Date: Thu, 17 Oct 2019 17:28:29 +0100
From: "Richard W.M. Jones"
To: Mike Christie
Cc: syzbot, axboe@kernel.dk, josef@toxicpanda.com, linux-block@vger.kernel.org, linux-kernel@vger.kernel.org, nbd@other.debian.org, syzkaller-bugs@googlegroups.com
Subject: Re: INFO: task hung in nbd_ioctl
Message-ID: <20191017162829.GA3888@redhat.com>
References: <000000000000b1b1ee0593cce78f@google.com> <5D93C2DD.10103@redhat.com> <20191017140330.GB25667@redhat.com> <5DA88D2F.7080907@redhat.com>
In-Reply-To: <5DA88D2F.7080907@redhat.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Oct 17, 2019 at 10:47:59AM -0500, Mike Christie wrote:
> On 10/17/2019 09:03 AM, Richard W.M. Jones wrote:
> > On Tue, Oct 01, 2019 at 04:19:25PM -0500, Mike Christie wrote:
> >> Hey Josef and nbd list,
> >>
> >> I had a question about if there are any socket family restrictions for nbd?
> >
> > In normal circumstances, in userspace, the NBD protocol would only be
> > used over AF_UNIX or AF_INET/AF_INET6.
> >
> > There's a bit of confusion because netlink is used by nbd-client to
> > configure the NBD device, setting things like block size and timeouts
> > (instead of ioctl which is deprecated).  I think you don't mean this
> > use of netlink?
>
> I didn't. It looks like it is just a bad test.
>
> For the automated test in this thread the test created an AF_NETLINK
> socket and passed it into the NBD_SET_SOCK ioctl. That is what got used
> for the NBD_DO_IT ioctl.
>
> I was not sure if the test creator picked any old socket and it just
> happened to pick one nbd never supported, or it was trying to simulate
> sockets that did not support the shutdown method.
>
> I attached the automated test that got run (test.c).

I'd say it sounds like a bad test, but I'm not familiar with syzkaller
nor how / from where it generates these tests.  Did someone report a
bug and then syzkaller wrote this test?

Rich.

> >
> >> The bug here is that some socket families do not support the
> >> sock->ops->shutdown callout, and when nbd calls kernel_sock_shutdown
> >> their callout returns -EOPNOTSUPP. That then leaves recv_work stuck in
> >> nbd_read_stat -> sock_xmit -> sock_recvmsg. My patch added a
> >> flush_workqueue call, so for socket families like AF_NETLINK in this bug
> >> we hang like we see below.
> >>
> >> I can just remove the flush_workqueue call in that code path since it's
> >> not needed there, but it leaves the original bug my patch was hitting
> >> where we leave the recv_work running which can then result in leaked
> >> resources, or possible use after free crashes and you still get the hang
> >> if you remove the module.
> >>
> >> It looks like we have used kernel_sock_shutdown for a while so I thought
> >> we might never have supported sockets that did not support the callout.
> >> Is that correct? If so then I can just add a check for this in
> >> nbd_add_socket and fix that bug too.
> >
> > Rich.
> >
> >> On 09/30/2019 05:39 PM, syzbot wrote:
> >>> Hello,
> >>>
> >>> syzbot found the following crash on:
> >>>
> >>> HEAD commit:    bb2aee77 Add linux-next specific files for 20190926
> >>> git tree:       linux-next
> >>> console output: https://syzkaller.appspot.com/x/log.txt?x=13385ca3600000
> >>> kernel config:  https://syzkaller.appspot.com/x/.config?x=e60af4ac5a01e964
> >>> dashboard link:
> >>> https://syzkaller.appspot.com/bug?extid=24c12fa8d218ed26011a
> >>> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> >>> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=12abc2a3600000
> >>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=11712c05600000
> >>>
> >>> The bug was bisected to:
> >>>
> >>> commit e9e006f5fcf2bab59149cb38a48a4817c1b538b4
> >>> Author: Mike Christie
> >>> Date:   Sun Aug 4 19:10:06 2019 +0000
> >>>
> >>>     nbd: fix max number of supported devs
> >>>
> >>> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=1226f3c5600000
> >>> final crash:    https://syzkaller.appspot.com/x/report.txt?x=1126f3c5600000
> >>> console output: https://syzkaller.appspot.com/x/log.txt?x=1626f3c5600000
> >>>
> >>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> >>> Reported-by: syzbot+24c12fa8d218ed26011a@syzkaller.appspotmail.com
> >>> Fixes: e9e006f5fcf2 ("nbd: fix max number of supported devs")
> >>>
> >>> INFO: task syz-executor390:8778 can't die for more than 143 seconds.
