Turning off periodic write back makes exploit stable but crashes kernel in reboot #35

Open
arashkgpt opened this issue Nov 6, 2016 · 3 comments

Comments

@arashkgpt

Hi,
My kernel version in a VM is 3.13.0-83-generic x86_64 (Ubuntu 14.04.3 server). I have used the lib-c based root exploit. The others crash sometimes. But the lib-c based root exploit works fine with executing `echo 0 > /proc/sys/vm/dirty_writeback_centisecs` after the exploit is done. Everything is fine until I reboot the server, and then it crashes :(
Any help?

@unixfox

unixfox commented Nov 6, 2016

I don't have this problem.

@Vestein

Vestein commented Nov 6, 2016

I tried cowroot on Linux 3.18.0-kali3-586 i686 and it worked, but it is unstable until I execute:
echo 0 > /proc/sys/vm/dirty_writeback_centisecs
Reboot worked fine.

@arashkgpt
Author

arashkgpt commented Nov 7, 2016

Thanks for answering. I checked it again with different exploits (those which are stable). It still crashes on reboot. Here are the crash dumps from kdump:

[ 388.077362] kernel BUG at /build/linux-03BQvT/linux-3.13.0/fs/ext4/inode.c:2420!
[ 388.077497] invalid opcode: 0000 [#1] SMP
[ 388.077601] Modules linked in: crct10dif_pclmul crc32_pclmul vmw_balloon aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd serio_raw vmw_vmci lp parport psmouse ahci e1000 libahci floppy mptspi mptscsih mptbase
[ 388.078190] CPU: 1 PID: 453 Comm: kworker/u256:28 Not tainted 3.13.0-83-generic #127-Ubuntu
[ 388.078426] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/20/2014
[ 388.078627] Workqueue: writeback bdi_writeback_workfn (flush-8:0)
[ 388.078755] task: ffff880135e69800 ti: ffff880135e70000 task.ti: ffff880135e70000
[ 388.078878] RIP: 0010:[] [] mpage_prepare_extent_to_map+0x2b8/0x2c0
[ 388.079027] RSP: 0018:ffff880135e719d8 EFLAGS: 00010246
[ 388.079102] RAX: 01ffff000002007d RBX: ffff880135e71a18 RCX: 0000000000000000
[ 388.079187] RDX: ffff880135e71a18 RSI: 0000000000000000 RDI: ffff8801377824a0
[ 388.079272] RBP: ffff880135e71aa8 R08: 0000000000000000 R09: 0000000000000000
[ 388.079357] R10: 0000000000000100 R11: 0000000000000210 R12: 0000000000003400
[ 388.079441] R13: 0007ffffffffffff R14: ffffea0002ec8c80 R15: ffff880135e71b50
[ 388.079527] FS: 0000000000000000(0000) GS:ffff88013a620000(0000) knlGS:0000000000000000
[ 388.079651] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 388.079729] CR2: 0000000000410000 CR3: 00000000377b5000 CR4: 00000000001407e0
[ 388.079852] Stack:
[ 388.079912] ffff880135e71a18 0000000000000000 ffff880137782498 ffff880135e71a18
[ 388.080089] 0000000000000001 0000000000000001 0000000000000000 ffffea0002ec8c80
[ 388.080265] ffff8800bba09000 ffff880135e71a68 ffffffff81288bc3 ffff880100000050
[ 388.080441] Call Trace:
[ 388.080506] [] ? jbd2__journal_start+0xf3/0x1e0
[ 388.080587] [] ? ext4_writepages+0x3c6/0xd20
[ 388.080667] [] ? __ext4_journal_start_sb+0x69/0xe0
[ 388.080749] [] ext4_writepages+0x3f2/0xd20
[ 388.080830] [] do_writepages+0x1e/0x40
[ 388.080907] [] __writeback_single_inode+0x40/0x220
[ 388.080989] [] writeback_sb_inodes+0x247/0x3e0
[ 388.081069] [] __writeback_inodes_wb+0x9f/0xd0
[ 388.081149] [] wb_writeback+0x243/0x2c0
[ 388.081228] [] ? set_worker_desc+0x76/0x90
[ 388.081307] [] bdi_writeback_workfn+0x108/0x430
[ 388.081388] [] process_one_work+0x182/0x450
[ 388.081468] [] worker_thread+0x121/0x410
[ 388.081545] [] ? rescuer_thread+0x430/0x430
[ 388.081624] [] kthread+0xd2/0xf0
[ 388.081706] [] ? kthread_create_on_node+0x1c0/0x1c0
[ 388.081787] [] ret_from_fork+0x58/0x90
[ 388.081861] [] ? kthread_create_on_node+0x1c0/0x1c0
[ 388.081940] Code: 00 00 00 48 8d bd 58 ff ff ff 89 85 48 ff ff ff e8 6e cf f1 ff 8b 85 48 ff ff ff eb ca 48 8d bd 58 ff ff ff e8 5a cf f1 ff eb 80 <0f> 0b 0f 0b 0f 1f 40 00 0f 1f 44 00 00 55 48 89 e5 41 57 41 56
[ 388.083376] RIP [] mpage_prepare_extent_to_map+0x2b8/0x2c0
[ 388.083472] RSP

At the end it writes:

[ 388.######] Fixing recursive fault but reboot is needed!
