[Kernel-packages] [Bug 1233175] Re: Kernel panic : mempolicy potential use-after-free on server running mongodb

2014-05-15 Thread Munehisa Kamata
I will not be able to provide a reproducer of this immediately.  If you
agree, please keep this open until I can have it or someone comes here
with his/her reproducer.

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1233175

Title:
  Kernel panic : mempolicy potential use-after-free on server running
  mongodb

Status in “linux” package in Ubuntu:
  In Progress
Status in “linux” source package in Precise:
  In Progress

Bug description:
  PID: 21767 TASK: 8800874bdc00 CPU: 12 COMMAND: mongod
   #0 [880657cc3820] machine_kexec at 810393da
   #1 [880657cc3890] crash_kexec at 810b53f8
   #2 [880657cc3960] oops_end at 8165e528
   #3 [880657cc3990] die at 810178d8
   #4 [880657cc39c0] do_trap at 8165de94
   #5 [880657cc3a20] do_invalid_op at 81014f65
   #6 [880657cc3ac0] invalid_op at 8166796b
  [exception RIP: slab_node+46]
  RIP: 8115a66e RSP: 880657cc3b70 RFLAGS: 00010097
  RAX:  RBX: 880657802c00 RCX: e62f6aef
  RDX:  RSI: 0020 RDI: 880abf18a288
  RBP: 880657cc3b80 R8: 0001 R9: 000100100010
  R10:  R11: 0022 R12: 0002
  R13:  R14:  R15: 0020
  ORIG_RAX:  CS: 0010 SS: 0018
   #7 [880657cc3b88] get_any_partial at 816496a0
   #8 [880657cc3c18] __slab_alloc at 816498cf
   #9 [880657cc3cc8] __kmalloc_node_track_caller at 81166f07
  #10 [880657cc3d38] __alloc_skb at 815364c8
  #11 [880657cc3d88] __netdev_alloc_skb at 81536b14
  #12 [880657cc3da8] enic_rq_alloc_buf at a005484c [enic]
  #13 [880657cc3e08] enic_poll_msix at a00559ff [enic]
  #14 [880657cc3e58] net_rx_action at 81545274
  #15 [880657cc3ec8] __do_softirq at 8106f5f8
  #16 [880657cc3f38] call_softirq at 81667bec
  #17 [880657cc3f50] do_softirq at 81016305
  #18 [880657cc3f70] irq_exit at 8106f9de
  #19 [880657cc3f80] do_IRQ at 816684a3
  --- IRQ stack ---
  #20 [880544d8bd48] ret_from_intr at 8165d82e
  [exception RIP: __slab_free+737]
  RIP: 81649467 RSP: 880544d8bdf8 RFLAGS: 0202
  RAX: 0001 RBX: ff0a0210 RCX: 000180aa00a9
  RDX: 000180aa00aa RSI: ea002afc6201 RDI: 880657806200
  RBP: 880544d8bea8 R8: 0001 R9: 
  R10: 8800874be020 R11: 8800874be030 R12: 880544d8be33
  R13: 000d R14: 81191895 R15: 880544d8bdb8
  ORIG_RAX: ff54 CS: 0010 SS: 0018
  #21 [880544d8be30] __change_pid at 81087dca
  #22 [880544d8beb0] kmem_cache_free at 81163634
  #23 [880544d8bef0] __mpol_put at 81159937
  #24 [880544d8bf00] do_exit at 8106c75c
  #25 [880544d8bf70] sys_exit at 8106caf7
  #26 [880544d8bf80] system_call_fastpath at 81665982
  RIP: 7f6f476b8f37 RSP: 7f68cbcfdbb0 RFLAGS: 0202
  RAX: 003c RBX: 81665982 RCX: 
  RDX: 7f68cbcfe700 RSI: 7f6f478c9250 RDI: 
  RBP:  R8: 7f68cbcfe700 R9: 7f68e82a0370
  R10: 7fff R11: 0246 R12: 8106caf7
  R13: 880544d8bf78 R14: 0003 R15: 7f68f8744a10
  ORIG_RAX: ...

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1233175/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp


[Kernel-packages] [Bug 1233175] Re: Kernel panic : mempolicy potential use-after-free on server running mongodb

2014-04-25 Thread Munehisa Kamata
Unfortunately, we don't have a repro case yet. Do you really need a
repro case to proceed with this?


[Kernel-packages] [Bug 1233175] Re: Kernel panic : mempolicy potential use-after-free on server running mongodb

2014-04-14 Thread Munehisa Kamata
Hi Chris,

Do any of you have a repro case? Although the patch itself is
really straightforward, I don't have a reliable repro case of this race
unfortunately.


[Kernel-packages] [Bug 1233175] Re: Kernel panic : mempolicy potential use-after-free on server running mongodb

2014-03-19 Thread Munehisa Kamata
Hi,

We have also experienced this issue with 3.2.0-57-generic. Thanks to the
core dump analysis by Louis Bouchard, I noticed that accessing
current->mempolicy in interrupt context is a totally bad idea, and then
found the following commit.

 http://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=e7b691b085fda913830e5280ae6f724b2a63c824

This fix was introduced in 3.6-rc1, which is why the 3.8 kernel hasn't
experienced this issue. Can you backport the fix to 12.04's 3.2 kernel?

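
A triage check for the pattern in this bug's trace, added here as an example and not part of the original thread or of the kernel fix: it splits a crash `bt` listing at the `--- IRQ stack ---` marker and flags dumps where the exception RIP on the interrupt side is `slab_node` while the interrupted task was inside `__mpol_put`. The names `parse_bt` and `is_mempolicy_irq_race` are hypothetical, and the sample is an abbreviated copy of the frames in the bug description.

```python
import re

FRAME = re.compile(r"#\d+\s+\[[0-9a-f]+\]\s+(\w+)\s+at\s+[0-9a-f]+")
EXC_RIP = re.compile(r"\[exception RIP: (\w+)\+\d+\]")
IRQ_MARK = "--- IRQ stack ---"

# Abbreviated copy of the frames in the bug description (values as shown there).
PAGE_EXCERPT = """\
PID: 21767 TASK: 8800874bdc00 CPU: 12 COMMAND: mongod
 #6 [880657cc3ac0] invalid_op at 8166796b
[exception RIP: slab_node+46]
 #7 [880657cc3b88] get_any_partial at 816496a0
#19 [880657cc3f80] do_IRQ at 816684a3
--- IRQ stack ---
#20 [880544d8bd48] ret_from_intr at 8165d82e
[exception RIP: __slab_free+737]
#22 [880544d8beb0] kmem_cache_free at 81163634
#23 [880544d8bef0] __mpol_put at 81159937
#24 [880544d8bf00] do_exit at 8106c75c
"""

def parse_bt(bt_text):
    """Return (frames, rip): symbols and first exception RIP per side of the IRQ marker."""
    frames = {"irq": [], "task": []}
    rip = {"irq": None, "task": None}
    side, nested = "irq", False        # frames before the marker ran on the IRQ stack
    for line in bt_text.splitlines():
        if IRQ_MARK in line:
            side, nested = "task", True
            continue
        exc = EXC_RIP.search(line)
        if exc and rip[side] is None:
            rip[side] = exc.group(1)
        frame = FRAME.search(line)
        if frame:
            frames[side].append(frame.group(1))
    if not nested:                     # no marker: the whole listing is task context
        frames = {"irq": [], "task": frames["irq"]}
        rip = {"irq": None, "task": rip["irq"]}
    return frames, rip

def is_mempolicy_irq_race(bt_text):
    """True when slab_node trapped in an interrupt that landed on a task inside __mpol_put."""
    frames, rip = parse_bt(bt_text)
    return (rip["irq"] == "slab_node" and "do_IRQ" in frames["irq"]
            and "__mpol_put" in frames["task"])

if __name__ == "__main__":
    print(is_mempolicy_irq_race(PAGE_EXCERPT))   # interrupt nested in the exit path
```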