> >>> syz-executor390 D27432  8778   8777 0x00004004
> >>> Call Trace:
> >>>  context_switch kernel/sched/core.c:3384 [inline]
> >>>  __schedule+0x828/0x1c20 kernel/sched/core.c:4065
> >>>  schedule+0xd9/0x260 kernel/sched/core.c:4132
> >>>  schedule_timeout+0x717/0xc50 kernel/time/timer.c:1871
> >>>  do_wait_for_common kernel/sched/completion.c:83 [inline]
> >>>  __wait_for_common kernel/sched/completion.c:104 [inline]
> >>>  wait_for_common kernel/sched/completion.c:115 [inline]
> >>>  wait_for_completion+0x29c/0x440 kernel/sched/completion.c:136
> >>>  flush_workqueue+0x40f/0x14c0 kernel/workqueue.c:2826
> >>>  nbd_start_device_ioctl drivers/block/nbd.c:1272 [inline]
> >>>  __nbd_ioctl drivers/block/nbd.c:1347 [inline]
> >>>  nbd_ioctl+0xb2e/0xc44 drivers/block/nbd.c:1387
> >>>  __blkdev_driver_ioctl block/ioctl.c:304 [inline]
> >>>  blkdev_ioctl+0xedb/0x1c20 block/ioctl.c:606
> >>>  block_ioctl+0xee/0x130 fs/block_dev.c:1954
> >>>  vfs_ioctl fs/ioctl.c:47 [inline]
> >>>  file_ioctl fs/ioctl.c:539 [inline]
> >>>  do_vfs_ioctl+0xdb6/0x13e0 fs/ioctl.c:726
> >>>  ksys_ioctl+0xab/0xd0 fs/ioctl.c:743
> >>>  __do_sys_ioctl fs/ioctl.c:750 [inline]
> >>>  __se_sys_ioctl fs/ioctl.c:748 [inline]
> >>>  __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:748
> >>>  do_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290
> >>>  entry_SYSCALL_64_after_hwframe+0x49/0xbe
> >>> RIP: 0033:0x4452d9
> >>> Code: Bad RIP value.
> >>> RSP: 002b:00007ffde928d288 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
> >>> RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004452d9
> >>> RDX: 0000000000000000 RSI: 000000000000ab03 RDI: 0000000000000004
> >>> RBP: 0000000000000000 R08: 00000000004025b0 R09: 00000000004025b0
> >>> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000402520
> >>> R13: 00000000004025b0 R14: 0000000000000000 R15: 0000000000000000
> >>> INFO: task syz-executor390:8778 blocked for more than 143 seconds.
