[vserver] refcount overflow detected in ext4 ?

From: Nicolas Bareil <nico_at_chdir.org>
Date: Tue 25 Jun 2013 - 19:28:29 BST
Message-ID: <878v1yrqnm.fsf@puppet.chdir.org>

Hello,

On a new AMD64 server running 3.2.47-grsec-vs2.3.2.16+, every time a
task becomes I/O intensive, PaX kills the kernel with the following logs:

Jun 25 16:46:27 pouic kernel: PAX: From x.x.x.x: refcount overflow detected in: imap:4578, uid/euid: 1000/1000
Jun 25 16:46:27 pouic kernel: CPU 0
Jun 25 16:46:27 pouic kernel: Pid: 4578, comm: imap Not tainted 3.2.47-grsec-vs2.3.2.16+ #1 HP ProLiant DL120 G7
Jun 25 16:46:27 pouic kernel: RIP: 0010:[<ffffffff810d537e>] [<ffffffff810d537e>] kfree+0xce/0x120
Jun 25 16:46:27 pouic kernel: RSP: 0018:ffff8800edba9d28 EFLAGS: 00000886
Jun 25 16:46:27 pouic kernel: RAX: 0000000000000002 RBX: ffff8800ed8ac7c0 RCX: 0000000000000000
Jun 25 16:46:27 pouic kernel: RDX: ffff8801045ce000 RSI: 0000000000000080 RDI: ffff88010b000140
Jun 25 16:46:27 pouic kernel: RBP: ffff8800edba9d48 R08: 00000001e45d67aa R09: 0000000000000008
Jun 25 16:46:27 pouic kernel: R10: 000000000000002f R11: 0000000035383a32 R12: ffff88010b01f000
Jun 25 16:46:27 pouic kernel: R13: 0000000000000293 R14: 0000000000000000 R15: ffff8801062b9c80
Jun 25 16:46:27 pouic kernel: FS: 000003262d38b700(0000) GS:ffff88010bc00000(0000) knlGS:0000000000000000
Jun 25 16:46:27 pouic kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Jun 25 16:46:27 pouic kernel: CR2: ffffffffff600400 CR3: 0000000001578000 CR4: 00000000000406b0
Jun 25 16:46:27 pouic kernel: DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
Jun 25 16:46:27 pouic kernel: DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Jun 25 16:46:27 pouic kernel: Process imap (pid: 4578, threadinfo ffff88010b2010c0, task ffff88010b200cf0)
Jun 25 16:46:27 pouic kernel: Stack:
Jun 25 16:46:27 pouic kernel: ffff8800ea7570a8 ffff8800ed8ac7c8 ffff8800eb3ade00 ffff8800eb02b9c8
Jun 25 16:46:27 pouic kernel: ffff8800edba9d78 ffffffff81181e19 ffff8800eb3ade00 ffff8800ed59c468
Jun 25 16:46:27 pouic kernel: ffffffff810f6290 ffff880106664000 ffff8800edba9e18 ffffffff811821e7
Jun 25 16:46:27 pouic kernel: Call Trace:
Jun 25 16:46:27 pouic kernel: [<ffffffff81181e19>] free_rb_tree_fname+0x59/0xd0
Jun 25 16:46:27 pouic kernel: [<ffffffff810f6290>] ? filldir64+0x2b0/0x2b0
Jun 25 16:46:27 pouic kernel: [<ffffffff811821e7>] ext4_readdir+0xe7/0x5b0
Jun 25 16:46:27 pouic kernel: [<ffffffff810f6290>] ? filldir64+0x2b0/0x2b0
Jun 25 16:46:27 pouic kernel: [<ffffffff810f6290>] ? filldir64+0x2b0/0x2b0
Jun 25 16:46:27 pouic kernel: [<ffffffff810f684d>] vfs_readdir+0xcd/0x100
Jun 25 16:46:27 pouic kernel: [<ffffffff810f69eb>] sys_getdents+0xdb/0x1d0
Jun 25 16:46:27 pouic kernel: [<ffffffff81565910>] system_call_fastpath+0x18/0x1d

(this Dovecot process is running inside a vserver instance)

This problem was reported to the PaX team [1]. They think that this
issue is real and is "not the usual false positive".

Configuration files and kernel images are linked in the forum post. Let
me know if you need more details!

Thanks

Footnotes:
[1] http://forums.grsecurity.net/viewtopic.php?f=3&t=3574
Received on Tue Jun 25 19:28:37 2013
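A small triage parser for PaX refcount-overflow reports like the one above, added here as an illustration and not part of Nicolas's post or of the PaX/grsecurity tooling. It extracts the process, uid/euid, the faulting symbol and the call-trace frames (skipping the "?" frames, which are stale stack slots rather than confirmed callers) from a constructed, abridged copy of the log, so a defender can see at a glance which subsystem the overflow was hit in; the sample log, the prefix matching and the helper names are assumptions made for this example.

```python
import re

# Constructed sample: abridged from the oops quoted in the post above.
SAMPLE_LOG = """\
Jun 25 16:46:27 pouic kernel: PAX: From x.x.x.x: refcount overflow detected in: imap:4578, uid/euid: 1000/1000
Jun 25 16:46:27 pouic kernel: CPU 0
Jun 25 16:46:27 pouic kernel: RIP: 0010:[<ffffffff810d537e>] [<ffffffff810d537e>] kfree+0xce/0x120
Jun 25 16:46:27 pouic kernel: Stack:
Jun 25 16:46:27 pouic kernel: ffff8800ea7570a8 ffff8800ed8ac7c8 ffff8800eb3ade00 ffff8800eb02b9c8
Jun 25 16:46:27 pouic kernel: Call Trace:
Jun 25 16:46:27 pouic kernel: [<ffffffff81181e19>] free_rb_tree_fname+0x59/0xd0
Jun 25 16:46:27 pouic kernel: [<ffffffff810f6290>] ? filldir64+0x2b0/0x2b0
Jun 25 16:46:27 pouic kernel: [<ffffffff811821e7>] ext4_readdir+0xe7/0x5b0
Jun 25 16:46:27 pouic kernel: [<ffffffff810f684d>] vfs_readdir+0xcd/0x100
Jun 25 16:46:27 pouic kernel: [<ffffffff810f69eb>] sys_getdents+0xdb/0x1d0
"""

PAX_RE = re.compile(r"PAX: From (?P<src>\S+): refcount overflow detected in: "
                    r"(?P<comm>[^:]+):(?P<pid>\d+), uid/euid: (?P<uid>\d+)/(?P<euid>\d+)")
RIP_RE = re.compile(r"RIP: .*\] (?P<sym>\S+)")          # faulting symbol is the last token
FRAME_RE = re.compile(r"\[<[0-9a-f]+>\] (?P<q>\? )?(?P<sym>\S+)")

def strip_prefix(line):
    """Drop the 'Mon DD HH:MM:SS host kernel: ' syslog prefix, if present."""
    return line.split("kernel: ", 1)[1] if "kernel: " in line else line

def parse_pax_refcount(text):
    """Return one dict per PaX refcount-overflow event found in a syslog/dmesg dump."""
    events, cur, in_trace = [], None, False
    for raw in text.splitlines():
        line = strip_prefix(raw).strip()
        m = PAX_RE.search(line)
        if m:  # start of a new event; following lines belong to it
            cur = {"source": m["src"], "comm": m["comm"], "pid": int(m["pid"]),
                   "uid": int(m["uid"]), "euid": int(m["euid"]), "rip": None, "trace": []}
            events.append(cur)
            in_trace = False
            continue
        if cur is None:
            continue
        m = RIP_RE.search(line)
        if m:
            cur["rip"] = m["sym"].split("+")[0]       # "kfree+0xce/0x120" -> "kfree"
            continue
        if line.startswith("Call Trace:"):
            in_trace = True
            continue
        if in_trace:
            m = FRAME_RE.search(line)
            if m and not m["q"]:                       # keep only confirmed frames
                cur["trace"].append(m["sym"].split("+")[0])
            elif not m:                                # first non-frame line ends the trace
                in_trace = False
    return events

def in_subsystem(event, prefix):
    """True if the faulting symbol or any confirmed frame carries the given symbol prefix."""
    return any(s.startswith(prefix) for s in [event["rip"] or ""] + event["trace"])
```

Running `parse_pax_refcount(SAMPLE_LOG)` on the sample yields a single event for imap (pid 4578, uid 1000) faulting in kfree with the trace free_rb_tree_fname, ext4_readdir, vfs_readdir, sys_getdents, and `in_subsystem(event, "ext4_")` is true, matching the subject line's question.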

Generated on Tue 25 Jun 2013 - 19:28:37 BST by hypermail 2.1.8