
Bug#611534: linux-image-2.6.26-2-xen-amd64: fix for CVE-2010-3699 instead broke xen dom0 and domU if using blktap



Package: linux-image-2.6.26-2-xen-amd64
Version: 2.6.26-26lenny1
Severity: critical
Justification: breaks the whole system


I've recently updated kernels from the Debian security repo:
linux-image-2.6.26-2-xen-amd64 2.6.26-26lenny2
supposed to address CVE-2010-3699

but it instead makes dom0 and domU unusable and even freezes dom0.
This happens only if using blktap2, i.e. tap:aio in xen config,
perhaps not working by default on lenny because of a missing link
(I filed a bug ages ago)

I'm attaching some kernel logs

I had to revert back to lenny1 version


Regards


-- System Information:
Debian Release: 5.0.8
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-2-xen-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages linux-image-2.6.26-2-xen-amd64 depends on:
ii  initramfs-tools          0.92o           tools for generating an initramfs
ii  linux-modules-2.6.26-2-x 2.6.26-26lenny1 Linux 2.6.26 modules on AMD64

linux-image-2.6.26-2-xen-amd64 recommends no packages.

Versions of packages linux-image-2.6.26-2-xen-amd64 suggests:
ii  grub                       0.97-47lenny2 GRand Unified Bootloader (Legacy v
pn  linux-doc-2.6.26           <none>        (no description available)

