff81108566>]
ftrace_bug+0x206/0x270
Jan 18 05:37:36 ldsm kernel: [ 17.113527] [<ffffffffa0358000>] ?
0xffffffffa0357fff
Jan 18 05:37:36 ldsm kernel: [ 17.113529] [<ffffffff811088da>]
ftrace_process_locs+0x30a/0x640
Jan 18 05:37:36 ldsm kernel: [ 17.113532] [<ffffffff81108c4c>]
ftrace_module_notify_enter+0x3c/0x40
Jan 18 05:37:36 ldsm kernel: [ 17.113535] [<ffffffff816f0a7c>]
notifier_call_chain+0x4c/0x70
Jan 18 05:37:36 ldsm kernel: [ 17.113539] [<ffffffff8108a1dd>]
__blocking_notifier_call_chain+0x4d/0x70
Jan 18 05:37:36 ldsm kernel: [ 17.113541] [<ffffffff8108a216>]
blocking_notifier_call_chain+0x16/0x20
Jan 18 05:37:36 ldsm kernel: [ 17.113544] [<ffffffff810cbd3f>]
load_module+0x125f/0x1b80
Jan 18 05:37:36 ldsm kernel: [ 17.113546] [<ffffffff810c7c60>] ?
store_uevent+0x40/0x40
Jan 18 05:37:36 ldsm kernel: [ 17.113550] [<ffffffff810cc702>]
SyS_init_module+0xa2/0xf0
Jan 18 05:37:36 ldsm kernel: [ 17.113552] [<ffffffff816f542f>]
tracesys+0xe1/0xe6
Jan 18 05:37:36 ldsm kernel: [ 17.113554] ---[ end trace 41fb784a51ea714c
]---
Jan 18 05:37:36 ldsm kernel: [ 17.113555] ftrace faulted on writing
[<ffffffffa0358000>] stp_task_work_cancel+0x0/0x20 [g_2759]
Jan 18 05:37:36 ldsm kernel: [ 17.121994] gc_2751: systemtap: 2.6/0.157,
base: ffffffffa0319000, memory: 195data/52text/960ctx/2058net/9alloc kb,
probes: 2
Jan 18 05:37:36 ldsm kernel: [ 17.183226] g_2759: systemtap: 2.6/0.157, base:
ffffffffa0358000, memory: 191data/48text/448ctx/2058net/9alloc kb, probes: 2
But it also crashes in other places.
--
You are receiving this mail because:
You are the assignee for the bug.
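The trace above says ftrace faulted while writing to stp_task_work_cancel+0x0 in g_2759 during load_module, while other stap modules were marked (OF+), i.e. still loading. The triage helper below is an added example (not part of the bug report or of systemtap) that parses a constructed, syslog-prefix-stripped excerpt of that trace, pulls out the faulting address, symbol and module, the modules still being loaded, and each module's base from the systemtap banner line, and checks whether the fault landed exactly on the module's base address while another module was loading concurrently.

```python
import re

# Constructed excerpt of the posted trace with the syslog prefixes stripped
# and the "Modules linked in" line trimmed to the systemtap modules.
SAMPLE_LOG = """\
Modules linked in: gc__2757(OF+) g_2759(OF+) gc_2751(OF) g_2745(OF) veth(F)
ftrace faulted on writing [<ffffffffa0358000>] stp_task_work_cancel+0x0/0x20 [g_2759]
gc_2751: systemtap: 2.6/0.157, base: ffffffffa0319000, memory: 195data/52text/960ctx/2058net/9alloc kb, probes: 2
g_2759: systemtap: 2.6/0.157, base: ffffffffa0358000, memory: 191data/48text/448ctx/2058net/9alloc kb, probes: 2
"""

MODLIST_RE = re.compile(r"Modules linked in: (.*)")
MODULE_RE = re.compile(r"(\w+)\(([A-Z+\-]*)\)")          # name(taint flags)
FAULT_RE = re.compile(
    r"ftrace faulted on writing \[<([0-9a-f]+)>\] (\w+)\+0x[0-9a-f]+/0x[0-9a-f]+ \[(\w+)\]")
BASE_RE = re.compile(r"^(\w+): systemtap: [\d.]+/[\d.]+, base: ([0-9a-f]+)")


def loading_modules(log):
    """Modules whose taint field carries '+', i.e. still being loaded."""
    m = MODLIST_RE.search(log)
    if not m:
        return []
    return [name for name, flags in MODULE_RE.findall(m.group(1)) if "+" in flags]


def ftrace_fault(log):
    """Faulting address, symbol and module from the 'ftrace faulted' line, or None."""
    m = FAULT_RE.search(log)
    if not m:
        return None
    return {"addr": int(m.group(1), 16), "symbol": m.group(2), "module": m.group(3)}


def module_bases(log):
    """Module name -> load base, taken from each stap module's banner line."""
    return {m.group(1): int(m.group(2), 16)
            for m in (BASE_RE.match(line) for line in log.splitlines()) if m}


def triage(log):
    """Correlate the ftrace fault with module bases and concurrent loads."""
    fault = ftrace_fault(log)
    if fault is None:
        return None
    base = module_bases(log).get(fault["module"])
    return {
        "module": fault["module"],
        "symbol": fault["symbol"],
        "at_module_base": base is not None and base == fault["addr"],
        "concurrent_loads": [m for m in loading_modules(log) if m != fault["module"]],
    }
```

For the excerpt above, triage() reports the fault at the exact base of g_2759 with gc__2757 loading at the same time, which is the concurrent-insertion pattern the comment describes.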