2.6.24: amd64 slab-allocator local DoS

Bug #180461 reported by William Pitcock
Affects         Status   Importance  Assigned to  Milestone
linux (Ubuntu)  Invalid  Undecided   Unassigned

Bug Description

Hi,

Running firefox in combination with nspluginwrapper can sometimes result in a crash which causes denial of service inside the slab allocator when firefox is killed. I'm not sure what the particular details of this bug are, but it DOES result in denial of service. Memory used in this system is brand new and passes memtest86+. Additionally, this happens on another amd64 system of mine, so I am fairly certain this is a bug.

[ 3048.129206] Eeek! page_mapcount(page) went negative! (-1)
[ 3048.129221] page pfn = 6e0d2
[ 3048.129223] page->flags = 100000000000014
[ 3048.129225] page->count = 0
[ 3048.129227] page->mapping = 0000000000000000
[ 3048.129256] vma->vm_ops = 0x0
[ 3048.129277] ------------[ cut here ]------------
[ 3048.129280] kernel BUG at /build/buildd/linux-2.6.24/mm/rmap.c:631!
[ 3048.129282] invalid opcode: 0000 [1] SMP
[ 3048.129285] CPU 0
[ 3048.129287] Modules linked in: af_packet binfmt_misc rfcomm l2cap bluetooth ppdev ipv6 cpufreq_ondemand cpufreq_userspace cpufreq_conservative
cpufreq_powersave cpufreq_stats freq_table sbs video output sbshc ac dock container battery power_supply sbp2 lp joydev evdev usbhid hid parport_pc
parport snd_emu10k1_synth snd_emux_synth snd_seq_virmidi snd_seq_midi_emul snd_emu10k1 snd_intel8x0 snd_ac97_codec ac97_bus snd_pcm_oss snd_mixer_oss
snd_pcm emu10k1_gp snd_seq_dummy snd_util_mem gameport nvidia(P) snd_hwdep snd_seq_oss snd_seq_midi snd_rawmidi sg snd_seq_midi_event sd_mod pcspkr
snd_seq snd_timer snd_seq_device button k8temp snd i2c_nforce2 soundcore i2c_core snd_page_alloc shpchp pci_hotplug ext3 jbd mbcache ide_cd cdrom
ide_disk sata_nv ata_generic ohci1394 pata_acpi ieee1394 libata scsi_mod ehci_hcd ohci_hcd amd74xx ide_core forcedeth usbcore ssb thermal processor fan
fuse
[ 3048.129341] Pid: 6467, comm: firefox-bin Tainted: P 2.6.24-2-generic #1
[ 3048.129343] RIP: 0010:[<ffffffff802903fa>] [<ffffffff802903fa>] page_remove_rmap+0x11a/0x130
[ 3048.129354] RSP: 0018:ffff81007610fbd8 EFLAGS: 00010246
[ 3048.129356] RAX: 0000000000000000 RBX: ffff81009f502df0 RCX: ffffffff803961e0
[ 3048.129359] RDX: 00000000ffffffff RSI: 0000000000000000 RDI: ffffffff8056b8e4
[ 3048.129361] RBP: ffff810077e184d0 R08: 0000000000000000 R09: 00000000ffffffff
[ 3048.129364] R10: 0000000000000000 R11: 0000000000000000 R12: 00000000022e2000
[ 3048.129366] R13: ffff81009f502df0 R14: 00000000039a6000 R15: 0000000000320000
[ 3048.129369] FS: 00002b3a0c8ba8e0(0000) GS:ffffffff8059d000(0000) knlGS:00000000f751d6c0
[ 3048.129372] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 3048.129374] CR2: 00000000011b0730 CR3: 0000000000201000 CR4: 00000000000006e0
[ 3048.129377] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 3048.129379] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 3048.129382] Process firefox-bin (pid: 6467, threadinfo ffff81007610e000, task ffff81007b3d4ee0)
[ 3048.129384] Stack: ffff8100761c4710 0000000002400000 ffff8100761c4710 ffffffff802880c2
[ 3048.129389] 0000000000000000 ffffffff8060a7a0 ffff81000101a7b8 00000000039a5fff
[ 3048.129393] 0000000000000000 ffff81007610fcf8 ffffffffffffffff 0000000000000000
[ 3048.129396] Call Trace:
[ 3048.129405] [<ffffffff802880c2>] unmap_vmas+0x4f2/0x7e0
[ 3048.129431] [<ffffffff8028c1e8>] exit_mmap+0x78/0x100
[ 3048.129441] [<ffffffff80239706>] mmput+0x26/0xb0
[ 3048.129445] [<ffffffff8023fc40>] do_exit+0x650/0x910
[ 3048.129451] [<ffffffff80247b0d>] __dequeue_signal+0x2d/0x1e0
[ 3048.129461] [<ffffffff8023ff2c>] do_group_exit+0x2c/0x80
[ 3048.129467] [<ffffffff80249a47>] get_signal_to_deliver+0x2f7/0x4b0
[ 3048.129476] [<ffffffff8020b6c4>] do_notify_resume+0xc4/0x810
[ 3048.129485] [<ffffffff802522f0>] autoremove_wake_function+0x0/0x30
[ 3048.129492] [<ffffffff803ccc33>] sys_recvfrom+0x183/0x190
[ 3048.129509] [<ffffffff8025e93b>] sys_futex+0xab/0x130
[ 3048.129514] [<ffffffff802a5cbe>] vfs_write+0x14e/0x170
[ 3048.129521] [<ffffffff8020c3d7>] sysret_signal+0x1c/0x27
[ 3048.129524] [<ffffffff8020c667>] ptregscall_common+0x67/0xb0
[ 3048.129541]
[ 3048.129542]
[ 3048.129543] Code: 0f 0b eb fe 48 8b 53 10 e9 65 ff ff ff 66 0f 1f 84 00 00 00
[ 3048.129551] RIP [<ffffffff802903fa>] page_remove_rmap+0x11a/0x130
[ 3048.129554] RSP <ffff81007610fbd8>
[ 3048.129558] Fixing recursive fault but reboot is needed!

Leann Ogasawara (leannogasawara) wrote :

Hi William,

Thank you for taking the time to report this bug and helping to make Ubuntu better. Per the kernel team's bug policy, can you please attach the following information? Please be sure to attach each file as a separate attachment.

* uname -a > uname-a.log
* cat /proc/version_signature > version.log
* dmesg > dmesg.log
* sudo lspci -vvnn > lspci-vvnn.log

Also, when you capture the dmesg output, it would be great if it contained the kernel BUG message (i.e. as opposed to capturing dmesg output which does not reflect the issue you are experiencing). For more information regarding the kernel team bug policy, please refer to https://wiki.ubuntu.com/KernelTeamBugPolicies. Thanks again and we appreciate your help and feedback.

Changed in linux:
status: New → Incomplete
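An added example (not code from this bug report, from Launchpad or from the Ubuntu kernel team): a small triage parser for the kind of x86-64 oops pasted in the description. It pulls out the fields a kernel triager reads first (the BUG site in the source tree, the faulting symbol and offset from RIP, the taint flags, comm/pid, the call trace and whether the kernel declared a reboot necessary) and implements the check Leann asks for: that a dmesg capture actually contains the kernel BUG line rather than a later, clean boot. The sample log is constructed from lines of the report above with the register and stack dumps left out; the Oops dataclass, function names and taint-flag table are my own, and the regular expressions assume the 2.6-era oops layout shown on this page.

```python
"""Pull the triage-relevant fields out of an x86-64 kernel BUG/oops in a dmesg log."""
import re
import sys
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the lines a triager keys on, in the shape of the report
# above (values copied from it; register and stack dumps omitted).
SAMPLE_DMESG = """\
[ 3048.129206] Eeek! page_mapcount(page) went negative! (-1)
[ 3048.129277] ------------[ cut here ]------------
[ 3048.129280] kernel BUG at /build/buildd/linux-2.6.24/mm/rmap.c:631!
[ 3048.129282] invalid opcode: 0000 [1] SMP
[ 3048.129341] Pid: 6467, comm: firefox-bin Tainted: P 2.6.24-2-generic #1
[ 3048.129343] RIP: 0010:[<ffffffff802903fa>]  [<ffffffff802903fa>] page_remove_rmap+0x11a/0x130
[ 3048.129396] Call Trace:
[ 3048.129405]  [<ffffffff802880c2>] unmap_vmas+0x4f2/0x7e0
[ 3048.129431]  [<ffffffff8028c1e8>] exit_mmap+0x78/0x100
[ 3048.129441]  [<ffffffff80239706>] mmput+0x26/0xb0
[ 3048.129445]  [<ffffffff8023fc40>] do_exit+0x650/0x910
[ 3048.129541]
[ 3048.129558] Fixing recursive fault but reboot is needed!
"""

TS = r"^\[\s*\d+\.\d+\]\s*"  # dmesg timestamp prefix, e.g. "[ 3048.129280] "
BUG_RE = re.compile(TS + r"kernel BUG at (?P<file>.+?):(?P<line>\d+)!")
PID_RE = re.compile(TS + r"Pid: (?P<pid>\d+), comm: (?P<comm>\S+) "
                    r"(?:Not tainted|Tainted: (?P<taint>\S+)) (?P<kernel>\S+)")
RIP_RE = re.compile(TS + r"RIP: [0-9a-f]+:\[<[0-9a-f]+>\]\s+\[<[0-9a-f]+>\] "
                    r"(?P<sym>\w+)\+0x(?P<off>[0-9a-f]+)/0x[0-9a-f]+")
FRAME_RE = re.compile(TS + r"\[<[0-9a-f]+>\] (?P<sym>\w+)\+0x[0-9a-f]+/0x[0-9a-f]+")

# Single-letter taint flags as documented in the 2.6-era kernel tree (my table).
TAINT_FLAGS = {
    "P": "proprietary module loaded", "F": "module force-loaded",
    "S": "SMP kernel on SMP-incapable CPU", "R": "module force-unloaded",
    "M": "machine check exception", "B": "bad page reference",
    "U": "userspace-defined taint", "D": "kernel has oopsed before",
    "A": "ACPI table overridden",
}


@dataclass
class Oops:  # hypothetical record type, not a kernel structure
    source_file: str
    source_line: int
    pid: Optional[int] = None
    comm: Optional[str] = None
    taint: str = ""
    kernel: Optional[str] = None
    rip_symbol: Optional[str] = None
    rip_offset: Optional[int] = None
    call_trace: List[str] = field(default_factory=list)
    needs_reboot: bool = False

    @property
    def taint_reasons(self) -> List[str]:
        return [TAINT_FLAGS.get(c, f"unknown taint flag {c}") for c in self.taint]


def has_kernel_bug(text: str) -> bool:
    """The check the kernel team asks for: does this dmesg capture contain the BUG line?"""
    return any(BUG_RE.match(line) for line in text.splitlines())


def parse_oops(text: str) -> Optional[Oops]:
    """Return the first kernel BUG found in `text` with its follow-on fields, or None."""
    oops: Optional[Oops] = None
    in_trace = False
    for line in text.splitlines():
        if oops is None:
            m = BUG_RE.match(line)
            if m:
                oops = Oops(source_file=m["file"], source_line=int(m["line"]))
            continue  # nothing to attach fields to before the BUG line
        if in_trace:
            f = FRAME_RE.match(line)
            if f:
                oops.call_trace.append(f["sym"])
                continue
            in_trace = False  # first non-frame line (here an empty one) ends the trace
        if m := PID_RE.match(line):
            oops.pid, oops.comm = int(m["pid"]), m["comm"]
            oops.taint, oops.kernel = m["taint"] or "", m["kernel"]
        elif m := RIP_RE.match(line):
            oops.rip_symbol, oops.rip_offset = m["sym"], int(m["off"], 16)
        elif "Call Trace:" in line:
            in_trace = True
        elif "reboot is needed" in line:
            oops.needs_reboot = True
    return oops


def summarize(oops: Oops) -> str:
    """One-line summary in the form used for a bug title or a duplicate search."""
    where = f"{oops.source_file.rsplit('/', 1)[-1]}:{oops.source_line}"
    rip = f"{oops.rip_symbol}+0x{oops.rip_offset:x}" if oops.rip_symbol else "unknown RIP"
    trace = " <- ".join(oops.call_trace[:4]) or "no call trace"
    return f"BUG {where} in {rip} [{oops.comm} pid {oops.pid}, taint '{oops.taint}']: {trace}"


if __name__ == "__main__":
    # Usage: python3 oops_triage.py dmesg.log  (falls back to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DMESG
    report = parse_oops(text)
    if report is None:
        print("no kernel BUG line in this capture; re-capture dmesg right after the crash")
    else:
        print(summarize(report))
        print("taint:", ", ".join(report.taint_reasons) or "none")
        print("reboot needed:", report.needs_reboot)
```

On the report above this prints the BUG site `rmap.c:631` in `page_remove_rmap+0x11a`, reached from `do_exit` through `mmput`, `exit_mmap` and `unmap_vmas`, which is exactly the teardown path of a killed process; the `P` taint comes from the `nvidia(P)` entry in the module list, and that is the first thing a triager looks at, since a proprietary module can corrupt page state in ways the kernel cannot attribute to itself.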
wolfger (wolfger) wrote :

4 months with no response. We are closing this bug report because it lacks the information we need to investigate the problem, as described in the previous comments. Please reopen it if you can give us the missing information, and don't hesitate to submit bug reports in the future. To reopen the bug report you can click on the current status, under the Status column, and change the Status back to "New". Thanks again!

Changed in linux:
status: Incomplete → Invalid