-- no debconf information

Jan 30 13:57:46 falco vmunix: [   33.563652] eth0: no IPv6 routers present
Jan 30 13:57:48 falco vmunix: [   35.816480] blktap: ring-ref 8, event-channel 8, protocol 1 (x86_64-abi)
Jan 30 13:57:48 falco vmunix: [   35.819397] blktap: ring-ref 9, event-channel 9, protocol 1 (x86_64-abi)
Jan 30 13:57:53 falco vmunix: [   39.939113] vif1.0: no IPv6 routers present
Jan 30 13:58:00 falco vmunix: [   47.206907] vif2.0: no IPv6 routers present
Jan 30 13:58:28 falco vmunix: [   75.934833] BUG: unable to handle kernel paging request at ffff880072452b38
Jan 30 13:58:28 falco vmunix: [   75.934833] IP: [<ffffffff80436b6b>] _spin_lock_irqsave+0x2d/0x72
Jan 30 13:58:28 falco vmunix: [   75.934833] PGD 1f7f067 PUD 2181067 PMD 2314067 PTE 8010000072452065
Jan 30 13:58:28 falco vmunix: [   75.934833] Oops: 0003 [1] SMP 
Jan 30 13:58:28 falco vmunix: [   75.934833] CPU 0 
Jan 30 13:58:28 falco vmunix: [   75.934833] Modules linked in: xt_tcpudp xt_physdev iptable_filter ip_tables x_tables bridge netloop ipv6 loop i2c_piix4 pcspkr k8temp snd_hda_intel i2c_core snd_pcm snd_timer snd soundcore snd_page_alloc button shpchp pci_hotplug evdev ext3 jbd mbcache dm_mirror dm_log dm_snapshot dm_mod ehci_hcd ohci_hcd r8169 sd_mod thermal processor fan thermal_sys xenblktap raid1 raid0 md_mod atiixp ahci sata_nv sata_sil sata_via libata dock via82cxxx ide_core 3w_9xxx 3w_xxxx scsi_mod [last unloaded: scsi_wait_scan]
Jan 30 13:58:28 falco vmunix: [   75.934833] Pid: 2883, comm: tapdisk Not tainted 2.6.26-2-xen-amd64 #1
Jan 30 13:58:28 falco vmunix: [   75.934833] RIP: e030:[<ffffffff80436b6b>]  [<ffffffff80436b6b>] _spin_lock_irqsave+0x2d/0x72
Jan 30 13:58:28 falco vmunix: [   75.934833] RSP: e02b:ffff880032f8ddd8  EFLAGS: 00010056
Jan 30 13:58:28 falco vmunix: [   75.934833] RAX: 0000000000000100 RBX: ffff880072452b38 RCX: 0000000000000000
Jan 30 13:58:28 falco vmunix: [   75.934833] RDX: ffffffffff5f7000 RSI: 000000000000001c RDI: ffff880072452b38
Jan 30 13:58:28 falco vmunix: [   75.934833] RBP: 0000000000000000 R08: ffff880032f8db90 R09: 0000000000000000
Jan 30 13:58:28 falco vmunix: [   75.934833] R10: 0000000000000009 R11: ffff880000000000 R12: ffff880072452b00
Jan 30 13:58:28 falco vmunix: [   75.934833] R13: ffff8800724aa1d0 R14: ffff880072452b38 R15: 0000000000000016
Jan 30 13:58:28 falco vmunix: [   75.934833] FS:  00007f5c0f4106e0(0000) GS:ffffffff8053a000(0000) knlGS:0000000000000000
Jan 30 13:58:28 falco vmunix: [   75.934833] CS:  e033 DS: 0000 ES: 0000
Jan 30 13:58:28 falco vmunix: [   75.934833] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
Jan 30 13:58:28 falco vmunix: [   75.934833] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Jan 30 13:58:28 falco vmunix: [   75.934833] Process tapdisk (pid: 2883, threadinfo ffff880032f8c000, task ffff880071095780)
Jan 30 13:58:28 falco vmunix: [   75.934833] Stack:  0000000000000000 0000000000000000 ffff88000000001a ffff880032fb9e80
Jan 30 13:58:28 falco vmunix: [   75.934833]  ffff880072452b10 ffffffffa00d1efe 0000000000000000 ffff8800724dae40
Jan 30 13:58:28 falco vmunix: [   75.934833]  000000000000001c 0000000000003c00 0000000000000000 ffff880032fb9e80
Jan 30 13:58:28 falco vmunix: [   75.934833] Call Trace:
Jan 30 13:58:28 falco vmunix: [   75.934833]  [<ffffffffa00d1efe>] :xenblktap:make_response+0x2f/0x15d
Jan 30 13:58:28 falco vmunix: [   75.934833]  [<ffffffffa00d2552>] :xenblktap:blktap_ioctl+0x24d/0x43b
Jan 30 13:58:28 falco vmunix: [   75.934833]  [<ffffffff80296b41>] vfs_ioctl+0x55/0x6b