> >>>       Not tainted 5.3.0-next-20190926 #0
> >>> "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
> >>> syz-executor390 D27432  8778   8777 0x00004004
> >>> Call Trace:
> >>>  context_switch kernel/sched/core.c:3384 [inline]
> >>>  __schedule+0x828/0x1c20 kernel/sched/core.c:4065
> >>>  schedule+0xd9/0x260 kernel/sched/core.c:4132
> >>>  schedule_timeout+0x717/0xc50 kernel/time/timer.c:1871
> >>>  do_wait_for_common kernel/sched/completion.c:83 [inline]
> >>>  __wait_for_common kernel/sched/completion.c:104 [inline]
> >>>  wait_for_common kernel/sched/completion.c:115 [inline]
> >>>  wait_for_completion+0x29c/0x440 kernel/sched/completion.c:136
> >>>  flush_workqueue+0x40f/0x14c0 kernel/workqueue.c:2826
> >>>  nbd_start_device_ioctl drivers/block/nbd.c:1272 [inline]
> >>>  __nbd_ioctl drivers/block/nbd.c:1347 [inline]
> >>>  nbd_ioctl+0xb2e/0xc44 drivers/block/nbd.c:1387
> >>>  __blkdev_driver_ioctl block/ioctl.c:304 [inline]
> >>>  blkdev_ioctl+0xedb/0x1c20 block/ioctl.c:606
> >>>  block_ioctl+0xee/0x130 fs/block_dev.c:1954
> >>>  vfs_ioctl fs/ioctl.c:47 [inline]
> >>>  file_ioctl fs/ioctl.c:539 [inline]
> >>>  do_vfs_ioctl+0xdb6/0x13e0 fs/ioctl.c:726
> >>>  ksys_ioctl+0xab/0xd0 fs/ioctl.c:743
> >>>  __do_sys_ioctl fs/ioctl.c:750 [inline]
> >>>  __se_sys_ioctl fs/ioctl.c:748 [inline]
> >>>  __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:748
> >>>  do_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290
> >>>  entry_SYSCALL_64_after_hwframe+0x49/0xbe
> >>> RIP: 0033:0x4452d9
> >>> Code: Bad RIP value.
> >>> RSP: 002b:00007ffde928d288 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
> >>> RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004452d9
> >>> RDX: 0000000000000000 RSI: 000000000000ab03 RDI: 0000000000000004
> >>> RBP: 0000000000000000 R08: 00000000004025b0 R09: 00000000004025b0
> >>> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000402520
> >>> R13: 00000000004025b0 R14: 0000000000000000 R15: 0000000000000000
> >>>
> >>> Showing all locks held in the system:
> >>> 1 lock held by khungtaskd/1066:
> >>>  #0: ffffffff88faad80 (rcu_read_lock){....}, at:
> >>> debug_show_all_locks+0x5f/0x27e kernel/locking/lockdep.c:5337
> >>> 2 locks held by kworker/u5:0/1525:
> >>>  #0: ffff8880923d0d28 ((wq_completion)knbd0-recv){+.+.}, at:
> >>> __write_once_size include/linux/compiler.h:226 [inline]
> >>>  #0: ffff8880923d0d28 ((wq_completion)knbd0-recv){+.+.}, at:
> >>> arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
> >>>  #0: ffff8880923d0d28 ((wq_completion)knbd0-recv){+.+.}, at:
> >>> atomic64_set include/asm-generic/atomic-instrumented.h:855 [inline]
> >>>  #0: ffff8880923d0d28 ((wq_completion)knbd0-recv){+.+.}, at:
> >>> atomic_long_set include/asm-generic/atomic-long.h:40 [inline]
> >>>  #0: ffff8880923d0d28 ((wq_completion)knbd0-recv){+.+.}, at:
> >>> set_work_data kernel/workqueue.c:620 [inline]
> >>>  #0: ffff8880923d0d28 ((wq_completion)knbd0-recv){+.+.}, at:
> >>> set_work_pool_and_clear_pending kernel/workqueue.c:647 [inline]
> >>>  #0: ffff8880923d0d28 ((wq_completion)knbd0-recv){+.+.}, at:
> >>> process_one_work+0x88b/0x1740 kernel/workqueue.c:2240
