refcount overflow

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

refcount overflow

Postby lkm5425 » Mon Dec 09, 2013 3:39 am

Hi, after weeks of running a system (about 25 days),
the kernel will start killing some processes with a refcount overflow error.

dumps look like:

10.10.8.16 [Nov 10 20:00:24] PAX: From 10.10.1.103: refcount overflow detected in: callMCH:1599, uid/euid: 0/0
10.10.8.16 [Nov 10 20:00:24] PAX: refcount overflow occured at: bad_gs+0x310d/0x7886
10.10.8.16 [Nov 10 20:00:24] BUG: using smp_processor_id() in preemptible [00000000] code: callMCH/1599
10.10.8.16 [Nov 10 20:00:24] caller is show_registers+0x2d/0x300
10.10.8.16 [Nov 10 20:00:24] Pid: 1599, comm: callMCH Tainted: P 2.6.34.13-grsec-WR4.3.0.0_cgl #28
10.10.8.16 [Nov 10 20:00:24] Call Trace:
10.10.8.16 [Nov 10 20:00:24] [<ffffffff813451a3>] debug_smp_processor_id+0xe3/0x100
10.10.8.16 [Nov 10 20:00:24] [<ffffffff810065ed>] show_registers+0x2d/0x300
10.10.8.16 [Nov 10 20:00:24] [<ffffffff815b752f>] ? printk+0xd2/0xe3
10.10.8.16 [Nov 10 20:00:24] [<ffffffff8100d8a1>] show_regs+0x11/0x30
10.10.8.16 [Nov 10 20:00:24] [<ffffffff8112c86c>] pax_report_refcount_overflow+0x6c/0xd0
10.10.8.16 [Nov 10 20:00:24] [<ffffffff81004b3e>] do_trap+0xce/0x280
10.10.8.16 [Nov 10 20:00:24] [<ffffffff815ba6e2>] ? _raw_spin_lock_irqsave+0x22/0x50
10.10.8.16 [Nov 10 20:00:24] [<ffffffff81735f0d>] ? dcbnl_app_nest+0xe5f0d/0x138000
10.10.8.16 [Nov 10 20:00:24] [<ffffffff810051f9>] do_overflow+0x69/0x80
10.10.8.16 [Nov 10 20:00:24] [<ffffffff81003b1b>] overflow+0x2b/0x30
10.10.8.16 [Nov 10 20:00:24] [<ffffffff815be3f7>] ? bad_gs+0x310d/0x7886
10.10.8.16 [Nov 10 20:00:24] [<ffffffff811282a8>] __fput+0x198/0x1f0
10.10.8.16 [Nov 10 20:00:24] [<ffffffff81128325>] fput+0x25/0x30
10.10.8.16 [Nov 10 20:00:24] [<ffffffff81123b98>] filp_close+0x58/0x90
10.10.8.16 [Nov 10 20:00:24] [<ffffffff81123c9c>] sys_close+0xcc/0x1c0
10.10.8.16 [Nov 10 20:00:24] [<ffffffff81002d10>] system_call_done+0x0/0x5
10.10.8.16 [Nov 10 20:00:24] CPU 0
10.10.8.16 [Nov 10 20:00:24] Modules linked in: libsas x_tables ip_tables isci logconsole(P) tipc ipmi_msghandler ipmi_si i2c_core sg i2c_i801 ipv6 ipmi_devintf sctp dummy ipmi_watchdog binfmt_misc bonding [last unloaded: scsi_wait_scan]
10.10.8.16 [Nov 10 20:00:24]
10.10.8.16 [Nov 10 20:00:24] Pid: 1599, comm: callMCH Tainted: P 2.6.34.13-grsec-WR4.3.0.0_cgl #28 ATCA-4648 /ATCA-4648
10.10.8.16 [Nov 10 20:00:24] RIP: 0010:[<ffffffff815be3f7>] [<ffffffff815be3f7>] bad_gs+0x310d/0x7886
10.10.8.16 [Nov 10 20:00:24] RSP: 0018:ffff880c40b5be98 EFLAGS: 00000a16
10.10.8.16 [Nov 10 20:00:24] RAX: ffff88184989f7c8 RBX: ffff880c41172540 RCX: 0000000000000352
10.10.8.16 [Nov 10 20:00:24] RDX: ffff880c47c95080 RSI: ffffffff85efc550 RDI: ffff880c41172540
10.10.8.16 [Nov 10 20:00:24] RBP: ffff880c40b5be98 R08: 0000000000000000 R09: 0000000000000000
10.10.8.16 [Nov 10 20:00:24] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000008
10.10.8.16 [Nov 10 20:00:24] R13: ffff880c0402be00 R14: ffff88184989f7c8 R15: ffff880c47c95080
10.10.8.16 [Nov 10 20:00:24] FS: 000003f54c8a6710(0000) GS:ffff88000a600000(0000) knlGS:0000000000000000
10.10.8.16 [Nov 10 20:00:24] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
10.10.8.16 [Nov 10 20:00:24] CR2: 00000038e960b10c CR3: 00000000018e4000 CR4: 00000000000406b0
10.10.8.16 [Nov 10 20:00:24] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
10.10.8.16 [Nov 10 20:00:24] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
10.10.8.16 [Nov 10 20:00:24] Process callMCH (pid: 1599, threadinfo ffff880c40b5a000, task ffff880c418d9640)
10.10.8.16 [Nov 10 20:00:24] Stack:
10.10.8.16 [Nov 10 20:00:24] ffff880c40b5bed8 ffffffff811282a8 ffff880c40b5bed8 ffff880c41172540
10.10.8.16 [Nov 10 20:00:24] <0> ffff880c317dd200 0000000000000000 ffff880c317dd280 ffff880c317dd210
10.10.8.16 [Nov 10 20:00:24] <0> ffff880c40b5bee8 ffffffff81128325 ffff880c40b5bf18 ffffffff81123b98
10.10.8.16 [Nov 10 20:00:24] Call Trace:
10.10.8.16 [Nov 10 20:00:24] [<ffffffff811282a8>] __fput+0x198/0x1f0
10.10.8.16 [Nov 10 20:00:24] [<ffffffff81128325>] fput+0x25/0x30
10.10.8.16 [Nov 10 20:00:24] [<ffffffff81123b98>] filp_close+0x58/0x90
10.10.8.16 [Nov 10 20:00:24] [<ffffffff81123c9c>] sys_close+0xcc/0x1c0
10.10.8.16 [Nov 10 20:00:24] [<ffffffff81002d10>] system_call_done+0x0/0x5
10.10.8.16 [Nov 10 20:00:24] Code: 30 c9 e9 2b 87 b6 ff b8 f2 ff ff ff 45 30 c9 e9 ac 8f b6 ff b8 f2 ff ff ff 45 30 d2 e9 0b 94 b6 ff b8 f2 ff ff ff e9 1a 94 b6 ff <f0> ff 80 5c 02 00 00 e9 c8 97 b6 ff f0 ff 8b c8 00 00 00 e9 89
10.10.8.16 [Nov 10 20:00:24] Call Trace:
10.10.8.16 [Nov 10 20:00:24] Call Trace:
10.10.8.16 [Nov 10 20:00:24] [<ffffffff811282a8>] __fput+0x198/0x1f0
10.10.8.16 [Nov 10 20:00:24] [<ffffffff81128325>] fput+0x25/0x30
10.10.8.16 [Nov 10 20:00:24] [<ffffffff81123b98>] filp_close+0x58/0x90
10.10.8.16 [Nov 10 20:00:24] [<ffffffff81123c9c>] sys_close+0xcc/0x1c0
10.10.8.16 [Nov 10 20:00:24] [<ffffffff81002d10>] system_call_done+0x0/0x5
10.10.8.16 [Nov 10 20:00:24] PAX: refcount overflow detected in: alarmCMH:4842, uid/euid: 0/0
10.10.8.16 [Nov 10 20:00:24] PAX: refcount overflow occured at: bad_gs+0x310d/0x7886
10.10.8.16 [Nov 10 20:00:24] BUG: using smp_processor_id() in preemptible [00000000] code: alarmCMH/4842
10.10.8.16 [Nov 10 20:00:24] caller is show_registers+0x2d/0x300
10.10.8.16 [Nov 10 20:00:24] Pid: 4842, comm: alarmCMH Tainted: P 2.6.34.13-grsec-WR4.3.0.0_cgl #28
10.10.8.16 [Nov 10 20:00:24] Call Trace:
10.10.8.16 [Nov 10 20:00:24] [<ffffffff813451a3>] debug_smp_processor_id+0xe3/0x100
10.10.8.16 [Nov 10 20:00:24] [<ffffffff810065ed>] show_registers+0x2d/0x300
10.10.8.16 [Nov 10 20:00:24] [<ffffffff815b752f>] ? printk+0xd2/0xe3
10.10.8.16 [Nov 10 20:00:24] [<ffffffff8100d8a1>] show_regs+0x11/0x30
10.10.8.16 [Nov 10 20:00:24] [<ffffffff8112c86c>] pax_report_refcount_overflow+0x6c/0xd0
10.10.8.16 [Nov 10 20:00:24] [<ffffffff81004b3e>] do_trap+0xce/0x280
10.10.8.16 [Nov 10 20:00:24] [<ffffffff815ba6e2>] ? _raw_spin_lock_irqsave+0x22/0x50
10.10.8.16 [Nov 10 20:00:24] [<ffffffff81735f0d>] ? dcbnl_app_nest+0xe5f0d/0x138000
10.10.8.16 [Nov 10 20:00:24] [<ffffffff810051f9>] do_overflow+0x69/0x80
10.10.8.16 [Nov 10 20:00:24] [<ffffffff81003b1b>] overflow+0x2b/0x30
10.10.8.16 [Nov 10 20:00:24] [<ffffffff815be3f7>] ? bad_gs+0x310d/0x7886
10.10.8.16 [Nov 10 20:00:24] [<ffffffff811282a8>] __fput+0x198/0x1f0
10.10.8.16 [Nov 10 20:00:24] [<ffffffff81128325>] fput+0x25/0x30
10.10.8.16 [Nov 10 20:00:24] [<ffffffff81123b98>] filp_close+0x58/0x90
10.10.8.16 [Nov 10 20:00:24] [<ffffffff81123c9c>] sys_close+0xcc/0x1c0
10.10.8.16 [Nov 10 20:00:24] [<ffffffff81002d10>] system_call_done+0x0/0x5
10.10.8.16 [Nov 10 20:00:24] CPU 1
10.10.8.16 [Nov 10 20:00:24] Modules linked in: libsas x_tables ip_tables isci logconsole(P) tipc ipmi_msghandler ipmi_si i2c_core sg i2c_i801 ipv6 ipmi_devintf sctp dummy ipmi_watchdog binfmt_misc bonding [last unloaded: scsi_wait_scan]
10.10.8.16 [Nov 10 20:00:24]
10.10.8.16 [Nov 10 20:00:24] Pid: 4842, comm: alarmCMH Tainted: P 2.6.34.13-grsec-WR4.3.0.0_cgl #28 ATCA-4648 /ATCA-4648
10.10.8.16 [Nov 10 20:00:24] RIP: 0010:[<ffffffff815be3f7>] [<ffffffff815be3f7>] bad_gs+0x310d/0x7886
10.10.8.16 [Nov 10 20:00:24] RSP: 0018:ffff880c403fbe98 EFLAGS: 00000a16
10.10.8.16 [Nov 10 20:00:24] RAX: ffff88184989f7c8 RBX: ffff880c40fe2840 RCX: 0000000000000359
10.10.8.16 [Nov 10 20:00:24] RDX: ffff880c47c95080 RSI: ffffffff85efc550 RDI: ffff880c40fe2840
10.10.8.16 [Nov 10 20:00:24] RBP: ffff880c403fbe98 R08: 0000000000000000 R09: 0000000000000000
10.10.8.16 [Nov 10 20:00:24] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000008
10.10.8.16 [Nov 10 20:00:24] R13: ffff880c016ec6c0 R14: ffff88184989f7c8 R15: ffff880c47c95080
10.10.8.16 [Nov 10 20:00:24] FS: 000003601cdf6710(0000) GS:ffff88000a620000(0000) knlGS:0000000000000000
10.10.8.16 [Nov 10 20:00:24] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
10.10.8.16 [Nov 10 20:00:24] CR2: 00000038e960b10c CR3: 00000000018e5000 CR4: 00000000000406b0
10.10.8.16 [Nov 10 20:00:24] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
10.10.8.16 [Nov 10 20:00:24] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
10.10.8.16 [Nov 10 20:00:24] Process alarmCMH (pid: 4842, threadinfo ffff880c403fa000, task ffff880c403f9600)
10.10.8.16 [Nov 10 20:00:24] Stack:
10.10.8.16 [Nov 10 20:00:24] ffff880c403fbed8 ffffffff811282a8 ffff880c403fbed8 ffff880c40fe2840
10.10.8.16 [Nov 10 20:00:24] <0> ffff880c317ddd00 0000000000000000 ffff880c317ddd80 ffff880c317ddd10
10.10.8.16 [Nov 10 20:00:24] <0> ffff880c403fbee8 ffffffff81128325 ffff880c403fbf18 ffffffff81123b98
10.10.8.16 [Nov 10 20:00:24] Call Trace:
10.10.8.16 [Nov 10 20:00:24] [<ffffffff811282a8>] __fput+0x198/0x1f0
10.10.8.16 [Nov 10 20:00:24] [<ffffffff81128325>] fput+0x25/0x30
10.10.8.16 [Nov 10 20:00:24] [<ffffffff81123b98>] filp_close+0x58/0x90
10.10.8.16 [Nov 10 20:00:24] [<ffffffff81123c9c>] sys_close+0xcc/0x1c0
10.10.8.16 [Nov 10 20:00:24] [<ffffffff81002d10>] system_call_done+0x0/0x5
10.10.8.16 [Nov 10 20:00:24] Code: 30 c9 e9 2b 87 b6 ff b8 f2 ff ff ff 45 30 c9 e9 ac 8f b6 ff b8 f2 ff ff ff 45 30 d2 e9 0b 94 b6 ff b8 f2 ff ff ff e9 1a 94 b6 ff <f0> ff 80 5c 02 00 00 e9 c8 97 b6 ff f0 ff 8b c8 00 00 00 e9 89
10.10.8.16 [Nov 10 20:00:24] Call Trace:
10.10.8.16 [Nov 10 20:00:24] [<ffffffff811282a8>] __fput+0x198/0x1f0
10.10.8.16 [Nov 10 20:00:24] [<ffffffff81128325>] fput+0x25/0x30
10.10.8.16 [Nov 10 20:00:24] [<ffffffff81123b98>] filp_close+0x58/0x90
10.10.8.16 [Nov 10 20:00:24] [<ffffffff81123c9c>] sys_close+0xcc/0x1c0
10.10.8.16 [Nov 10 20:00:24] [<ffffffff81002d10>] system_call_done+0x0/0x5
10.10.8.16 [Nov 10 20:00:26] Deleting interface #8 bond0:7, 10.10.8.24#123, interface stats: received=0, sent=0, dropped=0, active_time=2484030 secs
10.10.8.16 [Nov 10 20:00:26] Deleting interface #7 bond0:3, 10.10.8.33#123, interface stats: received=0, sent=0, dropped=0, active_time=2484030 secs
10.10.8.16 [Nov 10 20:00:28] mapping inconsistent, handle=0.8.0.0-0.0
10.10.8.16 [Nov 10 20:00:28] mapping inconsistent, handle=0.8.0.0-1.0
10.10.8.16 [Nov 10 20:00:28] mapping inconsistent, handle=0.9.0.0-0.0
10.10.8.16 [Nov 10 20:00:28] mapping inconsistent, handle=0.9.0.0-1.0
10.10.8.16 [Nov 10 20:00:38] PAX: refcount overflow detected in: alarmCMH:1775, uid/euid: 0/0
10.10.8.16 [Nov 10 20:00:38] PAX: refcount overflow occured at: bad_gs+0x310d/0x7886
10.10.8.16 [Nov 10 20:00:38] BUG: using smp_processor_id() in preemptible [00000000] code: alarmCMH/1775
10.10.8.16 [Nov 10 20:00:38] caller is show_registers+0x2d/0x300
10.10.8.16 [Nov 10 20:00:38] Pid: 1775, comm: alarmCMH Tainted: P 2.6.34.13-grsec-WR4.3.0.0_cgl #28
10.10.8.16 [Nov 10 20:00:38] Call Trace:
10.10.8.16 [Nov 10 20:00:38] [<ffffffff813451a3>] debug_smp_processor_id+0xe3/0x100
10.10.8.16 [Nov 10 20:00:38] [<ffffffff810065ed>] show_registers+0x2d/0x300
10.10.8.16 [Nov 10 20:00:38] [<ffffffff815b752f>] ? printk+0xd2/0xe3
10.10.8.16 [Nov 10 20:00:38] [<ffffffff8100d8a1>] show_regs+0x11/0x30
10.10.8.16 [Nov 10 20:00:38] [<ffffffff8112c86c>] pax_report_refcount_overflow+0x6c/0xd0
10.10.8.16 [Nov 10 20:00:38] [<ffffffff81004b3e>] do_trap+0xce/0x280
10.10.8.16 [Nov 10 20:00:38] [<ffffffff81334633>] ? gr_log_resource+0xe3/0x1b0
10.10.8.16 [Nov 10 20:00:38] [<ffffffff81735f0d>] ? dcbnl_app_nest+0xe5f0d/0x138000
10.10.8.16 [Nov 10 20:00:38] [<ffffffff810051f9>] do_overflow+0x69/0x80
10.10.8.16 [Nov 10 20:00:38] [<ffffffff81003b1b>] overflow+0x2b/0x30
10.10.8.16 [Nov 10 20:00:38] [<ffffffff815be3f7>] ? bad_gs+0x310d/0x7886
10.10.8.16 [Nov 10 20:00:38] [<ffffffff811282a8>] __fput+0x198/0x1f0
10.10.8.16 [Nov 10 20:00:38] [<ffffffff81128325>] fput+0x25/0x30
10.10.8.16 [Nov 10 20:00:38] [<ffffffff81123b98>] filp_close+0x58/0x90
10.10.8.16 [Nov 10 20:00:38] [<ffffffff81123c9c>] sys_close+0xcc/0x1c0
10.10.8.16 [Nov 10 20:00:38] [<ffffffff81002d10>] system_call_done+0x0/0x5
10.10.8.16 [Nov 10 20:00:38] CPU 17
10.10.8.16 [Nov 10 20:00:38] Modules linked in: libsas x_tables ip_tables isci logconsole(P) tipc ipmi_msghandler ipmi_si i2c_core sg i2c_i801 ipv6 ipmi_devintf sctp dummy ipmi_watchdog binfmt_misc bonding [last unloaded: scsi_wait_scan]
lkm5425
 
Posts: 2
Joined: Mon Dec 09, 2013 3:28 am

Re: refcount overflow

Postby PaX Team » Mon Dec 09, 2013 7:42 am

this is a very old kernel that we stopped supporting and have since fixed several refcount overflow problems (mostly false positives) so please try a newer kernel first. to be on the safe side though if you still have the corresponding vmlinux then send it to me and i'll take a look (and if you applied any patches on top of grsec, i'll need them as well).
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: refcount overflow

Postby lkm5425 » Wed Dec 18, 2013 2:14 am

I found the problem with the code below :)
thx for your answer.
--------------------------------------------------
#include <stdio.h>
#include <sys/epoll.h>
#include <unistd.h>     /* close() */

int main(int argc, char * argv[])
{
    int fd = 0;

    /* Create and close an epoll instance over and over; on the 2.6.34 grsec
       kernel above this loop eventually trips the refcount overflow report. */
    while(1)
    {
        fd = epoll_create(1);
        close(fd);
    }
    return 0;
}
lkm5425
 
Posts: 2
Joined: Mon Dec 09, 2013 3:28 am
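To make the mechanism behind the reports in the first post and the reproducer above concrete, here is an added C model (not kernel or PaX code, and not from this thread) of a 32-bit reference counter with and without PaX REFCOUNT-style overflow checking. It assumes a leaking get/put pair, i.e. each iteration takes a reference and never drops it, which is one way a loop like the epoll_create()/close() reproducer could push a counter to its limit over weeks; the starting value and the site name "leak_refs" are constructed.

```c
/* Constructed model of a kernel-style 32-bit reference counter, with and
 * without PaX REFCOUNT-style overflow checking. Not kernel or PaX code. */
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef struct { int32_t counter; } atomic_t;
/* Unprotected increment: silent two's-complement wrap, like a plain atomic_inc(). */
static void atomic_inc_plain(atomic_t *v)
{
    v->counter = (int32_t)((uint32_t)v->counter + 1u);
}

/* Checked increment modelled on PaX REFCOUNT: test the add for signed overflow;
 * on overflow leave the counter at INT32_MAX, report it like the "PAX: refcount
 * overflow detected in:" lines in the log above, and return false. */
static bool atomic_inc_checked(atomic_t *v, const char *site)
{
    int32_t res;
    if (__builtin_add_overflow(v->counter, 1, &res)) {
        printf("PAX: refcount overflow detected in: %s\n", site);
        return false;
    }
    v->counter = res;
    return true;
}

/* Simulate a leaking get/put pair: every iteration takes a reference and never
 * drops it. start is a constructed initial count (pick it near INT32_MAX to reach
 * the wrap in a few steps instead of weeks); returns the final counter value. */
static int32_t leak_refs(int32_t start, long iterations, bool checked)
{
    atomic_t ref = { start };
    for (long i = 0; i < iterations; i++) {
        if (!checked)
            atomic_inc_plain(&ref);
        else if (!atomic_inc_checked(&ref, "leak_refs"))
            break;  /* the kernel would trap and kill the task here */
    }
    return ref.counter;
}

int main(void)
{
    printf("unchecked: %d\n", leak_refs(INT32_MAX - 2, 5, false)); /* wraps negative */
    printf("checked:   %d\n", leak_refs(INT32_MAX - 2, 5, true));  /* stays at INT32_MAX */
    return 0;
}
```

The unchecked counter wraps to a negative value, after which a later put can drop it to zero while references still exist; the checked one stops at the limit and reports, which is what the kernel above did to callMCH and alarmCMH.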

Re: refcount overflow

Postby PaX Team » Wed Dec 18, 2013 8:07 pm

this doesn't trigger anything for me on 3.12 so i guess the underlying problem has been fixed since.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm
