[Crash-utility] Heads up -- live system "failure" on later x86_64 Fedora kernels

Dave Anderson anderson at redhat.com
Thu Apr 26 20:27:38 UTC 2007


If you see this when running on live 2.6.19 or later Fedora x86_64 kernels:

  # crash

  crash 4.0-3.22
  Copyright (C) 2002, 2003, 2004, 2005, 2006, 2007  Red Hat, Inc.
  Copyright (C) 2004, 2005, 2006  IBM Corporation
  Copyright (C) 1999-2006  Hewlett-Packard Co
  Copyright (C) 2005, 2006  Fujitsu Limited
  Copyright (C) 2006, 2007  VA Linux Systems Japan K.K.
  Copyright (C) 2005  NEC Corporation
  Copyright (C) 1999, 2002  Silicon Graphics, Inc.
  Copyright (C) 1999, 2000, 2001, 2002  Mission Critical Linux, Inc.
  This program is free software, covered by the GNU General Public License,
  and you are welcome to change it and/or distribute copies of it under
  certain conditions.  Enter "help copying" to see the conditions.
  This program has absolutely no warranty.  Enter "help warranty" for details.

  GNU gdb 6.1
  Copyright 2004 Free Software Foundation, Inc.
  GDB is free software, covered by the GNU General Public License, and you are
  welcome to change it and/or distribute copies of it under certain conditions.
  Type "show copying" to see the conditions.
  There is absolutely no warranty for GDB.  Type "show warranty" for details.
  This GDB was configured as "x86_64-unknown-linux-gnu"...

  crash: read error: kernel virtual address: ffffffff8062a180  type: "xtime"

  #

It's not a crash bug.  And it can be worked around by entering:

  # crash /dev/mem

The problem is with the intermingling of upstream and Red Hat kernels,
where in the 2.6.18+ timeframe, Andi Kleen made the x86_64 e820
map __initdata.  That's OK for upstream kernels, because the x86_64
e820 map is not used during runtime.

But because Red Hat kernels impose a restriction on /dev/mem
to only allow access to the first 256 pages of RAM, an x86_64
version of page_is_ram() is also necessary for Red Hat kernels.
Furthermore, for live system analysis, I had to create a Red Hat
"/dev/crash" driver to access live kernel memory, and it also uses
page_is_ram() as a memory qualifier -- which ends up looking at
reallocated garbage data as the e820 map, and fails.

Interestingly enough, the bug opens the flood-gates for /dev/mem
because of this:

  /*
   * devmem_is_allowed() checks to see if /dev/mem access to a certain address is
   * valid. The argument is a physical page number.
   *
   *
   * On x86-64, access has to be given to the first megabyte of ram because that area
   * contains bios code and data regions used by X and dosemu and similar apps.
   * Access has to be given to non-kernel-ram areas as well, these contain the PCI
   * mmio resources as well as potential bios/acpi data regions.
   */
  int devmem_is_allowed(unsigned long pagenr)
  {
          if (pagenr <= 256)
                  return 1;
          if (!page_is_ram(pagenr))
                  return 1;
          return 0;
  }

If a page frame above 256 is requested it's only supposed to be
acceptable if it's *not* RAM -- but since page_is_ram() is failing,
*anything* is accepted.

And so this inadvertently allows /dev/mem to be used by crash,
as is done for non-Red Hat kernels.

Conceivably there could be a scenario where the garbage data
may contain something that would cause page_is_ram() to
return successfully, in which case even using the crash /dev/mem
command line argument could potentially cause crash to fail.  But in
that case, there is no workaround.

In any case, the bug will be fixed in subsequent Fedora kernels.

Dave
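
A user-space model of the fail-open behaviour described in the post, added here as an illustration and not taken from the Red Hat kernel or the crash sources. The e820map layout, the page_is_ram() body and the three sample maps are constructed assumptions; only the devmem_is_allowed() logic follows the code quoted above.

```c
#include <stdio.h>

#define E820_RAM   1
#define PAGE_SHIFT 12
#define MAX_ENT    4

struct e820entry { unsigned long long addr, size; unsigned type; };
struct e820map   { int nr_map; struct e820entry map[MAX_ENT]; };

/* Simplified model (assumption): a page is RAM if an E820_RAM entry covers it. */
static int page_is_ram(const struct e820map *m, unsigned long pagenr)
{
    unsigned long long pa = (unsigned long long)pagenr << PAGE_SHIFT;
    for (int i = 0; i < m->nr_map && i < MAX_ENT; i++) {
        const struct e820entry *e = &m->map[i];
        if (e->type == E820_RAM && pa >= e->addr && pa - e->addr < e->size)
            return 1;
    }
    return 0;
}

/* Same decision logic as the quoted function; the map is passed in for testing. */
static int devmem_is_allowed(const struct e820map *m, unsigned long pagenr)
{
    if (pagenr <= 256)
        return 1;
    if (!page_is_ram(m, pagenr))
        return 1;               /* "not RAM" and "lookup broken" look identical */
    return 0;
}

/* Constructed sample maps. */
static const struct e820map intact = { 2, {       /* RAM: 0-636K and 1M-1G */
    { 0x0ULL, 0x9f000ULL, E820_RAM }, { 0x100000ULL, 0x3ff00000ULL, E820_RAM } } };
static const struct e820map garbage = { 3, {      /* reused memory, junk types */
    { 0xdeadbeef000ULL, 0x10ULL, 0x6b6b6b6bU }, { 0x5a5a5a5aULL, 0x0ULL, 0x0U },
    { 0x0ULL, 0x40000000ULL, 0xffffffffU } } };
static const struct e820map garbage_ram = { 1, {  /* junk that happens to say RAM */
    { 0x0ULL, ~0ULL, E820_RAM } } };

int main(void)
{
    unsigned long ram_page = 0x2000;              /* physical 32 MB */
    printf("intact map:       allowed=%d\n", devmem_is_allowed(&intact, ram_page));
    printf("garbage map:      allowed=%d\n", devmem_is_allowed(&garbage, ram_page));
    printf("garbage-as-RAM:   allowed=%d\n", devmem_is_allowed(&garbage_ram, ram_page));
    return 0;
}
```

The second case is the one the post reports: a RAM page above 256 is granted because the lookup cannot tell "not RAM" from "map unreadable". The third is the scenario in which even the /dev/mem argument would fail.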