> >>>  #1: ffff8880a63b7dc0 ((work_completion)(&args->work)){+.+.}, at:
> >>> process_one_work+0x8c1/0x1740 kernel/workqueue.c:2244
> >>> 1 lock held by rsyslogd/8659:
> >>> 2 locks held by getty/8749:
> >>>  #0: ffff888098c08090 (&tty->ldisc_sem){++++}, at:
> >>> ldsem_down_read+0x33/0x40 drivers/tty/tty_ldsem.c:340
> >>>  #1: ffffc90005f112e0 (&ldata->atomic_read_lock){+.+.}, at:
> >>> n_tty_read+0x232/0x1c10 drivers/tty/n_tty.c:2156
> >>> 2 locks held by getty/8750:
> >>>  #0: ffff88808f10b090 (&tty->ldisc_sem){++++}, at:
> >>> ldsem_down_read+0x33/0x40 drivers/tty/tty_ldsem.c:340
> >>>  #1: ffffc90005f2d2e0 (&ldata->atomic_read_lock){+.+.}, at:
> >>> n_tty_read+0x232/0x1c10 drivers/tty/n_tty.c:2156
> >>> 2 locks held by getty/8751:
> >>>  #0: ffff88809a6be090 (&tty->ldisc_sem){++++}, at:
> >>> ldsem_down_read+0x33/0x40 drivers/tty/tty_ldsem.c:340
> >>>  #1: ffffc90005f192e0 (&ldata->atomic_read_lock){+.+.}, at:
> >>> n_tty_read+0x232/0x1c10 drivers/tty/n_tty.c:2156
> >>> 2 locks held by getty/8752:
> >>>  #0: ffff8880a48af090 (&tty->ldisc_sem){++++}, at:
> >>> ldsem_down_read+0x33/0x40 drivers/tty/tty_ldsem.c:340
> >>>  #1: ffffc90005f352e0 (&ldata->atomic_read_lock){+.+.}, at:
> >>> n_tty_read+0x232/0x1c10 drivers/tty/n_tty.c:2156
> >>> 2 locks held by getty/8753:
> >>>  #0: ffff88808c599090 (&tty->ldisc_sem){++++}, at:
> >>> ldsem_down_read+0x33/0x40 drivers/tty/tty_ldsem.c:340
> >>>  #1: ffffc90005f212e0 (&ldata->atomic_read_lock){+.+.}, at:
> >>> n_tty_read+0x232/0x1c10 drivers/tty/n_tty.c:2156
> >>> 2 locks held by getty/8754:
> >>>  #0: ffff88808f1a8090 (&tty->ldisc_sem){++++}, at:
> >>> ldsem_down_read+0x33/0x40 drivers/tty/tty_ldsem.c:340
> >>>  #1: ffffc90005f392e0 (&ldata->atomic_read_lock){+.+.}, at:
> >>> n_tty_read+0x232/0x1c10 drivers/tty/n_tty.c:2156
> >>> 2 locks held by getty/8755:
> >>>  #0: ffff88809ab33090 (&tty->ldisc_sem){++++}, at:
> >>> ldsem_down_read+0x33/0x40 drivers/tty/tty_ldsem.c:340
> >>>  #1: ffffc90005f012e0 (&ldata->atomic_read_lock){+.+.}, at:
> >>> n_tty_read+0x232/0x1c10 drivers/tty/n_tty.c:2156
> >>>
> >>> =============================================
> >>>
> >>> NMI backtrace for cpu 1
> >>> CPU: 1 PID: 1066 Comm: khungtaskd Not tainted 5.3.0-next-20190926 #0
> >>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> >>> Google 01/01/2011
> >>> Call Trace:
> >>>  __dump_stack lib/dump_stack.c:77 [inline]
> >>>  dump_stack+0x172/0x1f0 lib/dump_stack.c:113
> >>>  nmi_cpu_backtrace.cold+0x70/0xb2 lib/nmi_backtrace.c:101
> >>>  nmi_trigger_cpumask_backtrace+0x23b/0x28b lib/nmi_backtrace.c:62
> >>>  arch_trigger_cpumask_backtrace+0x14/0x20 arch/x86/kernel/apic/hw_nmi.c:38
> >>>  trigger_all_cpu_backtrace include/linux/nmi.h:146 [inline]
> >>>  check_hung_uninterruptible_tasks kernel/hung_task.c:269 [inline]
> >>>  watchdog+0xc99/0x1360 kernel/hung_task.c:353
> >>>  kthread+0x361/0x430 kernel/kthread.c:255
> >>>  ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
> >>> Sending NMI from CPU 1 to CPUs 0:
> >>> NMI backtrace for cpu 0 skipped: idling at native_safe_halt+0xe/0x10
> >>> arch/x86/include/asm/irqflags.h:60
> >>>
> >>>
> >>> ---
> >>> This bug is generated by a bot. It may contain errors.
