public inbox for systemtap@sourceware.org
* [Bug runtime/19000] New: several task tapset functions can cause kernel crash
From: mcermak at redhat dot com @ 2015-09-24  8:58 UTC (permalink / raw)
  To: systemtap

https://sourceware.org/bugzilla/show_bug.cgi?id=19000

            Bug ID: 19000
           Summary: several task tapset functions can cause kernel crash
           Product: systemtap
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: runtime
          Assignee: systemtap at sourceware dot org
          Reporter: mcermak at redhat dot com
  Target Milestone: ---

The following tapset functions can crash the kernel when run with invalid
arguments: task_egid(), task_euid(), task_gid(), task_ns_gid(), task_ns_pid(),
task_ns_tid().

For instance `stap -vge 'probe oneshot {println(task_egid(0))}'` causes the
following null pointer dereference:

=======
[858983.141012] BUG: unable to handle kernel NULL pointer dereference at 0000000000000668
[858983.148915] IP: [<ffffffffa07dd057>] probe_2771+0x67/0x200 [stap_694d7aba919ad48d0b9840c958b2062_15228]
[858983.158370] PGD 0 
[858983.160464] Oops: 0000 [#1] SMP 
[858983.163779] Modules linked in: stap_694d7aba919ad48d0b9840c958b2062_15228(OE) binfmt_misc tun nfsv3 rpcsec_gss_krb5 nfsv4 dns_resolver nfs fscache snd_hda_codec_realtek snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_seq snd_seq_device coretemp hp_wmi snd_pcm sparse_keymap rfkill iTCO_wdt snd_timer snd kvm_intel ppdev kvm soundcore iTCO_vendor_support sg pcspkr lpc_ich mfd_core parport_pc parport acpi_cpufreq i7core_edac edac_core shpchp nfsd auth_rpcgss nfs_acl lockd grace sunrpc sch_fq_codel ip_tables xfs libcrc32c sd_mod crc_t10dif crct10dif_generic sr_mod cdrom crct10dif_common nouveau video mxm_wmi i2c_algo_bit tg3 drm_kms_helper ttm ahci crc32c_intel ptp libahci serio_raw libata drm pps_core i2c_core wmi floppy dm_mirror dm_region_hash dm_log dm_mod [last unloaded: stap_473192a77b74a7b3d39dca483de1df8d__14780]
[858983.239159] CPU: 3 PID: 15228 Comm: stapio Tainted: G          IOE  ------------   3.10.0-315.el7.x86_64 #1
[858983.248946] Hardware name: Hewlett-Packard HP Z600 Workstation/0AE8h, BIOS 786G4 v03.13 10/13/2010
[858983.257951] task: ffff8800bab23980 ti: ffff880059868000 task.ti: ffff880059868000
[858983.265488] RIP: 0010:[<ffffffffa07dd057>]  [<ffffffffa07dd057>] probe_2771+0x67/0x200 [stap_694d7aba919ad48d0b9840c958b2062_15228]
[858983.277360] RSP: 0018:ffff88005986be20  EFLAGS: 00010202
[858983.282735] RAX: 0000000000000000 RBX: ffffc9000493b000 RCX: 0000000000002710
[858983.289950] RDX: ffffffffa07e2ca0 RSI: ffff8800bf06d6c8 RDI: ffffc9000493b000
[858983.297140] RBP: ffff88005986be38 R08: 0000000000000096 R09: 0000000000002a0c
[858983.304330] R10: 0000000000000000 R11: ffff88005986bb86 R12: ffffc9000493b270
[858983.311519] R13: 000000000000f608 R14: ffffffff81a686e0 R15: 0000000000000000
[858983.318709] FS:  00007fbeecbb6740(0000) GS:ffff8800bf060000(0000) knlGS:0000000000000000
[858983.326851] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[858983.332658] CR2: 0000000000000668 CR3: 00000000b9ed8000 CR4: 00000000000007e0
[858983.339848] DR0: ffffffff819bfcb8 DR1: 0000000000000000 DR2: 0000000000000000
[858983.347039] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
[858983.354229] Stack:
[858983.356315]  ffff88005986be30 000000000000001f 0000000000000020 ffff88005986be60
[858983.363801]  ffffffffa07de01c ffffffffa07e2c80 ffffc9000493b000 0000000091fdf90f
[858983.371283]  ffff88005986beb8 ffffffffa07dec0c ffff880000000002 000000000000080a
[858983.378768] Call Trace:
[858983.381290]  [<ffffffffa07de01c>] enter_be_probe+0x12c/0x220 [stap_694d7aba919ad48d0b9840c958b2062_15228]
[858983.390905]  [<ffffffffa07dec0c>] _stp_handle_start.constprop.23+0x47c/0x4e0 [stap_694d7aba919ad48d0b9840c958b2062_15228]
[858983.401904]  [<ffffffff811dfc28>] ? __sb_start_write+0x58/0x110
[858983.407887]  [<ffffffffa07deeda>] _stp_ctl_write_cmd+0x26a/0x43a [stap_694d7aba919ad48d0b9840c958b2062_15228]
[858983.417847]  [<ffffffff811dd1ed>] vfs_write+0xbd/0x1e0
[858983.423049]  [<ffffffff811ddc8f>] SyS_write+0x7f/0xe0
[858983.428166]  [<ffffffff81644089>] system_call_fastpath+0x16/0x1b
[858983.434230] Code: c7 87 28 02 00 00 98 12 7e a0 0f 8f a4 01 00 00 89 47 1c 49 c7 44 24 08 00 00 00 00 8b 4f 18 85 c9 0f 88 1d 01 00 00 49 8b 04 24 <48> 8b 90 68 06 00 00 8b 72 18 48 8b 80 68 06 00 00 48 8b b8 80 
[858983.453756] RIP  [<ffffffffa07dd057>] probe_2771+0x67/0x200 [stap_694d7aba919ad48d0b9840c958b2062_15228]
[858983.463294]  RSP <ffff88005986be20>
[858983.466883] CR2: 0000000000000668
=======

Similarly for the others when run with an invalid task structure pointer such as
0 or -1.

-- 
You are receiving this mail because:
You are the assignee for the bug.
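The defect class behind this report, as an added user-space C model (this is not SystemTap's code and not the fix committed for the bug): a tapset function accepted a caller-supplied task_struct pointer and dereferenced it as-is, so `task_egid(0)` loaded through a NULL pointer (the faulting instruction in the oops above, `mov 0x668(%rax),%rdx` with RAX = 0, is what put CR2 at 0x668). The guarded accessors below refuse to touch memory until the pointer value has been checked against the set of tasks the model "kernel" owns, returning an error code instead of faulting. The struct layout, the registry, and names such as `task_lookup`, `safe_task_egid` and `sample_task_addr` are assumptions of the model; the same guard applies to every function in the report's list, of which two are shown.

```c
/* Added example, not SystemTap's code: user-space model of validating a
 * caller-supplied task pointer before dereferencing it. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct cred { unsigned int uid, gid, euid, egid; };
struct task { int pid; const struct cred *cred; };   /* assumed layout */

/* Registry standing in for the kernel's task list (model assumption). */
#define MAX_TASKS 8
static const struct task *live_tasks[MAX_TASKS];
static size_t live_count;

int task_register(const struct task *t)
{
    if (t == NULL || live_count == MAX_TASKS)
        return -EINVAL;
    live_tasks[live_count++] = t;
    return 0;
}

/* Validate a raw pointer value before anything is loaded through it.
 * Returns the task if the registry owns it, NULL otherwise; that covers the
 * 0 and -1 values named in the report as well as stale or forged pointers. */
static const struct task *task_lookup(uintptr_t p)
{
    if (p == 0 || p == (uintptr_t)-1)
        return NULL;
    for (size_t i = 0; i < live_count; i++)
        if ((uintptr_t)live_tasks[i] == p)
            return live_tasks[i];
    return NULL;
}

/* The unguarded form the report describes: every load trusts the argument.
 * Calling it with 0 or -1 faults, as the stap module did. */
long unguarded_task_egid(uintptr_t p)
{
    const struct task *t = (const struct task *)p;
    return t->cred->egid;
}

/* Guarded form: the id on success, -EFAULT without any dereference when the
 * pointer fails validation, -ENOENT when the task carries no credentials. */
long safe_task_egid(uintptr_t p)
{
    const struct task *t = task_lookup(p);
    if (t == NULL)
        return -EFAULT;
    if (t->cred == NULL)
        return -ENOENT;
    return t->cred->egid;
}

long safe_task_euid(uintptr_t p)
{
    const struct task *t = task_lookup(p);
    if (t == NULL)
        return -EFAULT;
    if (t->cred == NULL)
        return -ENOENT;
    return t->cred->euid;
}

/* Constructed sample: one live task with euid 1000 and egid 1001,
 * registered on first use so the address is valid for every caller. */
uintptr_t sample_task_addr(void)
{
    static const struct cred c = { 1000, 1000, 1000, 1001 };
    static const struct task t = { 4242, &c };
    static int registered;
    if (!registered) {
        task_register(&t);
        registered = 1;
    }
    return (uintptr_t)&t;
}

int main(void)
{
    uintptr_t good = sample_task_addr();
    printf("task_egid(valid) = %ld\n", safe_task_egid(good));
    printf("task_euid(valid) = %ld\n", safe_task_euid(good));
    printf("task_egid(0)     = %ld (-EFAULT, nothing dereferenced)\n",
           safe_task_egid(0));
    printf("task_egid(-1)    = %ld (-EFAULT, nothing dereferenced)\n",
           safe_task_egid((uintptr_t)-1));
    /* unguarded_task_egid(0) would crash this process at this point. */
    return 0;
}
```

The registry lookup is the model's stand-in for whatever validity check the real module applies; the point it demonstrates is ordering, with the check done on the integer value before the first load through the pointer, so an invalid argument becomes an error the script sees rather than an oops.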

* [Bug runtime/19000] several task tapset functions can cause kernel crash
From: mcermak at redhat dot com @ 2015-09-25 10:54 UTC (permalink / raw)
  To: systemtap

--- Comment #1 from Martin Cermak <mcermak at redhat dot com> ---
(In reply to Martin Cermak from comment #0)
> Following tapset functions can crash the kernel when run with invalid
> arguments: task_egid(), task_euid(), task_gid(), task_ns_gid(),
> task_ns_pid(), task_ns_tid().

task_uid() too

* [Bug runtime/19000] several task tapset functions can cause kernel crash
From: dsmith at redhat dot com @ 2015-09-25 15:09 UTC (permalink / raw)
  To: systemtap

David Smith <dsmith at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |dsmith at redhat dot com
         Resolution|---                         |FIXED

--- Comment #2 from David Smith <dsmith at redhat dot com> ---
Fixed in commit 08c687a. Updated several functions: task_ns_pid(),
task_ns_tid(), task_gid(), task_ns_gid(), task_egid(), task_ns_egid(),
task_uid(), task_ns_uid(), task_euid(), and task_ns_euid().

* [Bug runtime/19000] several task tapset functions can cause kernel crash
From: mcermak at redhat dot com @ 2015-10-02 12:56 UTC (permalink / raw)
  To: systemtap

--- Comment #3 from Martin Cermak <mcermak at redhat dot com> ---
Using stap release-2.9-4-g4dc97b40ad9e, `stap -ge 'probe oneshot
{println(task_egid(0))}'` still seems to kill the rhel7/s390x kernel:

=======
[  727.130211] stap_09eb0146da34d3191a27df63ae2c7fb4_3098: module verification failed: signature and/or required key missing - tainting kernel
[  727.170592] Unable to handle kernel pointer dereference at virtual kernel address 00a8b00000001000
[  727.170635] Oops: 0038 [#1] SMP
[  727.170639] Modules linked in: stap_09eb0146da34d3191a27df63ae2c7fb4_3098(OE) vmur nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c dasd_fba_mod qeth_l2 dasd_eckd_mod dasd_mod lcs ctcm qeth qdio ccwgroup fsm dm_mirror dm_region_hash dm_log dm_mod
[  727.170667] CPU: 1 PID: 3098 Comm: stapio Tainted: G           OE  ------------   3.10.0-319.el7.s390x #1
[  727.170671] task: 0000000001fa5be0 ti: 000000007ab54000 task.ti: 000000007ab54000
[  727.170675] Krnl PSW : 0704e00180000000 00000000001c2816 (map_id_up+0x6/0x80)
[  727.170683]            R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 EA:3
Krnl GPRS: 0000000000000081 00000000001c2980 00a8b00000001044 0000000000000000
[  727.170692]            000003ff00000001 0000000000000000 000003e081e05270 000000007ab57d90
[  727.170701]            0000000000000000 000003e081e05000 000003ff00000001 0000000000000000
[  727.170702]            000000000000000c 000000000000092f 00000000001c29ac 000000007ab57cc0
[  727.170710] Krnl Code: 00000000001c280c: 07fe                bcr     15,%r14
           00000000001c280e: 0707               bcr     0,%r7
          #00000000001c2810: ebbcf0700024       stmg    %r11,%r12,112(%r15)
          >00000000001c2816: 58b02000           l       %r11,0(%r2)
           00000000001c281a: 07e0               bcr     14,%r0
           00000000001c281c: ecb8001b007e       cij     %r11,0,8,1c2852
           00000000001c2822: b9040012           lgr     %r1,%r2
           00000000001c2826: a7080000           lhi     %r0,0
[  727.170722] Call Trace:
[  727.170723] ([<0000000000000001>] 0x1)
[  727.170725]  [<000003ff80839508>] probe_2757+0x178/0x320 [stap_09eb0146da34d3191a27df63ae2c7fb4_3098]
[  727.170728]  [<000003ff8083aade>] enter_be_probe+0x10e/0x230 [stap_09eb0146da34d3191a27df63ae2c7fb4_3098]
[  727.170730]  [<000003ff8083ba5e>] _stp_ctl_write_cmd+0x94e/0x9d0 [stap_09eb0146da34d3191a27df63ae2c7fb4_3098]
[  727.170733]  [<000000000028b4ea>] vfs_write+0xa2/0x1c8
[  727.170737]  [<000000000028c084>] SyS_write+0x6c/0x100
[  727.170738]  [<00000000005d66fa>] sysc_tracego+0x14/0x1a
[  727.170742]  [<000003fffd389520>] 0x3fffd389520
[  727.170744] Last Breaking-Event-Address:
[  727.170744]  [<00000000001c29a6>] from_kgid_munged+0x26/0x48
[  727.170746]
[  727.170747] Kernel panic - not syncing: Fatal exception: panic_on_oops
00: HCPGSP2629I The virtual machine is placed in CP mode due to a SIGP stop from CPU 00.
01: HCPGIR450W CP entered; disabled wait PSW 00020001 80000000 00000000 0010EC20
=======

* [Bug runtime/19000] several task tapset functions can cause kernel crash
From: mcermak at redhat dot com @ 2015-10-02 18:53 UTC (permalink / raw)
  To: systemtap

--- Comment #4 from Martin Cermak <mcermak at redhat dot com> ---
Hmm, same with `stap -ge 'probe oneshot {println(task_euid(0))}'` on rhel7.2 /
s390x kernel:

=======
[ 3661.098528] stap_d81f3e59f58b2c26a85410ab00420e35_3393: module verification failed: signature and/or required key missing - tainting kernel
[ 3661.138794] Unable to handle kernel pointer dereference at virtual kernel address 00a8b00000011000
[ 3661.138835] Oops: 0038 [#1] SMP
[ 3661.138839] Modules linked in: stap_d81f3e59f58b2c26a85410ab00420e35_3393(OE) nfsv3 rpcsec_gss_krb5 nfsv4 dns_resolver nfs fscache vmur nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c dasd_fba_mod qeth_l2 dasd_eckd_mod dasd_mod lcs ctcm fsm qeth qdio ccwgroup dm_mirror dm_region_hash dm_log dm_mod
[ 3661.138874] CPU: 0 PID: 3393 Comm: stapio Tainted: G           OE  ------------   3.10.0-319.el7.s390x #1
[ 3661.138877] task: 000000007d439b90 ti: 000000007cb98000 task.ti: 000000007cb98000
[ 3661.138881] Krnl PSW : 0704e00180000000 00000000001c2816 (map_id_up+0x6/0x80)
[ 3661.138890]            R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 EA:3
Krnl GPRS: 0000000000000081 00000000001c28e0 00a8b00000011202 0000000000000000
[ 3661.138935]            000003ff00000001 0000000000000000 000003e0817fa270 000000007cb9bd90
[ 3661.138941]            0000000000000000 000003e0817fa000 000003ff00000001 0000000000000000
[ 3661.138943]            000000000000000c 000000000000092f 00000000001c2908 000000007cb9bcc0
[ 3661.138952] Krnl Code: 00000000001c280c: 07fe                bcr     15,%r14
           00000000001c280e: 0707               bcr     0,%r7
          #00000000001c2810: ebbcf0700024       stmg    %r11,%r12,112(%r15)
          >00000000001c2816: 58b02000           l       %r11,0(%r2)
           00000000001c281a: 07e0               bcr     14,%r0
           00000000001c281c: ecb8001b007e       cij     %r11,0,8,1c2852
           00000000001c2822: b9040012           lgr     %r1,%r2
           00000000001c2826: a7080000           lhi     %r0,0
[ 3661.139022] Call Trace:
[ 3661.139025] ([<0000000000000001>] 0x1)
[ 3661.139031]  [<000003ff8092e508>] probe_2757+0x178/0x320 [stap_d81f3e59f58b2c26a85410ab00420e35_3393]
[ 3661.139038]  [<000003ff8092fade>] 01: HCPGSP2629I The virtual machine is placed in CP mode due to a SIGP stop from CPU 01.
enter_be_probe+0x10e/0x230 [stap_d81f3e59f58b2c26a85410ab00420e35_3393]
[ 3661.139070]  [<000003ff80930a5e>] _stp_ctl_write_cmd+0x94e/0x9d0 [stap_d81f3e59f58b2c26a85410ab00420e35_3393]
[ 3661.139073]  [<000000000028b4ea>] vfs_write+0xa2/0x1c8
[ 3661.139078]  [<000000000028c084>] SyS_write+0x6c/0x100
[ 3661.139081]  [<00000000005d66fa>] sysc_tracego+0x14/0x1a
[ 3661.139087]  [<000003fffd475520>] 0x3fffd475520
[ 3661.139094] Last Breaking-Event-Address:
[ 3661.139102]  [<00000000001c2902>] from_kuid_munged+0x22/0x48
[ 3661.139106]
[ 3661.139107] Kernel panic - not syncing: Fatal exception: panic_on_oops
00: HCPGIR450W CP entered; disabled wait PSW 00020001 80000000 00000000 0010EC20
=======

* [Bug runtime/19000] several task tapset functions can cause kernel crash
From: mcermak at redhat dot com @ 2015-10-02 20:57 UTC (permalink / raw)
  To: systemtap

--- Comment #5 from Martin Cermak <mcermak at redhat dot com> ---
Similarly task_gid(0) or task_gid(1) on rhel-7 / s390x. Good news is that
issues reported in comments 3, 4, and this one (5) are only related to rhel-7 /
s390x. They do not crash rhel-6 or rhel-5 / s390x kernels. I can offer access
to testing boxes if that would be of any help.

* [Bug runtime/19000] several task tapset functions can cause kernel crash
From: dsmith at redhat dot com @ 2015-10-05 16:21 UTC (permalink / raw)
  To: systemtap

--- Comment #6 from David Smith <dsmith at redhat dot com> ---
Those s390x failures should be resolved by commit aee2613.

* [Bug runtime/19000] several task tapset functions can cause kernel crash
From: mcermak at redhat dot com @ 2015-10-05 21:17 UTC (permalink / raw)
  To: systemtap

--- Comment #7 from Martin Cermak <mcermak at redhat dot com> ---
Excuse me for reporting issues again. It looks like task_ns_pid() and
task_ns_tid() still need attention on rhel7/s390x. The rest looks fine to me.

* [Bug runtime/19000] several task tapset functions can cause kernel crash
From: dsmith at redhat dot com @ 2015-10-07 15:25 UTC (permalink / raw)
  To: systemtap

--- Comment #8 from David Smith <dsmith at redhat dot com> ---
Those task_ns_pid() and task_ns_tid() rhel7/s390x failures should be fixed in
commit 19b8ace.
