Date: Thu, 21 Dec 2017 09:25:35 -0500
From: Dave Jones
To: Alexey Dobriyan
Cc: "Eric W. Biederman", Linus Torvalds, Al Viro, Linux Kernel, syzkaller-bugs@googlegroups.com, Gargi Sharma, Oleg Nesterov, Rik van Riel, Andrew Morton
Subject: Re: proc_flush_task oops
Message-ID: <20171221142535.GA17258@codemonkey.org.uk>
References: <20171219033926.GA26981@codemonkey.org.uk> <87lghy7eul.fsf@xmission.com> <20171219193020.GA9237@codemonkey.org.uk> <878tdy5r5t.fsf@xmission.com> <87mv2e17vz.fsf@xmission.com> <20171220052803.GA17079@codemonkey.org.uk> <871sjp1cjz.fsf@xmission.com> <20171221031606.GA4636@codemonkey.org.uk> <87po78trjm.fsf@xmission.com>
User-Agent: Mutt/1.9.2 (2017-12-15)
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Dec 21, 2017 at 12:38:12PM +0200, Alexey Dobriyan wrote:
> On 12/21/17, Eric W. Biederman wrote:
> > I have stared at this code, and written some test programs and I can't
> > see what is going on. alloc_pid by design and in implementation (as far
> > as I can see) is always single threaded when allocating the first pid
> > in a pid namespace. idr_init always initialized idr_next to 0.
> >
> > So how we can get past:
> >
> >         if (unlikely(is_child_reaper(pid))) {
> >                 if (pid_ns_prepare_proc(ns)) {
> >                         disable_pid_allocation(ns);
> >                         goto out_free;
> >                 }
> >         }
> >
> > with proc_mnt still set to NULL is a mystery to me.
> >
> > Is there any chance the idr code doesn't always return the lowest valid
> > free number? So init gets assigned something other than 1?
>
> Well, this theory is easy to test (attached).

I'll give this a shot and report back when I get to the office.

> There is a "valid" way to break the code via kernel.ns_last_pid:
> unshare+write+fork but the reproducer doesn't seem to use it (or it does?)

That sysctl is root only, so that isn't at play here.

	Dave