DETECT: Task: 'off' flag corruption for pid #329

Open
80kk opened this issue Apr 3, 2024 · 25 comments
Labels
bug Something isn't working

Comments

@80kk

80kk commented Apr 3, 2024

I just started with LKRG by building it for Ubuntu 22.04 with the 5.15.0-101-generic kernel. So far it seems to be working fine; however, I am getting this every day:

[Tue Apr  2 15:06:10 2024] LKRG: ALERT: DETECT: Task: 'off' flag corruption for pid 81271, name runc:[2:INIT]
[Tue Apr  2 15:06:10 2024] LKRG: ALERT: BLOCK: Task: Killing pid 81271, name runc:[2:INIT]

[Wed Apr  3 07:55:04 2024] LKRG: ALERT: DETECT: Task: 'off' flag corruption for pid 335824, name runc:[2:INIT]
[Wed Apr  3 07:55:04 2024] LKRG: ALERT: BLOCK: Task: Killing pid 335824, name runc:[2:INIT]

The host is running Docker containers for Mailcow. While none of the containers were restarted/killed, it looks more like it prevents a new container from starting?

@solardiz solardiz added the bug Something isn't working label Apr 4, 2024
@solardiz
Contributor

solardiz commented Apr 4, 2024

Thank you for reporting this! It looks similar to #215, but we thought we had it fixed via #224. So if you're using our latest code, either the issue is completely different or our fix was somehow incomplete or inapplicable to some kernels.

@80kk
Author

80kk commented Apr 5, 2024

@solardiz
I was looking for #215 first and indeed thought it's been resolved and this is something new. I've checked Docker logs and found only one match:

[Thu Apr  4 06:51:29 2024] LKRG: ALERT: DETECT: Task: 'off' flag corruption for pid 148205, name runc:[2:INIT]
[Thu Apr  4 06:51:29 2024] LKRG: ALERT: BLOCK: Task: Killing pid 148205, name runc:[2:INIT]
2024-04-04T06:51:30.104+02:00  common.go:121 ▶ ERROR [Job "dovecot_imapsync_runner" (c49c28b67a70)] StdOut: OCI runtime exec failed: exec failed: unable to start container process: read init-p: connection reset by peer: unknown
2024-04-04T06:51:30.104+02:00  common.go:121 ▶ ERROR [Job "dovecot_imapsync_runner" (c49c28b67a70)] Finished in "95.941657ms", failed: true, skipped: false, error: error non-zero exit code: 126

Unfortunately I can't find anything for:

[Thu Apr  4 08:39:39 2024] LKRG: ALERT: DETECT: Task: 'off' flag corruption for pid 173272, name runc:[2:INIT]
[Thu Apr  4 08:39:39 2024] LKRG: ALERT: BLOCK: Task: Killing pid 173272, name runc:[2:INIT]
[Thu Apr  4 09:00:12 2024] LKRG: ALERT: DETECT: Task: 'off' flag corruption for pid 177964, name runc:[2:INIT]
[Thu Apr  4 09:00:12 2024] LKRG: ALERT: BLOCK: Task: Killing pid 177964, name runc:[2:INIT]
[Thu Apr  4 09:00:12 2024] LKRG: ALERT: DETECT: Task: 'off' flag corruption for pid 177964, name runc:[2:INIT]
[Thu Apr  4 09:00:12 2024] LKRG: ALERT: BLOCK: Task: Killing pid 177964, name runc:[2:INIT]
[Thu Apr  4 14:29:06 2024] LKRG: ALERT: DETECT: Task: 'off' flag corruption for pid 255511, name runc:[2:INIT]
[Thu Apr  4 14:29:06 2024] LKRG: ALERT: BLOCK: Task: Killing pid 255511, name runc:[2:INIT]
[Thu Apr  4 14:35:40 2024] LKRG: ALERT: DETECT: Task: 'off' flag corruption for pid 257061, name runc:[2:INIT]
[Thu Apr  4 14:35:40 2024] LKRG: ALERT: BLOCK: Task: Killing pid 257061, name runc:[2:INIT]

What is interesting is that it is not always failing for dovecot_imapsync_runner:

2024-04-04T00:55:30.341+02:00  common.go:125 ▶ NOTICE [Job "dovecot_imapsync_runner" (ffa328e93e49)] Finished in "323.480958ms", failed: false, skipped: false, error: none
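The matching of LKRG kill alerts against the job log that the comment above does by hand can be scripted. This is an added example, not part of the original thread or of LKRG; the function names, the 5-second window and the assumption that both logs share the same local clock are assumptions of the example, and the sample lines are copied from the logs quoted in this thread.

```python
"""Match LKRG 'Killing pid' alerts against failed container jobs (added example)."""
import re
from datetime import datetime, timedelta
from typing import NamedTuple, Optional

# `dmesg -T` line for an LKRG kill, in the format quoted in this thread.
KILL_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] LKRG: ALERT: BLOCK: Task: "
    r"Killing pid (?P<pid>\d+), name (?P<name>.+)$"
)
# Job scheduler "Finished" line, in the format quoted in this thread.
JOB_RE = re.compile(
    r'^(?P<ts>\S+)\s+\S+ ▶ \w+ \[Job "(?P<job>[^"]+)" \([0-9a-f]+\)\] '
    r'Finished in "[^"]+", failed: (?P<failed>true|false)'
)


class Kill(NamedTuple):
    when: datetime
    pid: int
    name: str
    job: Optional[str]  # failed job that ended right after the kill, if any


def parse_kills(dmesg_text):
    """Return unique (time, pid, name) tuples for LKRG BLOCK alerts."""
    seen, kills = set(), []
    for line in dmesg_text.splitlines():
        m = KILL_RE.match(line.strip())
        if not m:
            continue
        try:
            # Collapse the padding dmesg -T puts before single-digit days.
            when = datetime.strptime(" ".join(m["ts"].split()),
                                     "%a %b %d %H:%M:%S %Y")
        except ValueError:
            continue  # e.g. raw "[159823.065531]" uptime stamps, not handled here
        key = (when, int(m["pid"]))
        if key not in seen:  # the same alert is sometimes logged twice
            seen.add(key)
            kills.append((when, int(m["pid"]), m["name"]))
    return kills


def parse_failed_jobs(job_log_text):
    """Return (finish time, job name) for every job that reported failed: true."""
    jobs = []
    for line in job_log_text.splitlines():
        m = JOB_RE.match(line.strip())
        if m and m["failed"] == "true":
            # Assumption: the log's UTC offset is the host's local zone, so the
            # wall-clock part is directly comparable with dmesg -T output.
            when = datetime.fromisoformat(m["ts"]).replace(tzinfo=None)
            jobs.append((when, m["job"]))
    return jobs


def correlate(dmesg_text, job_log_text, window=timedelta(seconds=5)):
    """Pair each LKRG kill with a job that failed within `window` after it."""
    jobs = parse_failed_jobs(job_log_text)
    slack = timedelta(seconds=1)  # dmesg -T only has one-second resolution
    result = []
    for when, pid, name in parse_kills(dmesg_text):
        hit = next((job for t, job in jobs if -slack <= t - when <= window), None)
        result.append(Kill(when, pid, name, hit))
    return result


# Sample input: lines copied from the logs quoted in this thread.
DMESG_SAMPLE = """\
[Thu Apr  4 06:51:29 2024] LKRG: ALERT: DETECT: Task: 'off' flag corruption for pid 148205, name runc:[2:INIT]
[Thu Apr  4 06:51:29 2024] LKRG: ALERT: BLOCK: Task: Killing pid 148205, name runc:[2:INIT]
[Thu Apr  4 08:39:39 2024] LKRG: ALERT: DETECT: Task: 'off' flag corruption for pid 173272, name runc:[2:INIT]
[Thu Apr  4 08:39:39 2024] LKRG: ALERT: BLOCK: Task: Killing pid 173272, name runc:[2:INIT]
[Thu Apr  4 09:00:12 2024] LKRG: ALERT: BLOCK: Task: Killing pid 177964, name runc:[2:INIT]
[Thu Apr  4 09:00:12 2024] LKRG: ALERT: BLOCK: Task: Killing pid 177964, name runc:[2:INIT]
"""
JOB_SAMPLE = """\
2024-04-04T00:55:30.341+02:00  common.go:125 ▶ NOTICE [Job "dovecot_imapsync_runner" (ffa328e93e49)] Finished in "323.480958ms", failed: false, skipped: false, error: none
2024-04-04T06:51:30.104+02:00  common.go:121 ▶ ERROR [Job "dovecot_imapsync_runner" (c49c28b67a70)] StdOut: OCI runtime exec failed: exec failed: unable to start container process: read init-p: connection reset by peer: unknown
2024-04-04T06:51:30.104+02:00  common.go:121 ▶ ERROR [Job "dovecot_imapsync_runner" (c49c28b67a70)] Finished in "95.941657ms", failed: true, skipped: false, error: error non-zero exit code: 126
"""

if __name__ == "__main__":
    for k in correlate(DMESG_SAMPLE, JOB_SAMPLE):
        # job is None when no failed job was logged near the kill
        print(f"{k.when} pid={k.pid} name={k.name} job={k.job}")
```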

@Adam-pi3
Collaborator

Adam-pi3 commented Apr 5, 2024

Can you please try uncommenting //#define P_LKRG_TASK_OFF_DEBUG in src/modules/print_log/p_lkrg_print_log.h?

@80kk
Author

80kk commented Apr 7, 2024

> Can you please try uncommenting //#define P_LKRG_TASK_OFF_DEBUG in src/modules/print_log/p_lkrg_print_log.h?

Here is the one with debug enabled, this time with a different container:

2024-04-07T21:26:44.037+02:00  common.go:121 ▶ ERROR [Job "sogo_sessions" (2e019553b677)] StdOut: OCI runtime exec failed: runc did not terminate successfully: exit status 137: unknown
2024-04-07T21:26:44.037+02:00  common.go:121 ▶ ERROR [Job "sogo_sessions" (2e019553b677)] Finished in "29.638213ms", failed: true, skipped: false, error: error non-zero exit code: 126

dmesg:

[Sun Apr  7 21:26:42 2024] LKRG: ALERT: DETECT: Task: 'off' flag corruption for pid 305793, name runc
[Sun Apr  7 21:26:42 2024] CPU: 3 PID: 305780 Comm: runc Tainted: G           OE     5.15.0-101-generic #111-Ubuntu
[Sun Apr  7 21:26:42 2024] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014
[Sun Apr  7 21:26:42 2024] Call Trace:
[Sun Apr  7 21:26:42 2024]  <TASK>
[Sun Apr  7 21:26:42 2024]  show_stack+0x52/0x5c
[Sun Apr  7 21:26:42 2024]  dump_stack_lvl+0x4a/0x63
[Sun Apr  7 21:26:42 2024]  dump_stack+0x10/0x16
[Sun Apr  7 21:26:42 2024]  p_ed_is_off_off.part.0+0x4a6/0x583 [lkrg]
[Sun Apr  7 21:26:42 2024]  p_set_ed_process_on.cold+0xe/0x1e [lkrg]
[Sun Apr  7 21:26:42 2024]  p_seccomp_ret+0x159/0x250 [lkrg]
[Sun Apr  7 21:26:42 2024]  ? __x64_sys_seccomp+0x18/0x20
[Sun Apr  7 21:26:42 2024]  __kretprobe_trampoline_handler+0xb4/0x140
[Sun Apr  7 21:26:42 2024]  trampoline_handler+0x41/0x60
[Sun Apr  7 21:26:42 2024]  __kretprobe_trampoline+0x2a/0x60
[Sun Apr  7 21:26:42 2024] RIP: 0010:__kretprobe_trampoline+0x0/0x60
[Sun Apr  7 21:26:42 2024] Code: 89 fc e8 e3 d7 01 00 4c 89 f2 4c 89 ee 4c 89 e7 44 0f b6 c0 31 c9 e8 8f 94 3b 00 41 5c 41 5d 41 5e 5d c3 cc cc cc cc cc cc cc <54> 9c 48 83 ec 18 57 56 52 51 50 41 50 41 51 41 52 41 53 53 55 41
[Sun Apr  7 21:26:42 2024] RSP: c390ff48:ffffacb5c390fe48 EFLAGS: 00000246
[Sun Apr  7 21:26:42 2024] RAX: fffffffffffffff2 RBX: 0000000000000000 RCX: 0000000000000000
[Sun Apr  7 21:26:42 2024] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffacb5c390fde0
[Sun Apr  7 21:26:42 2024] RBP: ffffacb5c390fe48 R08: fffffffffffffff2 R09: 0000000000000000
[Sun Apr  7 21:26:42 2024] R10: ffffacb5c390fdd0 R11: 0000000000000000 R12: ffffacb5c390ff58
[Sun Apr  7 21:26:42 2024] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[Sun Apr  7 21:26:42 2024] WARNING: kernel stack regs at 00000000e52a8d30 in runc:305780 has bad 'bp' value 0000000009276f68
[Sun Apr  7 21:26:42 2024] unwind stack type:1 next_sp:0000000000000000 mask:0x2 graph_idx:0
[Sun Apr  7 21:26:42 2024]  ? do_syscall_64+0x5c/0xc0
[Sun Apr  7 21:26:42 2024]  ? exit_to_user_mode_prepare+0x37/0xb0
[Sun Apr  7 21:26:42 2024]  ? syscall_exit_to_user_mode+0x35/0x50
[Sun Apr  7 21:26:42 2024]  ? __x64_sys_seccomp+0x18/0x20
[Sun Apr  7 21:26:42 2024]  ? do_syscall_64+0x69/0xc0
[Sun Apr  7 21:26:42 2024]  ? irqentry_exit_to_user_mode+0x17/0x20
[Sun Apr  7 21:26:42 2024]  ? irqentry_exit+0x1d/0x30
[Sun Apr  7 21:26:42 2024]  ? exc_page_fault+0x89/0x170
[Sun Apr  7 21:26:42 2024]  ? entry_SYSCALL_64_after_hwframe+0x62/0xcc
[Sun Apr  7 21:26:42 2024]  </TASK>
[Sun Apr  7 21:26:42 2024] LKRG: ALERT: BLOCK: Task: Killing pid 305793, name runc

@Adam-pi3
Collaborator

Adam-pi3 commented Apr 8, 2024

Thanks @80kk, could you also enable log_level to level 4 under P_LKRG_TASK_OFF_DEBUG compilation?

@80kk
Author

80kk commented Apr 8, 2024

> Thanks @80kk, could you also enable log_level to level 4 under P_LKRG_TASK_OFF_DEBUG compilation?

How can I do this? The only log_level occurrence I found in this file is in:

// Signature in logs...
#define P_LKRG_SIGNATURE "LKRG: "

#define P_LOG_MIN   0
#define P_LOG_ALERT 0
#define P_LOG_ALIVE 1
#define P_LOG_FAULT 2
#define P_LOG_ISSUE 3
#define P_LOG_WATCH 4
#define P_LOG_DEBUG 5
#define P_LOG_FLOOD 6
#define P_LOG_MAX   6

#define P_LOG_STATE (0x10 | P_LOG_ALIVE)
#define P_LOG_DYING (0x20 | P_LOG_ALIVE)
#define P_LOG_FATAL (0x30 | P_LOG_FAULT)

#define p_print_log(p_level, p_fmt, p_args...)                                             \
({                                                                                         \
   int p_print_ret = 0;                                                                    \
                                                                                           \
   if (p_level == P_LOG_ALERT)                                                             \
      p_print_ret = printk(KERN_CRIT    P_LKRG_SIGNATURE "ALERT: " p_fmt "\n", ## p_args); \
   else if (P_CTRL(p_log_level) >= (p_level & 7))                                          \
   switch (p_level) {                                                                      \
   case P_LOG_ALIVE:                                                                       \

@solardiz
Contributor

solardiz commented Apr 8, 2024

@80kk You don't need to patch anything to adjust log_level - we have a sysctl and a module parameter of that name, so please use one of those. This is documented in README. Thank you!

@80kk
Author

80kk commented Apr 8, 2024

> @80kk You don't need to patch anything to adjust log_level - we have a sysctl and a module parameter of that name, so please use one of those. This is documented in README. Thank you!

Thanks. I misunderstood @Adam-pi3's request.

@80kk
Author

80kk commented Apr 9, 2024

Here is the call trace with log_level set to 4:

Apr  8 21:35:44 mail kernel: [159823.064647] LKRG: WATCH: Inserting pid 682842
Apr  8 21:35:44 mail kernel: [159823.065470] LKRG: WATCH: Updating pid 682843
Apr  8 21:35:44 mail kernel: [159823.065474] LKRG: WATCH: Inserting pid 682843
Apr  8 21:35:44 mail kernel: [159823.065495] LKRG: WATCH: Updating pid 676256
Apr  8 21:35:44 mail kernel: [159823.065531] LKRG: ALERT: DETECT: Task: 'off' flag corruption for pid 682843, name runc:[2:INIT]
Apr  8 21:35:44 mail kernel: [159823.065562] LKRG: WATCH: 'off' flag[0x0] (normalization via 0x1a15583f3ed23d1)
Apr  8 21:35:44 mail kernel: [159823.065564] LKRG: WATCH: OFF debug: normalization[0x1a15583f3ed23d1] cookie[0xa987d5b5b109859f]
Apr  8 21:35:44 mail kernel: [159823.065566] LKRG: WATCH: Process[682843 | runc:[2:INIT]] Parent[682808 | runc] has TSYNC[0] and [1] entries:
Apr  8 21:35:44 mail kernel: [159823.065569] LKRG: WATCH:  => caller[p_seccomp_ret (TSYNC child)] action[OFF] old_off[0x1a15583f3ed23d1] debug_val[1]
Apr  8 21:35:44 mail kernel: [159823.065572] CPU: 2 PID: 682836 Comm: runc:[2:INIT] Tainted: G           OE     5.15.0-101-generic #111-Ubuntu
Apr  8 21:35:44 mail kernel: [159823.065576] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014
Apr  8 21:35:44 mail kernel: [159823.065578] Call Trace:
Apr  8 21:35:44 mail kernel: [159823.065580]  <TASK>
Apr  8 21:35:44 mail kernel: [159823.065582]  show_stack+0x52/0x5c
Apr  8 21:35:44 mail kernel: [159823.065594]  dump_stack_lvl+0x4a/0x63
Apr  8 21:35:44 mail kernel: [159823.065599]  dump_stack+0x10/0x16
Apr  8 21:35:44 mail kernel: [159823.065603]  p_ed_is_off_off.part.0+0x4a6/0x583 [lkrg]
Apr  8 21:35:44 mail kernel: [159823.065622]  p_set_ed_process_on.cold+0xe/0x1e [lkrg]
Apr  8 21:35:44 mail kernel: [159823.065635]  p_seccomp_ret+0x159/0x250 [lkrg]
Apr  8 21:35:44 mail kernel: [159823.065648]  ? __x64_sys_seccomp+0x18/0x20
Apr  8 21:35:44 mail kernel: [159823.065652]  __kretprobe_trampoline_handler+0xb4/0x140
Apr  8 21:35:44 mail kernel: [159823.065656]  trampoline_handler+0x41/0x60
Apr  8 21:35:44 mail kernel: [159823.065659]  __kretprobe_trampoline+0x2a/0x60
Apr  8 21:35:44 mail kernel: [159823.065661] RIP: 0010:__kretprobe_trampoline+0x0/0x60
Apr  8 21:35:44 mail kernel: [159823.065664] Code: 89 fc e8 e3 d7 01 00 4c 89 f2 4c 89 ee 4c 89 e7 44 0f b6 c0 31 c9 e8 8f 94 3b 00 41 5c 41 5d 41 5e 5d c3 cc cc cc cc cc cc cc <54> 9c 48 83 ec 18 57 56 52 51 50 41 50 41 51 41 52 41 53 53 55 41
Apr  8 21:35:44 mail kernel: [159823.065667] RSP: c39cff48:ffffacb5c39cfeb8 EFLAGS: 00000246
Apr  8 21:35:44 mail kernel: [159823.065670] RAX: fffffffffffffff2 RBX: 0000000000000000 RCX: 0000000000000000
Apr  8 21:35:44 mail kernel: [159823.065672] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffacb5c39cfe50
Apr  8 21:35:44 mail kernel: [159823.065674] RBP: ffffacb5c39cfeb8 R08: fffffffffffffff2 R09: 0000000000000000
Apr  8 21:35:44 mail kernel: [159823.065675] R10: ffffacb5c39cfe40 R11: 0000000000000000 R12: ffffacb5c39cff58
Apr  8 21:35:44 mail kernel: [159823.065677] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Apr  8 21:35:44 mail kernel: [159823.065680]  ? do_syscall_64+0x5c/0xc0
Apr  8 21:35:44 mail kernel: [159823.065684]  ? do_user_addr_fault+0x1e7/0x670
Apr  8 21:35:44 mail kernel: [159823.065688]  ? exit_to_user_mode_prepare+0x37/0xb0
Apr  8 21:35:44 mail kernel: [159823.065694]  ? irqentry_exit_to_user_mode+0x17/0x20
Apr  8 21:35:44 mail kernel: [159823.065698]  ? irqentry_exit+0x1d/0x30
Apr  8 21:35:44 mail kernel: [159823.065702]  ? exc_page_fault+0x89/0x170
Apr  8 21:35:44 mail kernel: [159823.065705]  ? entry_SYSCALL_64_after_hwframe+0x62/0xcc
Apr  8 21:35:44 mail kernel: [159823.065710]  </TASK>
Apr  8 21:35:44 mail kernel: [159823.065711] LKRG: ALERT: BLOCK: Task: Killing pid 682843, name runc:[2:INIT]
Apr  8 21:35:44 mail kernel: [159823.065800] LKRG: WATCH: Removing pid 682836
Apr  8 21:35:44 mail kernel: [159823.065893] LKRG: WATCH: Removing pid 682839
Apr  8 21:35:44 mail kernel: [159823.065914] LKRG: WATCH: Removing pid 682838

and Docker container log:

2024-04-08T21:35:44.084+02:00  common.go:121 ▶ ERROR [Job "dovecot_imapsync_runner" (290122202a13)] StdOut: OCI runtime exec failed: exec failed: unable to start container process: read init-p: connection reset by peer: unknown
2024-04-08T21:35:44.085+02:00  common.go:121 ▶ ERROR [Job "dovecot_imapsync_runner" (290122202a13)] Finished in "79.847734ms", failed: true, skipped: false, error: error non-zero exit code: 126

@80kk
Author

80kk commented Apr 9, 2024

I don't know if that matters, but as you probably already noticed, this is a VM running on Proxmox. The underlying hardware is a Dell PowerEdge R320.

@Adam-pi3
Collaborator

Sorry for the late reply. I tried to repro your issue under VMware:

Distributor ID:	Ubuntu
Description:	Ubuntu 24.04 LTS
Release:	24.04
Codename:	noble

but under the kernel 6.8.0-31-generic, and I installed Docker, LXD and Docker Compose. I ran mailcow via these instructions:
https://docs.mailcow.email/getstarted/install/#initialize-mailcow

and everything works fine. Is there anything specific to repro it?

@80kk
Author

80kk commented May 15, 2024

Well, as I wrote in my first post:

> Ubuntu 22.04 with 5.15.0-101-generic kernel

There was no 24.04 released at that time, and the hypervisor is Proxmox, but I don't think that this is the factor. I will probably upgrade to 24.04 during this weekend and update the ticket.

@80kk
Author

80kk commented May 19, 2024

Unfortunately, there is no official way to upgrade to 24.04 until 24.04.1 is released. If you think this issue is resolved in the 6.8 kernel, then feel free to close this ticket.

@solardiz
Contributor

Even if the issue is resolved or otherwise avoided in 6.8, we may still care to fix it for older kernels. LKRG supports a wide range of kernel versions.

@Adam-pi3
Collaborator

I spent some time doing the same test on:

Distributor ID:	Ubuntu
Description:	Ubuntu 22.04.4 LTS
Release:	22.04
Codename:	jammy

under the kernel 5.15.0-101-generic, and I do not see that issue. I left all the containers running overnight and no FP was detected:

$ docker compose up -d
[+] Running 32/32
 ✔ Network mailcowdockerized_mailcow-network              Created                                                            0.4s 
 ✔ Volume "mailcowdockerized_vmail-vol-1"                 Created                                                            0.0s 
 ✔ Volume "mailcowdockerized_vmail-index-vol-1"           Created                                                            0.0s 
 ✔ Volume "mailcowdockerized_mysql-vol-1"                 Created                                                            0.0s 
 ✔ Volume "mailcowdockerized_mysql-socket-vol-1"          Created                                                            0.0s 
 ✔ Volume "mailcowdockerized_sogo-web-vol-1"              Created                                                            0.0s 
 ✔ Volume "mailcowdockerized_clamd-db-vol-1"              Created                                                            0.0s 
 ✔ Volume "mailcowdockerized_sogo-userdata-backup-vol-1"  Created                                                            0.0s 
 ✔ Volume "mailcowdockerized_postfix-vol-1"               Created                                                            0.0s 
 ✔ Volume "mailcowdockerized_crypt-vol-1"                 Created                                                            0.0s 
 ✔ Volume "mailcowdockerized_redis-vol-1"                 Created                                                            0.0s 
 ✔ Volume "mailcowdockerized_solr-vol-1"                  Created                                                            0.0s 
 ✔ Volume "mailcowdockerized_rspamd-vol-1"                Created                                                            0.0s 
 ✔ Container mailcowdockerized-netfilter-mailcow-1        Started                                                            0.1s 
 ✔ Container mailcowdockerized-memcached-mailcow-1        Started                                                            0.1s 
 ✔ Container mailcowdockerized-dockerapi-mailcow-1        Started                                                            0.1s 
 ✔ Container mailcowdockerized-unbound-mailcow-1          Healthy                                                            0.1s 
 ✔ Container mailcowdockerized-sogo-mailcow-1             Started                                                            0.1s 
 ✔ Container mailcowdockerized-olefy-mailcow-1            Started                                                            0.1s 
 ✔ Container mailcowdockerized-clamd-mailcow-1            Started                                                            0.0s 
 ✔ Container mailcowdockerized-redis-mailcow-1            Started                                                            0.1s 
 ✔ Container mailcowdockerized-mysql-mailcow-1            Started                                                            0.0s 
 ✔ Container mailcowdockerized-solr-mailcow-1             Started                                                            0.1s 
 ✔ Container mailcowdockerized-dovecot-mailcow-1          Started                                                            0.0s 
 ✔ Container mailcowdockerized-postfix-mailcow-1          Started                                                            0.0s 
 ✔ Container mailcowdockerized-ofelia-mailcow-1           Started                                                            0.0s 
 ✔ Container mailcowdockerized-rspamd-mailcow-1           Started                                                            0.0s 
 ✔ Container mailcowdockerized-php-fpm-mailcow-1          Started                                                            0.0s 
 ✔ Container mailcowdockerized-nginx-mailcow-1            Started                                                            0.0s 
 ✔ Container mailcowdockerized-acme-mailcow-1             Started                                                            0.0s 
 ✔ Container mailcowdockerized-watchdog-mailcow-1         Started                                                            0.0s 
 ✔ Container mailcowdockerized-ipv6nat-mailcow-1          Started             

In the kernel logs I can see that LKRG runs fine:

[Sat May 18 23:34:52 2024] lkrg: loading out-of-tree module taints kernel.
[Sat May 18 23:34:52 2024] lkrg: module verification failed: signature and/or required key missing - tainting kernel
[Sat May 18 23:34:52 2024] LKRG: ALIVE: Loading LKRG
[Sat May 18 23:34:52 2024] Freezing user space processes ... (elapsed 0.004 seconds) done.
[Sat May 18 23:34:52 2024] OOM killer disabled.
[Sat May 18 23:34:53 2024] LKRG: ALIVE: LKRG initialized successfully
[Sat May 18 23:34:53 2024] OOM killer enabled.
[Sat May 18 23:34:53 2024] Restarting tasks ... done.

No other logs related to LKRG. However, I have a question, @80kk: do you see in the logs something similar to these messages?

LKRG: ISSUE: [kretprobe] register_kretprobe() for <ovl_dentry_is_whiteout> failed! [err=-2]
LKRG: ISSUE: Can't hook 'ovl_dentry_is_whiteout'. This is expected when OverlayFS is not used.

@m1lua

m1lua commented Jun 24, 2024

##339

I think you should try this


udp: second attempt

#340

@Strykar

Strykar commented Oct 24, 2024

So LKRG appears to be killing some Gnome and other apps:

~ uname -a
Linux r912 6.11.5-arch1-1 #1 SMP PREEMPT_DYNAMIC Tue, 22 Oct 2024 18:31:38 +0000 x86_64 GNU/Linux
~ sudo journalctl -b -1 | grep LKRG
Oct 23 19:39:29 r912 kernel: LKRG: ALIVE: Loading LKRG
Oct 23 19:39:29 r912 kernel: LKRG: ISSUE: [kretprobe] register_kretprobe() for <ovl_dentry_is_whiteout> failed! [err=-2]
Oct 23 19:39:29 r912 kernel: LKRG: ISSUE: Can't hook 'ovl_dentry_is_whiteout'. This is expected when OverlayFS is not used.
Oct 23 19:39:29 r912 kernel: LKRG: ALIVE: LKRG initialized successfully
Oct 24 09:38:51 r912 kernel: LKRG: ALERT: DETECT: Task: 'off' flag corruption for pid 484646, name pool-spawner
Oct 24 09:38:51 r912 kernel: LKRG: ALERT: BLOCK: Task: Killing pid 484646, name pool-org.gnome.
Oct 24 09:38:51 r912 kernel: LKRG: ALERT: DETECT: Task: 'off' flag corruption for pid 484645, name pool-spawner
Oct 24 09:38:51 r912 kernel: LKRG: ALERT: DETECT: Task: 'off' flag corruption for pid 484648, name pool-spawner
Oct 24 09:38:51 r912 kernel: LKRG: ALERT: BLOCK: Task: Killing pid 484648, name pool-org.gnome.
Oct 24 09:38:51 r912 kernel: LKRG: ALERT: BLOCK: Task: Killing pid 484645, name pool-org.gnome.
Oct 24 09:38:51 r912 kernel: LKRG: ALERT: DETECT: Task: 'off' flag corruption for pid 484646, name pool-spawner
Oct 24 09:38:51 r912 kernel: LKRG: ALERT: DETECT: Task: 'off' flag corruption for pid 484645, name pool-spawner
Oct 24 09:38:51 r912 kernel: LKRG: ALERT: BLOCK: Task: Killing pid 484646, name pool-org.gnome.
Oct 24 09:38:51 r912 kernel: LKRG: ALERT: BLOCK: Task: Killing pid 484645, name pool-org.gnome.
Oct 24 09:38:53 r912 kernel: LKRG: ALERT: DETECT: Task: 'off' flag corruption for pid 484789, name pool-spawner
Oct 24 09:38:53 r912 kernel: LKRG: ALERT: BLOCK: Task: Killing pid 484789, name pool-org.gnome.
Oct 24 09:38:53 r912 kernel: LKRG: ALERT: DETECT: Task: 'off' flag corruption for pid 484789, name pool-spawner
Oct 24 09:38:53 r912 kernel: LKRG: ALERT: BLOCK: Task: Killing pid 484789, name pool-org.gnome.

Oct 24 11:34:23 r912 kernel: LKRG: ALIVE: Loading LKRG
Oct 24 11:34:23 r912 kernel: LKRG: ISSUE: [kretprobe] register_kretprobe() for <ovl_dentry_is_whiteout> failed! [err=-2]
Oct 24 11:34:23 r912 kernel: LKRG: ISSUE: Can't hook 'ovl_dentry_is_whiteout'. This is expected when OverlayFS is not used.
Oct 24 11:34:23 r912 kernel: LKRG: ALIVE: LKRG initialized successfully
Oct 24 17:22:04 r912 kernel: LKRG: ALERT: DETECT: Task: 'off' flag corruption for pid 213750, name pool-spawner
Oct 24 17:22:04 r912 kernel: LKRG: ALERT: DETECT: Task: 'off' flag corruption for pid 213636, name nautilus
Oct 24 17:22:04 r912 kernel: LKRG: ALERT: BLOCK: Task: Killing pid 213636, name nautilus
Oct 24 17:22:04 r912 kernel: LKRG: ALERT: BLOCK: Task: Killing pid 213750, name pool-org.gnome.
Oct 24 17:22:04 r912 kernel: LKRG: ALERT: DETECT: Task: 'off' flag corruption for pid 213637, name nautilus
Oct 24 17:22:04 r912 kernel: LKRG: ALERT: DETECT: Task: 'off' flag corruption for pid 213750, name pool-spawner
Oct 24 17:22:04 r912 kernel: LKRG: ALERT: BLOCK: Task: Killing pid 213750, name pool-org.gnome.
Oct 24 17:22:04 r912 kernel: LKRG: ALERT: BLOCK: Task: Killing pid 213637, name pool-spawner
Oct 24 17:22:04 r912 kernel: LKRG: ALERT: DETECT: Task: 'off' flag corruption for pid 213771, name pool-spawner
Oct 24 17:22:04 r912 kernel: LKRG: ALERT: BLOCK: Task: Killing pid 213771, name pool-org.gnome.

@solardiz
Contributor

Oct 24 09:38:51 r912 kernel: LKRG: ALERT: DETECT: Task: 'off' flag corruption for pid 484646, name pool-spawner
Oct 24 09:38:51 r912 kernel: LKRG: ALERT: BLOCK: Task: Killing pid 484646, name pool-org.gnome.

The task name discrepancy here is interesting. In our code, it's p_source->p_ed_task.p_comm vs. p_source->p_ed_task.p_task->comm. We save a copy of comm in our struct p_ed_process_task and it could maybe change later, but perhaps it can only change via execve (this is not argv[0] that a program can just patch on its own, it is kernel-internal comm). So does this mean we failed to track an execve? We hook security_bprm_committed_creds and call p_update_ed_process from there, which does update the copy of comm. I thought that maybe security_bprm_committed_creds isn't called on unprivileged exec, but no, it's called unconditionally near the end of successful begin_new_exec. So does this hook somehow sometimes fail to trigger?

A mismatch in triggering of security_bprm_committing_creds vs. security_bprm_committed_creds would also explain the spurious off flag corruption. However, I'm puzzled as to why this specific mismatch would happen often yet not always.

I wonder if the below little hack would make a difference with respect to this issue:

+++ b/src/modules/exploit_detection/syscalls/exec/p_security_bprm_committed_creds/p_security_bprm_committed_creds.c
@@ -31,8 +31,8 @@ char p_security_bprm_committed_creds_kretprobe_state = 0;
 
 static struct kretprobe p_security_bprm_committed_creds_kretprobe = {
     .kp.symbol_name = "security_bprm_committed_creds",
-    .handler = p_security_bprm_committed_creds_ret,
-    .entry_handler = NULL,
+    .handler = NULL,
+    .entry_handler = p_security_bprm_committed_creds_ret,
     .data_size = sizeof(struct p_security_bprm_committed_creds_data),
 };
 
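Review bot: With `.entry_handler = p_security_bprm_committed_creds_ret` the function keeps its `_ret` suffix although it now runs on entry to security_bprm_committed_creds, so if this goes beyond a test build the name should change with it. Because the probe is still a kretprobe, a hit that finds no free kretprobe instance skips the entry handler as well, so logging this kretprobe's `nmissed` counter alongside the change would test the "hook sometimes fails to trigger" theory directly.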

@Strykar and others in here who are able to reproduce the issue, I'd appreciate you trying the above. Thank you!
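A way to triage these alerts from a saved log, as an added example (not LKRG's code and not written by any commenter here): it pairs DETECT and BLOCK lines per pid and lists the pids where the two lines print different task names, which is the discrepancy discussed above. The sample lines and pids are constructed in the format of the logs quoted in this thread, and the function names are illustrative.

```python
import re
from collections import defaultdict

# Matches LKRG task alerts regardless of the dmesg ("[Tue Apr  2 ...]") or
# journalctl ("Oct 24 ... kernel:") prefix in front of "LKRG:".
ALERT_RE = re.compile(
    r"LKRG: ALERT: (?P<kind>DETECT|BLOCK): Task: (?P<what>.*?) ?"
    r"pid (?P<pid>\d+), name (?P<name>.*)$"
)

# Constructed sample input (pids and host name are made up).
SAMPLE_LOG = """\
Oct 24 09:38:51 host kernel: LKRG: ALIVE: LKRG initialized successfully
Oct 24 09:38:51 host kernel: LKRG: ALERT: DETECT: Task: 'off' flag corruption for pid 1001, name pool-spawner
Oct 24 09:38:51 host kernel: LKRG: ALERT: BLOCK: Task: Killing pid 1001, name pool-org.gnome.
Oct 24 09:38:51 host kernel: LKRG: ALERT: DETECT: Task: 'off' flag corruption for pid 1001, name pool-spawner
Oct 24 09:38:51 host kernel: LKRG: ALERT: BLOCK: Task: Killing pid 1001, name pool-org.gnome.
[Tue Apr  2 15:06:10 2024] LKRG: ALERT: DETECT: Task: 'off' flag corruption for pid 2002, name runc:[2:INIT]
[Tue Apr  2 15:06:10 2024] LKRG: ALERT: BLOCK: Task: Killing pid 2002, name runc:[2:INIT]
Oct 24 17:22:04 host kernel: LKRG: ALERT: DETECT: Task: 'off' flag corruption for pid 3003, name nautilus
"""


def summarize(lines):
    """Group LKRG task alerts by pid.

    Returns {pid: {"DETECT": count, "BLOCK": count,
                   "detect_names": set, "block_names": set}}.
    Feed one boot at a time (e.g. journalctl -b N), because pids are
    reused across boots and would otherwise be merged.
    """
    tasks = defaultdict(lambda: {"DETECT": 0, "BLOCK": 0,
                                 "detect_names": set(), "block_names": set()})
    for line in lines:
        m = ALERT_RE.search(line)
        if not m:
            continue  # ALIVE/ISSUE lines and non-LKRG lines are ignored
        entry = tasks[int(m.group("pid"))]
        kind = m.group("kind")
        entry[kind] += 1
        key = "detect_names" if kind == "DETECT" else "block_names"
        entry[key].add(m.group("name").rstrip())
    return dict(tasks)


def name_mismatches(summary):
    """Pids whose DETECT and BLOCK lines printed different task names."""
    return sorted(pid for pid, e in summary.items()
                  if e["detect_names"] and e["block_names"]
                  and e["detect_names"] != e["block_names"])


def detected_not_killed(summary):
    """Pids with a DETECT line but no BLOCK line in the same log."""
    return sorted(pid for pid, e in summary.items()
                  if e["DETECT"] and not e["BLOCK"])


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    for pid in sorted(report):
        e = report[pid]
        print(f"pid {pid}: {e['DETECT']} detect / {e['BLOCK']} block, "
              f"detect names {sorted(e['detect_names'])}, "
              f"block names {sorted(e['block_names'])}")
    print("name mismatch:", name_mismatches(report))
    print("detected, no kill logged:", detected_not_killed(report))
```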

@solardiz
Contributor

That's probably not exactly it - wouldn't explain some other stuff also seen in @Strykar's logs - but I'd appreciate testing anyhow.

@Strykar @80kk What CPUs did you see this issue on?
@m1lua already mentioned this was on AMD EPYC 7261 8-Core Processor x2, so not asking again, unless this was also seen on other CPUs maybe?

@solardiz
Contributor

Please try the below patch/hack to see if it makes a difference:

+++ b/src/modules/exploit_detection/p_exploit_detection.c
@@ -985,6 +985,7 @@ static inline void p_validate_off_flag(struct p_ed_process *p_source, long p_val
 #if P_OVL_OVERRIDE_SYNC_MODE
 notrace int p_verify_ovl_override_sync(struct p_ed_process *p_source) {
 
+   smp_rmb();
    register unsigned long p_off = p_source->p_ed_task.p_off ^ p_global_off_cookie; // Decode
 
    p_validate_off_flag(p_source,p_off,NULL);   // Validate
@@ -998,18 +999,20 @@ notrace int p_verify_ovl_override_sync(struct p_ed_process *p_source) {
 
 notrace void p_ed_is_off_off_wrap(struct p_ed_process *p_source) {
 
+   smp_rmb();
    register unsigned long p_off = p_source->p_ed_task.p_off ^ p_global_off_cookie; // Decode
    p_ed_is_off_off(p_source,p_off,NULL);
 }
 
 notrace void p_ed_validate_off_flag_wrap(struct p_ed_process *p_source) {
-
+   smp_rmb();
    register unsigned long p_off = p_source->p_ed_task.p_off ^ p_global_off_cookie; // Decode
    p_validate_off_flag(p_source,p_off,NULL);   // Validate
 }
 
 notrace void p_set_ed_process_on(struct p_ed_process *p_source) {
 
+   smp_rmb();
    register unsigned long p_off = p_source->p_ed_task.p_off ^ p_global_off_cookie; // Decode
 
 #if defined(CONFIG_SECCOMP)
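Review bot: In all three functions touched by this hunk `smp_rmb();` sits ahead of the `register unsigned long p_off = ...` declaration, which is what produces the mixed-declaration warning; declaring `p_off` first and assigning it after the barrier avoids that. Each barrier also needs a comment naming the write side it pairs with, because as posted it is not clear which earlier store to `p_off` these loads are being ordered against.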
@@ -1029,6 +1032,7 @@ notrace void p_set_ed_process_on(struct p_ed_process *p_source) {
 
 notrace void p_set_ed_process_off(struct p_ed_process *p_source) {
 
+   smp_rmb();
    register unsigned long p_off = p_source->p_ed_task.p_off ^ p_global_off_cookie; // Decode
 
 #if defined(CONFIG_SECCOMP)
@@ -1047,6 +1051,7 @@ notrace void p_set_ed_process_off(struct p_ed_process *p_source) {
 
 notrace void p_set_ed_process_override_on(struct p_ed_process *p_source) {
 
+   smp_rmb();
    register unsigned long p_off = p_source->p_ed_task.p_off ^ p_global_off_cookie; // Decode
 
    p_validate_off_flag(p_source,p_off,NULL);   // Validate
@@ -1059,6 +1064,7 @@ notrace void p_set_ed_process_override_on(struct p_ed_process *p_source) {
 
 notrace void p_set_ed_process_override_off(struct p_ed_process *p_source) {
 
+   smp_rmb();
    register unsigned long p_off = p_source->p_ed_task.p_off ^ p_global_off_cookie; // Decode
 
    p_validate_off_flag(p_source,p_off,NULL);   // Validate
@@ -1071,7 +1077,7 @@ notrace void p_reset_ed_flags(struct p_ed_process *p_source) {
 
    p_source->p_ed_task.p_off = p_global_cnt_cookie ^ p_global_off_cookie;
    p_source->p_ed_task.p_off_count = 0;
-
+   smp_wmb();
 }
 
 int p_dump_task_f(void *p_arg) {
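Review bot: `smp_wmb();` at the end of p_reset_ed_flags comes after both stores, so it does not order the write to `p_off` against the write to `p_off_count`; it only orders the pair against whatever is stored next. If readers are meant to observe the two fields in a particular order the barrier belongs between the two assignments, and otherwise a comment should say which later store it is meant to order.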
@@ -1265,6 +1271,8 @@ static int p_cmp_creds(struct p_cred *p_orig, const struct cred *p_current_cred,
 
 static int p_cmp_tasks(struct p_ed_process *p_orig, struct task_struct *p_current, char p_kill) {
 
+   smp_rmb();
+
    const char p_opt = 1; /* for uses of the P_CMP_PTR() macro */
    int p_ret = 0, p_killed = 0;
    register long p_off = p_orig->p_ed_task.p_off ^ p_global_off_cookie;

This may produce "warning: ISO C90 forbids mixed declarations and code" - we'll address this properly if merging these changes for real.

I think the write barrier here should be unneeded because calls to p_reset_ed_flags are from places where we had a lock acquired, so we have an implicit barrier on releasing the lock there. But some of the read barriers may be needed.

@solardiz
Contributor

Refreshing my memory on x86 memory ordering (mostly guaranteed as-is) and what the *fence instructions add on top (quite little and irrelevant), I don't see how the missing barriers could be the problem here, nor how adding them could help. But I still would like to know what CPUs the problem was seen on, just in case there's any correlation.

@Strykar

Strykar commented Nov 1, 2024

@Strykar @80kk What CPUs did you see this issue on? @m1lua already mentioned this was on AMD EPYC 7261 8-Core Processor x2, so not asking again, unless this was also seen on other CPUs maybe?

AMD Ryzen 7900 (non-X) 12 core (Raphael AM5 Zen4)

@m1lua

m1lua commented Nov 5, 2024

That's probably not exactly it - wouldn't explain some other stuff also seen in @Strykar's logs - but I'd appreciate testing anyhow.

@Strykar @80kk What CPUs did you see this issue on? @m1lua already mentioned this was on AMD EPYC 7261 8-Core Processor x2, so not asking again, unless this was also seen on other CPUs maybe?

it wasn't tested a lot across systems, but average solution for me was migrate_disable()/migrate_enable() in slim places.

@solardiz
Contributor

solardiz commented Nov 6, 2024

Still waiting to hear from @80kk on the CPU.

it wasn't tested a lot across systems, but average solution for me was migrate_disable()/migrate_enable() in slim places.

@m1lua Can you show the corresponding patch, please? I doubt this is exactly what changes we'll want to make, but it could give us a hint as to what the actual problem may be.

@m1lua

m1lua commented Nov 8, 2024

@solardiz

diff --git a/src/modules/database/arch/x86/p_x86_metadata.c b/src/modules/database/arch/x86/p_x86_metadata.c
index 853328e..03a2b78 100644
--- a/src/modules/database/arch/x86/p_x86_metadata.c
+++ b/src/modules/database/arch/x86/p_x86_metadata.c
@@ -82,7 +82,7 @@ void p_dump_x86_metadata(void *_p_arg) {
    /*
     * Get ID and lock - no preemtion.
     */
-//   p_curr_cpu = get_cpu();
+   //p_curr_cpu = get_cpu();
    p_curr_cpu = smp_processor_id();
 
    /*
@@ -366,7 +366,7 @@ void p_dump_x86_metadata(void *_p_arg) {
    /*
     * Unlock preemtion.
     */
-//   put_cpu();
+   //put_cpu();
 
 }
 
diff --git a/src/modules/database/p_database.h b/src/modules/database/p_database.h
index 374ee1c..3e80cd0 100644
--- a/src/modules/database/p_database.h
+++ b/src/modules/database/p_database.h
@@ -190,7 +190,7 @@ int hash_from_iommu_table(void);
 #endif
 
 static inline void p_text_section_lock(void) {
-
+//static inline int p_do_text_section_lock(void) {
 #if defined(P_LKRG_CI_ARCH_STATIC_CALL_TRANSFORM_H)
    unsigned long p_text_flags;
 #endif
diff --git a/src/modules/exploit_detection/p_exploit_detection.c b/src/modules/exploit_detection/p_exploit_detection.c
index 8484385..6e2cb3a 100644
--- a/src/modules/exploit_detection/p_exploit_detection.c
+++ b/src/modules/exploit_detection/p_exploit_detection.c
@@ -512,10 +512,12 @@ static notrace inline void p_dump_addr_limit(mm_segment_t *p_addr_limit, struct
 
 notrace void p_update_ed_process(struct p_ed_process *p_source, struct task_struct *p_task, char p_stack) {
 
-   p_print_log(P_LOG_WATCH, "Updating pid %u", p_task->pid);
+   p_print_log(P_LOG_WATCH, "Updating pid %u (task_struct = %p, islocked %d)", p_task->pid, p_task, spin_is_locked(&p_task->alloc_lock));
 
    rcu_read_lock();
    get_task_struct(p_task);
+   //task_lock(p_task); // not present in stable patch 18,5
+
    /* Track process's metadata */
    p_source->p_ed_task.p_pid                      = p_task->pid;
    p_source->p_ed_task.p_cred_ptr                 = rcu_dereference(p_task->cred);
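Review bot: The extended "Updating pid" message prints the task_struct address with `%p`; where the kernel hashes `%p` the value cannot be matched against anything else, and where it does not the log gains a raw kernel pointer, so pid plus comm is the better identifier here. The commented-out `task_lock(p_task)` line should either be enabled together with its unlock or left out of the patch.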
@@ -553,6 +555,8 @@ notrace void p_update_ed_process(struct p_ed_process *p_source, struct task_stru
    /* Should be last here to propagate potential glitching */
    wmb();
    p_source->p_ed_task.p_task            = p_task;
+
+   //task_unlock(p_task); // not present in stable patch 18,5
    put_task_struct(p_task);
    rcu_read_unlock();
 
@@ -876,6 +880,7 @@ notrace void p_debug_off_flag_reset(struct p_ed_process *p_source, unsigned int
       /* Increment ring-buffer pointer */
       p_source->p_ed_task.p_off_counter++;
    }
+   wmb();
 }
 
 static notrace void p_debug_off_flag_dump_ring_buffer(struct p_ed_process *p_source) {
@@ -966,8 +971,11 @@ static inline void p_ed_is_off_off(struct p_ed_process *p_source, long p_val, in
    }
 }
 
+//static unsigned long task_lock_flags;
 static inline void p_validate_off_flag(struct p_ed_process *p_source, long p_val, int *p_ret) {
 
+   //struct task_struct *curr = p_source->p_ed_task.p_task;
+
    if (likely(p_val == p_global_cnt_cookie))
       return;
 
@@ -977,7 +985,10 @@ static inline void p_validate_off_flag(struct p_ed_process *p_source, long p_val
          break;
    }
 
+   //spin_lock_irqsave(&curr->alloc_lock, task_lock_flags);
    p_ed_is_off_off(p_source, p_val, p_ret);
+   //spin_unlock_irqrestore(&curr->alloc_lock, task_lock_flags);
+
 }
 
 #if P_OVL_OVERRIDE_SYNC_MODE
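Review bot: The commented-out `spin_lock_irqsave(&curr->alloc_lock, task_lock_flags)` around p_ed_is_off_off relies on `task_lock_flags`, which the previous hunk introduces as a file-scope `static unsigned long`; if this is ever enabled the saved flags have to be a local variable, since one shared word would be overwritten by concurrent callers. As posted these lines are dead code and are better dropped from the patch.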
@@ -1008,8 +1019,10 @@ notrace void p_ed_validate_off_flag_wrap(struct p_ed_process *p_source) {
 
 notrace void p_set_ed_process_on(struct p_ed_process *p_source) {
 
-   register unsigned long p_off = p_source->p_ed_task.p_off ^ p_global_off_cookie; // Decode
+   register unsigned long p_off;
 
+   rmb();
+   p_off = p_source->p_ed_task.p_off ^ p_global_off_cookie; // Decode
 #if defined(CONFIG_SECCOMP)
    if (p_source->p_ed_task.p_sec.flag_sync_thread) {
       p_set_ed_process_override_on(p_source);
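Review bot: `rmb();` in p_set_ed_process_on (and `wmb();` in the hunks that follow) are the mandatory barriers; for ordering between CPUs the `smp_rmb()`/`smp_wmb()` forms used in the patch posted earlier in this thread are the usual choice. Whichever form stays, add a comment stating which store the load of `p_off` is being ordered against.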
@@ -1023,13 +1036,17 @@ notrace void p_set_ed_process_on(struct p_ed_process *p_source) {
 #if defined(CONFIG_SECCOMP)
    }
 #endif
+   wmb();
 }
 
 notrace void p_set_ed_process_off(struct p_ed_process *p_source) {
 
-   register unsigned long p_off = p_source->p_ed_task.p_off ^ p_global_off_cookie; // Decode
+   register unsigned long p_off;
 
+   rmb();
+   p_off = p_source->p_ed_task.p_off ^ p_global_off_cookie; // Decode
 #if defined(CONFIG_SECCOMP)
+   p_debug_log(P_LOG_DEBUG, "p_set_ed_process_off() is called with seccomp prologue\n");
    if (p_source->p_ed_task.p_sec.flag_sync_thread) {
       p_set_ed_process_override_off(p_source);
    } else {
@@ -1045,7 +1062,9 @@ notrace void p_set_ed_process_off(struct p_ed_process *p_source) {
 
 notrace void p_set_ed_process_override_on(struct p_ed_process *p_source) {
 
-   register unsigned long p_off = p_source->p_ed_task.p_off ^ p_global_off_cookie; // Decode
+   register unsigned long p_off;
+   rmb();
+   p_off = p_source->p_ed_task.p_off ^ p_global_off_cookie; // Decode
 
    p_validate_off_flag(p_source,p_off,NULL);   // Validate
    p_off -= p_global_cnt_cookie;               // Normalize
@@ -1053,23 +1072,27 @@ notrace void p_set_ed_process_override_on(struct p_ed_process *p_source) {
    p_source->p_ed_task.p_off = p_off ^ p_global_off_cookie; // Encode
    if (p_off == p_global_cnt_cookie)
       p_source->p_ed_task.p_off_count = 0;
+   wmb();
 }
 
 notrace void p_set_ed_process_override_off(struct p_ed_process *p_source) {
 
-   register unsigned long p_off = p_source->p_ed_task.p_off ^ p_global_off_cookie; // Decode
+   register unsigned long p_off;
+   rmb();
+   p_off = p_source->p_ed_task.p_off ^ p_global_off_cookie; // Decode
 
    p_validate_off_flag(p_source,p_off,NULL);   // Validate
    p_off += p_global_cnt_cookie;               // Normalize
 
    p_source->p_ed_task.p_off = p_off ^ p_global_off_cookie;
+   wmb();
 }
 
 notrace void p_reset_ed_flags(struct p_ed_process *p_source) {
-
+   rmb();
    p_source->p_ed_task.p_off = p_global_cnt_cookie ^ p_global_off_cookie;
    p_source->p_ed_task.p_off_count = 0;
-
+   wmb();
 }
 
 int p_dump_task_f(void *p_arg) {
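Review bot: In p_reset_ed_flags the added `rmb();` sits in front of two plain stores and no load, so it orders nothing in this function and can be removed. The `wmb();` added as the last statement of p_set_ed_process_override_on, p_set_ed_process_override_off and p_reset_ed_flags follows the final store in each case, so each one needs a note on which later write it is meant to protect.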
@@ -1108,7 +1131,7 @@ int p_remove_task_pid_f(pid_t p_arg) {
 
    struct p_ed_process *p_tmp;
    struct rb_root *p_root;
-
+   rmb();
    p_root = p_rb_hash_tree_lookup(p_arg);
    if ( (p_tmp = p_rb_find_ed_pid(p_root, p_arg)) == NULL) {
       // This process is not on the list!
@@ -1117,7 +1140,7 @@ int p_remove_task_pid_f(pid_t p_arg) {
 
    p_rb_del_ed_pid(p_root, p_tmp);
    p_print_log(P_LOG_WATCH, "Removing pid %u", p_arg);
-
+   wmb();
    return P_LKRG_SUCCESS;
 }
 
@@ -1131,7 +1154,15 @@ static unsigned int p_iterate_processes(int (*p_func)(void *), char p_ver) {
    p_tasks_read_lock(&p_flags);
    rcu_read_lock();
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 14, 0)
-   for_each_process_thread(p_ptmp, p_tmp) {
+   //for_each_process_thread(p_ptmp, p_tmp) {
+   for_each_process(p_ptmp) {
+      get_task_struct(p_ptmp);
+      if (!p_ptmp->mm || !p_ptmp->sighand || !p_is_ed_task(p_ptmp)) {
+         p_print_log(P_LOG_ALERT, "This process [ pid: %d ] '%s' group leader is not known for us!", task_pid_nr(p_ptmp), p_ptmp->comm);
+         put_task_struct(p_ptmp);
+         continue;
+      }
+      for_each_thread(p_ptmp, p_tmp) {
 #else
    // tasklist_lock
    do_each_thread(p_ptmp, p_tmp) {
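Review bot: The new `if (!p_ptmp->mm || !p_ptmp->sighand || !p_is_ed_task(p_ptmp))` test on the group leader skips every thread of that group through `continue`, so a process whose leader has no `mm` is never handed to `p_func`, which narrows what the original `for_each_process_thread` loop covered. It also logs at P_LOG_ALERT for every skipped leader, kernel threads included; the per-thread check in the next hunk already filters those silently, so the outer test and its alert can go.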
@@ -1139,24 +1170,32 @@ static unsigned int p_iterate_processes(int (*p_func)(void *), char p_ver) {
 
       get_task_struct(p_tmp);
       /* do not touch kernel threads or the global init */
-      if (!p_is_ed_task(p_tmp)) {
+      if (!p_tmp->mm || !p_tmp->sighand || !p_is_ed_task(p_tmp)) {
          put_task_struct(p_tmp);
          continue;
       }
-
+                   // p_dump_task_f( ) callback for each thread in the process
       if ( (p_ret = p_func(p_tmp)) != 0) {
          p_err++;
          if (likely(p_ver)) {
+            p_print_log(P_LOG_ALERT, "BLOCK: Task: Killing pid %u, name %s | (allock %s) (siglock %s), (fatal is %s)",
+                    task_pid_nr(p_tmp), p_tmp->comm,
+                    spin_is_locked(&p_tmp->alloc_lock) ? "LOCKED" : "UNLOCKED",
+                    spin_is_locked(&p_tmp->sighand->siglock) ? "LOCKED" : "UNLOCKED",
+                   __fatal_signal_pending(p_tmp) ? "PENDING" : "UNPENDING");
             if (spin_is_locked(&p_tmp->sighand->siglock)) {
                p_regs_set_ip(task_pt_regs(p_tmp), -1);
             } else {
-               p_ed_kill_task_by_task(p_tmp);
+               if (!__fatal_signal_pending(p_tmp))
+                  p_ed_kill_task_by_task(p_tmp);
             }
          }
       }
       put_task_struct(p_tmp);
 
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 14, 0)
+      }
+      put_task_struct(p_ptmp);
    }
 #else
    // tasklist_unlock
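Review bot: The added P_LOG_ALERT line says "BLOCK: Task: Killing pid" before the code has decided what to do, so it is also printed when `__fatal_signal_pending(p_tmp)` is true and p_ed_kill_task_by_task is skipped, and on the `p_regs_set_ip` path. Move the message into the branch that actually kills, and treat the `spin_is_locked` fields as debug-only output, since they are a racy snapshot of another task's locks.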
@@ -1178,8 +1217,14 @@ static unsigned int p_iterate_lkrg_tasks_paranoid(void) {
    unsigned long p_flags;
 
    for (i=0; i<RB_HASH_SIZE; i++) {
-      p_tasks_read_lock_raw(&p_rb_hash[i].p_lock.lock);
       rcu_read_lock();
+      //p_tasks_read_lock_raw(&p_rb_hash[i].p_lock.lock);
+      if (!read_trylock(&p_rb_hash[i].p_lock.lock)) {
+         p_print_log(P_LOG_DEBUG, "CANT LOCK SHIT FOR p_rb_hash[i=%d] ! CPU %d", i, smp_processor_id());
+         rcu_read_unlock();
+         --i;
+         continue;
+      }
       for (p_node = rb_first(&p_rb_hash[i].p_tree.tree); p_node; p_node = rb_next(p_node)) {
          p_tmp = rb_entry(p_node, struct p_ed_process, p_rb);
          if ( (p_task = pid_task(find_vpid(p_tmp->p_ed_task.p_pid), PIDTYPE_PID)) != NULL) {
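Review bot: Replacing `p_tasks_read_lock_raw` with `read_trylock` plus `--i; continue;` turns a blocking lock into an unbounded retry of the same bucket, with one P_LOG_DEBUG line per failed attempt and nothing like `cpu_relax()` in between. If the aim is not to block here, skip the bucket or bound the retries, and reword the log text before this is proposed for merging.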
@@ -1188,6 +1233,7 @@ static unsigned int p_iterate_lkrg_tasks_paranoid(void) {
             if (p_is_ed_task(p_task) && p_get_task_state(p_task) != TASK_DEAD) {
                if (p_cmp_tasks(p_tmp, p_task, 0x0)) {
                   p_ret++;
+                 p_print_log(P_LOG_ALERT, "ALARM: Some shit is happennig ATM! CPU %d", smp_processor_id());
                   if (spin_is_locked(&p_task->sighand->siglock)) {
                      p_regs_set_ip(task_pt_regs(p_task), -1);
                   } else {
@@ -1198,17 +1244,18 @@ static unsigned int p_iterate_lkrg_tasks_paranoid(void) {
             put_task_struct(p_task);
          }
       }
-      rcu_read_unlock();
       p_tasks_read_unlock_raw(&p_rb_hash[i].p_lock.lock);
+      rcu_read_unlock();
    }
 
    /* Before leaving, verify current task */
+   migrate_disable();
    p_tasks_read_lock(&p_flags);
    if (p_is_ed_task(current)) {
       p_validate_task_f(current);
    }
    p_tasks_read_unlock(&p_flags);
-
+   migrate_enable();
    return p_ret;
 }
 
@@ -1431,13 +1478,14 @@ int p_validate_task_f(void *p_arg) {
    struct task_struct *p_task = (struct task_struct *)p_arg;
 
    rcu_read_lock();
+   migrate_disable();
    get_task_struct(p_task);
 
    if ( (p_tmp = p_find_ed_by_pid(task_pid_nr(p_task))) == NULL) {
       // This process is not on the list!
       if (p_get_task_state(p_task) != TASK_DEAD) {
          p_ret = P_LKRG_GENERAL_ERROR;
-         p_print_log(P_LOG_WATCH, "Can't find in internal tracking list pid %u, name %s", task_pid_nr(p_task), p_task->comm);
+         p_print_log(P_LOG_WATCH, "Can't find in internal tracking list pid %u, name %s, CPU %d", task_pid_nr(p_task), p_task->comm, smp_processor_id());
       }
       goto p_validate_task_out;
    }
@@ -1450,6 +1498,7 @@ int p_validate_task_f(void *p_arg) {
 p_validate_task_out:
 
    put_task_struct(p_task);
+   migrate_enable();
    rcu_read_unlock();
 
    return p_ret;
@@ -1545,10 +1594,11 @@ void p_ed_validate_current(void) {
 
    if (!P_CTRL(p_pint_validate))
       return;
-
+   migrate_disable();
    if (p_is_ed_task(current)) {
       p_validate_task_f(current);
    }
+   migrate_enable();
 }
 
 void p_ed_enforce_validation(void) {
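Review bot: `migrate_disable()`/`migrate_enable()` in p_ed_validate_current wrap only the `p_is_ed_task(current)` test and the call to p_validate_task_f, and p_validate_task_f takes its own `migrate_disable()` in the earlier hunk of this patch, so the outer pair adds nesting without adding protection. Keep one of the two.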
@@ -1565,11 +1615,13 @@ void p_ed_enforce_validation(void) {
 
       case 2:
       case 1:
+        migrate_disable();
         p_tasks_read_lock(&p_flags);
         if (p_is_ed_task(current)) {
            p_validate_task_f(current);
         }
         p_tasks_read_unlock(&p_flags);
+        migrate_enable();
         break;
 
       case 0:
diff --git a/src/modules/exploit_detection/p_exploit_detection.h b/src/modules/exploit_detection/p_exploit_detection.h
index 1e8895c..9d20852 100644
--- a/src/modules/exploit_detection/p_exploit_detection.h
+++ b/src/modules/exploit_detection/p_exploit_detection.h
@@ -18,6 +18,8 @@
 #ifndef P_EXPLOIT_DETECTION_MAIN_H
 #define P_EXPLOIT_DETECTION_MAIN_H
 
+#include <linux/preempt.h>
+
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(4,17,0) && defined(CONFIG_ARCH_HAS_SYSCALL_WRAPPER)
 
   /*
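Review bot: `#include <linux/preempt.h>` is added unconditionally for `migrate_disable()`, while this header still carries `LINUX_VERSION_CODE` checks for older kernels, and not every kernel version provides `migrate_disable()`. Put the calls behind a small LKRG wrapper with a version check so the module keeps building on the kernels those checks exist for.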
@@ -447,34 +449,47 @@ static inline void p_tasks_write_unlock_noirq(rwlock_t *p_arg) {
 }
 
 static inline void p_tasks_read_lock(unsigned long *p_flags) {
-
+   migrate_disable();
    read_lock(p_rb_hash_lock_lookup(task_pid_nr(current)));
+   //migrate_enable();
 }
 
 static inline int p_tasks_read_trylock(unsigned long *p_flags) {
 
 //   local_irq_save(*p_flags);
-   return read_trylock(p_rb_hash_lock_lookup(task_pid_nr(current))) ? 1 : ({ /* local_irq_restore(*p_flags); */ 0; });
+   int ret;
+   migrate_disable();
+   ret = read_trylock( p_rb_hash_lock_lookup(task_pid_nr(current)) ); // ? 1 : ({ /* local_irq_restore(*p_flags); */ 0; });
+   if (!ret)
+      migrate_enable();
+   return ret;
 }
 
 static inline void p_tasks_read_unlock(unsigned long *p_flags) {
-
+   //migrate_disable();
    read_unlock(p_rb_hash_lock_lookup(task_pid_nr(current)));
+   migrate_enable();
 }
 
 static inline void p_tasks_write_lock(unsigned long *p_flags) {
-
+   migrate_disable();
    write_lock_irqsave(p_rb_hash_lock_lookup(task_pid_nr(current)), *p_flags);
 }
 
 static inline int p_tasks_write_trylock(unsigned long *p_flags) {
 
-   return write_trylock_irqsave(p_rb_hash_lock_lookup(task_pid_nr(current)), *p_flags);
+   int ret;
+   migrate_disable();
+   ret = write_trylock_irqsave(p_rb_hash_lock_lookup(task_pid_nr(current)), *p_flags);
+   if (!ret)
+      migrate_enable();
+   return ret;
 }
 
 static inline void p_tasks_write_unlock(unsigned long *p_flags) {
 
    write_unlock_irqrestore(p_rb_hash_lock_lookup(task_pid_nr(current)), *p_flags);
+   migrate_enable();
 }
 
 static inline void p_tasks_write_lock_by_pid(pid_t p_arg, unsigned long *p_flags) {
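Review bot: In p_tasks_read_lock and p_tasks_write_lock the lock is selected by `task_pid_nr(current)`, which does not depend on the CPU, and a task that holds `read_lock` or `write_lock_irqsave` on a non-RT kernel cannot be migrated until it unlocks, so it is unclear what `migrate_disable()` adds. Please describe the race this is meant to close. The commented-out `//migrate_enable();` and `//migrate_disable();` lines should be removed, and the trylock variants now carry a second exit path that has to stay balanced with the unlock functions.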
diff --git a/src/modules/exploit_detection/p_rb_ed_trees/p_rb_ed_pids/p_rb_ed_pids_tree.c b/src/modules/exploit_detection/p_rb_ed_trees/p_rb_ed_pids/p_rb_ed_pids_tree.c
index 6d0e841..f4af7bd 100644
--- a/src/modules/exploit_detection/p_rb_ed_trees/p_rb_ed_pids/p_rb_ed_pids_tree.c
+++ b/src/modules/exploit_detection/p_rb_ed_trees/p_rb_ed_pids/p_rb_ed_pids_tree.c
@@ -17,7 +17,6 @@
 
 #include "../../../../p_lkrg_main.h"
 
-
 struct kmem_cache *p_ed_pids_cache = NULL;
 struct p_tasks_root p_rb_hash[RB_HASH_SIZE] __attribute__ ((aligned(L1_CACHE_BYTES)));
 
diff --git a/src/modules/exploit_detection/p_rb_ed_trees/p_rb_ed_pids/p_rb_ed_pids_tree.h b/src/modules/exploit_detection/p_rb_ed_trees/p_rb_ed_pids/p_rb_ed_pids_tree.h
index f7b0cec..d2dd8ce 100644
--- a/src/modules/exploit_detection/p_rb_ed_trees/p_rb_ed_pids/p_rb_ed_pids_tree.h
+++ b/src/modules/exploit_detection/p_rb_ed_trees/p_rb_ed_pids/p_rb_ed_pids_tree.h
@@ -82,23 +82,27 @@ void p_delete_rb_ed_pids(void);
 
 
 static inline struct rb_root *p_rb_hash_tree_lookup(pid_t p_pid) {
+   rmb();
    return &p_rb_hash[RB_HASH_FUNC(p_pid)].p_tree.tree;
 }
 
 static inline rwlock_t *p_rb_hash_lock_lookup(pid_t p_pid) {
+   rmb();
    return &p_rb_hash[RB_HASH_FUNC(p_pid)].p_lock.lock;
 }
 
 static inline struct p_ed_process *p_find_ed_by_pid(pid_t p_arg) {
+   rmb();
    return p_rb_find_ed_pid(p_rb_hash_tree_lookup(p_arg), p_arg);
 }
 
 static inline void p_rb_init_ed_pid_node(struct rb_node *rb) {
-
+   rmb();
    rb->__rb_parent_color = 0;
    rb->rb_right = NULL;
    rb->rb_left = NULL;
    RB_CLEAR_NODE(rb);
+   wmb();
 }
 
 #endif
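Review bot: p_rb_hash_tree_lookup and p_rb_hash_lock_lookup only compute the address of a `p_rb_hash[]` slot from the pid, so the `rmb();` added in front of each `return` has no load to order, and p_find_ed_by_pid ends up issuing two of them back to back. In p_rb_init_ed_pid_node the `rmb()` precedes stores only. These look removable; if one of them is what changes behaviour, that is worth isolating on its own.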
diff --git a/src/modules/exploit_detection/syscalls/exec/p_security_bprm_committed_creds/p_security_bprm_committed_creds.c b/src/modules/exploit_detection/syscalls/exec/p_security_bprm_committed_creds/p_security_bprm_committed_creds.c
index a3423eb..dc472d6 100644
--- a/src/modules/exploit_detection/syscalls/exec/p_security_bprm_committed_creds/p_security_bprm_committed_creds.c
+++ b/src/modules/exploit_detection/syscalls/exec/p_security_bprm_committed_creds/p_security_bprm_committed_creds.c
@@ -73,9 +73,10 @@ notrace struct inode *p_get_inode_from_task(struct task_struct *p_arg) {
 
 LKRG_DEBUG_TRACE int p_security_bprm_committed_creds_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs) {
 
+   unsigned long p_flags;
 //   struct inode *p_inode;
    struct p_ed_process *p_tmp;
-   unsigned long p_flags;
+   struct task_struct *curr = current;
 
 /*
    p_inode = p_get_inode_from_task(current);
@@ -86,17 +87,32 @@ LKRG_DEBUG_TRACE int p_security_bprm_committed_creds_ret(struct kretprobe_instan
 */
 
    // Update process
-   p_tasks_write_lock(&p_flags);
-   if ( (p_tmp = p_find_ed_by_pid(task_pid_nr(current))) != NULL) {
+
+    get_task_struct(curr);
+    p_tasks_write_lock(&p_flags);
+    /* do not touch kernel threads or the global init */
+    if (!curr->mm || !curr->sighand || !p_is_ed_task(curr)) {
+       put_task_struct(curr);
+       goto out;
+    }
+
+    p_print_log(P_LOG_DEBUG, "CREEDS: Task: Commited creeds, pid %u, name %s | (allock %s) (siglock %s), (fatal is %s)",
+            task_pid_nr(curr), curr->comm,
+            spin_is_locked(&curr->alloc_lock) ? "LOCKED" : "UNLOCKED",
+            spin_is_locked(&curr->sighand->siglock) ? "LOCKED" : "UNLOCKED",
+           __fatal_signal_pending(curr) ? "PENDING" : "UNPENDING");
+
+   if ( (p_tmp = p_find_ed_by_pid(task_pid_nr(curr))) != NULL) {
       // This process is on the ED list - update information!
-      p_update_ed_process(p_tmp, current, 1);
+      p_update_ed_process(p_tmp, curr, 1);
 #ifdef P_LKRG_TASK_OFF_DEBUG
       p_debug_off_flag_reset(p_tmp, 40);
 #endif
       p_reset_ed_flags(p_tmp);
    }
+out:
    p_tasks_write_unlock(&p_flags);
-
+   put_task_struct(curr);
 //   p_ed_enforce_validation();
 
    return 0;
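Review bot: On the early-exit path `put_task_struct(curr); goto out;` control reaches `out:`, where `put_task_struct(curr)` runs a second time after the unlock, so one `get_task_struct` is balanced by two puts and the task's reference count is dropped once too often. Remove the put in front of `goto out`. The P_LOG_DEBUG text ("CREEDS", "Commited creeds") should also be spelled "creds"/"Committed creds" so it can be grepped alongside the function names.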
diff --git a/src/modules/exploit_detection/syscalls/exec/p_security_bprm_committing_creds/p_security_bprm_committing_creds.c b/src/modules/exploit_detection/syscalls/exec/p_security_bprm_committing_creds/p_security_bprm_committing_creds.c
index 63c9921..3e43c8a 100644
--- a/src/modules/exploit_detection/syscalls/exec/p_security_bprm_committing_creds/p_security_bprm_committing_creds.c
+++ b/src/modules/exploit_detection/syscalls/exec/p_security_bprm_committing_creds/p_security_bprm_committing_creds.c
@@ -38,24 +38,62 @@ static struct kretprobe p_security_bprm_committing_creds_kretprobe = {
     .data_size = sizeof(struct p_security_bprm_committing_creds_data),
 };
 
-
+static DEFINE_SPINLOCK(bprm_lock);
 LKRG_DEBUG_TRACE int p_security_bprm_committing_creds_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {
 
    struct p_ed_process *p_tmp;
    unsigned long p_flags;
+   struct task_struct *curr;
+   bool isnoirq;
+   int preemptcnt;
+
+   migrate_disable();
+   isnoirq = irqs_disabled();
+   preemptcnt = preempt_count();
+   curr = current;
 
    p_ed_enforce_validation();
 
-   p_tasks_write_lock(&p_flags);
-   if ( (p_tmp = p_find_ed_by_pid(task_pid_nr(current))) != NULL) {
-      p_verify_addr_limit(p_tmp, current);
+   p_print_log(P_LOG_DEBUG, "p_security_bprm_committing_creds_entry(), %s, preempt %d, CPU %d", isnoirq ? "NONINTERR" : "INTER", preemptcnt, smp_processor_id());
+
+   if (!isnoirq && !preemptcnt)
+      preempt_disable();
+
+   get_task_struct(curr);
+
+   //XXX p_tasks_write_lock(&p_flags);
+    //write_lock_irqsave(
+   write_lock(p_rb_hash_lock_lookup(task_pid_nr(curr)));
+
+   /* do not touch kernel threads or the global init */
+   if (!curr->mm || !curr->sighand || !p_is_ed_task(curr)) {
+      put_task_struct(curr);
+      goto out;
+   }
+   p_print_log(P_LOG_DEBUG, "CREEDS: Task: Commiting creeds, pid %u, name %s | (allock %s) (siglock %s), (fatal is %s)",
+           task_pid_nr(curr), curr->comm,
+           spin_is_locked(&curr->alloc_lock) ? "LOCKED" : "UNLOCKED",
+           spin_is_locked(&curr->sighand->siglock) ? "LOCKED" : "UNLOCKED",
+          __fatal_signal_pending(curr) ? "PENDING" : "UNPENDING");
+
+   //p_tasks_write_lock(&p_flags);
+
+   if ( (p_tmp = p_find_ed_by_pid(task_pid_nr(curr))) != NULL) {
+      p_verify_addr_limit(p_tmp, curr);
 #ifdef P_LKRG_TASK_OFF_DEBUG
       p_debug_off_flag_off(p_tmp, 39);
 #endif
       // This process is on the ED list - set temporary 'disable' flag!
       p_set_ed_process_off(p_tmp);
    }
-   p_tasks_write_unlock(&p_flags);
+
+out:
+   //p_tasks_write_unlock(&p_flags);
+   write_unlock(p_rb_hash_lock_lookup(task_pid_nr(curr)));
+   put_task_struct(curr);
+   if (!isnoirq && !preemptcnt)
+      preempt_enable_nested();
+   migrate_enable();
 
    return 0;
 }
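Review bot: Same imbalance as in the committed_creds handler: the `!curr->mm || ...` branch calls `put_task_struct(curr)` and then jumps to `out:`, which calls `put_task_struct(curr)` again. In addition, `p_tasks_write_lock(&p_flags)` is replaced by a plain `write_lock`, which no longer saves and disables interrupts the way the `write_lock_irqsave` wrapper does and leaves `p_flags` unused; `preempt_disable()` is paired with `preempt_enable_nested()`; and `bprm_lock` is defined but not taken anywhere in the visible lines. Each of these needs a justification or a revert before the effect of `migrate_disable()` can be judged on its own.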
diff --git a/src/modules/exploit_detection/syscalls/pCFI/p___queue_work/p___queue_work.c b/src/modules/exploit_detection/syscalls/pCFI/p___queue_work/p___queue_work.c
index eaee2ae..f77e2f6 100644
--- a/src/modules/exploit_detection/syscalls/pCFI/p___queue_work/p___queue_work.c
+++ b/src/modules/exploit_detection/syscalls/pCFI/p___queue_work/p___queue_work.c
@@ -47,7 +47,7 @@ int p_pcfi___queue_work_entry(struct kretprobe_instance *p_ri, struct pt_regs *p
    unsigned long p_flags;
 
    p_ed_pcfi_cpu(0);
-
+   migrate_disable();
    if (p_is_ed_task(current)) {
       /* Do not take ED lock */
       if (p_tasks_read_trylock(&p_flags)) {
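Review bot: migrate_disable() is placed after p_ed_pcfi_cpu(0), so that call still runs before the task is pinned. If the pin is meant to cover the per-CPU check as well, move migrate_disable() above p_ed_pcfi_cpu(0); if not, a short comment stating what the pinned region protects would help, since the same pattern is repeated in the other probe handlers in this patch.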
@@ -55,7 +55,7 @@ int p_pcfi___queue_work_entry(struct kretprobe_instance *p_ri, struct pt_regs *p
          p_tasks_read_unlock(&p_flags);
       }
    }
-
+   migrate_enable();
    return 0;
 }
 
diff --git a/src/modules/exploit_detection/syscalls/p_call_usermodehelper/p_call_usermodehelper.c b/src/modules/exploit_detection/syscalls/p_call_usermodehelper/p_call_usermodehelper.c
index 8c8466f..3ad25aa 100644
--- a/src/modules/exploit_detection/syscalls/p_call_usermodehelper/p_call_usermodehelper.c
+++ b/src/modules/exploit_detection/syscalls/p_call_usermodehelper/p_call_usermodehelper.c
@@ -75,7 +75,16 @@ int p_call_usermodehelper_entry(struct kretprobe_instance *p_ri, struct pt_regs
    struct subprocess_info *p_subproc = (struct subprocess_info *)p_regs_get_arg1(p_regs);
    unsigned char p_umh_allowed = 0;
    unsigned long p_flags;
-   size_t i;
+   size_t i = 0;
+   char cmdline[0x200] = {0};
+
+   if (p_subproc && p_subproc->argv) {
+      for (char **a = p_subproc->argv; *a; a++)
+         i += snprintf(cmdline + i, sizeof(cmdline) - i - 1, "%s ", *a);
+   }
+
+   migrate_disable();
+   p_print_log(P_LOG_ALERT, "[NOTICE] UMH: Attempt to execute program name '%s' from kernel space! Cmdline [ %s ]", p_subproc->path, cmdline);
 
    p_ed_enforce_validation();
 
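Review bot: the cmdline loop can write past the end of the 0x200-byte stack buffer. snprintf() returns the length it would have written, so after a long argv `i` can exceed sizeof(cmdline); `sizeof(cmdline) - i - 1` then wraps as size_t and `cmdline + i` points outside the array. Use scnprintf() and stop the loop once the buffer is full. The p_print_log() call also dereferences p_subproc->path without the NULL check that the loop applies to p_subproc, and it logs every usermodehelper call at P_LOG_ALERT although the message is tagged as a notice.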
@@ -142,6 +151,7 @@ p_call_usermodehelper_entry_not_allowed:
 
 p_call_usermodehelper_entry_out:
 
+   migrate_enable();
    return 0;
 }
 
diff --git a/src/modules/exploit_detection/syscalls/p_call_usermodehelper_exec/p_call_usermodehelper_exec.c b/src/modules/exploit_detection/syscalls/p_call_usermodehelper_exec/p_call_usermodehelper_exec.c
index b0ef63f..311ac59 100644
--- a/src/modules/exploit_detection/syscalls/p_call_usermodehelper_exec/p_call_usermodehelper_exec.c
+++ b/src/modules/exploit_detection/syscalls/p_call_usermodehelper_exec/p_call_usermodehelper_exec.c
@@ -37,6 +37,7 @@ int p_call_usermodehelper_exec_entry(struct kretprobe_instance *p_ri, struct pt_
    unsigned long p_flags;
 
    p_ed_pcfi_cpu(1);
+   migrate_disable();
 
    if (p_is_ed_task(current)) {
       p_tasks_read_lock(&p_flags);
@@ -47,6 +48,7 @@ int p_call_usermodehelper_exec_entry(struct kretprobe_instance *p_ri, struct pt_
       p_tasks_read_unlock(&p_flags);
    }
 
+   migrate_enable();
    return 0;
 }
 
diff --git a/src/modules/exploit_detection/syscalls/p_do_exit/p_do_exit.c b/src/modules/exploit_detection/syscalls/p_do_exit/p_do_exit.c
index ac67f5d..7e48f35 100644
--- a/src/modules/exploit_detection/syscalls/p_do_exit/p_do_exit.c
+++ b/src/modules/exploit_detection/syscalls/p_do_exit/p_do_exit.c
@@ -36,6 +36,7 @@ int p_do_exit_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {
 
    unsigned long p_flags;
 
+   migrate_disable();
    p_debug_kprobe_log(
           "p_do_exit_entry: comm[%s] Pid:%d",current->comm,current->pid);
 
@@ -43,9 +44,10 @@ int p_do_exit_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {
 
    p_tasks_write_lock(&p_flags);
    if (p_remove_task_pid_f(task_pid_nr(current))) {
-      ;// DEBUG: p_debug_log(P_LOG_DEBUG, "Can't remove pid %u, name %s", task_pid_nr(current), current->comm);
+      p_debug_log(P_LOG_DEBUG, "Can't remove pid %u, name %s", task_pid_nr(current), current->comm);
    }
    p_tasks_write_unlock(&p_flags);
+   migrate_enable();
 
    /* A dump_stack() here will give a stack backtrace */
    return 0;
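Review bot: the re-enabled p_debug_log() call sits between p_tasks_write_lock() and p_tasks_write_unlock(), so the message is formatted and printed with the write lock held whenever p_remove_task_pid_f() returns non-zero. Save the return value inside the locked region and log after the unlock.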
diff --git a/src/modules/integrity_timer/p_integrity_timer.c b/src/modules/integrity_timer/p_integrity_timer.c
index 344c38e..6ab913c 100644
--- a/src/modules/integrity_timer/p_integrity_timer.c
+++ b/src/modules/integrity_timer/p_integrity_timer.c
@@ -115,6 +115,8 @@ void p_check_integrity(struct work_struct *p_work) {
    /* Module syncing temporary pointer */
    struct module *p_tmp_mod;
    unsigned int p_tmp = 0;
+   bool isnoirq;
+   int preemptcnt;
    int p_ret;
 
    if (unlikely(!P_CTRL(p_kint_validate)) ||
@@ -167,7 +169,7 @@ void p_check_integrity(struct work_struct *p_work) {
    /*
     * Checking all online CPUs critical data
     */
-   p_read_cpu_lock();
+   //XXX p_read_cpu_lock();
 
 //   for_each_present_cpu(p_tmp) {
    //for_each_online_cpu(p_tmp) {
@@ -198,6 +200,40 @@ void p_check_integrity(struct work_struct *p_work) {
    * on_each_cpu() might mitigate this problem a bit because has extra
    * self-balancing code for performance reasons.
    */
+
+#if 0
+/*
+ * Call a function on all processors
+ */
+static inline void on_each_cpu(smp_call_func_t func, void *info, int wait)
+{
+       on_each_cpu_cond_mask(NULL, func, info, wait, cpu_online_mask);
+}
+ * on_each_cpu_mask(): Run a function on processors specified by
+ * cpumask, which may include the local processor.
+ * @mask: The set of cpus to run on (only runs on online subset).
+ * @func: The function to run. This must be fast and non-blocking.
+ * @info: An arbitrary pointer to pass to the function.
+ * @wait: If true, wait (atomically) until function has completed
+ *        on other CPUs.
+ *
+ * If @wait is true, then returns once @func has returned.
+ *
+ * You must not call this function with disabled interrupts or from a
+ * hardware interrupt handler or from a bottom half handler.  The
+ * exception is that it may be used during early boot while
+ * early_boot_irqs_disabled is set.
+#endif
+   wake_up_all_idle_cpus();
+   rcu_read_lock();
+   migrate_disable();
+   p_read_cpu_lock();
+   isnoirq = irqs_disabled();
+   preemptcnt = preempt_count();
+   p_print_log(P_LOG_DEBUG, "p_check_integrity(), %s, preempt %d, CPU %d", isnoirq ? "NOIRQ" : "ISIRQ", preemptcnt, smp_processor_id());
+   WARN_ON_ONCE(isnoirq);
+   //WARN_ON_ONCE(!preemptcnt);
+   kick_all_cpus_sync();
    on_each_cpu(p_dump_CPU_metadata,p_tmp_cpus,true);
 
 
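Review bot: WARN_ON_ONCE(isnoirq) only reports the condition, and execution still reaches kick_all_cpus_sync() and on_each_cpu(p_dump_CPU_metadata, p_tmp_cpus, true), which the on_each_cpu_mask() text pasted under `#if 0` says must not be called with interrupts disabled. Bail out or defer the check when irqs_disabled() is true. The kernel source and comment fragment pasted under `#if 0` in the middle of the function body should be removed or reduced to a one-line reference, and the wake_up_all_idle_cpus() and kick_all_cpus_sync() calls on every integrity pass need a comment explaining why they are required.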
@@ -209,14 +245,18 @@ void p_check_integrity(struct work_struct *p_work) {
    /* Now we are safe to disable IRQs on current core */
 
    p_tmp_hash = hash_from_CPU_data(p_tmp_cpus);
+   migrate_enable();
+   rcu_read_unlock();
    p_read_cpu_unlock();
 
+
    /* Verify kprobes now */
    if (lkrg_verify_kprobes()) {
       /* I'm hacked! ;( */
       p_hack_check++;
    }
 
+   migrate_disable();
    p_text_section_lock();
 
    /*
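Review bot: the release order here does not mirror the acquire order. The previous hunk takes rcu_read_lock(), migrate_disable(), p_read_cpu_lock(), while this hunk runs migrate_enable() and rcu_read_unlock() before p_read_cpu_unlock(). Release in reverse order: p_read_cpu_unlock(), migrate_enable(), rcu_read_unlock(). The migrate_disable() added before p_text_section_lock() is balanced only at p_check_integrity_cancel in a later hunk, so confirm that every exit after this point passes through that label.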
@@ -985,6 +1025,8 @@ void p_check_integrity(struct work_struct *p_work) {
 p_check_integrity_cancel:
 
    p_text_section_unlock();
+   migrate_enable();
+
    if (p_tmp_cpus) {
       p_kzfree(p_tmp_cpus);
       p_tmp_cpus = NULL;
@@ -992,6 +1034,7 @@ p_check_integrity_cancel:
 
 p_check_integrity_tasks:
 
+   p_print_log(P_LOG_DEBUG, "INFO: p_check_integrity() going to call p_ed_enforce_validation_paranoid(), CPU %d", smp_processor_id());
    if (!p_ed_enforce_validation_paranoid()) {
       if (P_CTRL(p_heartbeat) && P_CTRL(p_pint_validate) &&
           (!P_CTRL(p_kint_validate) || (!p_manual && P_CTRL(p_kint_validate) == 1))) {
diff --git a/src/modules/kmod/p_kmod_notifier.c b/src/modules/kmod/p_kmod_notifier.c
index 586d6c7..897e022 100644
--- a/src/modules/kmod/p_kmod_notifier.c
+++ b/src/modules/kmod/p_kmod_notifier.c
@@ -65,7 +65,7 @@ static void p_module_notifier_wrapper(unsigned long p_event, struct module *p_km
 static int p_module_event_notifier(struct notifier_block *p_this, unsigned long p_event, void *p_kmod) {
 
    struct module *p_tmp = p_kmod;
-
+   unsigned long flags = 0;
    static const char * const p_mod_strings[] = {
                              "New module is LIVE",
                              "New module is COMING",
@@ -73,7 +73,7 @@ static int p_module_event_notifier(struct notifier_block *p_this, unsigned long
                              "New module is UNFORMED yet" };
 
 // STRONG_DEBUG
-   p_debug_log(P_LOG_FLOOD,
+   p_debug_log(P_LOG_DEBUG,
                "[%ld | %s | %s] Entering function <p_module_event_notifier> m[0x%lx] hd[0x%lx] s[0x%lx] n[0x%lx]",
                p_event,
                p_mod_strings[p_event],
@@ -82,11 +82,6 @@ static int p_module_event_notifier(struct notifier_block *p_this, unsigned long
                (unsigned long)p_tmp->holders_dir,
                (unsigned long)p_tmp->sect_attrs,
                (unsigned long)p_tmp->notes_attrs);
-
-   /* Inform validation routine about active module activities... */
-   mutex_lock(&p_module_activity);
-   p_module_activity_ptr = p_tmp;
-
 // DEBUG
    p_debug_log(P_LOG_DEBUG,
           "<p_module_event_notifier> !! Module activity detected [<%s>] %lu: 0x%lx",
@@ -94,12 +89,42 @@ static int p_module_event_notifier(struct notifier_block *p_this, unsigned long
           p_event,
           (unsigned long)p_kmod);
 
+   /* Inform validation routine about active module activities... */
+#if 0
+ * mutex_trylock() must not be used in interrupt context. The
+ * mutex must be released by the same task that acquired it.
+#endif
+
+   do {
+
+      local_irq_save(flags);
+      //rcu_read_lock();
+      migrate_disable();
+
+      if (mutex_trylock(&p_module_activity))
+         break;
+
+      local_irq_restore(flags);
+
+      p_debug_log(P_LOG_DEBUG, "p_module_event_notifier(), !mutex_trylock(&p_module_activity), scheduleing....\n");
+
+      local_irq_restore(flags);
+      migrate_enable();
+      //rcu_read_unlock();
+      schedule();
+
+   } while(1);
+
+   local_irq_restore(flags);
+
+   p_module_activity_ptr = p_tmp;
+
    /*
     * If module going away, we need to rebuild our database anyway
     * It does not depends on the 'blocking' flag
     */
 //   if (p_tmp->state == MODULE_STATE_GOING) { <- Linux kernel bug - might not update state value :(
-   if (p_event == MODULE_STATE_GOING) {
+   if (p_event == MODULE_STATE_GOING || p_tmp->state == MODULE_STATE_GOING) {
 
       p_read_cpu_lock();
       on_each_cpu(p_dump_CPU_metadata,p_db.p_CPU_metadata_array,true);
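Review bot: the retry loop restores interrupts twice on the failure path (local_irq_restore(flags) before the p_debug_log() call and again after it) and calls mutex_trylock() with interrupts disabled by local_irq_save(). Spinning on mutex_trylock() with a bare schedule() replaces the sleeping mutex_lock(&p_module_activity) that the previous hunk removes; if the notifier runs in process context, keep mutex_lock() and wrap it with migrate_disable() only, without the IRQ save. The two comment lines pasted under `#if 0` belong in a regular comment.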
@@ -164,14 +189,14 @@ static int p_module_event_notifier(struct notifier_block *p_this, unsigned long
 
    if (P_CTRL(p_block_modules) && p_tmp != P_SYM(p_find_me)) {
 //      if (p_tmp->state == MODULE_STATE_COMING) { <- Linux kernel bug - might not update state value :(
-      if (p_event == MODULE_STATE_COMING) {
+      if (p_event == MODULE_STATE_COMING || p_tmp->state == MODULE_STATE_COMING) {
          /* We are not going to modify DB */
          p_module_notifier_wrapper(p_event,p_tmp);
          goto p_module_event_notifier_activity_out;
       }
    } else {
 //      if (p_tmp->state == MODULE_STATE_LIVE) { <- Linux kernel bug - might not update state value :(
-      if (p_event == MODULE_STATE_LIVE) {
+      if (p_event == MODULE_STATE_LIVE || p_tmp->state == MODULE_STATE_LIVE) {
 
          p_read_cpu_lock();
          on_each_cpu(p_dump_CPU_metadata,p_db.p_CPU_metadata_array,true);
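Review bot: ORing in p_tmp->state brings back the test that the retained comments mark as unreliable ("Linux kernel bug - might not update state value"). With `p_event == MODULE_STATE_COMING || p_tmp->state == MODULE_STATE_COMING`, a stale state value can send a notification for a different event down the COMING branch, and the same applies to the LIVE branch. Either keep the p_event-only test or explain why the state field can now be trusted and update the comments accordingly.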
@@ -243,6 +268,8 @@ p_module_event_notifier_activity_out:
 
    /* Inform validation routine about active module activities... */
    mutex_unlock(&p_module_activity);
+   //rcu_read_unlock();
+   migrate_enable();
 
    return NOTIFY_DONE;
 }
diff --git a/src/modules/print_log/p_lkrg_print_log.h b/src/modules/print_log/p_lkrg_print_log.h
index 3a41c3d..4b2d664 100644
--- a/src/modules/print_log/p_lkrg_print_log.h
+++ b/src/modules/print_log/p_lkrg_print_log.h
@@ -87,6 +87,7 @@
 
 // Signature in logs...
 #define P_LKRG_SIGNATURE "LKRG: "
+// [CPU: %d preempt %d IRQ %d]: "
 
 #define P_LOG_MIN   0
 #define P_LOG_ALERT 0
@@ -102,6 +103,7 @@
 #define P_LOG_DYING (0x20 | P_LOG_ALIVE)
 #define P_LOG_FATAL (0x30 | P_LOG_FAULT)
 
+#if 0
 #define p_print_log(p_level, p_fmt, p_args...)                                             \
 ({                                                                                         \
    int p_print_ret = 0;                                                                    \
@@ -140,7 +142,54 @@
    }                                                                                       \
                                                                                            \
    p_print_ret;                                                                            \
+
 })
+#else
+
+#define CPUFMT "[CPU: %.2d preempt %d IRQ %d Migration %d PID %.8d %-16s ] "
+#define CPUARG smp_processor_id(), preempt_count(), !irqs_disabled(), !current->migration_disabled, task_pid_nr(current), current->comm
+                                                                                             
+#define p_print_log(p_level, p_fmt, p_args...)                                                     \
+({                                                                                                 \
+   int p_print_ret = 0;                                                                            \
+                                                                                                   \
+   if (p_level == P_LOG_ALERT)                                                                     \
+      p_print_ret = printk(KERN_CRIT    P_LKRG_SIGNATURE "ALERT: " CPUFMT p_fmt "\n", CPUARG, ## p_args); \
+   else if (P_CTRL(p_log_level) >= (p_level & 7))                                                  \
+   switch (p_level) {                                                                              \
+   case P_LOG_ALIVE:                                                                               \
+      p_print_ret = printk(KERN_NOTICE  P_LKRG_SIGNATURE "ALIVE: " CPUFMT p_fmt "\n", CPUARG, ## p_args); \
+      break;                                                                                       \
+   case P_LOG_STATE:                                                                               \
+      p_print_ret = printk(KERN_NOTICE  P_LKRG_SIGNATURE "STATE: " CPUFMT p_fmt "\n", CPUARG, ## p_args); \
+      break;                                                                                       \
+   case P_LOG_DYING:                                                                               \
+      p_print_ret = printk(KERN_NOTICE  P_LKRG_SIGNATURE "DYING: " CPUFMT p_fmt "\n", CPUARG, ## p_args); \
+      break;                                                                                       \
+   case P_LOG_FAULT:                                                                               \
+      p_print_ret = printk(KERN_ERR     P_LKRG_SIGNATURE "FAULT: " CPUFMT p_fmt "\n", CPUARG, ## p_args); \
+      break;                                                                                       \
+   case P_LOG_FATAL:                                                                               \
+      p_print_ret = printk(KERN_ERR     P_LKRG_SIGNATURE "FATAL: " CPUFMT p_fmt "\n", CPUARG, ## p_args); \
+      break;                                                                                       \
+   case P_LOG_ISSUE:                                                                               \
+      p_print_ret = printk(KERN_WARNING P_LKRG_SIGNATURE "ISSUE: " CPUFMT p_fmt "\n", CPUARG, ## p_args); \
+      break;                                                                                       \
+   case P_LOG_WATCH:                                                                               \
+      p_print_ret = printk(KERN_INFO    P_LKRG_SIGNATURE "WATCH: " CPUFMT p_fmt "\n", CPUARG, ## p_args); \
+      break;                                                                                       \
+   case P_LOG_DEBUG:                                                                               \
+      p_print_ret = printk(KERN_DEBUG   P_LKRG_SIGNATURE "DEBUG: " CPUFMT p_fmt "\n", CPUARG, ## p_args); \
+      break;                                                                                       \
+   case P_LOG_FLOOD:                                                                               \
+      p_print_ret = printk(KERN_DEBUG   P_LKRG_SIGNATURE "FLOOD: " CPUFMT p_fmt "\n", CPUARG, ## p_args); \
+      break;                                                                                       \
+   }                                                                                               \
+                                                                                                   \
+   p_print_ret;                                                                                    \
+})                                                                                           
+
+#endif
 
 #define p_panic(p_fmt, p_args...) \
 ({ \
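Review bot: CPUARG calls smp_processor_id() from every p_print_log() site, including callers that are preemptible and not pinned, where the reported CPU can be stale by the time it is printed; raw_smp_processor_id() is the usual choice for a diagnostic value. CPUARG also reads current->migration_disabled directly, which ties this header to kernels and configurations that have that field. The "IRQ %d" and "Migration %d" columns print negated values (!irqs_disabled(), !current->migration_disabled), so the format string should say they mean "enabled". Since this replaces the production macro at every log level, select it with a debug build option instead of `#if 0` / `#else`.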
diff --git a/src/p_lkrg_main.c b/src/p_lkrg_main.c
index 9ed9d37..598d555 100644
--- a/src/p_lkrg_main.c
+++ b/src/p_lkrg_main.c
@@ -19,7 +19,7 @@
 
 unsigned int log_level = 3;
 unsigned int heartbeat = 0;
-unsigned int block_modules = 0;
+unsigned int block_modules = 1;
 unsigned int interval = 15;
 unsigned int kint_validate = 3;
 unsigned int kint_enforce = 2;
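Review bot: changing the block_modules default from 0 to 1 alters behaviour for every user of the module and is unrelated to the migration and locking changes in the rest of the patch. Keep the default and set block_modules=1 at load time while testing. The same applies to the umh_validate change from 1 to 2 in the next hunk and to the matching p_ro initialisers.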
@@ -28,7 +28,7 @@ unsigned int pint_validate = 1;
 unsigned int pint_enforce = 1;
 unsigned int pcfi_validate = 2;
 unsigned int pcfi_enforce = 1;
-unsigned int umh_validate = 1;
+unsigned int umh_validate = 2;
 unsigned int umh_enforce = 1;
 #if defined(CONFIG_X86)
 unsigned int smep_validate = 1;
@@ -61,7 +61,7 @@ p_ro_page p_ro __p_lkrg_read_only = {
       .p_interval = 15,                   // interval
       .p_log_level = 3,                   // log_level
       .p_trigger = 0,                     // trigger
-      .p_block_modules = 0,               // block_modules
+      .p_block_modules = 1,               // block_modules
       .p_hide_lkrg = 0,                   // hide_lkrg
       .p_heartbeat = 0,                   // heartbeat
 #if defined(CONFIG_X86)
@@ -70,7 +70,7 @@ p_ro_page p_ro __p_lkrg_read_only = {
       .p_smap_validate = 1,               // smap_validate
       .p_smap_enforce = 2,                // smap_enforce
 #endif
-      .p_umh_validate = 1,                // umh_validate
+      .p_umh_validate = 2,                // umh_validate
       .p_umh_enforce = 1,                 // umh_enforce
       .p_msr_validate = 0,                // msr_validate
       .p_pcfi_validate = 2,               // pcfi_validate
diff --git a/src/p_lkrg_main.h b/src/p_lkrg_main.h
index 89eecb5..9e3bb9a 100644
--- a/src/p_lkrg_main.h
+++ b/src/p_lkrg_main.h
@@ -20,6 +20,8 @@
 
 #define P_LKRG_UNHIDE
 #define P_BOOT_DISABLE_LKRG "nolkrg"
+#define P_LKRG_DEBUG_BUILD 1
+#define P_LKRG_TASK_OFF_DEBUG 1
 
 #include <linux/kernel.h>
 #include <linux/init.h>
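Review bot: P_LKRG_DEBUG_BUILD and P_LKRG_TASK_OFF_DEBUG are defined unconditionally in the shared header, which turns the debug paths on for every build, including the `#ifdef P_LKRG_TASK_OFF_DEBUG` block that calls p_debug_off_flag_off() earlier in this patch. Pass these defines from the build system for debug builds instead of committing them.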
