Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752437AbdLSTaX (ORCPT <rfc822;w@1wt.eu>);
        Tue, 19 Dec 2017 14:30:23 -0500
Received: from scorn.kernelslacker.org ([45.56.101.199]:48506 "EHLO
        scorn.kernelslacker.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751291AbdLSTaW (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 19 Dec 2017 14:30:22 -0500
Date: Tue, 19 Dec 2017 14:30:20 -0500
From: Dave Jones <davej@codemonkey.org.uk>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
        Al Viro <viro@zeniv.linux.org.uk>,
        Linux Kernel <linux-kernel@vger.kernel.org>
Subject: Re: proc_flush_task oops
Message-ID: <20171219193020.GA9237@codemonkey.org.uk>
Mail-Followup-To: Dave Jones <davej@codemonkey.org.uk>,
        "Eric W. Biederman" <ebiederm@xmission.com>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Al Viro <viro@zeniv.linux.org.uk>,
        Linux Kernel <linux-kernel@vger.kernel.org>
References: <20171218214438.GA32728@codemonkey.org.uk>
 <20171218221541.GP21978@ZenIV.linux.org.uk>
 <20171218231013.GA9481@codemonkey.org.uk>
 <CA+55aFxkKNTukHGBBUmB+RasUAQPK3udsNw156yAyocr46cefg@mail.gmail.com>
 <20171219033926.GA26981@codemonkey.org.uk>
 <87lghy7eul.fsf@xmission.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <87lghy7eul.fsf@xmission.com>
User-Agent: Mutt/1.9.2 (2017-12-15)
X-Spam-Note: SpamAssassin invocation failed
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1396
Lines: 34

On Tue, Dec 19, 2017 at 12:27:30PM -0600, Eric W. Biederman wrote:
 > Dave Jones <davej@codemonkey.org.uk> writes:
 > 
 > > On Mon, Dec 18, 2017 at 03:50:52PM -0800, Linus Torvalds wrote:
 > >
 > >  > But I don't see what would have changed in this area recently.
 > >  > 
 > >  > Do you end up saving the seeds that cause crashes? Is this
 > >  > reproducible? (Other than seeing it twoce, of course)
 > >
 > > Only clue so far, is every time I'm able to trigger it, the last thing
 > > the child process that triggers it did, was an execveat.
 > 
 > Is there any chance the excveat might be called from a child thread?

If trinity choose one of the exec syscalls, it forks off an extra child
to do it in, on the off-chance that it succeeds, and we never return.
https://github.com/kernelslacker/trinity/blob/master/syscall.c#L139

 > That switching pids between tasks of a process during exec can get a
 > little bit tricky.
 > 
 > > Telling it to just fuzz execveat doesn't instantly trigger it, so it
 > > must be a combination of some other syscall. I'll leave a script running
 > > overnight to see if I can binary search the other syscalls in
 > > combination with it.
 > 
 > Could we have a buggy syscall that is stomping something?

Not totally impossible I guess, though I would expect that would
manifest in additional random failures, whereas this seems remarkably
consistent.

	Dave