> >>> See https://goo.gl/tpsmEJ for more information about syzbot.
> >>> syzbot engineers can be reached at syzkaller@googlegroups.com.
> >>>
> >>> syzbot will keep track of this bug report. See:
> >>> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> >>> For information about bisection process see:
> >>> https://goo.gl/tpsmEJ#bisection
> >>> syzbot can test patches for this bug, for details see:
> >>> https://goo.gl/tpsmEJ#testing-patches
> >
>
> // autogenerated by syzkaller (https://github.com/google/syzkaller)
>
> #define _GNU_SOURCE
>
> #include <dirent.h>
> #include <endian.h>
> #include <errno.h>
> #include <fcntl.h>
> #include <setjmp.h>
> #include <signal.h>
> #include <stdarg.h>
> #include <stdbool.h>
> #include <stdint.h>
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> #include <sys/mman.h>
> #include <sys/prctl.h>
> #include <sys/stat.h>
> #include <sys/syscall.h>
> #include <sys/types.h>
> #include <sys/wait.h>
> #include <time.h>
> #include <unistd.h>
>
> static __thread int skip_segv;
> static __thread jmp_buf segv_env;
>
> // Faults outside the program's own mapped window are survived (longjmp back)
> // while a NONFAILING() block is active; anything else terminates the process.
> static void segv_handler(int sig, siginfo_t* info, void* ctx)
> {
>   uintptr_t addr = (uintptr_t)info->si_addr;
>   const uintptr_t prog_start = 1 << 20;
>   const uintptr_t prog_end = 100 << 20;
>   if (__atomic_load_n(&skip_segv, __ATOMIC_RELAXED) &&
>       (addr < prog_start || addr > prog_end)) {
>     _longjmp(segv_env, 1);
>   }
>   exit(sig);
> }
>
> static void install_segv_handler(void)
> {
>   struct sigaction sa;
>   memset(&sa, 0, sizeof(sa));
>   sa.sa_handler = SIG_IGN;
>   syscall(SYS_rt_sigaction, 0x20, &sa, NULL, 8);
>   syscall(SYS_rt_sigaction, 0x21, &sa, NULL, 8);
>   memset(&sa, 0, sizeof(sa));
>   sa.sa_sigaction = segv_handler;
>   sa.sa_flags = SA_NODEFER | SA_SIGINFO;
>   sigaction(SIGSEGV, &sa, NULL);
>   sigaction(SIGBUS, &sa, NULL);
> }
>
> #define NONFAILING(...)                                   \
>   {                                                       \
>     __atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST);  \
>     if (_setjmp(segv_env) == 0) {                         \
>       __VA_ARGS__;                                        \
>     }                                                     \
>     __atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST);  \
>   }
>
> static void sleep_ms(uint64_t ms)
> {
>   usleep(ms * 1000);
> }
>
> static uint64_t current_time_ms(void)
> {
>   struct timespec ts;
>   if (clock_gettime(CLOCK_MONOTONIC, &ts))
>     exit(1);
>   return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
> }
>
> static bool write_file(const char* file, const char* what, ...)
> {
>   char buf[1024];
>   va_list args;
>   va_start(args, what);
>   vsnprintf(buf, sizeof(buf), what, args);
>   va_end(args);
>   buf[sizeof(buf) - 1] = 0;
>   int len = strlen(buf);
>   int fd = open(file, O_WRONLY | O_CLOEXEC);
>   if (fd == -1)
>     return false;
>   if (write(fd, buf, len) != len) {
>     int err = errno;
>     close(fd);
>     errno = err;
>     return false;
>   }
>   close(fd);
>   return true;
> }
>
> // Opens a device node; a '#' in the path template is replaced by digits of a1.
