From: ebiederm@xmission.com (Eric W. Biederman)
To: Dave Jones
Cc: Linus Torvalds, Al Viro, Linux Kernel
Subject: Re: proc_flush_task oops
Date: Tue, 19 Dec 2017 15:44:30 -0600
Message-ID: <878tdy5r5t.fsf@xmission.com>
In-Reply-To: <20171219193020.GA9237@codemonkey.org.uk> (Dave Jones's message of "Tue, 19 Dec 2017 14:30:20 -0500")
X-Mailing-List: linux-kernel@vger.kernel.org

Dave Jones writes:

> On Tue, Dec 19, 2017 at 12:27:30PM -0600, Eric W. Biederman wrote:
> > Dave Jones writes:
> >
> > > On Mon, Dec 18, 2017 at 03:50:52PM -0800, Linus Torvalds wrote:
> > >
> > > > But I don't see what would have changed in this area recently.
> > > >
> > > > Do you end up saving the seeds that cause crashes? Is this
> > > > reproducible? (Other than seeing it twice, of course)
> > >
> > > Only clue so far, is every time I'm able to trigger it, the last thing
> > > the child process that triggers it did, was an execveat.
> >
> > Is there any chance the execveat might be called from a child thread?
>
> If trinity chooses one of the exec syscalls, it forks off an extra child
> to do it in, on the off-chance that it succeeds, and we never return.
> https://github.com/kernelslacker/trinity/blob/master/syscall.c#L139

	extrapid = fork();
	if (extrapid == 0) {
		/* grand-child */
		char childname[]="trinity-subchild";
		prctl(PR_SET_NAME, (unsigned long) &childname);
		__do_syscall(rec, GOING_AWAY);
		/* if this was for eg. an successful execve, we should never get here.
		 * if it failed though... */
		_exit(EXIT_SUCCESS);
	}

That is interesting.  So the system call sequence is a fork which just
succeeded and then an exec.  That reduces the possibilities quite a lot.

With pids there was a recent change that just replaced the pid hash
table and the pid bitmap with an idr.  It changes the locking somewhat
and probably changes the timing so that might be the culprit.

I am trying to figure out if there is an interface that would let
ns_last_pid for a pid namespace be accessed before the first pid is
allocated and I am not seeing it.  It does not appear to be possible to
mount a proc for a pid namespace you are not currently in.

*Scratches my head*  I am not seeing anything obvious.

Eric