Jan 30 13:58:28 falco vmunix: [   75.934833]  [<ffffffff80296d9f>] do_vfs_ioctl+0x248/0x261
Jan 30 13:58:28 falco vmunix: [   75.934833]  [<ffffffff80296e09>] sys_ioctl+0x51/0x70
Jan 30 13:58:28 falco vmunix: [   75.934833]  [<ffffffff8020b528>] system_call+0x68/0x6d
Jan 30 13:58:28 falco vmunix: [   75.934833]  [<ffffffff8020b4c0>] system_call+0x0/0x6d
Jan 30 13:58:28 falco vmunix: [   75.934833] 
Jan 30 13:58:28 falco vmunix: [   75.934833] 
Jan 30 13:58:28 falco vmunix: [   75.934833] Code: 48 89 fb 48 83 ec 18 48 8b 15 b2 a3 0c 00 65 8b 04 25 24 00 00 00 89 c0 48 c1 e0 06 0f b6 6c 10 01 c6 44 10 01 01 b8 00 01 00 00 <f0> 66 0f c1 07 89 44 24 14 8b 44 24 14 ba 00 04 00 00 38 e0 74 
Jan 30 13:58:28 falco vmunix: [   75.943422] RIP  [<ffffffff80436b6b>] _spin_lock_irqsave+0x2d/0x72
Jan 30 13:58:28 falco vmunix: [   75.943422]  RSP <ffff880032f8ddd8>
Jan 30 13:58:28 falco vmunix: [   75.943422] CR2: ffff880072452b38
Jan 30 13:58:28 falco vmunix: [   75.943422] ---[ end trace aa759babcdf2114f ]---
Jan 30 13:58:28 falco vmunix: [   75.949127] BUG: unable to handle kernel paging request at ffff880072452e38
Jan 30 13:58:28 falco vmunix: [   75.949339] IP: [<ffffffff80436b6b>] _spin_lock_irqsave+0x2d/0x72
Jan 30 13:58:28 falco vmunix: [   75.949473] PGD 1f7f067 PUD 2181067 PMD 2314067 PTE 8010000072452065
Jan 30 13:58:28 falco vmunix: [   75.949790] Oops: 0003 [2] SMP 
Jan 30 13:58:28 falco vmunix: [   75.949981] CPU 0 
Jan 30 13:58:28 falco vmunix: [   75.950110] Modules linked in: xt_tcpudp xt_physdev iptable_filter ip_tables x_tables bridge netloop ipv6 loop i2c_piix4 pcspkr k8temp snd_hda_intel i2c_core snd_pcm snd_timer snd soundcore snd_page_alloc button shpchp pci_hotplug evdev ext3 jbd mbcache dm_mirror dm_log dm_snapshot dm_mod ehci_hcd ohci_hcd r8169 sd_mod thermal processor fan thermal_sys xenblktap raid1 raid0 md_mod atiixp ahci sata_nv sata_sil sata_via libata dock via82cxxx ide_core 3w_9xxx 3w_xxxx scsi_mod [last unloaded: scsi_wait_scan]
Jan 30 13:58:28 falco vmunix: [   75.953047] Pid: 3147, comm: tapdisk Tainted: G      D   2.6.26-2-xen-amd64 #1
Jan 30 13:58:28 falco vmunix: [   75.953047] RIP: e030:[<ffffffff80436b6b>]  [<ffffffff80436b6b>] _spin_lock_irqsave+0x2d/0x72
Jan 30 13:58:28 falco vmunix: [   75.953047] RSP: e02b:ffff880011b6bdd8  EFLAGS: 00010056
Jan 30 13:58:28 falco vmunix: [   75.953047] RAX: 0000000000000100 RBX: ffff880072452e38 RCX: 0000000000000000
Jan 30 13:58:28 falco vmunix: [   75.953047] RDX: ffffffffff5f7000 RSI: 000000000000000b RDI: ffff880072452e38
Jan 30 13:58:28 falco vmunix: [   75.953047] RBP: 0000000000000000 R08: ffff880011b6bb90 R09: 0000000000000000
Jan 30 13:58:28 falco vmunix: [   75.953047] R10: 0000000000000045 R11: ffff880000000000 R12: ffff880072452e00
Jan 30 13:58:28 falco vmunix: [   75.953047] R13: ffff880011b61d80 R14: ffff880072452e38 R15: 0000000000000000
Jan 30 13:58:28 falco vmunix: [   75.953047] FS:  00007f2a30a896e0(0000) GS:ffffffff8053a000(0000) knlGS:0000000000000000
Jan 30 13:58:28 falco vmunix: [   75.953047] CS:  e033 DS: 0000 ES: 0000
Jan 30 13:58:28 falco vmunix: [   75.953047] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
Jan 30 13:58:28 falco vmunix: [   75.953047] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Jan 30 13:58:28 falco vmunix: [   75.953047] Process tapdisk (pid: 3147, threadinfo ffff880011b6a000, task ffff8800735a2240)
Jan 30 13:58:28 falco vmunix: [   75.953047] Stack:  0000000000000000 0000000000000000 ffff88000000001f ffff880011b61e80
