* [BUG][kprobes][vunmap?]: kprobes may cause memory corruption
  2009-01-28  2:32 Masami Hiramatsu
  2009-01-28  2:39 ` [PATCH][bugfix?][kprobes][vunmap?]: use vm_map_ram() in text_poke() Masami Hiramatsu
  2009-01-28  5:09 ` [BUG][kprobes][vunmap?]: kprobes may cause memory corruption Masami Hiramatsu
  0 siblings, 2 replies; 18+ messages in thread

From: Masami Hiramatsu @ 2009-01-28  2:32 UTC (permalink / raw)
To: Nick Piggin, Mathieu Desnoyers
Cc: LKML, Ananth N Mavinakayanahalli, Jim Keniston, systemtap-ml, Frank Ch. Eigler

[-- Attachment #1: Type: text/plain, Size: 965 bytes --]

Hi,

I found that a 2.6.28-rc1+ kernel might cause random memory corruption,
including a double fault, when repeatedly loading and unloading a
kprobe-using module on i386 with CONFIG_HIGHMEM4G=y.

I narrowed it down by git-bisect and found that the commit below causes
this bug.
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=db64fe02258f1507e13fe5212a989922323685ce

I also reported details of this bug in the bugzilla entry below.
http://sources.redhat.com/bugzilla/show_bug.cgi?id=9740

I'm still investigating the root cause of this bug. I just made an ad-hoc
bugfix patch which only changes text_poke() to work as it did before the
above commit (as far as I tested, it just works for me).

A set of test code written in plain C is attached; make genkprobe.ko and
run testmod.sh, then the bug will occur.

Thanks,

-- 
Masami Hiramatsu
Software Engineer
Hitachi Computer Products (America) Inc.
Software Solutions Division
e-mail: mhiramat@redhat.com

[-- Attachment #2: genkprobe.c --]
[-- Type: text/plain, Size: 24865 bytes --]

#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/kprobes.h>

MODULE_LICENSE("GPL");

/* Pre-handler: does nothing, the module only exercises probe insertion
 * and removal on a large set of kernel functions. */
static int kph(struct kprobe *kp, struct pt_regs *regs)
{
    return 0;
}

/* Fault handler: log the probe address, the faulting ip and the trap
 * number whenever a fault is raised while a probe handler runs. */
static int kpfh(struct kprobe *kp, struct pt_regs *regs, int nr)
{
    printk("fault occurred on kprobes at %p(@%lx:%d)\n",
           kp->addr, regs->ip, nr);
    return 0;
}

/* One probe per syscall entry point (plus a few do_* helpers), resolved
 * by symbol name at registration time. */
static struct kprobe kp[] = {
    [0] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_accept"},
    [1] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_access"},
    [2] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_acct"},
    [3] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_add_key"},
    [4] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_adjtimex"},
    [5] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_alarm"},
    [6] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_bdflush"},
    [7] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_bind"},
    [8] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_brk"},
    [9] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_capget"},
    [10] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_capset"},
    [11] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_chdir"},
    [12] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_chmod"},
    [13] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_chown"},
    [14] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_chown16"},
    [15] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_chroot"},
    [16] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_clock_getres"},
    [17] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_clock_gettime"},
    [18] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_clock_nanosleep"},
    [19] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_clock_settime"},
    [20] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_close"},
    [21] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_connect"},
    [22] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_creat"},
    [23] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_delete_module"},
    [24] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_dup"},
    [25] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_dup2"},
    [26] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_epoll_create"},
    [27] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_epoll_ctl"},
    [28] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_epoll_pwait"},
    [29] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_epoll_wait"},
    [30] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_eventfd"},
    [31] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "do_execve"},
    [32] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "do_exit"},
    [33] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_exit_group"},
    [34] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_faccessat"},
    [35] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_fadvise64"},
    [36] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_fadvise64_64"},
    [37] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_fchdir"},
    [38] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_fchmod"},
    [39] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_fchmodat"},
    [40] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_fchown"},
    [41] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_fchown16"},
    [42] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_fchownat"},
    [43] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_fcntl"},
    [44] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_fcntl64"},
    [45] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_fdatasync"},
    [46] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_fgetxattr"},
    [47] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_flistxattr"},
    [48] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_flock"},
    [49] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "do_fork"},
    [50] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_fremovexattr"},
    [51] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_fsetxattr"},
    [52] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_fstat"},
    [53] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_fstat64"},
    [54] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_newfstat"},
    [55] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_fstatat64"},
    [56] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_fstatfs"},
    [57] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_fstatfs64"},
    [58] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_fsync"},
    [59] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_ftruncate"},
    [60] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_ftruncate64"},
    [61] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_futex"},
    [62] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_futimesat"},
    [63] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_get_thread_area"},
    [64] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_getcwd"},
    [65] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_getdents"},
    [66] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_getdents64"},
    [67] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_getegid16"},
    [68] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_getegid"},
    [69] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_geteuid16"},
    [70] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_geteuid"},
    [71] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_getgid16"},
    [72] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_getgid"},
    [73] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_getgroups"},
    [74] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_getgroups16"},
    [75] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_gethostname"},
    [76] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_getitimer"},
    [77] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_getpeername"},
    [78] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_getpgid"},
    [79] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_getpgrp"},
    [80] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_getpid"},
    [81] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_getppid"},
    [82] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_getpriority"},
    [83] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_getresgid16"},
    [84] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_getresgid"},
    [85] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_getresuid16"},
    [86] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_getresuid"},
    [87] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_getrlimit"},
    [88] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_old_getrlimit"},
    [89] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_getrusage"},
    [90] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_getsid"},
    [91] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_getsockname"},
    [92] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_getsockopt"},
    [93] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_gettid"},
    [94] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_gettimeofday"},
    [95] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_getuid16"},
    [96] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_getuid"},
    [97] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_getxattr"},
    [98] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_init_module"},
    [99] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_inotify_add_watch"},
    [100] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_inotify_init"},
    [101] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_inotify_rm_watch"},
    [102] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_io_cancel"},
    [103] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_io_destroy"},
    [104] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_io_getevents"},
    [105] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_io_setup"},
    [106] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_io_submit"},
    [107] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_ioctl"},
    [108] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_ioperm"},
    [109] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_iopl"},
    [110] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_ioprio_get"},
    [111] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_ioprio_set"},
    [112] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_ipc"},
    [113] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_kexec_load"},
    [114] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_keyctl"},
    [115] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_kill"},
    [116] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_lchown"},
    [117] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_lchown16"},
    [118] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_lgetxattr"},
    [119] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_link"},
    [120] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_linkat"},
    [121] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_listen"},
    [122] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_listxattr"},
    [123] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_llistxattr"},
    [124] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_llseek"},
    [125] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_lookup_dcookie"},
    [126] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_lremovexattr"},
    [127] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_lseek"},
    [128] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_lsetxattr"},
    [129] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_lstat"},
    [130] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_newlstat"},
    [131] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_lstat64"},
    [132] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_madvise"},
    [133] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_mincore"},
    [134] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_mkdir"},
    [135] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_mkdirat"},
    [136] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_mknod"},
    [137] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_mknodat"},
    [138] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_mlock"},
    [139] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_mlockall"},
    [140] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_mmap2"},
    [141] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_modify_ldt"},
    [142] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_mount"},
    [143] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_mprotect"},
    [144] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_mq_getsetattr"},
    [145] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_mq_notify"},
    [146] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_mq_open"},
    [147] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_mq_timedreceive"},
    [148] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_mq_timedsend"},
    [149] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_mq_unlink"},
    [150] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_mremap"},
    [151] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_msgctl"},
    [152] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_msgget"},
    [153] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_msgrcv"},
    [154] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_msgsnd"},
    [155] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_msync"},
    [156] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_munlock"},
    [157] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_munlockall"},
    [158] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_munmap"},
    [159] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_nanosleep"},
    [160] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_nfsservctl"},
    [161] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_ni_syscall"},
    [162] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_nice"},
    [163] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_open"},
    [164] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_openat"},
    [165] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_pause"},
    [166] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_personality"},
    [167] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_pipe"},
    [168] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_pivot_root"},
    [169] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_poll"},
    [170] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_ppoll"},
    [171] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_prctl"},
    [172] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_pread64"},
    [173] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_pselect6"},
    [174] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_ptrace"},
    [175] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_pwrite64"},
    [176] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_quotactl"},
    [177] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_read"},
    [178] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_readahead"},
    [179] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_readlink"},
    [180] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_readlinkat"},
    [181] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_readv"},
    [182] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_reboot"},
    [183] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_recv"},
    [184] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_recvfrom"},
    [185] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_recvmsg"},
    [186] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_remap_file_pages"},
    [187] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_removexattr"},
    [188] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_rename"},
    [189] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_renameat"},
    [190] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_request_key"},
    [191] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_restart_syscall"},
    [192] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_rmdir"},
    [193] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_rt_sigaction"},
    [194] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_rt_sigpending"},
    [195] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_rt_sigprocmask"},
    [196] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_rt_sigqueueinfo"},
    [197] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_rt_sigreturn"},
    [198] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_rt_sigsuspend"},
    [199] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_rt_sigtimedwait"},
    [200] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_sched_get_priority_max"},
    [201] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_sched_get_priority_min"},
    [202] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_sched_getaffinity"},
    [203] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_sched_getparam"},
    [204] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_sched_getscheduler"},
    [205] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_sched_rr_get_interval"},
    [206] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_sched_setaffinity"},
    [207] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_sched_setparam"},
    [208] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_sched_setscheduler"},
    [209] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_sched_yield"},
    [210] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_select"},
    [211] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_semctl"},
    [212] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_semget"},
    [213] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_semtimedop"},
    [214] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_semtimedop"},
    [215] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_send"},
    [216] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_sendfile"},
    [217] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_sendfile64"},
    [218] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_sendmsg"},
    [219] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_sendto"},
    [220] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_set_thread_area"},
    [221] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_set_tid_address"},
    [222] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_setdomainname"},
    [223] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_setfsgid"},
    [224] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_setfsgid16"},
    [225] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_setfsuid"},
    [226] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_setfsuid16"},
    [227] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_setgid"},
    [228] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_setgid16"},
    [229] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_setgroups"},
    [230] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_setgroups16"},
    [231] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_sethostname"},
    [232] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_setitimer"},
    [233] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_setpgid"},
    [234] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_setpriority"},
    [235] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_setregid"},
    [236] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_setregid16"},
    [237] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_setresgid"},
    [238] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_setresgid16"},
    [239] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_setresuid"},
    [240] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_setresuid16"},
    [241] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_setreuid"},
    [242] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_setreuid16"},
    [243] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_setrlimit"},
    [244] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_setsid"},
    [245] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_setsockopt"},
    [246] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_settimeofday"},
    [247] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_setuid16"},
    [248] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_setuid"},
    [249] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_setxattr"},
    [250] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_sgetmask"},
    [251] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_shmat"},
    [252] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_shmctl"},
    [253] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_shmdt"},
    [254] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_shmget"},
    [255] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_shutdown"},
    [256] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_sigaction"},
    [257] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_sigaltstack"},
    [258] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_signal"},
    [259] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_signalfd"},
    [260] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_sigpending"},
    [261] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_sigprocmask"},
    [262] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_sigreturn"},
    [263] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_sigsuspend"},
    [264] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_socket"},
    [265] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_socketpair"},
    [266] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_splice"},
    [267] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_ssetmask"},
    [268] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_stat"},
    [269] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_newstat"},
    [270] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_stat64"},
    [271] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_statfs"},
    [272] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_statfs64"},
    [273] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_stime"},
    [274] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_swapoff"},
    [275] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_swapon"},
    [276] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_symlink"},
    [277] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_symlinkat"},
    [278] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_sync"},
    [279] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_sysctl"},
    [280] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_sysfs"},
    [281] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_sysinfo"},
    [282] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_syslog"},
    [283] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_tee"},
    [284] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_tgkill"},
    [285] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_time"},
    [286] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_timer_create"},
    [287] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_timer_delete"},
    [288] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_timer_getoverrun"},
    [289] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_timer_gettime"},
    [290] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_timer_settime"},
    [291] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_times"},
    [292] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_tkill"},
    [293] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_truncate"},
    [294] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_truncate64"},
    [295] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_umask"},
    [296] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_umount"},
    [297] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_uname"},
    [298] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_olduname"},
    [299] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_newuname"},
    [300] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_unlink"},
    [301] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_unlinkat"},
    [302] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_unshare"},
    [303] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_uselib"},
    [304] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_ustat"},
    [305] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_utime"},
    [306] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_utimensat"},
    [307] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_utimes"},
    [308] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_vhangup"},
    [309] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_vm86"},
    [310] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_vm86old"},
    [311] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_vmsplice"},
    [312] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_wait4"},
    [313] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_waitid"},
    [314] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_write"},
    [315] = {.pre_handler = kph, .fault_handler = kpfh, .symbol_name = "sys_writev"},
};

/* Number of probes above; register_kprobes() takes an array of pointers. */
#define NRPB 316
static struct kprobe *kps[NRPB];

int __gen_init(void)
{
    int ret, i;

    for (i = 0; i < NRPB; i++)
        kps[i] = &kp[i];
    printk("registering...");
    ret = register_kprobes(kps, NRPB);
    if (ret) {
        printk("failed to register kprobes\n");
        return ret;
    }
    printk("registered\n");
    return 0;
}

void __gen_exit(void)
{
    printk("unregistering...");
    unregister_kprobes(kps, NRPB);
    printk("unregistered\n");
}

module_init(__gen_init);
module_exit(__gen_exit);

[-- Attachment #3: testmod.sh --]
[-- Type: application/x-shellscript, Size: 119 bytes --]

^ permalink raw reply [flat|nested] 18+ messages in thread
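The load/unload loop the report says testmod.sh performs, written out here as an added example; this is not the attached testmod.sh (whose contents are not shown in the thread) and not the reporter's code. It repeats insmod/rmmod of the module a fixed number of times and then counts the messages that the kpfh() fault handler in genkprobe.c prints, so a tester can tell whether the probe's fault handler fired during the run. The module path ./genkprobe.ko, the iteration count, the environment-variable names and the trap-number parsing are assumptions; the log format is the one genkprobe.c uses.

```shell
#!/bin/sh
# Added example, not the testmod.sh attached to the report (its contents are
# not shown in the thread). Assumptions: the module is built as ./genkprobe.ko
# next to this script, and the fault handler prints exactly the format used in
# the attached genkprobe.c: "fault occurred on kprobes at %p(@%lx:%d)".

MODULE="${MODULE:-./genkprobe.ko}"   # assumed path of the built test module
ITERATIONS="${ITERATIONS:-100}"      # assumed number of load/unload cycles

# Count kernel-log lines on stdin that came from kpfh() in genkprobe.c.
# grep -c exits 1 when nothing matched, which is not an error here.
count_kprobe_faults() {
    grep -c 'fault occurred on kprobes at ' || true
}

# Print the trap number from each kpfh() line on stdin (the ":%d" part), so a
# tester can distinguish a page fault (14 on i386) from a double fault (8).
kprobe_fault_trapnr() {
    sed -n 's/.*fault occurred on kprobes at [^(]*(@[0-9a-fx]*:\([0-9]*\)).*/\1/p'
}

# Load and unload the module ITERATIONS times, stopping at the first failure,
# then report how many fault-handler messages the kernel logged.
stress_load_unload() {
    name=$(basename "$MODULE" .ko)
    i=0
    while [ "$i" -lt "$ITERATIONS" ]; do
        insmod "$MODULE" || { echo "insmod failed at cycle $i" >&2; return 1; }
        rmmod "$name"    || { echo "rmmod failed at cycle $i" >&2; return 1; }
        i=$((i + 1))
    done
    dmesg | count_kprobe_faults
}

# The loop needs root and the built module, so it only runs when asked for:
#   sudo sh stress.sh run
if [ "${1:-}" = "run" ]; then
    faults=$(stress_load_unload) || exit 1
    echo "kprobe fault-handler messages after $ITERATIONS cycles: $faults"
fi
```

The two parsing helpers read from stdin so they can be pointed at a saved dmesg dump from a crashed box just as easily as at the live log; a double fault on i386 will usually take the machine down before anything is logged, so a clean run with zero fault lines and a machine that is still up is the result worth recording.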
* [PATCH][bugfix?][kprobes][vunmap?]: use vm_map_ram() in text_poke() 2009-01-28 2:32 [BUG][kprobes][vunmap?]: kprobes may cause memory corruption Masami Hiramatsu @ 2009-01-28 2:39 ` Masami Hiramatsu 2009-01-28 5:09 ` [BUG][kprobes][vunmap?]: kprobes may cause memory corruption Masami Hiramatsu 1 sibling, 0 replies; 18+ messages in thread From: Masami Hiramatsu @ 2009-01-28 2:39 UTC (permalink / raw) To: Nick Piggin, Mathieu Desnoyers Cc: LKML, Ananth N Mavinakayanahalli, Jim Keniston, systemtap-ml, Frank Ch. Eigler Use vm_map_ram() instead of vmap() in text_poke(), because text_poke() just want to map pages temporarily. --- As far as I tested, this patch works fine for me. However, there might be another hidden bug in the kernel... We need to fix that too. arch/x86/kernel/alternative.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) Index: 2.6-rc/arch/x86/kernel/alternative.c =================================================================== --- 2.6-rc.orig/arch/x86/kernel/alternative.c +++ 2.6-rc/arch/x86/kernel/alternative.c @@ -515,12 +515,12 @@ void *__kprobes text_poke(void *addr, co BUG_ON(!pages[0]); if (!pages[1]) nr_pages = 1; - vaddr = vmap(pages, nr_pages, VM_MAP, PAGE_KERNEL); + vaddr = vm_map_ram(pages, nr_pages, -1, PAGE_KERNEL); BUG_ON(!vaddr); local_irq_save(flags); memcpy(&vaddr[(unsigned long)addr & ~PAGE_MASK], opcode, len); local_irq_restore(flags); - vunmap(vaddr); + vm_unmap_ram(vaddr, nr_pages); sync_core(); /* Could also do a CLFLUSH here to speed up CPU recovery; but that causes hangs on some VIA CPUs. */ -- Masami Hiramatsu Software Engineer Hitachi Computer Products (America) Inc. Software Solutions Division e-mail: mhiramat@redhat.com ^ permalink raw reply [flat|nested] 18+ messages in thread
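Review bot: the changelog ("text_poke() just want to map pages temporarily") gives no reason why vm_map_ram()/vm_unmap_ram() is correct here rather than merely hiding the symptom, and the cover text itself says the root cause is still under investigation and that another hidden bug may remain; before this goes in, the commit message should state what the vmap()/vunmap() path does differently after commit db64fe02 that breaks text_poke() on i386 with CONFIG_HIGHMEM4G, and the bare "-1" node argument to vm_map_ram() deserves a short comment saying it means any node. The BUG_ON(!vaddr) on the line after the new call is unchanged by this patch, but vm_map_ram() can return NULL just as vmap() could, so a failed mapping during kprobe registration still takes the whole machine down instead of making register_kprobes() fail.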
* Re: [BUG][kprobes][vunmap?]: kprobes may cause memory corruption
  2009-01-28  2:32 [BUG][kprobes][vunmap?]: kprobes may cause memory corruption Masami Hiramatsu
  2009-01-28  2:39 ` [PATCH][bugfix?][kprobes][vunmap?]: use vm_map_ram() in text_poke() Masami Hiramatsu
@ 2009-01-28  5:09 ` Masami Hiramatsu
  2009-01-28 15:48   ` Mathieu Desnoyers
  1 sibling, 1 reply; 18+ messages in thread

From: Masami Hiramatsu @ 2009-01-28  5:09 UTC (permalink / raw)
Cc: Nick Piggin, Mathieu Desnoyers, LKML, Ananth N Mavinakayanahalli, Jim Keniston, systemtap-ml, Frank Ch. Eigler

[-- Attachment #1: Type: text/plain, Size: 1194 bytes --]

Masami Hiramatsu wrote:
> Hi
>
> I found that 2.6.28-rc1+ kernel might cause a random memory corruption
> including double fault when repeating load/unload kprobe-using module on
> i386 with CONFIG_HIGHMEM4G=y.

I think there might be two different bugs.

- The first bug may be related to the vunmap change.
  - I'm not sure of the root cause of this bug.
  - However, this bug seems to be fixed by my patch (use vm_map_ram() in
    text_poke()).
- The second bug is a kprobe_fault_handler bug.
  - I found a clue to this bug, which I reported below, by using kdump & crash.
    http://sources.redhat.com/bugzilla/show_bug.cgi?id=9740#c21
  - I thought this bug should not be fixed by my patch, but as far as I
    tested, this bug disappeared with my patch.

> A set of test code which written in plain c is attached,
> make genkprobe.ko and run testmod.sh, then the bug will
> be occurred.

If my thought is correct, the previous test code is only for the second bug.
I attached slightly different test code (just disabled the fault handler)
for the first bug.

Thank you,

-- 
Masami Hiramatsu
Software Engineer
Hitachi Computer Products (America) Inc.
Software Solutions Division

e-mail: mhiramat@redhat.com

[-- Attachment #2: genkprobe1.c --]
[-- Type: text/x-csrc, Size: 24903 bytes --]

#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/kprobes.h>

MODULE_LICENSE("GPL");

/* Empty pre-handler: the probes only exercise text_poke() on register/unregister. */
static int kph(struct kprobe *kp, struct pt_regs *regs)
{
    return 0;
}

/*
 * genkprobe1.c differs from genkprobe.c only here: the fault handler is
 * disabled so that this variant exercises the first (vunmap-related) bug alone.
 */
#if 0
static int kpfh(struct kprobe *kp, struct pt_regs *regs, int nr)
{
    printk("fault occurred on kprobes at %p(@%lx:%d)\n", kp->addr, regs->ip, nr);
    return 0;
}
#else
#define kpfh NULL
#endif

static struct kprobe kp[] = {
    [0]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_accept"},
    [1]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_access"},
    [2]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_acct"},
    [3]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_add_key"},
    [4]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_adjtimex"},
    [5]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_alarm"},
    [6]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_bdflush"},
    [7]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_bind"},
    [8]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_brk"},
    [9]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_capget"},
    [10]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_capset"},
    [11]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_chdir"},
    [12]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_chmod"},
    [13]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_chown"},
    [14]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_chown16"},
    [15]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_chroot"},
    [16]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_clock_getres"},
    [17]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_clock_gettime"},
    [18]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_clock_nanosleep"},
    [19]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_clock_settime"},
    [20]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_close"},
    [21]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_connect"},
    [22]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_creat"},
    [23]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_delete_module"},
    [24]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_dup"},
    [25]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_dup2"},
    [26]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_epoll_create"},
    [27]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_epoll_ctl"},
    [28]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_epoll_pwait"},
    [29]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_epoll_wait"},
    [30]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_eventfd"},
    [31]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="do_execve"},
    [32]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="do_exit"},
    [33]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_exit_group"},
    [34]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_faccessat"},
    [35]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_fadvise64"},
    [36]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_fadvise64_64"},
    [37]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_fchdir"},
    [38]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_fchmod"},
    [39]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_fchmodat"},
    [40]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_fchown"},
    [41]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_fchown16"},
    [42]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_fchownat"},
    [43]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_fcntl"},
    [44]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_fcntl64"},
    [45]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_fdatasync"},
    [46]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_fgetxattr"},
    [47]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_flistxattr"},
    [48]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_flock"},
    [49]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="do_fork"},
    [50]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_fremovexattr"},
    [51]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_fsetxattr"},
    [52]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_fstat"},
    [53]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_fstat64"},
    [54]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_newfstat"},
    [55]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_fstatat64"},
    [56]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_fstatfs"},
    [57]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_fstatfs64"},
    [58]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_fsync"},
    [59]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_ftruncate"},
    [60]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_ftruncate64"},
    [61]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_futex"},
    [62]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_futimesat"},
    [63]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_get_thread_area"},
    [64]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getcwd"},
    [65]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getdents"},
    [66]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getdents64"},
    [67]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getegid16"},
    [68]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getegid"},
    [69]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_geteuid16"},
    [70]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_geteuid"},
    [71]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getgid16"},
    [72]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getgid"},
    [73]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getgroups"},
    [74]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getgroups16"},
    [75]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_gethostname"},
    [76]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getitimer"},
    [77]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getpeername"},
    [78]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getpgid"},
    [79]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getpgrp"},
    [80]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getpid"},
    [81]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getppid"},
    [82]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getpriority"},
    [83]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getresgid16"},
    [84]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getresgid"},
    [85]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getresuid16"},
    [86]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getresuid"},
    [87]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getrlimit"},
    [88]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_old_getrlimit"},
    [89]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getrusage"},
    [90]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getsid"},
    [91]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getsockname"},
    [92]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getsockopt"},
    [93]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_gettid"},
    [94]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_gettimeofday"},
    [95]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getuid16"},
    [96]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getuid"},
    [97]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getxattr"},
    [98]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_init_module"},
    [99]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_inotify_add_watch"},
    [100]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_inotify_init"},
    [101]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_inotify_rm_watch"},
    [102]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_io_cancel"},
    [103]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_io_destroy"},
    [104]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_io_getevents"},
    [105]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_io_setup"},
    [106]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_io_submit"},
    [107]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_ioctl"},
    [108]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_ioperm"},
    [109]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_iopl"},
    [110]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_ioprio_get"},
    [111]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_ioprio_set"},
    [112]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_ipc"},
    [113]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_kexec_load"},
    [114]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_keyctl"},
    [115]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_kill"},
    [116]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_lchown"},
    [117]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_lchown16"},
    [118]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_lgetxattr"},
    [119]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_link"},
    [120]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_linkat"},
    [121]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_listen"},
    [122]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_listxattr"},
    [123]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_llistxattr"},
    [124]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_llseek"},
    [125]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_lookup_dcookie"},
    [126]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_lremovexattr"},
    [127]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_lseek"},
    [128]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_lsetxattr"},
    [129]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_lstat"},
    [130]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_newlstat"},
    [131]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_lstat64"},
    [132]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_madvise"},
    [133]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_mincore"},
    [134]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_mkdir"},
    [135]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_mkdirat"},
    [136]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_mknod"},
    [137]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_mknodat"},
    [138]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_mlock"},
    [139]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_mlockall"},
    [140]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_mmap2"},
    [141]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_modify_ldt"},
    [142]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_mount"},
    [143]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_mprotect"},
    [144]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_mq_getsetattr"},
    [145]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_mq_notify"},
    [146]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_mq_open"},
    [147]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_mq_timedreceive"},
    [148]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_mq_timedsend"},
    [149]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_mq_unlink"},
    [150]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_mremap"},
    [151]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_msgctl"},
    [152]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_msgget"},
    [153]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_msgrcv"},
    [154]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_msgsnd"},
    [155]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_msync"},
    [156]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_munlock"},
    [157]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_munlockall"},
    [158]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_munmap"},
    [159]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_nanosleep"},
    [160]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_nfsservctl"},
    [161]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_ni_syscall"},
    [162]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_nice"},
    [163]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_open"},
    [164]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_openat"},
    [165]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_pause"},
    [166]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_personality"},
    [167]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_pipe"},
    [168]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_pivot_root"},
    [169]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_poll"},
    [170]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_ppoll"},
    [171]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_prctl"},
    [172]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_pread64"},
    [173]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_pselect6"},
    [174]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_ptrace"},
    [175]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_pwrite64"},
    [176]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_quotactl"},
    [177]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_read"},
    [178]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_readahead"},
    [179]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_readlink"},
    [180]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_readlinkat"},
    [181]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_readv"},
    [182]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_reboot"},
    [183]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_recv"},
    [184]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_recvfrom"},
    [185]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_recvmsg"},
    [186]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_remap_file_pages"},
    [187]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_removexattr"},
    [188]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_rename"},
    [189]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_renameat"},
    [190]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_request_key"},
    [191]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_restart_syscall"},
    [192]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_rmdir"},
    [193]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_rt_sigaction"},
    [194]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_rt_sigpending"},
    [195]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_rt_sigprocmask"},
    [196]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_rt_sigqueueinfo"},
    [197]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_rt_sigreturn"},
    [198]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_rt_sigsuspend"},
    [199]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_rt_sigtimedwait"},
    [200]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sched_get_priority_max"},
    [201]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sched_get_priority_min"},
    [202]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sched_getaffinity"},
    [203]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sched_getparam"},
    [204]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sched_getscheduler"},
    [205]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sched_rr_get_interval"},
    [206]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sched_setaffinity"},
    [207]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sched_setparam"},
    [208]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sched_setscheduler"},
    [209]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sched_yield"},
    [210]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_select"},
    [211]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_semctl"},
    [212]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_semget"},
    [213]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_semtimedop"},
    [214]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_semtimedop"},
    [215]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_send"},
    [216]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sendfile"},
    [217]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sendfile64"},
    [218]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sendmsg"},
    [219]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sendto"},
    [220]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_set_thread_area"},
    [221]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_set_tid_address"},
    [222]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setdomainname"},
    [223]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setfsgid"},
    [224]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setfsgid16"},
    [225]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setfsuid"},
    [226]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setfsuid16"},
    [227]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setgid"},
    [228]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setgid16"},
    [229]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setgroups"},
    [230]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setgroups16"},
    [231]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sethostname"},
    [232]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setitimer"},
    [233]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setpgid"},
    [234]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setpriority"},
    [235]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setregid"},
    [236]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setregid16"},
    [237]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setresgid"},
    [238]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setresgid16"},
    [239]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setresuid"},
    [240]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setresuid16"},
    [241]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setreuid"},
    [242]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setreuid16"},
    [243]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setrlimit"},
    [244]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setsid"},
    [245]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setsockopt"},
    [246]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_settimeofday"},
    [247]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setuid16"},
    [248]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setuid"},
    [249]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setxattr"},
    [250]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sgetmask"},
    [251]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_shmat"},
    [252]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_shmctl"},
    [253]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_shmdt"},
    [254]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_shmget"},
    [255]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_shutdown"},
    [256]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sigaction"},
    [257]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sigaltstack"},
    [258]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_signal"},
    [259]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_signalfd"},
    [260]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sigpending"},
    [261]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sigprocmask"},
    [262]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sigreturn"},
    [263]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sigsuspend"},
    [264]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_socket"},
    [265]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_socketpair"},
    [266]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_splice"},
    [267]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_ssetmask"},
    [268]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_stat"},
    [269]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_newstat"},
    [270]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_stat64"},
    [271]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_statfs"},
    [272]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_statfs64"},
    [273]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_stime"},
    [274]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_swapoff"},
    [275]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_swapon"},
    [276]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_symlink"},
    [277]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_symlinkat"},
    [278]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sync"},
    [279]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sysctl"},
    [280]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sysfs"},
    [281]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sysinfo"},
    [282]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_syslog"},
    [283]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_tee"},
    [284]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_tgkill"},
    [285]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_time"},
    [286]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_timer_create"},
    [287]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_timer_delete"},
    [288]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_timer_getoverrun"},
    [289]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_timer_gettime"},
    [290]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_timer_settime"},
    [291]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_times"},
    [292]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_tkill"},
    [293]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_truncate"},
    [294]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_truncate64"},
    [295]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_umask"},
    [296]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_umount"},
    [297]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_uname"},
    [298]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_olduname"},
    [299]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_newuname"},
    [300]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_unlink"},
    [301]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_unlinkat"},
    [302]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_unshare"},
    [303]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_uselib"},
    [304]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_ustat"},
    [305]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_utime"},
    [306]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_utimensat"},
    [307]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_utimes"},
    [308]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_vhangup"},
    [309]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_vm86"},
    [310]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_vm86old"},
    [311]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_vmsplice"},
    [312]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_wait4"},
    [313]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_waitid"},
    [314]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_write"},
    [315]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_writev"},
};
#define NRPB 316
static struct kprobe *kps[NRPB];

/* Register all NRPB probes in one call; each one patches its target with text_poke(). */
int __gen_init(void)
{
    int ret, i;
    for (i=0;i<NRPB;i++)
        kps[i]=&kp[i];
    printk("registering...");
    ret = register_kprobes(kps, NRPB);
    if (ret) {
        printk("failed to register kprobes\n");
        return ret;
    }
    printk("registered\n");
    return 0;
}

void __gen_exit(void)
{
    printk("unregistering...");
    unregister_kprobes(kps, NRPB);
    printk("unregistered\n");
}
module_init(__gen_init);
module_exit(__gen_exit);
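The load/unload loop that the report describes testmod.sh running, written out as an added example (not code from the thread; the real testmod.sh is not shown on the page), together with a check of the kernel log for the two symptoms named in the report. The module path, the iteration count and the sample log lines are assumptions or constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: a stand-in for the testmod.sh loop
# (repeatedly load and unload genkprobe.ko) with a check of the kernel log for
# the symptoms named in the report. MODULE and ITERATIONS are assumptions.

MODULE=${MODULE:-./genkprobe.ko}     # assumption: built from the attached genkprobe.c
ITERATIONS=${ITERATIONS:-400}        # assumption: number of load/unload rounds

# Constructed sample of what dmesg might show after one bad round: the second
# line is the format kpfh() in genkprobe.c prints, the third an x86 oops banner.
SAMPLE_LOG='[   41.900] registering...registered
[   42.001] fault occurred on kprobes at c04a1b20(@c04a1b20:14)
[   42.500] double fault: 0000 [#1] SMP
[   43.000] unregistering...unregistered'

# count_symptoms: number of log lines (stdin) that show a kprobe fault_handler
# hit or a double fault. grep -c prints 0 and exits 1 on no match, hence "|| true".
count_symptoms() {
    grep -c -E 'fault occurred on kprobes at|double fault' || true
}

# fault_report: for each kpfh() line, print "probe_addr faulting_ip trapnr",
# i.e. kp->addr, regs->ip and the trap number from the printk format string.
fault_report() {
    sed -n 's/.*fault occurred on kprobes at \([0-9a-fx]*\)(@\([0-9a-fx]*\):\([0-9]*\)).*/\1 \2 \3/p'
}

# stress_load_unload: the load/unload loop. Symptom lines already present
# before the loop are subtracted, so only new ones stop the run. Needs root.
stress_load_unload() {
    name=$(basename "$MODULE" .ko)
    baseline=$(dmesg | count_symptoms)
    i=0
    while [ "$i" -lt "$ITERATIONS" ]; do
        insmod "$MODULE" || { echo "insmod failed at round $i" >&2; return 1; }
        rmmod "$name" || { echo "rmmod failed at round $i" >&2; return 1; }
        now=$(dmesg | count_symptoms)
        if [ "$now" -gt "$baseline" ]; then
            echo "round $i: $((now - baseline)) new symptom line(s):" >&2
            dmesg | fault_report >&2
            return 1
        fi
        i=$((i + 1))
    done
    echo "$ITERATIONS rounds without a kprobe fault or double fault"
}

# Stand-alone demonstration on the constructed sample; pass "run" as the first
# argument to do the real loop against the running kernel instead.
if [ "${1:-}" = "run" ]; then
    stress_load_unload
else
    printf '%s\n' "$SAMPLE_LOG" | count_symptoms     # prints 2
    printf '%s\n' "$SAMPLE_LOG" | fault_report       # prints "c04a1b20 c04a1b20 14"
fi
```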
* Re: [BUG][kprobes][vunmap?]: kprobes may cause memory corruption
  2009-01-28  5:09 ` [BUG][kprobes][vunmap?]: kprobes may cause memory corruption Masami Hiramatsu
@ 2009-01-28 15:48   ` Mathieu Desnoyers
  2009-01-28 16:22     ` Mathieu Desnoyers
  2009-01-28 16:59     ` Masami Hiramatsu
  0 siblings, 2 replies; 18+ messages in thread
From: Mathieu Desnoyers @ 2009-01-28 15:48 UTC (permalink / raw)
To: Masami Hiramatsu
Cc: Nick Piggin, LKML, Ananth N Mavinakayanahalli, Jim Keniston, systemtap-ml, Frank Ch. Eigler

* Masami Hiramatsu (mhiramat@redhat.com) wrote:
> Masami Hiramatsu wrote:
>> Hi
>> I found that 2.6.28-rc1+ kernel might cause a random memory corruption
>> including double fault when repeating load/unload kprobe-using module on
>> i386 with CONFIG_HIGHMEN4G=y.
>
> I think there might be two different bugs.
>
> - First bug may be related to vunmap change.
>   - I'm not sure the root cause of this bug.
>   - However, this bug seems to be fixed by my patch (use vm_map_ram in
>     text_poke()).
>
> - Second bug is kprobe_fault_handler bug
>   - I found a clue of this bug which I reported below by using
>     kdump&crash.
>     http://sources.redhat.com/bugzilla/show_bug.cgi?id=9740#c21
>   - I thought this bug should not be fixed by my patch, but as far as I
>     tested, this bug disappeared with my patch.
>

Hi Masami,

This would not surprise me if it came from a bug in the new vmap()
implementation done in this commit:

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=db64fe02258f1507e13fe5212a989922323685ce

Especially because going from vmap -> vm_map_ram makes this behavior
disappear.

Looking at the commit, I notice that it delays vunmap so it's done in
batch to minimize locking effect.
I think it would be good to create a test case to try to isolate this,
without any kprobes/text_poke involved, which does something like this:

    load module (this is also doing vmalloc, so it might be part of the problem)
    for (i = 0; i < 400; i++) {
        vmap()
        vfree()
    }
    unload module

Another interesting test would be:

    for (i = 0; i < 400; i++) {
        vmalloc()
        vfree()
    }

All this called in a loop. This would help isolate the "vmap" part of
the issue.

If this test is not enough, then we should maybe try something like this
in a kernel module (which does what text_poke does with vmalloc, more or
less) in a loop:

    /* two page-aligned pages, so that both pages[] entries below are valid */
    char somedata[2 * PAGE_SIZE] __attribute__((aligned(PAGE_SIZE)));
    char copydata[2 * PAGE_SIZE] __attribute__((aligned(PAGE_SIZE)));

    void test_vmap(void)
    {
        struct page *pages[2];
        char *vaddr;
        int i;

        /* keep a copy of the original contents to compare against */
        for (i = 0; i < 2 * PAGE_SIZE; i++)
            copydata[i] = somedata[i];
        pages[0] = virt_to_page(somedata);
        BUG_ON(!pages[0]);
        pages[1] = virt_to_page(somedata + PAGE_SIZE);
        BUG_ON(!pages[1]);
        /* write through a vmap alias of the two pages, as text_poke() does */
        vaddr = vmap(pages, 2, VM_MAP, PAGE_KERNEL);
        BUG_ON(!vaddr);
        for (i = 0; i < 2 * PAGE_SIZE; i++)
            vaddr[i] = copydata[i] + 1;
        vunmap(vaddr);
        /* the write must be visible through the direct mapping */
        for (i = 0; i < 2 * PAGE_SIZE; i++)
            BUG_ON(somedata[i] != copydata[i] + 1);
    }

Given you don't seem to have hit the

    for (i = 0; i < len; i++)
        BUG_ON(((char *)addr)[i] != ((char *)opcode)[i]);

test at the end of text_poke, I suspect the write through the vmapped
area is correctly done, but that the problem may lie in the mm layer.
Maybe it's running out of pre-allocated vmap areas or something like
this?

Best regards,

Mathieu

>> A set of test code written in plain C is attached,
>> make genkprobe.ko and run testmod.sh, then the bug will
>> occur.
>
> If my thought is correct, previous test-code is only for the second bug.
> I attached a bit different test code (just disabled the fault handler)
> for the first bug.
>
> Thank you,
>
> --
> Masami Hiramatsu
>
> Software Engineer
> Hitachi Computer Products (America) Inc.
> Software Solutions Division
>
> e-mail: mhiramat@redhat.com
>
>
> #include <linux/module.h>
> #include <linux/kernel.h>
> #include <linux/init.h>
> #include <linux/kprobes.h>
>
> MODULE_LICENSE("GPL");
>
> static int kph(struct kprobe *kp, struct pt_regs *regs)
> {
>     return 0;
> }
> #if 0
> static int kpfh(struct kprobe *kp, struct pt_regs *regs, int nr)
> {
>     printk("fault occurred on kprobes at %p(@%lx:%d)\n", kp->addr, regs->ip, nr);
>     return 0;
> }
> #else
> #define kpfh NULL
> #endif
> static struct kprobe kp[] = {
> [0]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_accept"},
> [1]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_access"},
> [2]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_acct"},
> [3]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_add_key"},
> [4]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_adjtimex"},
> [5]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_alarm"},
> [6]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_bdflush"},
> [7]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_bind"},
> [8]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_brk"},
> [9]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_capget"},
> [10]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_capset"},
> [11]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_chdir"},
> [12]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_chmod"},
> [13]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_chown"},
> [14]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_chown16"},
> [15]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_chroot"},
> [16]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_clock_getres"},
> [17]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_clock_gettime"},
> [18]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_clock_nanosleep"},
> [19]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_clock_settime"},
> [20]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_close"},
> [21]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_connect"},
> [22]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_creat"},
> [23]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_delete_module"},
> [24]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_dup"},
> [25]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_dup2"},
> [26]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_epoll_create"},
> [27]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_epoll_ctl"},
> [28]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_epoll_pwait"},
> [29]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_epoll_wait"},
> [30]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_eventfd"},
> [31]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="do_execve"},
> [32]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="do_exit"},
> [33]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_exit_group"},
> [34]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_faccessat"},
> [35]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_fadvise64"},
> [36]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_fadvise64_64"},
> [37]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_fchdir"},
> [38]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_fchmod"},
> [39]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_fchmodat"},
> [40]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_fchown"},
> [41]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_fchown16"},
> [42]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_fchownat"},
> [43]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_fcntl"},
> [44]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_fcntl64"},
> [45]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_fdatasync"},
> [46]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_fgetxattr"},
> [47]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_flistxattr"},
> [48]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_flock"},
> [49]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="do_fork"},
> [50]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_fremovexattr"},
> [51]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_fsetxattr"},
> [52]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_fstat"},
> [53]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_fstat64"},
> [54]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_newfstat"},
> [55]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_fstatat64"},
> [56]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_fstatfs"},
> [57]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_fstatfs64"},
> [58]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_fsync"},
> [59]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_ftruncate"},
> [60]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_ftruncate64"},
> [61]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_futex"},
> [62]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_futimesat"},
> [63]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_get_thread_area"},
> [64]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getcwd"},
> [65]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getdents"},
> [66]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getdents64"},
> [67]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getegid16"},
> [68]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getegid"},
> [69]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_geteuid16"},
> [70]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_geteuid"},
> [71]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getgid16"},
> [72]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getgid"},
> [73]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getgroups"},
> [74]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getgroups16"},
> [75]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_gethostname"},
> [76]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getitimer"},
> [77]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getpeername"},
> [78]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getpgid"},
> [79]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getpgrp"},
> [80]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getpid"},
> [81]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getppid"},
> [82]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getpriority"},
> [83]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getresgid16"},
> [84]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getresgid"},
> [85]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getresuid16"},
> [86]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getresuid"},
> [87]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getrlimit"},
> [88]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_old_getrlimit"},
> [89]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getrusage"},
> [90]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getsid"},
> [91]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getsockname"},
> [92]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getsockopt"},
> [93]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_gettid"},
> [94]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_gettimeofday"},
> [95]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getuid16"},
> [96]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getuid"},
> [97]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getxattr"},
> [98]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_init_module"},
> [99]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_inotify_add_watch"},
> [100]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_inotify_init"},
> [101]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_inotify_rm_watch"},
> [102]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_io_cancel"},
> [103]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_io_destroy"},
> [104]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_io_getevents"},
> [105]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_io_setup"},
> [106]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_io_submit"},
> [107]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_ioctl"},
> [108]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_ioperm"},
> [109]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_iopl"},
> [110]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_ioprio_get"},
> [111]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_ioprio_set"},
> [112]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_ipc"},
> [113]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_kexec_load"},
> [114]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_keyctl"},
> [115]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_kill"},
> [116]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_lchown"},
> [117]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_lchown16"},
> [118]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_lgetxattr"},
> [119]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_link"},
> [120]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_linkat"},
> [121]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_listen"},
[122]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_listxattr"}, > [123]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_llistxattr"}, > [124]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_llseek"}, > [125]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_lookup_dcookie"}, > [126]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_lremovexattr"}, > [127]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_lseek"}, > [128]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_lsetxattr"}, > [129]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_lstat"}, > [130]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_newlstat"}, > [131]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_lstat64"}, > [132]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_madvise"}, > [133]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_mincore"}, > [134]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_mkdir"}, > [135]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_mkdirat"}, > [136]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_mknod"}, > [137]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_mknodat"}, > [138]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_mlock"}, > [139]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_mlockall"}, > [140]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_mmap2"}, > [141]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_modify_ldt"}, > [142]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_mount"}, > [143]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_mprotect"}, > [144]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_mq_getsetattr"}, > [145]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_mq_notify"}, > [146]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_mq_open"}, > [147]={.pre_handler=kph, .fault_handler=kpfh, 
.symbol_name="sys_mq_timedreceive"}, > [148]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_mq_timedsend"}, > [149]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_mq_unlink"}, > [150]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_mremap"}, > [151]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_msgctl"}, > [152]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_msgget"}, > [153]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_msgrcv"}, > [154]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_msgsnd"}, > [155]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_msync"}, > [156]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_munlock"}, > [157]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_munlockall"}, > [158]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_munmap"}, > [159]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_nanosleep"}, > [160]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_nfsservctl"}, > [161]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_ni_syscall"}, > [162]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_nice"}, > [163]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_open"}, > [164]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_openat"}, > [165]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_pause"}, > [166]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_personality"}, > [167]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_pipe"}, > [168]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_pivot_root"}, > [169]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_poll"}, > [170]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_ppoll"}, > [171]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_prctl"}, > [172]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_pread64"}, > [173]={.pre_handler=kph, 
.fault_handler=kpfh, .symbol_name="sys_pselect6"}, > [174]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_ptrace"}, > [175]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_pwrite64"}, > [176]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_quotactl"}, > [177]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_read"}, > [178]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_readahead"}, > [179]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_readlink"}, > [180]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_readlinkat"}, > [181]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_readv"}, > [182]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_reboot"}, > [183]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_recv"}, > [184]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_recvfrom"}, > [185]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_recvmsg"}, > [186]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_remap_file_pages"}, > [187]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_removexattr"}, > [188]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_rename"}, > [189]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_renameat"}, > [190]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_request_key"}, > [191]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_restart_syscall"}, > [192]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_rmdir"}, > [193]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_rt_sigaction"}, > [194]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_rt_sigpending"}, > [195]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_rt_sigprocmask"}, > [196]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_rt_sigqueueinfo"}, > [197]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_rt_sigreturn"}, > [198]={.pre_handler=kph, .fault_handler=kpfh, 
.symbol_name="sys_rt_sigsuspend"}, > [199]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_rt_sigtimedwait"}, > [200]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sched_get_priority_max"}, > [201]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sched_get_priority_min"}, > [202]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sched_getaffinity"}, > [203]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sched_getparam"}, > [204]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sched_getscheduler"}, > [205]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sched_rr_get_interval"}, > [206]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sched_setaffinity"}, > [207]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sched_setparam"}, > [208]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sched_setscheduler"}, > [209]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sched_yield"}, > [210]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_select"}, > [211]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_semctl"}, > [212]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_semget"}, > [213]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_semtimedop"}, > [214]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_semtimedop"}, > [215]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_send"}, > [216]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sendfile"}, > [217]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sendfile64"}, > [218]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sendmsg"}, > [219]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sendto"}, > [220]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_set_thread_area"}, > [221]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_set_tid_address"}, > [222]={.pre_handler=kph, .fault_handler=kpfh, 
.symbol_name="sys_setdomainname"}, > [223]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setfsgid"}, > [224]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setfsgid16"}, > [225]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setfsuid"}, > [226]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setfsuid16"}, > [227]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setgid"}, > [228]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setgid16"}, > [229]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setgroups"}, > [230]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setgroups16"}, > [231]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sethostname"}, > [232]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setitimer"}, > [233]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setpgid"}, > [234]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setpriority"}, > [235]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setregid"}, > [236]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setregid16"}, > [237]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setresgid"}, > [238]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setresgid16"}, > [239]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setresuid"}, > [240]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setresuid16"}, > [241]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setreuid"}, > [242]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setreuid16"}, > [243]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setrlimit"}, > [244]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setsid"}, > [245]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setsockopt"}, > [246]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_settimeofday"}, > [247]={.pre_handler=kph, .fault_handler=kpfh, 
.symbol_name="sys_setuid16"}, > [248]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setuid"}, > [249]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setxattr"}, > [250]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sgetmask"}, > [251]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_shmat"}, > [252]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_shmctl"}, > [253]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_shmdt"}, > [254]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_shmget"}, > [255]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_shutdown"}, > [256]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sigaction"}, > [257]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sigaltstack"}, > [258]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_signal"}, > [259]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_signalfd"}, > [260]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sigpending"}, > [261]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sigprocmask"}, > [262]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sigreturn"}, > [263]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sigsuspend"}, > [264]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_socket"}, > [265]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_socketpair"}, > [266]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_splice"}, > [267]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_ssetmask"}, > [268]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_stat"}, > [269]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_newstat"}, > [270]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_stat64"}, > [271]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_statfs"}, > [272]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_statfs64"}, > [273]={.pre_handler=kph, 
.fault_handler=kpfh, .symbol_name="sys_stime"}, > [274]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_swapoff"}, > [275]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_swapon"}, > [276]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_symlink"}, > [277]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_symlinkat"}, > [278]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sync"}, > [279]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sysctl"}, > [280]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sysfs"}, > [281]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sysinfo"}, > [282]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_syslog"}, > [283]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_tee"}, > [284]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_tgkill"}, > [285]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_time"}, > [286]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_timer_create"}, > [287]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_timer_delete"}, > [288]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_timer_getoverrun"}, > [289]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_timer_gettime"}, > [290]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_timer_settime"}, > [291]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_times"}, > [292]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_tkill"}, > [293]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_truncate"}, > [294]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_truncate64"}, > [295]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_umask"}, > [296]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_umount"}, > [297]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_uname"}, > [298]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_olduname"}, > 
[299]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_newuname"}, > [300]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_unlink"}, > [301]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_unlinkat"}, > [302]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_unshare"}, > [303]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_uselib"}, > [304]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_ustat"}, > [305]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_utime"}, > [306]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_utimensat"}, > [307]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_utimes"}, > [308]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_vhangup"}, > [309]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_vm86"}, > [310]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_vm86old"}, > [311]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_vmsplice"}, > [312]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_wait4"}, > [313]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_waitid"}, > [314]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_write"}, > [315]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_writev"}, > }; > #define NRPB 316 > > static struct kprobe *kps[NRPB]; > > int __gen_init(void) > { > int ret, i; > for (i=0;i<NRPB;i++) > kps[i]=&kp[i]; > printk("registering..."); > ret = register_kprobes(kps, NRPB); > if (ret) { > printk("failed to register kprobes\n"); > return ret; > } > printk("registered\n"); > return 0; > } > > void __gen_exit(void) > { > printk("unregistering..."); > unregister_kprobes(kps, NRPB); > printk("unregistered\n"); > } > > module_init(__gen_init); > module_exit(__gen_exit); > -- Mathieu Desnoyers OpenPGP key fingerprint: 8CD5 52C3 8E3C 4140 715F BA06 3F25 A8FE 3BAE 9A68 ^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [BUG][kprobes][vunmap?]: kprobes may cause memory corruption
From: Mathieu Desnoyers @ 2009-01-28 16:22 UTC
To: Masami Hiramatsu
Cc: Nick Piggin, LKML, Ananth N Mavinakayanahalli, Jim Keniston, systemtap-ml, Frank Ch. Eigler

* Mathieu Desnoyers (mathieu.desnoyers@polymtl.ca) wrote:
> * Masami Hiramatsu (mhiramat@redhat.com) wrote:
> > Masami Hiramatsu wrote:
> >> Hi
> >> I found that the 2.6.28-rc1+ kernel might cause a random memory corruption
> >> including a double fault when repeatedly loading/unloading a kprobe-using
> >> module on i386 with CONFIG_HIGHMEM4G=y.
> >
> > I think there might be two different bugs.
> >
> > - The first bug may be related to the vunmap change.
> >   - I'm not sure of the root cause of this bug.
> >   - However, this bug seems to be fixed by my patch (use vm_map_ram in
> >     text_poke()).
> >
> > - The second bug is a kprobe_fault_handler bug.
> >   - I found a clue to this bug, which I reported below, by using
> >     kdump&crash.
> >     http://sources.redhat.com/bugzilla/show_bug.cgi?id=9740#c21
> >   - I thought this bug should not be fixed by my patch, but as far as I
> >     tested, this bug disappeared with my patch.
> >
>
> Hi Masami,
>
> This would not surprise me if it came from a bug in the new vmap()
> implementation done in this commit:
>
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=db64fe02258f1507e13fe5212a989922323685ce
>
> Especially because going from vmap -> vm_map_ram makes this behavior
> disappear.
>
> Looking at the commit, I notice that it delays vunmap so it's done in
> batch to minimize locking effect. I think it would be good to create a
> test case to try to isolate this, without any kprobes/text_poke
> involved, which does something like this:
>
> load module (this is also doing vmalloc, so it might be part of the
> problem)
> for (i = 0; i < 400; i++) {
> 	vmap()
> 	vunmap()
> }
> unload module
>
> Another interesting test would be:
>
> for (i = 0; i < 400; i++) {
> 	vmalloc()
> 	vfree()
> }
>
> All this called in a loop. This would help isolating the "vmap" part of
> the issue. If this test is not enough, then we should maybe try
> something like this in a kernel module (which does what text_poke does
> with vmalloc, more or less) in a loop:
>
> /* two page-aligned pages of source data and a copy to compare against */
> char somedata[2 * PAGE_SIZE] __attribute__((aligned(PAGE_SIZE)));
> char copydata[2 * PAGE_SIZE] __attribute__((aligned(PAGE_SIZE)));
>
> void test_vmap(void)
> {
> 	struct page *pages[2];
> 	char *vaddr;
> 	int i;
>
> 	for (i = 0; i < 2 * PAGE_SIZE; i++)
> 		copydata[i] = somedata[i];
> 	pages[0] = virt_to_page(somedata);
> 	BUG_ON(!pages[0]);
> 	pages[1] = virt_to_page(somedata + PAGE_SIZE);
> 	BUG_ON(!pages[1]);
> 	/* alias both pages at a fresh virtual address, as text_poke() does */
> 	vaddr = vmap(pages, 2, VM_MAP, PAGE_KERNEL);
> 	BUG_ON(!vaddr);
>
> 	/* write through the alias ... */
> 	for (i = 0; i < 2 * PAGE_SIZE; i++)
> 		vaddr[i] = copydata[i] + 1;
>
> 	vunmap(vaddr);
>
> 	/* ... and verify the write landed in the backing pages */
> 	for (i = 0; i < 2 * PAGE_SIZE; i++)
> 		BUG_ON(somedata[i] != copydata[i] + 1);
> }
>
> Given you don't seem to have hit the
> 	for (i = 0; i < len; i++)
> 		BUG_ON(((char *)addr)[i] != ((char *)opcode)[i]);
> test at the end of text_poke, I suspect the write through the vmapped
> area is correctly done, but that the problem may lie in the mm layer.
> Maybe it's running out of pre-allocated vmap areas or something like
> this?
>

My red light blinks at this function:

/*
 * lazy_max_pages is the maximum amount of virtual address space we gather up
 * before attempting to purge with a TLB flush.
 *
 * There is a tradeoff here: a larger number will cover more kernel page tables
 * and take slightly longer to purge, but it will linearly reduce the number of
 * global TLB flushes that must be performed. It would seem natural to scale
 * this number up linearly with the number of CPUs (because vmapping activity
 * could also scale linearly with the number of CPUs), however it is likely
 * that in practice, workloads might be constrained in other ways that mean
 * vmap activity will not scale linearly with CPUs. Also, I want to be
 * conservative and not introduce a big latency on huge systems, so go with
 * a less aggressive log scale. It will still be an improvement over the old
 * code, and it will be simple to change the scale factor if we find that it
 * becomes a problem on bigger systems.
 */
static unsigned long lazy_max_pages(void)
{
	unsigned int log;

	log = fls(num_online_cpus());

	return log * (32UL * 1024 * 1024 / PAGE_SIZE);
}

Is it me, or with 8 active CPUs, can this reach
3 * (32UL * 1024 * 1024 / PAGE_SIZE) = 24576 pages, or 96 MB?

On my laptop with 2GB RAM, I have these numbers in /proc/meminfo:

VmallocTotal: 122880 kB
VmallocUsed: 40268 kB
VmallocChunk: 75732 kB

So I think it's possible that this lazy_max_pages does not protect from
using all the pages between two RCU periods. You might want, as a quick
test, to try changing

	return log * (32UL * 1024 * 1024 / PAGE_SIZE);

for

	return min(1024, log * (32UL * 1024 * 1024 / PAGE_SIZE));

(a cap to 4M of vmalloc space should be safe to start from and see if it
fixes the problem. After that we could tweak it wrt available vmalloc
space, but let's play on the safe side)

Mathieu

> Best regards,
>
> Mathieu
>
> >> A set of test code written in plain C is attached;
> >> make genkprobe.ko and run testmod.sh, then the bug will
> >> occur.
> >
> > If my thought is correct, the previous test code is only for the second bug.
> > I attached a slightly different test code (just disabled the fault handler)
> > for the first bug.
> >
> > Thank you,
> >
> > --
> > Masami Hiramatsu
> >
> > Software Engineer
> > Hitachi Computer Products (America) Inc.
> > Software Solutions Division
> >
> > e-mail: mhiramat@redhat.com
> >
> >
> > #include <linux/module.h>
> > #include <linux/kernel.h>
> > #include <linux/init.h>
> > #include <linux/kprobes.h>
> >
> > MODULE_LICENSE("GPL");
> >
> > static int kph(struct kprobe *kp, struct pt_regs *regs)
> > {
> > 	return 0;
> > }
> > #if 0
> > static int kpfh(struct kprobe *kp, struct pt_regs *regs, int nr)
> > {
> > 	printk("fault occurred on kprobes at %p(@%lx:%d)\n", kp->addr, regs->ip, nr);
> > 	return 0;
> > }
> > #else
> > #define kpfh NULL
> > #endif
> > static struct kprobe kp[] = {
> > [0]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_accept"},
> > [1]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_access"},
> > [2]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_acct"},
> > [3]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_add_key"},
> > [4]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_adjtimex"},
> > [5]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_alarm"},
> > [6]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_bdflush"},
> > [7]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_bind"},
> > [8]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_brk"},
> > [9]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_capget"},
> > [10]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_capset"},
> > [11]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_chdir"},
> > [12]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_chmod"},
> > [13]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_chown"},
> > [14]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_chown16"},
> > [15]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_chroot"},
> > [16]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_clock_getres"},
> > [17]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_clock_gettime"},
> > [18]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_clock_nanosleep"},
> > [19]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_clock_settime"},
> > [20]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_close"},
> > [21]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_connect"},
> > [22]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_creat"},
> > [23]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_delete_module"},
> > [24]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_dup"},
> > [25]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_dup2"},
> > [26]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_epoll_create"},
> > [27]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_epoll_ctl"},
> > [28]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_epoll_pwait"},
> > [29]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_epoll_wait"},
> > [30]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_eventfd"},
> > [31]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="do_execve"},
> > [32]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="do_exit"},
> > [33]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_exit_group"},
> > [34]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_faccessat"},
> > [35]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_fadvise64"},
> > [36]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_fadvise64_64"},
> > [37]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_fchdir"},
> > [38]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_fchmod"},
> > [39]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_fchmodat"},
> > [40]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_fchown"},
> > [41]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_fchown16"},
> > [42]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_fchownat"},
> > [43]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_fcntl"},
> > [44]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_fcntl64"},
> > [45]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_fdatasync"},
> > [46]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_fgetxattr"},
> > [47]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_flistxattr"},
> > [48]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_flock"},
> > [49]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="do_fork"},
> > [50]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_fremovexattr"},
> > [51]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_fsetxattr"},
> > [52]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_fstat"},
> > [53]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_fstat64"},
> > [54]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_newfstat"},
> > [55]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_fstatat64"},
> > [56]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_fstatfs"},
> > [57]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_fstatfs64"},
> > [58]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_fsync"},
> > [59]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_ftruncate"},
> > [60]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_ftruncate64"},
> > [61]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_futex"},
> > [62]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_futimesat"},
> > [63]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_get_thread_area"},
> > [64]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getcwd"},
> > [65]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getdents"},
> > [66]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getdents64"},
> > [67]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getegid16"},
> > [68]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getegid"},
> > [69]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_geteuid16"},
> > [70]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_geteuid"},
> > [71]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getgid16"},
> > [72]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getgid"},
> > [73]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getgroups"},
> > [74]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getgroups16"},
> > [75]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_gethostname"},
> > [76]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getitimer"},
> > [77]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getpeername"},
> > [78]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getpgid"},
> > [79]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getpgrp"},
> > [80]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getpid"},
> > [81]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getppid"},
> > [82]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getpriority"},
> > [83]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getresgid16"},
> > [84]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getresgid"},
> > [85]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getresuid16"},
> > [86]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getresuid"},
> > [87]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getrlimit"},
> > [88]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_old_getrlimit"},
> > [89]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getrusage"},
> > [90]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getsid"},
> > [91]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getsockname"},
> > [92]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getsockopt"},
> > [93]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_gettid"},
> > [94]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_gettimeofday"},
> > [95]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getuid16"},
> > [96]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getuid"},
> > [97]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_getxattr"},
> > [98]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_init_module"},
> > [99]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_inotify_add_watch"},
> > [100]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_inotify_init"},
> > [101]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_inotify_rm_watch"},
> > [102]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_io_cancel"},
> > [103]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_io_destroy"},
> > [104]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_io_getevents"},
> > [105]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_io_setup"},
> > [106]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_io_submit"},
> > [107]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_ioctl"},
> > [108]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_ioperm"},
> > [109]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_iopl"},
> > [110]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_ioprio_get"},
> > [111]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_ioprio_set"},
> > [112]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_ipc"},
> > [113]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_kexec_load"},
> > [114]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_keyctl"},
> > [115]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_kill"},
> > [116]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_lchown"},
> > [117]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_lchown16"},
> > [118]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_lgetxattr"},
> > [119]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_link"},
> > [120]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_linkat"},
> > [121]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_listen"},
> > [122]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_listxattr"},
> > [123]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_llistxattr"},
> > [124]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_llseek"},
> > [125]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_lookup_dcookie"},
> > [126]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_lremovexattr"},
> > [127]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_lseek"},
> > [128]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_lsetxattr"},
> > [129]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_lstat"},
> > [130]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_newlstat"},
> > [131]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_lstat64"},
> > [132]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_madvise"},
> > [133]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_mincore"},
> > [134]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_mkdir"},
> > [135]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_mkdirat"},
> > [136]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_mknod"},
> > [137]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_mknodat"},
> > [138]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_mlock"},
> > [139]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_mlockall"},
> > [140]={.pre_handler=kph, .fault_handler=kpfh, 
.symbol_name="sys_mmap2"}, > > [141]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_modify_ldt"}, > > [142]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_mount"}, > > [143]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_mprotect"}, > > [144]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_mq_getsetattr"}, > > [145]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_mq_notify"}, > > [146]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_mq_open"}, > > [147]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_mq_timedreceive"}, > > [148]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_mq_timedsend"}, > > [149]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_mq_unlink"}, > > [150]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_mremap"}, > > [151]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_msgctl"}, > > [152]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_msgget"}, > > [153]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_msgrcv"}, > > [154]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_msgsnd"}, > > [155]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_msync"}, > > [156]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_munlock"}, > > [157]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_munlockall"}, > > [158]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_munmap"}, > > [159]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_nanosleep"}, > > [160]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_nfsservctl"}, > > [161]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_ni_syscall"}, > > [162]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_nice"}, > > [163]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_open"}, > > [164]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_openat"}, > > [165]={.pre_handler=kph, .fault_handler=kpfh, 
.symbol_name="sys_pause"}, > > [166]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_personality"}, > > [167]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_pipe"}, > > [168]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_pivot_root"}, > > [169]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_poll"}, > > [170]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_ppoll"}, > > [171]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_prctl"}, > > [172]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_pread64"}, > > [173]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_pselect6"}, > > [174]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_ptrace"}, > > [175]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_pwrite64"}, > > [176]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_quotactl"}, > > [177]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_read"}, > > [178]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_readahead"}, > > [179]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_readlink"}, > > [180]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_readlinkat"}, > > [181]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_readv"}, > > [182]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_reboot"}, > > [183]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_recv"}, > > [184]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_recvfrom"}, > > [185]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_recvmsg"}, > > [186]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_remap_file_pages"}, > > [187]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_removexattr"}, > > [188]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_rename"}, > > [189]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_renameat"}, > > [190]={.pre_handler=kph, .fault_handler=kpfh, 
.symbol_name="sys_request_key"}, > > [191]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_restart_syscall"}, > > [192]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_rmdir"}, > > [193]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_rt_sigaction"}, > > [194]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_rt_sigpending"}, > > [195]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_rt_sigprocmask"}, > > [196]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_rt_sigqueueinfo"}, > > [197]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_rt_sigreturn"}, > > [198]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_rt_sigsuspend"}, > > [199]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_rt_sigtimedwait"}, > > [200]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sched_get_priority_max"}, > > [201]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sched_get_priority_min"}, > > [202]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sched_getaffinity"}, > > [203]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sched_getparam"}, > > [204]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sched_getscheduler"}, > > [205]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sched_rr_get_interval"}, > > [206]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sched_setaffinity"}, > > [207]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sched_setparam"}, > > [208]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sched_setscheduler"}, > > [209]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sched_yield"}, > > [210]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_select"}, > > [211]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_semctl"}, > > [212]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_semget"}, > > [213]={.pre_handler=kph, .fault_handler=kpfh, 
.symbol_name="sys_semtimedop"}, > > [214]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_semtimedop"}, > > [215]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_send"}, > > [216]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sendfile"}, > > [217]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sendfile64"}, > > [218]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sendmsg"}, > > [219]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sendto"}, > > [220]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_set_thread_area"}, > > [221]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_set_tid_address"}, > > [222]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setdomainname"}, > > [223]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setfsgid"}, > > [224]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setfsgid16"}, > > [225]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setfsuid"}, > > [226]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setfsuid16"}, > > [227]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setgid"}, > > [228]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setgid16"}, > > [229]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setgroups"}, > > [230]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setgroups16"}, > > [231]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sethostname"}, > > [232]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setitimer"}, > > [233]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setpgid"}, > > [234]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setpriority"}, > > [235]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setregid"}, > > [236]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setregid16"}, > > [237]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setresgid"}, > > 
[238]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setresgid16"}, > > [239]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setresuid"}, > > [240]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setresuid16"}, > > [241]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setreuid"}, > > [242]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setreuid16"}, > > [243]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setrlimit"}, > > [244]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setsid"}, > > [245]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setsockopt"}, > > [246]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_settimeofday"}, > > [247]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setuid16"}, > > [248]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setuid"}, > > [249]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_setxattr"}, > > [250]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sgetmask"}, > > [251]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_shmat"}, > > [252]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_shmctl"}, > > [253]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_shmdt"}, > > [254]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_shmget"}, > > [255]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_shutdown"}, > > [256]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sigaction"}, > > [257]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sigaltstack"}, > > [258]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_signal"}, > > [259]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_signalfd"}, > > [260]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sigpending"}, > > [261]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sigprocmask"}, > > [262]={.pre_handler=kph, .fault_handler=kpfh, 
.symbol_name="sys_sigreturn"}, > > [263]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sigsuspend"}, > > [264]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_socket"}, > > [265]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_socketpair"}, > > [266]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_splice"}, > > [267]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_ssetmask"}, > > [268]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_stat"}, > > [269]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_newstat"}, > > [270]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_stat64"}, > > [271]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_statfs"}, > > [272]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_statfs64"}, > > [273]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_stime"}, > > [274]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_swapoff"}, > > [275]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_swapon"}, > > [276]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_symlink"}, > > [277]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_symlinkat"}, > > [278]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sync"}, > > [279]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sysctl"}, > > [280]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sysfs"}, > > [281]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_sysinfo"}, > > [282]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_syslog"}, > > [283]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_tee"}, > > [284]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_tgkill"}, > > [285]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_time"}, > > [286]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_timer_create"}, > > [287]={.pre_handler=kph, .fault_handler=kpfh, 
.symbol_name="sys_timer_delete"}, > > [288]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_timer_getoverrun"}, > > [289]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_timer_gettime"}, > > [290]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_timer_settime"}, > > [291]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_times"}, > > [292]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_tkill"}, > > [293]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_truncate"}, > > [294]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_truncate64"}, > > [295]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_umask"}, > > [296]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_umount"}, > > [297]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_uname"}, > > [298]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_olduname"}, > > [299]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_newuname"}, > > [300]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_unlink"}, > > [301]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_unlinkat"}, > > [302]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_unshare"}, > > [303]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_uselib"}, > > [304]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_ustat"}, > > [305]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_utime"}, > > [306]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_utimensat"}, > > [307]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_utimes"}, > > [308]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_vhangup"}, > > [309]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_vm86"}, > > [310]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_vm86old"}, > > [311]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_vmsplice"}, > > [312]={.pre_handler=kph, .fault_handler=kpfh, 
.symbol_name="sys_wait4"}, > > [313]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_waitid"}, > > [314]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_write"}, > > [315]={.pre_handler=kph, .fault_handler=kpfh, .symbol_name="sys_writev"}, > > }; > > #define NRPB 316 > > > > static struct kprobe *kps[NRPB]; > > > > int __gen_init(void) > > { > > int ret, i; > > for (i=0;i<NRPB;i++) > > kps[i]=&kp[i]; > > printk("registering..."); > > ret = register_kprobes(kps, NRPB); > > if (ret) { > > printk("failed to register kprobes\n"); > > return ret; > > } > > printk("registered\n"); > > return 0; > > } > > > > void __gen_exit(void) > > { > > printk("unregistering..."); > > unregister_kprobes(kps, NRPB); > > printk("unregistered\n"); > > } > > > > module_init(__gen_init); > > module_exit(__gen_exit); > > > > > -- > Mathieu Desnoyers > OpenPGP key fingerprint: 8CD5 52C3 8E3C 4140 715F BA06 3F25 A8FE 3BAE 9A68 -- Mathieu Desnoyers OpenPGP key fingerprint: 8CD5 52C3 8E3C 4140 715F BA06 3F25 A8FE 3BAE 9A68 ^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [BUG][kprobes][vunmap?]: kprobes may cause memory corruption
  2009-01-28 15:48 ` Mathieu Desnoyers
  2009-01-28 16:22 ` Mathieu Desnoyers
@ 2009-01-28 16:59 ` Masami Hiramatsu
  2009-01-28 17:13 ` Mathieu Desnoyers
  1 sibling, 1 reply; 18+ messages in thread
From: Masami Hiramatsu @ 2009-01-28 16:59 UTC (permalink / raw)
To: Mathieu Desnoyers
Cc: Nick Piggin, LKML, Ananth N Mavinakayanahalli, Jim Keniston, systemtap-ml, Frank Ch. Eigler

Mathieu Desnoyers wrote:
> * Masami Hiramatsu (mhiramat@redhat.com) wrote:
>> Masami Hiramatsu wrote:
> Hi Masami,
> 
> This would not surprise me if it came from a bug in the new vmap()
> implementation done in this commit :
> 
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=db64fe02258f1507e13fe5212a989922323685ce
> 
> Especially because going from vmap -> vm_map_ram makes this behavior
> disappear.
> 
> Looking at the commit, I notice that it delays vunmap so it's done in
> batch to minimize the locking effect. I think it would be good to create a
> test case to try to isolate this, without any kprobes/text_poke
> involved, which does something like this :
> 
> load module (this is also doing vmalloc, so it might be part of the
> problem)
> for i (i=0; i < 400; i++) {
>   vmap()
>   vfree()
      ^^^^^ vunmap?
> }
> unload module
> 
> Another interesting test would be :
> 
> for i (i=0; i < 400; i++) {
>   vmalloc()
>   vfree()
> }

Hi Mathieu,

Thank you for the test ideas.
I made both of the above two tests and ran them. Both test modules
do NOT cause memory corruption...

> All this called in a loop. This would help isolate the "vmap" part of
> the issue. If this test is not enough, then we should maybe try
> something like this in a kernel module (which does what text_poke does
> with vmalloc, more or less) in a loop :
> 
> char somedata[PAGE_SIZE] __attribute__((aligned(PAGE_SIZE)));
> char copydata[PAGE_SIZE] __attribute__((aligned(PAGE_SIZE)));

Should both of them have PAGE_SIZE*2?

> 
> void test_vmap(void)
> }
> 	struct page *pages[2];
> 	char *vaddr;
> 	int i;
> 
> 	for (i = 0; i < 2 * PAGE_SIZE; i++)
> 		copydata[i] = somedata[i];
> 	page[0] = virt_to_page(&somedata);
> 	BUG_ON(!page[0]);
> 	page[1] = virt_to_page(&somedata + PAGE_SIZE);
> 	BUG_ON(!page[1]);
> 	vaddr = vmap(pages, 2, VM_MAP, PAGE_KERNEL);
> 	BUG_ON(!vaddr);
> 
> 	for (i = 0; i < 2 * PAGE_SIZE; i++)
> 		vaddr[i] = copydata[i] + 1;
> 
> 	vunmap(vaddr);
> 
> 	for (i = 0; i < 2 * PAGE_SIZE; i++)
> 		BUG_ON(somedata[i] != copydata[i] + 1);
> }

Hmm, when I ran the above code, it hit the last BUG_ON().
I checked that somedata[i] wasn't updated.

> Given you don't seem to have hit the
> for (i = 0; i < len; i++)
> 	BUG_ON(((char *)addr)[i] != ((char *)opcode)[i]);
> test at the end of text_poke,

However, when I ran the kprobe-based test, it didn't hit the BUG_ON()
in text_poke().

> I suspect the write through the vmapped
> area is correctly done, but that the problem may lie in the mm layer.
> Maybe it's running out of pre-allocated vmap areas or something like
> this ?

I haven't seen a vmalloc failure message on 2.6.29-rc2.

Thank you again,

-- 
Masami Hiramatsu

Software Engineer
Hitachi Computer Products (America) Inc.
Software Solutions Division

e-mail: mhiramat@redhat.com
* Re: [BUG][kprobes][vunmap?]: kprobes may cause memory corruption
  2009-01-28 16:59 ` Masami Hiramatsu
@ 2009-01-28 17:13 ` Mathieu Desnoyers
  2009-01-28 17:58 ` Masami Hiramatsu
  0 siblings, 1 reply; 18+ messages in thread
From: Mathieu Desnoyers @ 2009-01-28 17:13 UTC (permalink / raw)
To: Masami Hiramatsu
Cc: Nick Piggin, LKML, Ananth N Mavinakayanahalli, Jim Keniston, systemtap-ml, Frank Ch. Eigler

* Masami Hiramatsu (mhiramat@redhat.com) wrote:
> Mathieu Desnoyers wrote:
> > * Masami Hiramatsu (mhiramat@redhat.com) wrote:
> >> Masami Hiramatsu wrote:
> > Hi Masami,
> > 
> > This would not surprise me if it came from a bug in the new vmap()
> > implementation done in this commit :
> > 
> > http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=db64fe02258f1507e13fe5212a989922323685ce
> > 
> > Especially because going from vmap -> vm_map_ram makes this behavior
> > disappear.
> > 
> > Looking at the commit, I notice that it delays vunmap so it's done in
> > batch to minimize the locking effect. I think it would be good to create a
> > test case to try to isolate this, without any kprobes/text_poke
> > involved, which does something like this :
> > 
> > load module (this is also doing vmalloc, so it might be part of the
> > problem)
> > for i (i=0; i < 400; i++) {
> >   vmap()
> >   vfree()
>       ^^^^^ vunmap?

yep.

> > }
> > unload module
> > 
> > Another interesting test would be :
> > 
> > for i (i=0; i < 400; i++) {
> >   vmalloc()
> >   vfree()
> > }
> 
> Hi Mathieu,
> 
> Thank you for the test ideas.
> I made both of the above two tests and ran them. Both test modules
> do NOT cause memory corruption...
> 

OK

> > All this called in a loop. This would help isolate the "vmap" part of
> > the issue. If this test is not enough, then we should maybe try
> > something like this in a kernel module (which does what text_poke does
> > with vmalloc, more or less) in a loop :
> > 
> > char somedata[PAGE_SIZE] __attribute__((aligned(PAGE_SIZE)));
> > char copydata[PAGE_SIZE] __attribute__((aligned(PAGE_SIZE)));
> 
> Should both of them have PAGE_SIZE*2?
> 

Yes.

> > 
> > void test_vmap(void)
> > }
> > 	struct page *pages[2];
> > 	char *vaddr;
> > 	int i;
> > 
> > 	for (i = 0; i < 2 * PAGE_SIZE; i++)
> > 		copydata[i] = somedata[i];
> > 	page[0] = virt_to_page(&somedata);
> > 	BUG_ON(!page[0]);
> > 	page[1] = virt_to_page(&somedata + PAGE_SIZE);
> > 	BUG_ON(!page[1]);
> > 	vaddr = vmap(pages, 2, VM_MAP, PAGE_KERNEL);
> > 	BUG_ON(!vaddr);
> > 
> > 	for (i = 0; i < 2 * PAGE_SIZE; i++)
> > 		vaddr[i] = copydata[i] + 1;
> > 
> > 	vunmap(vaddr);
> > 
> > 	for (i = 0; i < 2 * PAGE_SIZE; i++)
> > 		BUG_ON(somedata[i] != copydata[i] + 1);
> > }
> 
> Hmm, when I ran the above code, it hit the last BUG_ON().
> I checked that somedata[i] wasn't updated.
> 

Do you hit the BUG_ON after the first loop ?

> > Given you don't seem to have hit the
> > for (i = 0; i < len; i++)
> > 	BUG_ON(((char *)addr)[i] != ((char *)opcode)[i]);
> > test at the end of text_poke,
> 
> However, when I ran the kprobe-based test, it didn't hit the BUG_ON()
> in text_poke().
> 

The variable declarations should have been 2*PAGE_SIZE, hopefully you
fixed them.

There is also a sync_core() in text_poke. It should not matter, but
maybe that could help ?

> > I suspect the write through the vmapped
> > area is correctly done, but that the problem may lie in the mm layer.
> > Maybe it's running out of pre-allocated vmap areas or something like
> > this ?
> 
> I haven't seen a vmalloc failure message on 2.6.29-rc2.
> 

It could be because the available vmalloc space is slightly higher.
Looking into the lazy vunmap threshold would be useful.

You could also try with loop values higher than 400.

Mathieu

> Thank you again,
> 
> 
> -- 
> Masami Hiramatsu
> 
> Software Engineer
> Hitachi Computer Products (America) Inc.
> Software Solutions Division
> 
> e-mail: mhiramat@redhat.com
> 

-- 
Mathieu Desnoyers
OpenPGP key fingerprint: 8CD5 52C3 8E3C 4140 715F BA06 3F25 A8FE 3BAE 9A68
* Re: [BUG][kprobes][vunmap?]: kprobes may cause memory corruption
  2009-01-28 17:13 ` Mathieu Desnoyers
@ 2009-01-28 17:58 ` Masami Hiramatsu
  2009-01-28 18:10 ` Mathieu Desnoyers
  2009-01-28 18:13 ` [BUG][kprobes][vunmap?]: kprobes may cause memory corruption Masami Hiramatsu
  0 siblings, 2 replies; 18+ messages in thread
From: Masami Hiramatsu @ 2009-01-28 17:58 UTC (permalink / raw)
To: Mathieu Desnoyers
Cc: Nick Piggin, LKML, Ananth N Mavinakayanahalli, Jim Keniston, systemtap-ml, Frank Ch. Eigler

Mathieu Desnoyers wrote:
> * Masami Hiramatsu (mhiramat@redhat.com) wrote:
>> Mathieu Desnoyers wrote:
[...]
>>> All this called in a loop. This would help isolate the "vmap" part of
>>> the issue. If this test is not enough, then we should maybe try
>>> something like this in a kernel module (which does what text_poke does
>>> with vmalloc, more or less) in a loop :
>>>
>>> char somedata[PAGE_SIZE] __attribute__((aligned(PAGE_SIZE)));
>>> char copydata[PAGE_SIZE] __attribute__((aligned(PAGE_SIZE)));
>> Should both of them have PAGE_SIZE*2?
>>
> 
> Yes.
> 
>>> void test_vmap(void)
>>> }
>>> 	struct page *pages[2];
>>> 	char *vaddr;
>>> 	int i;
>>>
>>> 	for (i = 0; i < 2 * PAGE_SIZE; i++)
>>> 		copydata[i] = somedata[i];
>>> 	page[0] = virt_to_page(&somedata);
>>> 	BUG_ON(!page[0]);
>>> 	page[1] = virt_to_page(&somedata + PAGE_SIZE);
>>> 	BUG_ON(!page[1]);

Oops, these should be vmalloc_to_page(), shouldn't they?

>>> 	vaddr = vmap(pages, 2, VM_MAP, PAGE_KERNEL);
>>> 	BUG_ON(!vaddr);
>>>
>>> 	for (i = 0; i < 2 * PAGE_SIZE; i++)
>>> 		vaddr[i] = copydata[i] + 1;
>>>
>>> 	vunmap(vaddr);
>>>
>>> 	for (i = 0; i < 2 * PAGE_SIZE; i++)
>>> 		BUG_ON(somedata[i] != copydata[i] + 1);
>>> }
>> Hmm, when I ran the above code, it hit the last BUG_ON().
>> I checked that somedata[i] wasn't updated.
>>
> 
> Do you hit the BUG_ON after the first loop ?

At the first loop, it hit the BUG_ON.

>>> Given you don't seem to have hit the
>>> for (i = 0; i < len; i++)
>>> 	BUG_ON(((char *)addr)[i] != ((char *)opcode)[i]);
>>> test at the end of text_poke,
>> However, when I ran the kprobe-based test, it didn't hit the BUG_ON()
>> in text_poke().
>>
> 
> The variable declarations should have been 2*PAGE_SIZE, hopefully you
> fixed them.

Sure,

> There is also a sync_core() in text_poke. It should not matter, but
> maybe that could help ?

Adding sync_core() did not help me... anyway, I'll try again
using vmalloc_to_page().

>>> I suspect the write through the vmapped
>>> area is correctly done, but that the problem may lie in the mm layer.
>>> Maybe it's running out of pre-allocated vmap areas or something like
>>> this ?
>> I haven't seen a vmalloc failure message on 2.6.29-rc2.
>>
> 
> It could be because the available vmalloc space is slightly higher.
> Looking into the lazy vunmap threshold would be useful.
> 
> You could also try with loop values higher than 400.

OK, Thanks,

-- 
Masami Hiramatsu

Software Engineer
Hitachi Computer Products (America) Inc.
Software Solutions Division

e-mail: mhiramat@redhat.com
* Re: [BUG][kprobes][vunmap?]: kprobes may cause memory corruption
  2009-01-28 17:58 ` Masami Hiramatsu
@ 2009-01-28 18:10 ` Mathieu Desnoyers
  2009-02-05 22:12 ` [BUGFIX][PATCH -rc/-mm] prevent kprobes from catching spurious page faults Masami Hiramatsu
  2009-03-16 22:57 ` [BUGFIX][PATCH] prevent boosting kprobes on exception address Masami Hiramatsu
  2009-01-28 18:13 ` [BUG][kprobes][vunmap?]: kprobes may cause memory corruption Masami Hiramatsu
  1 sibling, 2 replies; 18+ messages in thread
From: Mathieu Desnoyers @ 2009-01-28 18:10 UTC (permalink / raw)
To: Masami Hiramatsu
Cc: Nick Piggin, LKML, Ananth N Mavinakayanahalli, Jim Keniston, systemtap-ml, Frank Ch. Eigler

* Masami Hiramatsu (mhiramat@redhat.com) wrote:
> Mathieu Desnoyers wrote:
> > * Masami Hiramatsu (mhiramat@redhat.com) wrote:
> >> Mathieu Desnoyers wrote:
> [...]
> >>> All this called in a loop. This would help isolate the "vmap" part of
> >>> the issue. If this test is not enough, then we should maybe try
> >>> something like this in a kernel module (which does what text_poke does
> >>> with vmalloc, more or less) in a loop :
> >>>
> >>> char somedata[PAGE_SIZE] __attribute__((aligned(PAGE_SIZE)));
> >>> char copydata[PAGE_SIZE] __attribute__((aligned(PAGE_SIZE)));
> >> Should both of them have PAGE_SIZE*2?
> >>
> > 
> > Yes.
> > 
> >>> void test_vmap(void)
> >>> }
> >>> 	struct page *pages[2];
> >>> 	char *vaddr;
> >>> 	int i;
> >>>
> >>> 	for (i = 0; i < 2 * PAGE_SIZE; i++)
> >>> 		copydata[i] = somedata[i];
> >>> 	page[0] = virt_to_page(&somedata);
> >>> 	BUG_ON(!page[0]);
> >>> 	page[1] = virt_to_page(&somedata + PAGE_SIZE);
> >>> 	BUG_ON(!page[1]);
> 
> Oops, these should be vmalloc_to_page(), shouldn't they?
> 

Yes, my bad. That should fix your oopses.

Mathieu

> >>> 	vaddr = vmap(pages, 2, VM_MAP, PAGE_KERNEL);
> >>> 	BUG_ON(!vaddr);
> >>>
> >>> 	for (i = 0; i < 2 * PAGE_SIZE; i++)
> >>> 		vaddr[i] = copydata[i] + 1;
> >>>
> >>> 	vunmap(vaddr);
> >>>
> >>> 	for (i = 0; i < 2 * PAGE_SIZE; i++)
> >>> 		BUG_ON(somedata[i] != copydata[i] + 1);
> >>> }
> >> Hmm, when I ran the above code, it hit the last BUG_ON().
> >> I checked that somedata[i] wasn't updated.
> >>
> > 
> > Do you hit the BUG_ON after the first loop ?
> 
> At the first loop, it hit the BUG_ON.
> 
> >>> Given you don't seem to have hit the
> >>> for (i = 0; i < len; i++)
> >>> 	BUG_ON(((char *)addr)[i] != ((char *)opcode)[i]);
> >>> test at the end of text_poke,
> >> However, when I ran the kprobe-based test, it didn't hit the BUG_ON()
> >> in text_poke().
> >>
> > 
> > The variable declarations should have been 2*PAGE_SIZE, hopefully you
> > fixed them.
> 
> Sure,
> 
> > There is also a sync_core() in text_poke. It should not matter, but
> > maybe that could help ?
> 
> Adding sync_core() did not help me... anyway, I'll try again
> using vmalloc_to_page().
> 
> >>> I suspect the write through the vmapped
> >>> area is correctly done, but that the problem may lie in the mm layer.
> >>> Maybe it's running out of pre-allocated vmap areas or something like
> >>> this ?
> >> I haven't seen a vmalloc failure message on 2.6.29-rc2.
> >>
> > 
> > It could be because the available vmalloc space is slightly higher.
> > Looking into the lazy vunmap threshold would be useful.
> > 
> > You could also try with loop values higher than 400.
> 
> OK, Thanks,
> 
> -- 
> Masami Hiramatsu
> 
> Software Engineer
> Hitachi Computer Products (America) Inc.
> Software Solutions Division
> 
> e-mail: mhiramat@redhat.com
> 

-- 
Mathieu Desnoyers
OpenPGP key fingerprint: 8CD5 52C3 8E3C 4140 715F BA06 3F25 A8FE 3BAE 9A68
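A user-space model of the vmap-alias test sketched and run in the exchange above (two pages, a private copy, a write through a second mapping of the same pages, unmap, then verify through the original), with the 2*PAGE_SIZE and vmalloc_to_page() corrections already settled. This is added example code, not the kernel module from the thread and not kernel code at all: a second MAP_SHARED mapping of an unlinked temp file stands in for vmap()/vunmap() of a page array, a constructed zero-filled file stands in for somedata, and failures come back as return values instead of BUG_ON(). The function names test_alias_write and run_alias_loop and the /tmp path are my own choices.

```c
/*
 * User-space model of the thread's test_vmap(): alias the same two pages
 * under a second virtual address, write through the alias, drop the alias,
 * and check that the write is visible through the original mapping. Added
 * example, not the thread's kernel module: mmap(MAP_SHARED) of one file
 * replaces vmap()/vunmap(), return codes replace BUG_ON().
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

#define NPAGES 2	/* same page count as the thread's pages[2] */

/* One round. Returns 0 if every byte written through the alias is visible
 * through the original mapping after the alias is unmapped, -1 on a setup
 * failure or on the first byte that was not updated. */
int test_alias_write(void)
{
	long ps = sysconf(_SC_PAGESIZE);
	size_t len, i;
	int fd, rc = -1;
	unsigned char *somedata = MAP_FAILED;	/* original view ("somedata") */
	unsigned char *copydata = NULL;		/* private snapshot ("copydata") */
	unsigned char *vaddr;			/* writable alias ("vaddr") */
	char path[] = "/tmp/alias_test_XXXXXX";	/* constructed backing file */

	if (ps <= 0)
		return -1;
	len = (size_t)ps * NPAGES;

	fd = mkstemp(path);
	if (fd < 0)
		return -1;
	unlink(path);			/* file lives only as long as fd */
	if (ftruncate(fd, (off_t)len) != 0)
		goto out;

	/* Original mapping, read-only: the role the probed text pages play. */
	somedata = mmap(NULL, len, PROT_READ, MAP_SHARED, fd, 0);
	if (somedata == MAP_FAILED)
		goto out;

	/* Snapshot before the write, as the thread's copydata loop does. */
	copydata = malloc(len);
	if (!copydata)
		goto out;
	memcpy(copydata, somedata, len);

	/* Second, writable mapping of the same pages: the vmap() stand-in. */
	vaddr = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
	if (vaddr == MAP_FAILED)
		goto out;

	for (i = 0; i < len; i++)
		vaddr[i] = (unsigned char)(copydata[i] + 1);

	munmap(vaddr, len);		/* vunmap() stand-in */

	/* The thread's final BUG_ON(), byte by byte, through the original. */
	rc = 0;
	for (i = 0; i < len; i++) {
		if (somedata[i] != (unsigned char)(copydata[i] + 1)) {
			rc = -1;
			break;
		}
	}

out:
	free(copydata);
	if (somedata != MAP_FAILED)
		munmap(somedata, len);
	close(fd);
	return rc;
}

/* Run the round `rounds` times, as the thread proposes looping the module
 * test; returns how many rounds failed (0 means every write was visible). */
int run_alias_loop(int rounds)
{
	int i, failures = 0;

	for (i = 0; i < rounds; i++)
		if (test_alias_write() != 0)
			failures++;
	return failures;
}

int main(void)
{
	int failures = run_alias_loop(400);

	printf("%d of 400 rounds failed\n", failures);
	return failures ? 1 : 0;
}
```

Because both mappings are backed by the same page-cache pages, a byte written through vaddr must show up through somedata once the alias is gone, which is exactly the property the kernel test asserts for vmap(); a non-zero failure count from run_alias_loop() would point at the aliasing layer rather than at whatever code did the write, the same separation the thread is after.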
* [BUGFIX][PATCH -rc/-mm] prevent kprobes from catching spurious page faults
  2009-01-28 18:10 ` Mathieu Desnoyers
@ 2009-02-05 22:12 ` Masami Hiramatsu
  2009-02-05 23:57 ` Ingo Molnar
  2009-03-16 22:57 ` [BUGFIX][PATCH] prevent boosting kprobes on exception address Masami Hiramatsu
  1 sibling, 1 reply; 18+ messages in thread
From: Masami Hiramatsu @ 2009-02-05 22:12 UTC (permalink / raw)
To: Andrew Morton, Linus Torvalds, Greg KH
Cc: Mathieu Desnoyers, Nick Piggin, LKML, Ananth N Mavinakayanahalli, Jim Keniston, systemtap-ml, Frank Ch. Eigler

Prevent kprobes from catching spurious faults which will cause infinite
recursive page-fault and memory corruption by stack overflow.

Signed-off-by: Masami Hiramatsu <mhiramat@redhat.com>
---
This patch solves the memory corruption bug which I reported last week.
http://lkml.org/lkml/2009/1/27/428

Since the 2.6.28 kernel also has the same bug, I think it should be
applied to 2.6.28.y too.

Thanks,

 arch/x86/mm/fault.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

Index: linux-2.6/arch/x86/mm/fault.c
===================================================================
--- linux-2.6.orig/arch/x86/mm/fault.c
+++ linux-2.6/arch/x86/mm/fault.c
@@ -603,8 +603,6 @@ void __kprobes do_page_fault(struct pt_r
 	si_code = SEGV_MAPERR;
 
-	if (notify_page_fault(regs))
-		return;
 	if (unlikely(kmmio_fault(regs, address)))
 		return;
 
@@ -634,6 +632,9 @@ void __kprobes do_page_fault(struct pt_r
 		if (spurious_fault(address, error_code))
 			return;
 
+		/* kprobes don't want to hook the spurious faults. */
+		if (notify_page_fault(regs))
+			return;
 		/*
 		 * Don't take the mm semaphore here. If we fixup a prefetch
 		 * fault we could otherwise deadlock.
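Review bot: with notify_page_fault() removed from the top of do_page_fault() in the @@ -603 hunk, kmmio_fault() is left as the one hook that still runs ahead of vmalloc_fault() and spurious_fault(), so kmmio keeps being handed exactly the faults this patch hides from kprobes; either move the kmmio_fault() call down together with the kprobes one (which also keeps the planned merge of the two calls into a single early-out possible), or say in the changelog why kmmio is safe where it is.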
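Review bot: in the @@ -634 hunk the comment on the new call states a wish ("kprobes don't want to hook the spurious faults") rather than the invariant the placement provides; something like "hand the fault to kprobes only after vmalloc_fault() and spurious_fault() have failed to resolve it" tells the next reader why the call must stay below those two checks. The three added lines are also butted directly against the existing `/* Don't take the mm semaphore here ...` comment with no blank line, while the blank line above them is kept. Finally, the changelog should say in one sentence what kprobe_fault_handler() does with a fault it should never have seen that makes the fault recurse; without that, a reader cannot tell whether the fix is complete or merely moves the hook.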
@@ -641,6 +642,9 @@ void __kprobes do_page_fault(struct pt_r
 		goto bad_area_nosemaphore;
 	}
 
+	/* kprobes don't want to hook the spurious faults. */
+	if (notify_page_fault(regs))
+		return;
 	/*
 	 * It's safe to allow irq's after cr2 has been saved and the

--
Masami Hiramatsu

Software Engineer
Hitachi Computer Products (America) Inc.
Software Solutions Division

e-mail: mhiramat@redhat.com

^ permalink raw reply [flat|nested] 18+ messages in thread
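Review bot: the @@ -641 hunk repeats the call and the comment of the previous hunk verbatim; the reason both sites are needed is that the kernel-address block above exits through `goto bad_area_nosemaphore` instead of falling through, so a single call placed after its closing brace would never be reached for kernel addresses. That deserves one line in the changelog, or a small static helper, so the duplication does not read as an oversight and the two comments cannot drift apart. Same blank-line nit as in the previous hunk: the inserted lines sit directly on top of the `/* It's safe to allow irq's ...` comment.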
* Re: [BUGFIX][PATCH -rc/-mm] prevent kprobes from catching spurious page faults
  2009-02-05 22:12 ` [BUGFIX][PATCH -rc/-mm] prevent kprobes from catching spurious page faults Masami Hiramatsu
@ 2009-02-05 23:57 ` Ingo Molnar
  2009-02-06 1:13 ` Mathieu Desnoyers
  2009-02-06 15:57 ` Masami Hiramatsu
  0 siblings, 2 replies; 18+ messages in thread
From: Ingo Molnar @ 2009-02-05 23:57 UTC (permalink / raw)
To: Masami Hiramatsu
Cc: Andrew Morton, Linus Torvalds, Greg KH, Mathieu Desnoyers, Nick Piggin, LKML, Ananth N Mavinakayanahalli, Jim Keniston, systemtap-ml, Frank Ch. Eigler

* Masami Hiramatsu <mhiramat@redhat.com> wrote:

> -	if (notify_page_fault(regs))
> -		return;
>  	if (unlikely(kmmio_fault(regs, address)))
>  		return;
>
> @@ -634,6 +632,9 @@ void __kprobes do_page_fault(struct pt_r
>  		if (spurious_fault(address, error_code))
>  			return;
>
> +		/* kprobes don't want to hook the spurious faults. */
> +		if (notify_page_fault(regs))
> +			return;
>  		/*
>  		 * Don't take the mm semaphore here. If we fixup a prefetch
>  		 * fault we could otherwise deadlock.
> @@ -641,6 +642,9 @@ void __kprobes do_page_fault(struct pt_r
>  		goto bad_area_nosemaphore;
>  	}
>
> +	/* kprobes don't want to hook the spurious faults. */
> +	if (notify_page_fault(regs))
> +		return;

I don't know - this spreads that callback to two places now. Any
reason why kprobes cannot call spurious_fault(), if there's a
probe active?

Also, moving that would remove the planned cleanup of merging these
two into one call:

	if (notify_page_fault(regs))
		return;
	if (unlikely(kmmio_fault(regs, address)))
		return;

We should reduce the probing cross section, not increase it,
especially in such a critical codepath as the pagefault handler.

Btw., why cannot kprobes install a dynamic probe to the fault
handler itself? That way the default path would have no such
callbacks and checks at all.

	Ingo

^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [BUGFIX][PATCH -rc/-mm] prevent kprobes from catching spurious page faults
  2009-02-05 23:57 ` Ingo Molnar
@ 2009-02-06 1:13 ` Mathieu Desnoyers
  2009-02-06 2:04 ` Ingo Molnar
  2009-02-06 16:30 ` Masami Hiramatsu
  1 sibling, 2 replies; 18+ messages in thread
From: Mathieu Desnoyers @ 2009-02-06 1:13 UTC (permalink / raw)
To: Ingo Molnar
Cc: Masami Hiramatsu, Andrew Morton, Linus Torvalds, Greg KH, Nick Piggin, LKML, Ananth N Mavinakayanahalli, Jim Keniston, systemtap-ml, Frank Ch. Eigler

* Ingo Molnar (mingo@elte.hu) wrote:
>
> * Masami Hiramatsu <mhiramat@redhat.com> wrote:
>
> > -	if (notify_page_fault(regs))
> > -		return;
> >  	if (unlikely(kmmio_fault(regs, address)))
> >  		return;
> >
> > @@ -634,6 +632,9 @@ void __kprobes do_page_fault(struct pt_r
> >  		if (spurious_fault(address, error_code))
> >  			return;
> >
> > +		/* kprobes don't want to hook the spurious faults. */
> > +		if (notify_page_fault(regs))
> > +			return;
> >  		/*
> >  		 * Don't take the mm semaphore here. If we fixup a prefetch
> >  		 * fault we could otherwise deadlock.
> > @@ -641,6 +642,9 @@ void __kprobes do_page_fault(struct pt_r
> >  		goto bad_area_nosemaphore;
> >  	}
> >
> > +	/* kprobes don't want to hook the spurious faults. */
> > +	if (notify_page_fault(regs))
> > +		return;
>
> I don't know - this spreads that callback to two places now. Any
> reason why kprobes cannot call spurious_fault(), if there's a
> probe active?
>
> Also, moving that would remove the planned cleanup of merging these
> two into one call:
>
> 	if (notify_page_fault(regs))
> 		return;
> 	if (unlikely(kmmio_fault(regs, address)))
> 		return;
>
> We should reduce the probing cross section, not increase it,
> especially in such a critical codepath as the pagefault handler.
>
> Btw., why cannot kprobes install a dynamic probe to the fault
> handler itself? That way the default path would have no such
> callbacks and checks at all.
>

Or we could simply merge my 2 LTTng page fault handler tracepoints per
architecture and be done with it ?

I'd need to clean up the patchset a little bit to fold a few patches,
but that would be straightforward enough.

Mathieu

--
Mathieu Desnoyers
OpenPGP key fingerprint: 8CD5 52C3 8E3C 4140 715F BA06 3F25 A8FE 3BAE 9A68

^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [BUGFIX][PATCH -rc/-mm] prevent kprobes from catching spurious page faults
  2009-02-06 1:13 ` Mathieu Desnoyers
@ 2009-02-06 2:04 ` Ingo Molnar
  2009-02-06 2:05 ` Ingo Molnar
  2009-02-06 16:30 ` Masami Hiramatsu
  1 sibling, 1 reply; 18+ messages in thread
From: Ingo Molnar @ 2009-02-06 2:04 UTC (permalink / raw)
To: Mathieu Desnoyers
Cc: Masami Hiramatsu, Andrew Morton, Linus Torvalds, Greg KH, Nick Piggin, LKML, Ananth N Mavinakayanahalli, Jim Keniston, systemtap-ml, Frank Ch. Eigler

* Mathieu Desnoyers <mathieu.desnoyers@polymtl.ca> wrote:

> * Ingo Molnar (mingo@elte.hu) wrote:
> >
> > * Masami Hiramatsu <mhiramat@redhat.com> wrote:
> >
> > > -	if (notify_page_fault(regs))
> > > -		return;
> > >  	if (unlikely(kmmio_fault(regs, address)))
> > >  		return;
> > >
> > > @@ -634,6 +632,9 @@ void __kprobes do_page_fault(struct pt_r
> > >  		if (spurious_fault(address, error_code))
> > >  			return;
> > >
> > > +		/* kprobes don't want to hook the spurious faults. */
> > > +		if (notify_page_fault(regs))
> > > +			return;
> > >  		/*
> > >  		 * Don't take the mm semaphore here. If we fixup a prefetch
> > >  		 * fault we could otherwise deadlock.
> > > @@ -641,6 +642,9 @@ void __kprobes do_page_fault(struct pt_r
> > >  		goto bad_area_nosemaphore;
> > >  	}
> > >
> > > +	/* kprobes don't want to hook the spurious faults. */
> > > +	if (notify_page_fault(regs))
> > > +		return;
> >
> > I don't know - this spreads that callback to two places now. Any
> > reason why kprobes cannot call spurious_fault(), if there's a
> > probe active?
> >
> > Also, moving that would remove the planned cleanup of merging these
> > two into one call:
> >
> > 	if (notify_page_fault(regs))
> > 		return;
> > 	if (unlikely(kmmio_fault(regs, address)))
> > 		return;
> >
> > We should reduce the probing cross section, not increase it,
> > especially in such a critical codepath as the pagefault handler.
> >
> > Btw., why cannot kprobes install a dynamic probe to the fault
> > handler itself? That way the default path would have no such
> > callbacks and checks at all.
> >
>
> Or we could simply merge my 2 LTTng page fault handler tracepoints per
> architecture and be done with it ?
>
> I'd need to clean up the patchset a little bit to fold a few patches,
> but that would be straightforward enough.

yes, that would be an option too - it depends on the details of how it
looks and what kind of complexity it hides.

	Ingo

^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [BUGFIX][PATCH -rc/-mm] prevent kprobes from catching spurious page faults
  2009-02-06 2:04 ` Ingo Molnar
@ 2009-02-06 2:05 ` Ingo Molnar
  0 siblings, 0 replies; 18+ messages in thread
From: Ingo Molnar @ 2009-02-06 2:05 UTC (permalink / raw)
To: Mathieu Desnoyers
Cc: Masami Hiramatsu, Andrew Morton, Linus Torvalds, Greg KH, Nick Piggin, LKML, Ananth N Mavinakayanahalli, Jim Keniston, systemtap-ml, Frank Ch. Eigler

* Ingo Molnar <mingo@elte.hu> wrote:

>
> * Mathieu Desnoyers <mathieu.desnoyers@polymtl.ca> wrote:
>
> > * Ingo Molnar (mingo@elte.hu) wrote:
> > >
> > > * Masami Hiramatsu <mhiramat@redhat.com> wrote:
> > >
> > > > -	if (notify_page_fault(regs))
> > > > -		return;
> > > >  	if (unlikely(kmmio_fault(regs, address)))
> > > >  		return;
> > > >
> > > > @@ -634,6 +632,9 @@ void __kprobes do_page_fault(struct pt_r
> > > >  		if (spurious_fault(address, error_code))
> > > >  			return;
> > > >
> > > > +		/* kprobes don't want to hook the spurious faults. */
> > > > +		if (notify_page_fault(regs))
> > > > +			return;
> > > >  		/*
> > > >  		 * Don't take the mm semaphore here. If we fixup a prefetch
> > > >  		 * fault we could otherwise deadlock.
> > > > @@ -641,6 +642,9 @@ void __kprobes do_page_fault(struct pt_r
> > > >  		goto bad_area_nosemaphore;
> > > >  	}
> > > >
> > > > +	/* kprobes don't want to hook the spurious faults. */
> > > > +	if (notify_page_fault(regs))
> > > > +		return;
> > >
> > > I don't know - this spreads that callback to two places now. Any
> > > reason why kprobes cannot call spurious_fault(), if there's a
> > > probe active?
> > >
> > > Also, moving that would remove the planned cleanup of merging these
> > > two into one call:
> > >
> > > 	if (notify_page_fault(regs))
> > > 		return;
> > > 	if (unlikely(kmmio_fault(regs, address)))
> > > 		return;
> > >
> > > We should reduce the probing cross section, not increase it,
> > > especially in such a critical codepath as the pagefault handler.
> > >
> > > Btw., why cannot kprobes install a dynamic probe to the fault
> > > handler itself? That way the default path would have no such
> > > callbacks and checks at all.
> > >
> >
> > Or we could simply merge my 2 LTTng page fault handler tracepoints per
> > architecture and be done with it ?
> >
> > I'd need to clean up the patchset a little bit to fold a few patches,
> > but that would be straightforward enough.
>
> yes, that would be an option too - it depends on the details of how it
> looks and what kind of complexity it hides.

Linus just merged the fix so the urgency of the matter has become lower :)

	Ingo

^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [BUGFIX][PATCH -rc/-mm] prevent kprobes from catching spurious page faults
  2009-02-06 1:13 ` Mathieu Desnoyers
  2009-02-06 2:04 ` Ingo Molnar
@ 2009-02-06 16:30 ` Masami Hiramatsu
  1 sibling, 0 replies; 18+ messages in thread
From: Masami Hiramatsu @ 2009-02-06 16:30 UTC (permalink / raw)
To: Mathieu Desnoyers
Cc: Ingo Molnar, Andrew Morton, Linus Torvalds, Greg KH, Nick Piggin, LKML, Ananth N Mavinakayanahalli, Jim Keniston, systemtap-ml, Frank Ch. Eigler

Mathieu Desnoyers wrote:
> * Ingo Molnar (mingo@elte.hu) wrote:
>> * Masami Hiramatsu <mhiramat@redhat.com> wrote:
>>
>>> -	if (notify_page_fault(regs))
>>> -		return;
>>>  	if (unlikely(kmmio_fault(regs, address)))
>>>  		return;
>>>
>>> @@ -634,6 +632,9 @@ void __kprobes do_page_fault(struct pt_r
>>>  		if (spurious_fault(address, error_code))
>>>  			return;
>>>
>>> +		/* kprobes don't want to hook the spurious faults. */
>>> +		if (notify_page_fault(regs))
>>> +			return;
>>>  		/*
>>>  		 * Don't take the mm semaphore here. If we fixup a prefetch
>>>  		 * fault we could otherwise deadlock.
>>> @@ -641,6 +642,9 @@ void __kprobes do_page_fault(struct pt_r
>>>  		goto bad_area_nosemaphore;
>>>  	}
>>>
>>> +	/* kprobes don't want to hook the spurious faults. */
>>> +	if (notify_page_fault(regs))
>>> +		return;
>> I don't know - this spreads that callback to two places now. Any
>> reason why kprobes cannot call spurious_fault(), if there's a
>> probe active?
>>
>> Also, moving that would remove the planned cleanup of merging these
>> two into one call:
>>
>> 	if (notify_page_fault(regs))
>> 		return;
>> 	if (unlikely(kmmio_fault(regs, address)))
>> 		return;
>>
>> We should reduce the probing cross section, not increase it,
>> especially in such a critical codepath as the pagefault handler.
>>
>> Btw., why cannot kprobes install a dynamic probe to the fault
>> handler itself? That way the default path would have no such
>> callbacks and checks at all.
>>
>
> Or we could simply merge my 2 LTTng page fault handler tracepoints per
> architecture and be done with it ?

As you can see, these functions are a kind of fixup code.
If it succeeds in fixing up a fault, do_page_fault() has to return
because the fault is fixed.
Since a tracepoint itself is just a watchpoint, it should not change
the code path.

So, I think just moving kmmio_fault() to notify_page_fault() is enough.

> I'd need to clean up the patchset a little bit to fold a few patches,
> but that would be straightforward enough.

Anyway, I agree with the idea of pushing tracepoints into the page fault
handler. It is very useful for watching system behavior.

Thanks!

>
> Mathieu
>

--
Masami Hiramatsu

Software Engineer
Hitachi Computer Products (America) Inc.
Software Solutions Division

e-mail: mhiramat@redhat.com

^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [BUGFIX][PATCH -rc/-mm] prevent kprobes from catching spurious page faults
  2009-02-05 23:57 ` Ingo Molnar
  2009-02-06 1:13 ` Mathieu Desnoyers
@ 2009-02-06 15:57 ` Masami Hiramatsu
  1 sibling, 0 replies; 18+ messages in thread
From: Masami Hiramatsu @ 2009-02-06 15:57 UTC (permalink / raw)
To: Ingo Molnar
Cc: Andrew Morton, Linus Torvalds, Greg KH, Mathieu Desnoyers, Nick Piggin, LKML, Ananth N Mavinakayanahalli, Jim Keniston, systemtap-ml, Frank Ch. Eigler

Ingo Molnar wrote:
> * Masami Hiramatsu <mhiramat@redhat.com> wrote:
>
>> -	if (notify_page_fault(regs))
>> -		return;
>>  	if (unlikely(kmmio_fault(regs, address)))
>>  		return;
>>
>> @@ -634,6 +632,9 @@ void __kprobes do_page_fault(struct pt_r
>>  		if (spurious_fault(address, error_code))
>>  			return;
>>
>> +		/* kprobes don't want to hook the spurious faults. */
>> +		if (notify_page_fault(regs))
>> +			return;
>>  		/*
>>  		 * Don't take the mm semaphore here. If we fixup a prefetch
>>  		 * fault we could otherwise deadlock.
>> @@ -641,6 +642,9 @@ void __kprobes do_page_fault(struct pt_r
>>  		goto bad_area_nosemaphore;
>>  	}
>>
>> +	/* kprobes don't want to hook the spurious faults. */
>> +	if (notify_page_fault(regs))
>> +		return;
>
> I don't know - this spreads that callback to two places now. Any
> reason why kprobes cannot call spurious_fault(), if there's a
> probe active?

Hmm, because I think how the spurious faults are treated depends on
do_page_fault().
Calling spurious_fault() and vmalloc_fault() in kprobe_fault_handler()
is just spreading the code in another, different way...

> Also, moving that would remove the planned cleanup of merging these
> two into one call:
>
> 	if (notify_page_fault(regs))
> 		return;
> 	if (unlikely(kmmio_fault(regs, address)))
> 		return;

Sure, that is reasonable, if kmmio also does not want to catch spurious
faults.

> We should reduce the probing cross section, not increase it,
> especially in such a critical codepath as the pagefault handler.

I think my patch doesn't increase it, the first path jumps to
bad_area_nosemaphore right after calling notify_page_fault().

>
> Btw., why cannot kprobes install a dynamic probe to the fault
> handler itself? That way the default path would have no such
> callbacks and checks at all.

Because kprobe_fault_handler() is implemented not only for the user
fault handler but also for fixing up the page-fault ip during
single-step out-of-line.
It's an elemental part of kprobes.

Thank you,

--
Masami Hiramatsu

Software Engineer
Hitachi Computer Products (America) Inc.
Software Solutions Division

e-mail: mhiramat@redhat.com

^ permalink raw reply [flat|nested] 18+ messages in thread
* [BUGFIX][PATCH] prevent boosting kprobes on exception address
  2009-01-28 18:10 ` Mathieu Desnoyers
  2009-02-05 22:12 ` [BUGFIX][PATCH -rc/-mm] prevent kprobes from catching spurious page faults Masami Hiramatsu
@ 2009-03-16 22:57 ` Masami Hiramatsu
  1 sibling, 0 replies; 18+ messages in thread
From: Masami Hiramatsu @ 2009-03-16 22:57 UTC (permalink / raw)
To: Andrew Morton, Linus Torvalds, Greg KH
Cc: LKML, Ananth N Mavinakayanahalli, Jim Keniston, systemtap-ml, Frank Ch. Eigler

Don't boost at the addresses which are listed on exception tables,
because a major page fault will occur on those addresses. In that case,
kprobes cannot ensure when the instruction buffer can be freed, since
some processes will sleep on the buffer.
(kprobes-ia64 already has the same check.)

Signed-off-by: Masami Hiramatsu <mhiramat@redhat.com>
Cc: Ananth N Mavinakayanahalli <ananth@in.ibm.com>
---

 arch/x86/kernel/kprobes.c |    3 +++
 1 file changed, 3 insertions(+)

Index: mmotm/arch/x86/kernel/kprobes.c
===================================================================
--- mmotm.orig/arch/x86/kernel/kprobes.c
+++ mmotm/arch/x86/kernel/kprobes.c
@@ -193,6 +193,9 @@ static int __kprobes can_boost(kprobe_op
 	kprobe_opcode_t opcode;
 	kprobe_opcode_t *orig_opcodes = opcodes;
 
+	if (search_exception_tables(opcodes))
+		return 0;	/* Page fault may occur on this address. */
+
 retry:
 	if (opcodes - orig_opcodes > MAX_INSN_SIZE - 1)
 		return 0;

--
Masami Hiramatsu

Software Engineer
Hitachi Computer Products (America) Inc.
Software Solutions Division

e-mail: mhiramat@redhat.com

^ permalink raw reply [flat|nested] 18+ messages in thread
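Review bot: search_exception_tables() takes an unsigned long, but the hunk passes `opcodes`, which is a `kprobe_opcode_t *`, so this wants `search_exception_tables((unsigned long)opcodes)` to avoid a pointer-to-integer warning. The check is correctly placed before the `retry:` prefix loop, because the exception table records the start of the faulting instruction and `opcodes` is only that start address at this point; a short comment saying so would stop someone later "fixing" it by moving it into the loop. The changelog would also be clearer as "kprobes cannot tell when the instruction buffer can be freed, since a task may sleep in the page fault taken from it", which is the actual hazard the check guards against.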
* Re: [BUG][kprobes][vunmap?]: kprobes may cause memory corruption
  2009-01-28 17:58 ` Masami Hiramatsu
  2009-01-28 18:10 ` Mathieu Desnoyers
@ 2009-01-28 18:13 ` Masami Hiramatsu
  1 sibling, 0 replies; 18+ messages in thread
From: Masami Hiramatsu @ 2009-01-28 18:13 UTC (permalink / raw)
To: Mathieu Desnoyers
Cc: Nick Piggin, LKML, Ananth N Mavinakayanahalli, Jim Keniston, systemtap-ml, Frank Ch. Eigler

Masami Hiramatsu wrote:
> Mathieu Desnoyers wrote:
>> * Masami Hiramatsu (mhiramat@redhat.com) wrote:
>>> Mathieu Desnoyers wrote:
> [...]
>>>> All this called in a loop. This would help isolating the "vmap" part of
>>>> the issue. If this test is not enough, then we should maybe try
>>>> something like this in a kernel module (which does what text_poke does
>>>> with vmalloc, more or less) in a loop :
>>>>
>>>> char somedata[PAGE_SIZE] __attribute__((aligned(PAGE_SIZE)));
>>>> char copydata[PAGE_SIZE] __attribute__((aligned(PAGE_SIZE)));
>>> Should both of them have PAGE_SIZE*2?
>>>
>> Yes.
>>
>>>> void test_vmap(void)
>>>> }
>>>> 	struct page *pages[2];
>>>> 	char *vaddr;
>>>> 	int i;
>>>>
>>>> 	for (i = 0; i < 2 * PAGE_SIZE; i++)
>>>> 		copydata[i] = somedata[i];
>>>> 	page[0] = virt_to_page(&somedata);
>>>> 	BUG_ON(!page[0]);
>>>> 	page[1] = virt_to_page(&somedata + PAGE_SIZE);
>>>> 	BUG_ON(!page[1]);
>
> Oops, these should be vmalloc_to_page(), shouldn't they?
>
>>>> 	vaddr = vmap(pages, 2, VM_MAP, PAGE_KERNEL);
>>>> 	BUG_ON(!vaddr);
>>>>
>>>> 	for (i = 0; i < 2 * PAGE_SIZE; i++)
>>>> 		vaddr[i] = copydata[i] + 1;
>>>>
>>>> 	vunmap(vaddr);
>>>>
>>>> 	for (i = 0; i < 2 * PAGE_SIZE; i++)
>>>> 		BUG_ON(somedata[i] != copydata[i] + 1);
>>>> }
>>> Hmm, when I ran the above code, it hit the last BUG_ON().
>>> I checked that somedata[i] wasn't updated.
>>>
>> Do you hit the BUG_ON after the first loop ?
>
> At the first loop, it hit the BUG_ON.
>
>>>> Given you don't seem to have hit the
>>>> 	for (i = 0; i < len; i++)
>>>> 		BUG_ON(((char *)addr)[i] != ((char *)opcode)[i]);
>>>> test at the end of text_poke,
>>> However, when I ran the kprobe-based test, it doesn't hit the BUG_ON()
>>> in text_poke().
>>>
>> The variable declarations should have been 2*PAGE_SIZE, hopefully you
>> fixed them.
>
> Sure,
>
>> There is also a sync_core() in text_poke. It should not matter, but
>> maybe that could help ?
>
> Adding sync_core() could not help me... anyway, I'll try again
> with using vmalloc_to_page().

Hmm, using vmalloc_to_page() works fine... the test didn't hit any BUG_ON.

>
>>>> I suspect the write through the vmapped
>>>> area is correctly done, but that the problem may lay in the mm layer.
>>>> Maybe it's running out of pre-allocated vmap areas or something like
>>>> this ?
>>> I haven't seen a vmalloc failure message on 2.6.29-rc2.
>>>
>> It could be because the available vmalloc space is slightly higher.
>> Looking into the lazy vunmap threshold would be useful.
>>
>> You could also try with loop values higher than 400.

I also tested with 1000 loops, but nothing happened.

Thank you,

>
> OK, Thanks,
>

--
Masami Hiramatsu

Software Engineer
Hitachi Computer Products (America) Inc.
Software Solutions Division

e-mail: mhiramat@redhat.com

^ permalink raw reply [flat|nested] 18+ messages in thread
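The alias-write check that the vmap test in this thread performs, as an added userspace model that is not code from the thread or from the kernel: instead of vmap()/vunmap() over a module's pages it maps the same two file pages twice with mmap(MAP_SHARED), writes copydata[i] + 1 through the second mapping (the alias), unmaps the alias, and then verifies that every byte is visible through the first mapping, which is the property text_poke() relies on. The byte arithmetic is done on a `char *` rather than on `&somedata` as in the posted snippet, where `&somedata + PAGE_SIZE` steps by whole array lengths instead of by PAGE_SIZE bytes. The temporary-file backing store under /tmp, the two-page size and the +1 pattern are assumptions of this example, not anything the thread specifies.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define NPAGES 2	/* the thread's test used a 2*PAGE_SIZE buffer (assumed here too) */

/* Known byte pattern for the "somedata" buffer (constructed input). */
static void fill_pattern(unsigned char *p, size_t len)
{
	for (size_t i = 0; i < len; i++)
		p[i] = (unsigned char)(i * 7 + 3);
}

/*
 * Userspace model of the vmap test: map the same NPAGES file pages twice,
 * write copydata[i] + 1 through the second mapping (the vmap() alias),
 * unmap the alias (vunmap()), then check that every byte is visible
 * through the first mapping (somedata).  Returns the number of bytes
 * that did not update (0 on success), or -1 if setup failed.
 */
long alias_write_check(void)
{
	long page = sysconf(_SC_PAGESIZE);
	if (page <= 0)
		return -1;
	size_t len = (size_t)page * NPAGES;

	/* Backing store: an unlinked temporary file (location is an assumption). */
	char path[] = "/tmp/alias_write_XXXXXX";
	int fd = mkstemp(path);
	if (fd < 0)
		return -1;
	unlink(path);
	if (ftruncate(fd, (off_t)len) != 0) {
		close(fd);
		return -1;
	}

	long result = -1;
	unsigned char *copydata = NULL;
	unsigned char *vaddr = MAP_FAILED;

	/* "somedata": the original mapping of the two pages. */
	unsigned char *somedata = mmap(NULL, len, PROT_READ | PROT_WRITE,
				       MAP_SHARED, fd, 0);
	if (somedata == MAP_FAILED)
		goto out_fd;
	fill_pattern(somedata, len);

	/* "copydata": a private snapshot to compare against afterwards. */
	copydata = malloc(len);
	if (!copydata)
		goto out_unmap;
	memcpy(copydata, somedata, len);

	/* The alias: a second virtual address range for the same two pages. */
	vaddr = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
	if (vaddr == MAP_FAILED)
		goto out_free;

	/* Write through the alias page by page; page j starts at vaddr + j * page (bytes). */
	for (int j = 0; j < NPAGES; j++) {
		unsigned char *pg = vaddr + (size_t)j * (size_t)page;
		for (long i = 0; i < page; i++)
			pg[i] = (unsigned char)(copydata[(size_t)j * (size_t)page + (size_t)i] + 1);
	}

	munmap(vaddr, len);	/* drop the alias before checking, like vunmap() */

	/* Every byte must now be visible through the original mapping. */
	result = 0;
	for (size_t i = 0; i < len; i++)
		if (somedata[i] != (unsigned char)(copydata[i] + 1))
			result++;

out_free:
	free(copydata);
out_unmap:
	munmap(somedata, len);
out_fd:
	close(fd);
	return result;
}

int main(void)
{
	/* Repeat, as the thread's test did, to catch aliases that are torn down lazily. */
	for (int iter = 0; iter < 1000; iter++) {
		long r = alias_write_check();
		if (r != 0) {
			printf("iteration %d: %ld bytes not updated\n", iter, r);
			return 1;
		}
	}
	puts("alias writes visible through the original mapping on every iteration");
	return 0;
}
```

Run it in a loop on the machine under test: a nonzero return from alias_write_check() on any iteration means a write through the alias was not visible through the original mapping after the alias was dropped, which is the symptom the thread's last BUG_ON() was looking for.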
end of thread, other threads:[~2009-03-16 22:57 UTC | newest]

Thread overview: 18+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2009-01-28 2:32 [BUG][kprobes][vunmap?]: kprobes may cause memory corruption Masami Hiramatsu
2009-01-28 2:39 ` [PATCH][bugfix?][kprobes][vunmap?]: use vm_map_ram() in text_poke() Masami Hiramatsu
2009-01-28 5:09 ` [BUG][kprobes][vunmap?]: kprobes may cause memory corruption Masami Hiramatsu
2009-01-28 15:48 ` Mathieu Desnoyers
2009-01-28 16:22 ` Mathieu Desnoyers
2009-01-28 16:59 ` Masami Hiramatsu
2009-01-28 17:13 ` Mathieu Desnoyers
2009-01-28 17:58 ` Masami Hiramatsu
2009-01-28 18:10 ` Mathieu Desnoyers
2009-02-05 22:12 ` [BUGFIX][PATCH -rc/-mm] prevent kprobes from catching spurious page faults Masami Hiramatsu
2009-02-05 23:57 ` Ingo Molnar
2009-02-06 1:13 ` Mathieu Desnoyers
2009-02-06 2:04 ` Ingo Molnar
2009-02-06 2:05 ` Ingo Molnar
2009-02-06 16:30 ` Masami Hiramatsu
2009-02-06 15:57 ` Masami Hiramatsu
2009-03-16 22:57 ` [BUGFIX][PATCH] prevent boosting kprobes on exception address Masami Hiramatsu
2009-01-28 18:13 ` [BUG][kprobes][vunmap?]: kprobes may cause memory corruption Masami Hiramatsu