This is the mail archive of the systemtap@sourceware.org mailing list for the systemtap project.



[Bug runtime/19000] New: several task tapset functions can cause kernel crash


https://sourceware.org/bugzilla/show_bug.cgi?id=19000

            Bug ID: 19000
           Summary: several task tapset functions can cause kernel crash
           Product: systemtap
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: runtime
          Assignee: systemtap at sourceware dot org
          Reporter: mcermak at redhat dot com
  Target Milestone: ---

The following tapset functions can crash the kernel when run with invalid
arguments: task_egid(), task_euid(), task_gid(), task_ns_gid(), task_ns_pid(),
task_ns_tid().

For instance `stap -vge 'probe oneshot {println(task_egid(0))}'` causes the
following null pointer dereference:

=======
[858983.141012] BUG: unable to handle kernel NULL pointer dereference at 0000000000000668
[858983.148915] IP: [<ffffffffa07dd057>] probe_2771+0x67/0x200 [stap_694d7aba919ad48d0b9840c958b2062_15228]
[858983.158370] PGD 0
[858983.160464] Oops: 0000 [#1] SMP
[858983.163779] Modules linked in: stap_694d7aba919ad48d0b9840c958b2062_15228(OE) binfmt_misc tun nfsv3 rpcsec_gss_krb5 nfsv4 dns_resolver nfs fscache snd_hda_codec_realtek snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_seq snd_seq_device coretemp hp_wmi snd_pcm sparse_keymap rfkill iTCO_wdt snd_timer snd kvm_intel ppdev kvm soundcore iTCO_vendor_support sg pcspkr lpc_ich mfd_core parport_pc parport acpi_cpufreq i7core_edac edac_core shpchp nfsd auth_rpcgss nfs_acl lockd grace sunrpc sch_fq_codel ip_tables xfs libcrc32c sd_mod crc_t10dif crct10dif_generic sr_mod cdrom crct10dif_common nouveau video mxm_wmi i2c_algo_bit tg3 drm_kms_helper ttm ahci crc32c_intel ptp libahci serio_raw libata drm pps_core i2c_core wmi floppy dm_mirror dm_region_hash dm_log dm_mod [last unloaded: stap_473192a77b74a7b3d39dca483de1df8d__14780]
[858983.239159] CPU: 3 PID: 15228 Comm: stapio Tainted: G          IOE  ------------   3.10.0-315.el7.x86_64 #1
[858983.248946] Hardware name: Hewlett-Packard HP Z600 Workstation/0AE8h, BIOS 786G4 v03.13 10/13/2010
[858983.257951] task: ffff8800bab23980 ti: ffff880059868000 task.ti: ffff880059868000
[858983.265488] RIP: 0010:[<ffffffffa07dd057>]  [<ffffffffa07dd057>] probe_2771+0x67/0x200 [stap_694d7aba919ad48d0b9840c958b2062_15228]
[858983.277360] RSP: 0018:ffff88005986be20  EFLAGS: 00010202
[858983.282735] RAX: 0000000000000000 RBX: ffffc9000493b000 RCX: 0000000000002710
[858983.289950] RDX: ffffffffa07e2ca0 RSI: ffff8800bf06d6c8 RDI: ffffc9000493b000
[858983.297140] RBP: ffff88005986be38 R08: 0000000000000096 R09: 0000000000002a0c
[858983.304330] R10: 0000000000000000 R11: ffff88005986bb86 R12: ffffc9000493b270
[858983.311519] R13: 000000000000f608 R14: ffffffff81a686e0 R15: 0000000000000000
[858983.318709] FS:  00007fbeecbb6740(0000) GS:ffff8800bf060000(0000) knlGS:0000000000000000
[858983.326851] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[858983.332658] CR2: 0000000000000668 CR3: 00000000b9ed8000 CR4: 00000000000007e0
[858983.339848] DR0: ffffffff819bfcb8 DR1: 0000000000000000 DR2: 0000000000000000
[858983.347039] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
[858983.354229] Stack:
[858983.356315]  ffff88005986be30 000000000000001f 0000000000000020 ffff88005986be60
[858983.363801]  ffffffffa07de01c ffffffffa07e2c80 ffffc9000493b000 0000000091fdf90f
[858983.371283]  ffff88005986beb8 ffffffffa07dec0c ffff880000000002 000000000000080a
[858983.378768] Call Trace:
[858983.381290]  [<ffffffffa07de01c>] enter_be_probe+0x12c/0x220 [stap_694d7aba919ad48d0b9840c958b2062_15228]
[858983.390905]  [<ffffffffa07dec0c>] _stp_handle_start.constprop.23+0x47c/0x4e0 [stap_694d7aba919ad48d0b9840c958b2062_15228]
[858983.401904]  [<ffffffff811dfc28>] ? __sb_start_write+0x58/0x110
[858983.407887]  [<ffffffffa07deeda>] _stp_ctl_write_cmd+0x26a/0x43a [stap_694d7aba919ad48d0b9840c958b2062_15228]
[858983.417847]  [<ffffffff811dd1ed>] vfs_write+0xbd/0x1e0
[858983.423049]  [<ffffffff811ddc8f>] SyS_write+0x7f/0xe0
[858983.428166]  [<ffffffff81644089>] system_call_fastpath+0x16/0x1b
[858983.434230] Code: c7 87 28 02 00 00 98 12 7e a0 0f 8f a4 01 00 00 89 47 1c 49 c7 44 24 08 00 00 00 00 8b 4f 18 85 c9 0f 88 1d 01 00 00 49 8b 04 24 <48> 8b 90 68 06 00 00 8b 72 18 48 8b 80 68 06 00 00 48 8b b8 80
[858983.453756] RIP  [<ffffffffa07dd057>] probe_2771+0x67/0x200 [stap_694d7aba919ad48d0b9840c958b2062_15228]
[858983.463294]  RSP <ffff88005986be20>
[858983.466883] CR2: 0000000000000668
=======

Similarly for the others when run with an invalid task structure pointer such
as 0 or -1.

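Until the tapset itself rejects bad task pointers, a script author can keep the accessors named in the report away from the 0 and -1 values it mentions by only ever feeding them pointers obtained from the tapset's own lookup functions and guarding the "not found" result. The following script is an added illustration written for this report; it is not part of the bug, the reporter's reproducer or the SystemTap project's fix. The wrapper name checked_task_egid is invented here, and pid 999999 is assumed not to exist on the host where it runs. Note that the guard only screens out the two sentinel values the report names; it cannot make an arbitrary garbage pointer safe, which is why the defect has to be fixed in the runtime rather than in scripts.

```systemtap
# Added example, not from the bug report: route task pointers through a
# guard before calling the task_* accessors listed in the report.

# Hypothetical wrapper (name chosen for this example). Returns -1 instead of
# forwarding the invalid sentinel values 0 and -1 into the kernel-side
# accessor that the report shows dereferencing them.
function checked_task_egid:long (task:long) {
  if (task == 0 || task == -1)
    return -1
  return task_egid(task)
}

probe begin {
  # task_current() always yields the task_struct of the task running the probe.
  me = task_current()
  printf("current pid %d egid %d\n", task_pid(me), checked_task_egid(me))

  # pid2task() returns 0 when the pid does not exist; the guard turns that
  # into -1 rather than letting task_egid() fault on a NULL task pointer.
  t = pid2task(1)
  printf("pid 1 -> task %p, egid %d\n", t, checked_task_egid(t))

  t = pid2task(999999)   # assumed to be an unused pid on the test host
  printf("pid 999999 -> task %p, egid %d\n", t, checked_task_egid(t))
  exit()
}
```

Run it with `stap -v` the same way as the reproducer; the third printf should report task 0 and egid -1 rather than the oops shown above.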

