[grsec] kdeinit causes scheduling while atomic

Will Simoneau simoneau at ele.uri.edu
Tue Jul 18 09:58:17 EDT 2006


A scheduling while atomic just started showing up in the kernel log on
my machine, which unfortunately is running an odd combination of
non-vanilla patches. Maybe someone who knows at least some of the code
can give me some hints tracking this down? Or maybe the grsecurity folks
have an idea?

Patches applied on top of 2.6.17.6:
grsecurity-2.1.9-2.6.17.4-200607120947
suspend2-2.2.7-for-2.6.17 (without 9920-linus-basic-trace - that plus
grsecurity gives rejects on vmlinux.lds.S)

System is running Gentoo, the compiler is gcc 3.4.6 with pie & ssp
although those features are turned off when compiling a kernel by the
specs file. Userland is compiled with -fstack-protector, and I am using
SEGMEXEC for userland NX support.

I have two different traces and some PaX output, here they all are:
---cut here---
BUG: scheduling while atomic: kdeinit/0x00000002/31816
 <c0345c9c> schedule+0x53e/0x674  <c0346657> schedule_timeout+0x4d/0x9a
 <c0152a12> process_timeout+0x0/0x5  <c0145954> sched_fork+0x51/0x86
 <c01483aa> copy_process+0x614/0xdea  <c0148c66> do_fork+0x75/0x1b2
 <c019864d> vfs_write+0xec/0x16e  <c012dbf5> sys_clone+0x32/0x36
 <c012f057> syscall_call+0x7/0xb  <c012007b> init_script_binfmt+0x6/0xa
---end cut----

---cut here---
BUG: scheduling while atomic: kdeinit/0x00000002/31816
 <c0345c9c> schedule+0x53e/0x674  <c0346657> schedule_timeout+0x4d/0x9a
 <c0152a12> process_timeout+0x0/0x5  <c0145954> sched_fork+0x51/0x86
 <c01483aa> copy_process+0x614/0xdea  <c0148c66> do_fork+0x75/0x1b2
 <c012dbf5> sys_clone+0x32/0x36  <c012f057> syscall_call+0x7/0xb
 <c013007b> irq_entries_start+0xecb/0xef0 
---end cut----

---cut here---
PAX: execution attempt in: <NULL>, 00000000-00000000 00000000
PAX: terminating task: /usr/kde/3.5/bin/konqueror(konqueror):21177, uid/euid: 1000/1000, PC: 00000010, SP: 5953cf80
PAX: bytes at PC: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 
PAX: bytes at SP-4: 00000010 00000003 5953cfb0 00000000 0000000a 0000001c 40488ef8 0000001d 5618e6e0 40083d30 00000000 00000003 55efdb83 40189c00 56108d92 56b09377 5618e6e0 5953d000 00000006 404eadb8 55f2bef8 
---end cut----

Call of a null function pointer?

Sometimes konqueror is killed by PaX, sometimes it dies on its own (I
think with a segfault). I can reproduce this 100% of the time by firing
up Konqueror and going to www.wikipedia.org, just before the front page
loads the window dissapears and leave those traces behind. Other sites
seem to work fine. The process either segfaults or is killed by PaX
immediately after causing the scheduling while atomic.

In the terminal where I start konqueror I see this (when PaX does the
killing):

---cut here---
Try to load libthai dynamically...
Error, can't load libthai...
zsh: killed     konqueror
---end cut----

... which seems to be an old unsolved bug in qt.

Do I or anybody else have any hope of tracking this down? It almost
sounds like an interaction of multiple bugs.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://grsecurity.net/pipermail/grsecurity/attachments/20060718/70f3645a/attachment.pgp


More information about the grsecurity mailing list