> static long syz_open_dev(volatile long a0, volatile long a1, volatile long a2)
> {
>   if (a0 == 0xc || a0 == 0xb) {
>     char buf[128];
>     sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1,
>             (uint8_t)a2);
>     return open(buf, O_RDWR, 0);
>   } else {
>     char buf[1024];
>     char* hash;
>     NONFAILING(strncpy(buf, (char*)a0, sizeof(buf) - 1));
>     buf[sizeof(buf) - 1] = 0;
>     while ((hash = strchr(buf, '#'))) {
>       *hash = '0' + (char)(a1 % 10);
>       a1 /= 10;
>     }
>     return open(buf, a2, 0);
>   }
> }
>
> static void kill_and_wait(int pid, int* status)
> {
>   kill(-pid, SIGKILL);
>   kill(pid, SIGKILL);
>   int i;
>   for (i = 0; i < 100; i++) {
>     if (waitpid(-1, status, WNOHANG | __WALL) == pid)
>       return;
>     usleep(1000);
>   }
>   DIR* dir = opendir("/sys/fs/fuse/connections");
>   if (dir) {
>     for (;;) {
>       struct dirent* ent = readdir(dir);
>       if (!ent)
>         break;
>       if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
>         continue;
>       char abort[300];
>       snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort",
>                ent->d_name);
>       int fd = open(abort, O_WRONLY);
>       if (fd == -1) {
>         continue;
>       }
>       if (write(fd, abort, 1) < 0) {
>       }
>       close(fd);
>     }
>     closedir(dir);
>   } else {
>   }
>   while (waitpid(-1, status, __WALL) != pid) {
>   }
> }
>
> static void setup_test()
> {
>   prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
>   setpgrp();
>   write_file("/proc/self/oom_score_adj", "1000");
> }
>
> static void execute_one(void);
>
> #define WAIT_FLAGS __WALL
>
> static void loop(void)
> {
>   int iter;
>   for (iter = 0; iter < 1; iter++) {
>     int pid = fork();
>     if (pid < 0)
>       exit(1);
>     if (pid == 0) {
>       setup_test();
>       execute_one();
>       exit(0);
>     }
>     int status = 0;
>     uint64_t start = current_time_ms();
>     for (;;) {
>       if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
>         break;
>       sleep_ms(1);
>       if (current_time_ms() - start < 5 * 1000)
>         continue;
>       kill_and_wait(pid, &status);
>       break;
>     }
>   }
> }
>
> uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};
>
> void execute_one(void)
> {
>   intptr_t res = 0;
>   // socket(AF_NETLINK /* 0x10 */, SOCK_DGRAM, NETLINK_USERSOCK /* 2 */)
>   res = syscall(__NR_socket, 0x10, 2, 2);
>   if (res != -1)
>     r[0] = res;
>   NONFAILING(memcpy((void*)0x20000080, "/dev/nbd#\000", 10));
>   res = syz_open_dev(0x20000080, 0, 0);
>   if (res != -1)
>     r[1] = res;
>   res = syz_open_dev(0, 0, 0);
>   if (res != -1)
>     r[2] = res;
>   // 0xab00 = NBD_SET_SOCK: hands the netlink socket to the nbd device
>   syscall(__NR_ioctl, r[2], 0xab00, r[0]);
>   // 0xab03 = NBD_DO_IT: the ioctl the task hangs in (RSI 0xab03 above)
>   syscall(__NR_ioctl, r[1], 0xab03, 0);
> }
> int main(void)
> {
>   syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
>   install_segv_handler();
>   loop();
>   return 0;
> }

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
Fedora Windows cross-compiler. Compile Windows programs, test, and
build Windows installers. Over 100 libraries supported.
http://fedoraproject.org/wiki/MinGW