Kernel panics in path_init in presence of sisips module

Solution Verified - Updated -

Environment

  • Red Hat Enterprise Linux 7
  • sisips kernel module

Issue

The machine experiences panic in the path_init() routine:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
IP: [<ffffffffa52583fb>] path_init+0x33b/0x3f0

Resolution

Please consider contacting sisips kernel module vendor for possible assistance.

Root Cause

The panic happens under following conditions:

  • the panic task is exiting
  • the task_struct.fs member is set to NULL as expected via the exit_fs() call
  • while processing fput() callbacks in the task exit path the sisips kernel module code chain is triggered leading to manipulation with the NULL'ified ->fs member, which is not expected by the core kernel code

Diagnostic Steps

The following panic task call chain applies:

crash> bt
PID: 1169   TASK: ffff93dc1deba0e0  CPU: 5   COMMAND: "sshd"
#10 [ffff93da03e5b2f0] async_page_fault at ffffffffa57847a8
    [exception RIP: path_init+0x33b]
…
#11 [ffff93da03e5b3f8] path_lookupat at ffffffffa525ae15
#12 [ffff93da03e5b490] filename_lookup at ffffffffa525b6ab
#13 [ffff93da03e5b4c8] kern_path at ffffffffa525d3b5
#14 [ffff93da03e5b598] sisips_path_lookup at ffffffffc02f76be [sisips]
#15 [ffff93da03e5b5d8] ReadSymLink at ffffffffc02f7748 [sisips]
#16 [ffff93da03e5b6b0] _Z26GetProcessPathFromProcLinkiPci at ffffffffc0308251 [sisips]
#17 [ffff93da03e5b6d0] _Z14SetProcessPathP7Process at ffffffffc030841a [sisips]
#18 [ffff93da03e5b6f0] _Z12SetUpProcessP7Process at ffffffffc0308b00 [sisips]
#19 [ffff93da03e5b720] _ZN13ProcessCommon10GetProcessEi at ffffffffc031ff26 [sisips]
#20 [ffff93da03e5b740] AppfireCheckConnect at ffffffffc0306b67 [sisips]
#21 [ffff93da03e5b7c0] hook_dgram_sendmsg at ffffffffc02f2f21 [sisips]
#22 [ffff93da03e5b828] sock_sendmsg at ffffffffa562f3a6
#23 [ffff93da03e5b988] kernel_sendmsg at ffffffffa562f417
…
#41 [ffff93da03e5bdb8] __fput at ffffffffa524cb2c
#42 [ffff93da03e5be00] ____fput at ffffffffa524cd8e
#43 [ffff93da03e5be10] task_work_run at ffffffffa50c2d2b
#44 [ffff93da03e5be50] do_exit at ffffffffa50a2044
#45 [ffff93da03e5bee8] do_group_exit at ffffffffa50a283f
#46 [ffff93da03e5bf18] sys_exit_group at ffffffffa50a28b4
#47 [ffff93da03e5bf28] hook_exit_group at ffffffffc02f0461 [sisips]
…

The path_init() code expects current->fs value to not be NULL:

 677 static __always_inline void set_root_rcu(struct nameidata *nd)
 678 {
 679     if (!nd->root.mnt) {
 680         struct fs_struct *fs = current->fs;

In this case it, however, is:

crash> task -R fs
PID: 1169   TASK: ffff93dc1deba0e0  CPU: 5   COMMAND: "sshd"
  fs = 0x0,

It is set in the task exit path as expected:

 93 void exit_fs(struct task_struct *tsk)
 94 {
 95     struct fs_struct *fs = tsk->fs;
 96
 97     if (fs) {
…
101         tsk->fs = NULL;

 794 void do_exit(long code)
 795 {
…
 883     exit_fs(tsk);

Thus, it is not expected for the sisips kernel module to manipulate on these data.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

Comments