Jan 30 13:58:28 falco vmunix: [   75.953047]  ffff880072452e10 ffffffffa00d1efe 0000000000000000 ffff8800724dab40
Jan 30 13:58:28 falco vmunix: [   75.953047]  000000000000000b 0000000000000f00 0000000000000000 ffff880011b61e80
Jan 30 13:58:28 falco vmunix: [   75.953047] Call Trace:
Jan 30 13:58:28 falco vmunix: [   75.953047]  [<ffffffffa00d1efe>] :xenblktap:make_response+0x2f/0x15d
Jan 30 13:58:28 falco vmunix: [   75.953047]  [<ffffffffa00d2552>] :xenblktap:blktap_ioctl+0x24d/0x43b
Jan 30 13:58:28 falco vmunix: [   75.953047]  [<ffffffff80296b41>] vfs_ioctl+0x55/0x6b
Jan 30 13:58:28 falco vmunix: [   75.953047]  [<ffffffff80296d9f>] do_vfs_ioctl+0x248/0x261
Jan 30 13:58:28 falco vmunix: [   75.953047]  [<ffffffff80296e09>] sys_ioctl+0x51/0x70
Jan 30 13:58:28 falco vmunix: [   75.953047]  [<ffffffff8020b528>] system_call+0x68/0x6d
Jan 30 13:58:28 falco vmunix: [   75.953047]  [<ffffffff8020b4c0>] system_call+0x0/0x6d
Jan 30 13:58:28 falco vmunix: [   75.953047] 
Jan 30 13:58:28 falco vmunix: [   75.953047] 
Jan 30 13:58:28 falco vmunix: [   75.953047] Code: 48 89 fb 48 83 ec 18 48 8b 15 b2 a3 0c 00 65 8b 04 25 24 00 00 00 89 c0 48 c1 e0 06 0f b6 6c 10 01 c6 44 10 01 01 b8 00 01 00 00 <f0> 66 0f c1 07 89 44 24 14 8b 44 24 14 ba 00 04 00 00 38 e0 74 
Jan 30 13:58:28 falco vmunix: [   75.953047] RIP  [<ffffffff80436b6b>] _spin_lock_irqsave+0x2d/0x72
Jan 30 13:58:28 falco vmunix: [   75.953047]  RSP <ffff880011b6bdd8>
Jan 30 13:58:28 falco vmunix: [   75.953047] CR2: ffff880072452e38
Jan 30 13:58:28 falco vmunix: [   75.953047] ---[ end trace aa759babcdf2114f ]---
Jan 30 14:00:58 falco vmunix: [  225.356070] BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
Jan 30 14:00:58 falco vmunix: [  225.356070] IP: [<ffffffff8023f817>] prepare_to_wait+0x2d/0x64
Jan 30 14:00:58 falco vmunix: [  225.356070] PGD 7202a067 PUD 724fc067 PMD 0 
Jan 30 14:00:58 falco vmunix: [  225.356070] Oops: 0002 [3] SMP 
Jan 30 14:00:58 falco vmunix: [  225.356070] CPU 1 
Jan 30 14:00:58 falco vmunix: [  225.356070] Modules linked in: xt_tcpudp xt_physdev iptable_filter ip_tables x_tables bridge netloop ipv6 loop i2c_piix4 pcspkr k8temp snd_hda_intel i2c_core snd_pcm snd_timer snd soundcore snd_page_alloc button shpchp pci_hotplug evdev ext3 jbd mbcache dm_mirror dm_log dm_snapshot dm_mod ehci_hcd ohci_hcd r8169 sd_mod thermal processor fan thermal_sys xenblktap raid1 raid0 md_mod atiixp ahci sata_nv sata_sil sata_via libata dock via82cxxx ide_core 3w_9xxx 3w_xxxx scsi_mod [last unloaded: scsi_wait_scan]
Jan 30 14:00:58 falco vmunix: [  225.360032] Pid: 23, comm: xenwatch Tainted: G      D   2.6.26-2-xen-amd64 #1
Jan 30 14:00:58 falco vmunix: [  225.360032] RIP: e030:[<ffffffff8023f817>]  [<ffffffff8023f817>] prepare_to_wait+0x2d/0x64
Jan 30 14:00:58 falco vmunix: [  225.360032] RSP: e02b:ffff880073587d10  EFLAGS: 00010046
Jan 30 14:00:58 falco vmunix: [  225.360032] RAX: 0000000000000000 RBX: ffff880073587d30 RCX: ffff880073587d48
Jan 30 14:00:58 falco vmunix: [  225.360071] RDX: ffff880072452c58 RSI: 0000000000000000 RDI: ffff880072452c50
Jan 30 14:00:58 falco vmunix: [  225.360071] RBP: ffff880072452c50 R08: ffff880073586000 R09: ffff880072b7f8c8
Jan 30 14:00:58 falco vmunix: [  225.360071] R10: ffff880081649000 R11: ffff880072b7f8c8 R12: 0000000000000002
Jan 30 14:00:58 falco vmunix: [  225.360071] R13: ffffffff8057c580 R14: ffffffff8057d1c0 R15: 0000000000000000
Jan 30 14:00:58 falco vmunix: [  225.360071] FS:  00007fdf51a646e0(0000) GS:ffffffff8053a080(0000) knlGS:0000000000000000
