[ale] i really need some help
Joe Steele
joe at madewell.com
Mon Oct 11 12:19:37 EDT 1999
It's possible that this error has nothing to do with "load_elf_interp".
The General Protection error occurred during execution of the kernel's
"ip_options_compile" routine. From what I have observed, the "Call Trace"
is printed by interpreting data on the stack as though it all consists of
pointers and/or return addresses within memory. Any pointers which happen
to fall within the kernel's code are looked up to find the name of the
routine which contains that address. Unfortunately, the translation still
occurs even if the stack data is "random" data rather than valid addresses.

I would agree with Chris Ricker [kaboom at gatech.edu] regarding debugging the
errors. You might also need to consider whether you have a hardware
problem (such as bad memory), since you say that it has been running fine
until recently, and since the errors are not always manifested in the same
way.

Chris Ricker is also correct about SYN flooding. The kernel can't really
tell if it's under attack. All it knows is that it's getting more incoming
connection requests than it can handle. This might imply SYN flooding, or
it might just be a sudden burst of connection requests. The kernel goes on
the defensive and starts using SYN cookies to validate the requests. It
also prints messages in the log every minute until the requests subside.
If there are a lot of pending connection requests, they would turn up in
netstat with a TCP state of "SYN_RECV". Another thing you can watch is
/proc/net/sockstat which tells you the number of SYN cookies the kernel has
sent.

-Joe

-----Original Message-----
From: jj at spiderentertainment.com [SMTP:jj at spiderentertainment.com]
Sent: Sunday, October 10, 1999 1:07 PM
To: ale at ale.org
Subject: [ale] i really need some help
I really need some help with this. If you have read my previous
messages ("Kernel message") you know where I am at.
If not, this is what is happening:
The server has been running fine for a long time; only recently I have
been getting some really strange kernel messages.
The message below is quite different from the previous one; this one has
to do with load_elf_interp?
What is it that it is trying to do?
My logs are spammed with this message. Before it was about SYN_FLOOD, now
about elf?
Is this server under some sort of attack?
Since this is a production server which pumps out about 4MB per sec, and
we are building a spare server, but this will take a while
to get all the parts.
Oct 10 10:56:17 spiderone kernel: general protection: 0000
Oct 10 10:56:17 spiderone kernel: CPU: 0
Oct 10 10:56:17 spiderone kernel: EIP: 0010:[ip_options_compile+150/1428]
Oct 10 10:56:17 spiderone kernel: EFLAGS: 00010202
Oct 10 10:56:17 spiderone kernel: eax: 64736f2f ebx: 037e6018 ecx: 00000000 edx: 00000000
Oct 10 10:56:17 spiderone kernel: esi: 00000000 edi: 00000100 ebp: 00000000 esp: 1c908e78
Oct 10 10:56:17 spiderone kernel: ds: 0018 es: 0018 fs: 002b gs: 002b ss: 0018
Oct 10 10:56:17 spiderone kernel: Process netstat (pid: 29148, process nr: 675, stackpage=1c908000)
Oct 10 10:56:17 spiderone kernel: Stack: 1e409000 0019de04 1e84a220 00000400 ffffffff 00000000 1c908eb0 00041100
Oct 10 10:56:17 spiderone kernel: 00000820 00130050 1d500434 659a92d1 c51f9c3e 00000000 39373032 3536203a
Oct 10 10:56:17 spiderone kernel: 32394139 303a3144 20303530 46313543 45334339 3334303a 37302037 30303020
Oct 10 10:56:17 spiderone kernel: Call Trace: [load_elf_interp+96/716] [ip_build_xmit+371/3536] [ip_options_compile+533/1428] [fat_ll_rw_block+41/100] [block_write+1324/1372] [get_cpuinfo+173/752] [write_ldt+99/740]
Oct 10 10:56:17 spiderone kernel: Code: 8b 40 04 89 44 24 14 8b 54 24 14 52 31 c0 85 f6 74 06 8b 83
Oct 10 10:56:17 spiderone kernel: Aiee, killing interrupt handler
The system info is this
RH5.2 with 2.0.36
PII Dual Xeon with SMP NOT enabled yet.
512 MB ram
MegaRaid, Hardware raid 5
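
Added example (not part of the original messages and not the kernel's own code): a simplified Python model of the Call Trace behaviour described in the reply, where every stack word that falls inside the kernel's code range is resolved to a routine name, whether or not it is a real return address. The symbol addresses, TEXT_END and the stack words are constructed for illustration; only the routine names are borrowed from the log above.

```python
from bisect import bisect_right

# Constructed symbol table (start address, name), sorted by address.
# These are NOT real addresses from any kernel build; a real lookup
# would use the System.map that matches the running kernel.
SYMBOLS = [
    (0x00110000, "write_ldt"),
    (0x00110400, "get_cpuinfo"),
    (0x00110800, "block_write"),
    (0x00111000, "load_elf_interp"),
    (0x00111400, "ip_options_compile"),
]
TEXT_END = 0x00111C00  # constructed end of kernel code
ADDRS = [addr for addr, _ in SYMBOLS]


def resolve(word):
    """Return 'name+offset/size' if word lies inside kernel code, else None."""
    if not (ADDRS[0] <= word < TEXT_END):
        return None
    i = bisect_right(ADDRS, word) - 1          # last symbol starting <= word
    start, name = SYMBOLS[i]
    end = ADDRS[i + 1] if i + 1 < len(ADDRS) else TEXT_END
    return f"{name}+{word - start}/{end - start}"


def call_trace(stack_words):
    """Naive trace: report every stack word that lands in the code range."""
    return [r for r in map(resolve, stack_words) if r is not None]


# Constructed stack contents: one genuine return address among data words.
STACK = [
    0x1E409000,  # data pointer, outside code range: skipped
    0x00111496,  # genuine return address
    0x00000400,  # small integer, below code start: skipped
    0x00110850,  # plain data that happens to fall in the code range
    0x39373032,  # ASCII text bytes: skipped
    0x00111060,  # stale value left over from an earlier, unrelated call
]

if __name__ == "__main__":
    # Three entries are printed, but only the first reflects a real caller.
    print("Call Trace:", " ".join(f"[{e}]" for e in call_trace(STACK)))
```

The output format cannot distinguish the genuine entry from the two produced by leftover data, which is why a single odd routine name in a trace is weak evidence on its own.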