Re: [vserver] refcount overflow detected in ext4 ?

From: Herbert Poetzl <herbert_at_13thfloor.at>
Date: Thu 27 Jun 2013 - 21:05:58 BST
Message-ID: <20130627200558.GE25471@MAIL.13thfloor.at>

On Tue, Jun 25, 2013 at 08:28:29PM +0200, Nicolas Bareil wrote:

> Hello,

> On a new AMD64 server running 3.2.47-grsec-vs2.3.2.16+, every
> time a task becomes I/O intensive, PaX kills the kernel with
> the following logs:

> Jun 25 16:46:27 pouic kernel: PAX: From x.x.x.x: refcount overflow detected in: imap:4578, uid/euid: 1000/1000
> Jun 25 16:46:27 pouic kernel: CPU 0
> Jun 25 16:46:27 pouic kernel: Pid: 4578, comm: imap Not tainted 3.2.47-grsec-vs2.3.2.16+ #1 HP ProLiant DL120 G7
> Jun 25 16:46:27 pouic kernel: RIP: 0010:[<ffffffff810d537e>] [<ffffffff810d537e>] kfree+0xce/0x120
> Jun 25 16:46:27 pouic kernel: RSP: 0018:ffff8800edba9d28 EFLAGS: 00000886
> Jun 25 16:46:27 pouic kernel: RAX: 0000000000000002 RBX: ffff8800ed8ac7c0 RCX: 0000000000000000
> Jun 25 16:46:27 pouic kernel: RDX: ffff8801045ce000 RSI: 0000000000000080 RDI: ffff88010b000140
> Jun 25 16:46:27 pouic kernel: RBP: ffff8800edba9d48 R08: 00000001e45d67aa R09: 0000000000000008
> Jun 25 16:46:27 pouic kernel: R10: 000000000000002f R11: 0000000035383a32 R12: ffff88010b01f000
> Jun 25 16:46:27 pouic kernel: R13: 0000000000000293 R14: 0000000000000000 R15: ffff8801062b9c80
> Jun 25 16:46:27 pouic kernel: FS: 000003262d38b700(0000) GS:ffff88010bc00000(0000) knlGS:0000000000000000
> Jun 25 16:46:27 pouic kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> Jun 25 16:46:27 pouic kernel: CR2: ffffffffff600400 CR3: 0000000001578000 CR4: 00000000000406b0
> Jun 25 16:46:27 pouic kernel: DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> Jun 25 16:46:27 pouic kernel: DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
> Jun 25 16:46:27 pouic kernel: Process imap (pid: 4578, threadinfo ffff88010b2010c0, task ffff88010b200cf0)
> Jun 25 16:46:27 pouic kernel: Stack:
> Jun 25 16:46:27 pouic kernel: ffff8800ea7570a8 ffff8800ed8ac7c8 ffff8800eb3ade00 ffff8800eb02b9c8
> Jun 25 16:46:27 pouic kernel: ffff8800edba9d78 ffffffff81181e19 ffff8800eb3ade00 ffff8800ed59c468
> Jun 25 16:46:27 pouic kernel: ffffffff810f6290 ffff880106664000 ffff8800edba9e18 ffffffff811821e7
> Jun 25 16:46:27 pouic kernel: Call Trace:
> Jun 25 16:46:27 pouic kernel: [<ffffffff81181e19>] free_rb_tree_fname+0x59/0xd0
> Jun 25 16:46:27 pouic kernel: [<ffffffff810f6290>] ? filldir64+0x2b0/0x2b0
> Jun 25 16:46:27 pouic kernel: [<ffffffff811821e7>] ext4_readdir+0xe7/0x5b0
> Jun 25 16:46:27 pouic kernel: [<ffffffff810f6290>] ? filldir64+0x2b0/0x2b0
> Jun 25 16:46:27 pouic kernel: [<ffffffff810f6290>] ? filldir64+0x2b0/0x2b0
> Jun 25 16:46:27 pouic kernel: [<ffffffff810f684d>] vfs_readdir+0xcd/0x100
> Jun 25 16:46:27 pouic kernel: [<ffffffff810f69eb>] sys_getdents+0xdb/0x1d0
> Jun 25 16:46:27 pouic kernel: [<ffffffff81565910>] system_call_fastpath+0x18/0x1d

> (this Dovecot process is running inside a vserver instance)

> This problem was reported to the PaX team [1]. They think that
> this issue is real and is "not the usual false positive".

> Configuration files and kernel images are linked in the forum
> post. Let me know if you need more details!

First, thanks for reporting!

Spender did take a closer look at the issue and came up
with the suggestion to extend the involved refcounters
to 64bit atomics (patch 1, 1b).

During this, we also decided to remove the now unused
page array counters completely (patch 2).

Both patches will be included in the next patch release
cycle, but they should apply to your kernel just fine.

best,
Herbert

http://vserver.13thfloor.at/ExperimentalT/spender/

> Thanks

> Footnotes:
> [1] http://forums.grsecurity.net/viewtopic.php?f=3&t=3574
Received on Thu Jun 27 21:06:05 2013
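The fix Herbert describes is to widen the overflowing counters from 32-bit to 64-bit atomics. The block below is an added illustration (not PaX, grsecurity or Linux-VServer code) of the two halves of that story: a 32-bit signed reference counter whose increment refuses to wrap past INT32_MAX, which is the condition PaX's refcount protection reports as "refcount overflow detected", placed beside the same counter widened to 64 bits. The type and function names, the starting value near INT32_MAX, and the "leave the counter unchanged and report" behaviour on overflow are assumptions chosen for the example, not a description of how PaX or the patches on the linked page behave.

```c
/* Added illustration: checked 32-bit vs 64-bit atomic reference counters.
 * Not PaX/grsecurity/Linux-VServer code; all names here are assumptions. */
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>

typedef struct { _Atomic int32_t val; } refcount32_t;
typedef struct { _Atomic int64_t val; } refcount64_t;

struct drive_result {
    int     overflows;  /* increments refused because they would wrap */
    int64_t final;      /* counter value after the run */
};

/* Take a reference on a 32-bit counter. Returns 0 on success, -1 if the
 * increment would overflow INT32_MAX; on -1 the counter is left unchanged
 * so the caller cannot mistake a wrapped value for a live reference. */
static int refcount32_inc_checked(refcount32_t *r)
{
    int32_t old = atomic_load(&r->val);
    for (;;) {
        int32_t new;
        if (__builtin_add_overflow(old, 1, &new))
            return -1;                 /* would overflow: refuse and report */
        if (atomic_compare_exchange_weak(&r->val, &old, new))
            return 0;
        /* CAS lost a race: 'old' now holds the current value, retry. */
    }
}

/* Same operation on the widened 64-bit counter. A workload that pushed the
 * 32-bit counter past 2^31-1 is nowhere near the 64-bit limit. */
static int refcount64_inc_checked(refcount64_t *r)
{
    int64_t old = atomic_load(&r->val);
    for (;;) {
        int64_t new;
        if (__builtin_add_overflow(old, (int64_t)1, &new))
            return -1;
        if (atomic_compare_exchange_weak(&r->val, &old, new))
            return 0;
    }
}

/* Start a 32-bit counter at 'start' (constructed state standing in for an
 * object referenced billions of times) and attempt 'n' more increments. */
static struct drive_result drive32(int32_t start, int n)
{
    refcount32_t r;
    struct drive_result res = { 0, 0 };
    atomic_init(&r.val, start);
    for (int i = 0; i < n; i++)
        if (refcount32_inc_checked(&r) < 0)
            res.overflows++;
    res.final = atomic_load(&r.val);
    return res;
}

/* Same run on the widened counter. */
static struct drive_result drive64(int64_t start, int n)
{
    refcount64_t r;
    struct drive_result res = { 0, 0 };
    atomic_init(&r.val, start);
    for (int i = 0; i < n; i++)
        if (refcount64_inc_checked(&r) < 0)
            res.overflows++;
    res.final = atomic_load(&r.val);
    return res;
}

int main(void)
{
    struct drive_result a = drive32(INT32_MAX - 2, 5);
    struct drive_result b = drive64(INT32_MAX - 2, 5);
    printf("32-bit: %d of 5 increments refused, final=%lld\n",
           a.overflows, (long long)a.final);
    printf("64-bit: %d of 5 increments refused, final=%lld\n",
           b.overflows, (long long)b.final);
    return 0;
}
```

Starting both counters two below INT32_MAX and asking for five increments, the 32-bit counter accepts two and refuses three while staying at INT32_MAX; the 64-bit counter accepts all five. An unchecked 32-bit counter would instead wrap to a negative value on the third increment, which is what a later put/free pair could then drive to zero early.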

Generated on Thu 27 Jun 2013 - 21:06:05 BST by hypermail 2.1.8