Jan 30 14:00:58 falco vmunix: [  225.360071] CS:  e033 DS: 0000 ES: 0000
Jan 30 14:00:58 falco vmunix: [  225.360071] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
Jan 30 14:00:58 falco vmunix: [  225.360071] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Jan 30 14:00:58 falco vmunix: [  225.360071] Process xenwatch (pid: 23, threadinfo ffff880073586000, task ffff88007355e180)
Jan 30 14:00:58 falco vmunix: [  225.360071] Stack:  ffff880072452bc0 ffff880072452c50 ffff8800725eeda8 ffffffffa00d18d9
Jan 30 14:00:58 falco vmunix: [  225.360071]  0000000000000000 ffff88007355e180 ffffffff8023f6d9 ffff880073587d48
Jan 30 14:00:58 falco vmunix: [  225.360071]  ffff880073587d48 ffff8800725eec00 ffff880070b33800 ffff8800725eec00
Jan 30 14:00:58 falco vmunix: [  225.360071] Call Trace:
Jan 30 14:00:58 falco vmunix: [  225.360071]  [<ffffffffa00d18d9>] ? :xenblktap:tap_blkif_free+0x5f/0x97
Jan 30 14:00:58 falco vmunix: [  225.360071]  [<ffffffff8023f6d9>] ? autoremove_wake_function+0x0/0x2e
Jan 30 14:00:58 falco vmunix: [  225.360071]  [<ffffffffa00d10dd>] ? :xenblktap:blktap_remove+0x6e/0x8f
Jan 30 14:00:58 falco vmunix: [  225.360071]  [<ffffffff803847b4>] ? xenbus_dev_remove+0x33/0x46
Jan 30 14:00:58 falco vmunix: [  225.360071]  [<ffffffff803795e0>] ? __device_release_driver+0x74/0x97
Jan 30 14:00:58 falco vmunix: [  225.360071]  [<ffffffff80379624>] ? device_release_driver+0x21/0x2d
Jan 30 14:00:58 falco vmunix: [  225.360071]  [<ffffffff80378b11>] ? bus_remove_device+0x8d/0xa1
Jan 30 14:00:58 falco vmunix: [  225.360071]  [<ffffffff8037784b>] ? device_del+0xf8/0x15d
Jan 30 14:00:58 falco vmunix: [  225.360071]  [<ffffffff803778b9>] ? device_unregister+0x9/0x12
Jan 30 14:00:58 falco vmunix: [  225.360071]  [<ffffffffa00d163c>] ? :xenblktap:tap_frontend_changed+0x1f9/0x227
Jan 30 14:00:58 falco vmunix: [  225.360071]  [<ffffffff80381d89>] ? xenbus_read_driver_state+0x26/0x3b
Jan 30 14:00:58 falco vmunix: [  225.360071]  [<ffffffff8038464e>] ? otherend_changed+0x42/0x87
Jan 30 14:00:58 falco vmunix: [  225.360071]  [<ffffffff803833ef>] ? xenwatch_thread+0x0/0x186
Jan 30 14:00:58 falco vmunix: [  225.360071]  [<ffffffff80382acd>] ? xenwatch_handle_callback+0x15/0x48
Jan 30 14:00:58 falco vmunix: [  225.360071]  [<ffffffff8038355c>] ? xenwatch_thread+0x16d/0x186
Jan 30 14:00:58 falco vmunix: [  225.360071]  [<ffffffff8023f6d9>] ? autoremove_wake_function+0x0/0x2e
Jan 30 14:00:58 falco vmunix: [  225.360071]  [<ffffffff8023f5ab>] ? kthread+0x47/0x74
Jan 30 14:00:58 falco vmunix: [  225.360071]  [<ffffffff802282ec>] ? schedule_tail+0x27/0x5c
Jan 30 14:00:58 falco vmunix: [  225.360071]  [<ffffffff8020be28>] ? child_rip+0xa/0x12
Jan 30 14:00:58 falco vmunix: [  225.360071]  [<ffffffff8023f564>] ? kthread+0x0/0x74
Jan 30 14:00:58 falco vmunix: [  225.360071]  [<ffffffff8020be1e>] ? child_rip+0x0/0x12
Jan 30 14:00:58 falco vmunix: [  225.360071] 
Jan 30 14:00:58 falco vmunix: [  225.360071] 
Jan 30 14:00:58 falco vmunix: [  225.360071] Code: 41 89 d4 55 48 89 fd 53 83 26 fe 48 89 f3 e8 3f 73 1f 00 48 8b 4b 18 48 89 c6 48 8d 43 18 48 39 c1 75 18 48 8b 45 08 48 8d 55 08 <48> 89 48 08 48 89 43 18 48 89 51 08 48 89 4d 08 48 85 db 74 07 
Jan 30 14:00:58 falco vmunix: [  225.360071] RIP  [<ffffffff8023f817>] prepare_to_wait+0x2d/0x64
Jan 30 14:00:58 falco vmunix: [  225.360071]  RSP <ffff880073587d10>
Jan 30 14:00:58 falco vmunix: [  225.360071] CR2: 0000000000000008
Jan 30 14:00:58 falco vmunix: [  225.360071] ---[ end trace aa759babcdf2114f ]---
