WARNING in do_jobctl_trap


Dmitry Vyukov

Jan 26, 2016, 10:13:14 AM
to Andrew Morton, Oleg Nesterov, Amanieu d'Antras, Richard Weinberger, Davidlohr Bueso, Vladimir Davydov, Palmer Dabbelt, Andy Lutomirski, LKML, syzkaller, Kostya Serebryany, Alexander Potapenko, Sasha Levin, Eric Dumazet
Hello,

The following program triggers WARN_ON_ONCE(!signr) in do_jobctl_trap:

------------[ cut here ]------------
WARNING: CPU: 1 PID: 11020 at kernel/signal.c:2076 get_signal+0x125a/0x14f0()
Modules linked in:
CPU: 1 PID: 11020 Comm: syz-executor Not tainted 4.5.0-rc1+ #291
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
00000000ffffffff ffff88005b987c10 ffffffff829e798d 0000000000000000
ffff88005c0b0000 ffffffff8653d460 ffff88005b987c50 ffffffff813536d9
ffffffff81382d8a ffffffff8653d460 000000000000081c ffff88005c0b0000
Call Trace:
[< inline >] __dump_stack lib/dump_stack.c:15
[<ffffffff829e798d>] dump_stack+0x6f/0xa2 lib/dump_stack.c:50
[<ffffffff813536d9>] warn_slowpath_common+0xd9/0x140 kernel/panic.c:482
[<ffffffff81353909>] warn_slowpath_null+0x29/0x30 kernel/panic.c:515
[< inline >] do_jobctl_trap kernel/signal.c:2076
[<ffffffff81382d8a>] get_signal+0x125a/0x14f0 kernel/signal.c:2195
[<ffffffff811a0db3>] do_signal+0x83/0x1c90 arch/x86/kernel/signal.c:712
[<ffffffff81006685>] exit_to_usermode_loop+0x1a5/0x210 arch/x86/entry/common.c:247
[< inline >] prepare_exit_to_usermode arch/x86/entry/common.c:282
[<ffffffff810084ea>] syscall_return_slowpath+0x2ba/0x340 arch/x86/entry/common.c:344
[<ffffffff86459c22>] int_ret_from_sys_call+0x25/0x9f arch/x86/entry/entry_64.S:281
---[ end trace 8084a3d0c9430433 ]---


// autogenerated by syzkaller (http://github.com/google/syzkaller)
#define _GNU_SOURCE	/* clone(), CLONE_NEWUSER/CLONE_NEWPID and __WALL */
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <sys/prctl.h>
#include <sched.h>	/* with _GNU_SOURCE this also provides the CLONE_* flags */
#include <pthread.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#include <string.h>
#include <signal.h>
#include <stdio.h>
#include <errno.h>

/*
 * One thread per case: thread 0 seizes and interrupts the parent process
 * and then exits (dropping the ptrace attachment), thread 1 does nothing,
 * thread 2 sends SIGPIPE to its own process.
 */
void *thr(void *arg)
{
	switch ((long)arg) {
	case 0:
		ptrace(PTRACE_SEIZE, getppid(), 0, 0);
		ptrace(PTRACE_INTERRUPT, getppid(), 0, 0);
		break;
	case 1:
		break;
	case 2:
		kill(getpid(), SIGPIPE);
		break;
	}
	return 0;
}

/* Runs in the fresh user + pid namespace created by clone() in main(). */
int main1(void *arg)
{
	int i, fd, pid, status;
	pthread_t th[3];

	(void)arg;
	setpgrp();
	/* Die together with the parent so a stuck run cannot outlive it. */
	prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
	/* Map ourselves to uid/gid 0 inside the new user namespace. */
	fd = open("/proc/self/setgroups", O_RDWR);
	write(fd, "deny", strlen("deny"));
	close(fd);
	fd = open("/proc/self/uid_map", O_RDWR);
	write(fd, "0 0 1\n", strlen("0 0 1\n"));
	close(fd);
	fd = open("/proc/self/gid_map", O_RDWR);
	write(fd, "0 0 1\n", strlen("0 0 1\n"));
	close(fd);
	pid = fork();
	if (pid == 0) {
		/*
		 * Child: start the three threads twice with small, partly
		 * random delays; the tracer thread exits right after
		 * PTRACE_INTERRUPT, so the parent's trap handling races
		 * with the detach performed when that tracer goes away.
		 */
		for (i = 0; i < 3; i++) {
			pthread_create(&th[i], 0, thr, (void *)(long)i);
			usleep(1000);
		}
		for (i = 0; i < 3; i++) {
			pthread_create(&th[i], 0, thr, (void *)(long)i);
			if (rand() % 2)
				usleep(rand() % 1000);
		}
		usleep(10000);
		exit(0);
	}
	while (waitpid(pid, &status, __WALL) != pid) {
	}
	exit(0);
}

int main(void)
{
	int pid, status;
	char stack[1 << 20];

	srand(getpid());
	pid = clone(main1, &stack[sizeof(stack) - 8],
		    CLONE_NEWUSER | CLONE_NEWPID, 0);
	while (waitpid(pid, &status, __WALL) != pid) {
	}
	return 0;
}

On commit 92e963f50fc74041b5e9e744c330dca48e04f08d (Jan 24).

Oleg Nesterov

Jan 26, 2016, 3:52:49 PM
to Dmitry Vyukov, Andrew Morton, Amanieu d'Antras, Richard Weinberger, Davidlohr Bueso, Vladimir Davydov, Palmer Dabbelt, Andy Lutomirski, LKML, syzkaller, Kostya Serebryany, Alexander Potapenko, Sasha Levin, Eric Dumazet
On 01/26, Dmitry Vyukov wrote:
>
> Hello,
>
> The following program triggers WARN_ON_ONCE(!signr) in do_jobctl_trap:

Can't reproduce, but most probably I understand the problem... I'll try to
make the simplified test-case tomorrow, it should work if I am right.

Does it work for you reliably? If yes, any chance you can try the patch
below?

Oleg.

--- x/kernel/ptrace.c
+++ x/kernel/ptrace.c
@@ -73,11 +73,11 @@ void __ptrace_unlink(struct task_struct *child)
{
BUG_ON(!child->ptrace);

- child->ptrace = 0;
child->parent = child->real_parent;
list_del_init(&child->ptrace_entry);

spin_lock(&child->sighand->siglock);
+ child->ptrace = 0;

/*
* Clear all pending traps and TRAPPING. TRAPPING should be
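Review bot: the `+ child->ptrace = 0;` line carries no comment saying why the store now has to sit under `child->sighand->siglock`; the only hint is the pre-existing "Clear all pending traps and TRAPPING" comment that follows it, and a later reader could hoist the assignment back out. Suggest a short comment above the `+` line, e.g. `/* must be cleared under siglock, together with the pending JOBCTL_TRAP_* bits, so a tracee in do_jobctl_trap never sees !ptrace with trap bits still set */`, and a commit message that names the WARN_ON_ONCE(!signr) in do_jobctl_trap (kernel/signal.c:2076 in the report) it addresses. Also worth confirming that nothing between `BUG_ON(!child->ptrace)` and the `spin_lock` still relies on `->ptrace` already being zero: the two stores left before the lock (`child->parent = child->real_parent;` and `list_del_init(&child->ptrace_entry);`) look independent of it, but the hunk context is cut off so this cannot be checked from the diff alone.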

Oleg Nesterov

Jan 27, 2016, 11:05:03 AM
to Dmitry Vyukov, Andrew Morton, Amanieu d'Antras, Richard Weinberger, Davidlohr Bueso, Vladimir Davydov, Palmer Dabbelt, Andy Lutomirski, LKML, syzkaller, Kostya Serebryany, Alexander Potapenko, Sasha Levin, Eric Dumazet
On 01/26, Oleg Nesterov wrote:
>
> On 01/26, Dmitry Vyukov wrote:
> >
> > Hello,
> >
> > The following program triggers WARN_ON_ONCE(!signr) in do_jobctl_trap:
>
> Can't reproduce, but most probably I understand the problem... I'll try to
> make the simplified test-case tomorrow, it should work if I am right.

This triggers the same problem immediately:


#include <unistd.h>
#include <sys/ptrace.h>
#include <sys/wait.h>

/*
 * Each worker forks in a loop: the child seizes and interrupts its parent
 * and exits immediately, so the parent's PTRACE_INTERRUPT trap races with
 * the detach that happens when the tracer child dies. The parent just
 * reaps the child and goes again.
 */
void test(void)
{
	for (;;) {
		if (fork()) {
			wait(NULL);
			continue;
		}

		ptrace(PTRACE_SEIZE, getppid(), 0, 0);
		ptrace(PTRACE_INTERRUPT, getppid(), 0, 0);
		_exit(0);
	}
}

int main(void)
{
	int np;

	/* Eight workers in parallel so the race window is hit quickly. */
	for (np = 0; np < 8; ++np)
		if (!fork())
			test();

	while (wait(NULL) > 0)
		;
	return 0;
}

and just in case, your test-case works too if I run

perl -e 'fork; fork; fork; 1 while 1' &

in the background; it has too many delays to work on an idle system.

> Does it work for you reliably? If yes, any chance you can try the patch
> below?
>
> Oleg.
>
> --- x/kernel/ptrace.c
> +++ x/kernel/ptrace.c
> @@ -73,11 +73,11 @@ void __ptrace_unlink(struct task_struct *child)
> {
> BUG_ON(!child->ptrace);
>
> - child->ptrace = 0;
> child->parent = child->real_parent;
> list_del_init(&child->ptrace_entry);
>
> spin_lock(&child->sighand->siglock);
> + child->ptrace = 0;
>
> /*
> * Clear all pending traps and TRAPPING. TRAPPING should be

The change above helps, but I need to think more...

Oleg.

Dmitry Vyukov

Mar 10, 2016, 1:34:19 PM
to Oleg Nesterov, Andrew Morton, Amanieu d'Antras, Richard Weinberger, Davidlohr Bueso, Vladimir Davydov, Palmer Dabbelt, Andy Lutomirski, LKML, syzkaller, Kostya Serebryany, Alexander Potapenko, Sasha Levin, Eric Dumazet
Hi Oleg,

I am running with the __ptrace_unlink fix since then, and did not see any bugs.
Please mail it as a proper patch.

Oleg Nesterov

Mar 14, 2016, 3:45:08 PM
to Dmitry Vyukov, Andrew Morton, Amanieu d'Antras, Richard Weinberger, Davidlohr Bueso, Vladimir Davydov, Palmer Dabbelt, Andy Lutomirski, LKML, syzkaller, Kostya Serebryany, Alexander Potapenko, Sasha Levin, Eric Dumazet
Hi Dmitry,

On 03/10, Dmitry Vyukov wrote:
>
> I am running with the __ptrace_unlink fix since then, and did not see any bugs.
> Please mail it a proper patch.

Yes, thanks, will do in a minute... Hopefully I'll (re)send more fixes for the
problems found by syzkaller this week.

Oleg.
