Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp2597596pxb;
        Tue, 9 Mar 2021 06:33:10 -0800 (PST)
X-Google-Smtp-Source: ABdhPJzjFa/IFDC30UyoVE/fPiZ34a1QKZ0u9f7pLsdnBqTSsaaA2VNB7Ac030eiPVf52LBZmE9C
X-Received: by 2002:a17:906:3899:: with SMTP id q25mr20438288ejd.157.1615300390757;
        Tue, 09 Mar 2021 06:33:10 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1615300390; cv=none;
        d=google.com; s=arc-20160816;
        b=yti10RPNK6qnX9wfS1JusuQp+wMzoVVnbU/i5wb854Jhn7mCYbXcF8nmB2WgBXdglK
         GsyOHNpmG8tgESK6eSX8Mvjc5yrzm8ANlAimhMC0miIztVgTbjCyZUpaRz1gNPEd3mIe
         LK4q77e6iZ+KR63WKU8mxbKDaFoBfa1dkCfdgGZmQT5F29nUmWzjtjJRP9eKEVP1H7CJ
         O+8v5Wt6boGM0cgZwLZZSwzDzOdtKLIJXENYahhDnKDhqCvA+iahYZGrCZtSI5QVfCwb
         0GK6e0UQY+jCIaezomx1ximRJq59yo/REwE33yjsOpsJjd/Uvu5zQ7BFOzZKYBtazyDz
         AtYg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:in-reply-to:content-disposition
         :mime-version:references:message-id:subject:cc:to:from:date;
        bh=JTMO0KQfoqp3dQRyWMIbOewW6+UnMUbroFfJAtJ998I=;
        b=UZ/pLQrck8QZivRnt5Zkb+3Y+C8UfBUID9DiGh/7e7AFFTD+ui5u9lTWKNVhdPZD0j
         f4kqpdoeX5uwGNxxz9GO7tp3PTLrGAbj3XLJYZgnFxkrpU0hxGM4F99wrZYM8j8E8eVf
         +FVV1dWuxVL/NsDZuJqcH9hnEa/KBCUi8wIxNS4TA5fdtnRG9leeG/E+9dHkJ0C2rKr7
         U5VC8xzb30MFlxF9SFtqA8yrKIwyWCtLqC60mFNE4iaoW5KRqPBVqT/BlCQqwyDnfr0D
         PX24BZBZ1zKxbiIvke2sydIWmMZYLPMArBrxUErCGRfmzEa5nMQvfBrLpHP98joEteu4
         tJdA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id g5si10343748edj.194.2021.03.09.06.32.47;
        Tue, 09 Mar 2021 06:33:10 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S231278AbhCIOap (ORCPT <rfc822;lyj496332184@gmail.com>
        + 99 others); Tue, 9 Mar 2021 09:30:45 -0500
Received: from zeniv-ca.linux.org.uk ([142.44.231.140]:57348 "EHLO
        zeniv-ca.linux.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S230325AbhCIOa3 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 9 Mar 2021 09:30:29 -0500
Received: from viro by zeniv-ca.linux.org.uk with local (Exim 4.94 #2 (Red Hat Linux))
        id 1lJdIm-004JBQ-G7; Tue, 09 Mar 2021 14:25:36 +0000
Date:   Tue, 9 Mar 2021 14:25:36 +0000
From:   Al Viro <viro@zeniv.linux.org.uk>
To:     Palash Oswal <oswalpalash@gmail.com>
Cc:     akpm@linux-foundation.org, dave@stgolabs.net,
        Kees Cook <keescook@chromium.org>,
        linux-kernel@vger.kernel.org, mingo@kernel.org,
        peterz@infradead.org, rppt@linux.vnet.ibm.com, sds@tycho.nsa.gov,
        syzkaller-bugs@googlegroups.com
Subject: Re: kernel panic: Attempted to kill init!
Message-ID: <YEeFYMcdPVNrKRJT@zeniv-ca.linux.org.uk>
References: <CAGyP=7dpTbbj39uO37YrNMg9h4Nzmkszc3MoZg9n8ALir_A52g@mail.gmail.com>
 <YEZcVKbPzfMVK2aK@zeniv-ca.linux.org.uk>
 <CAGyP=7fHhyrTP-u0tqCy5ZHzZN0v_0dAoj6dCHnFuBbqtfnBmQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAGyP=7fHhyrTP-u0tqCy5ZHzZN0v_0dAoj6dCHnFuBbqtfnBmQ@mail.gmail.com>
Sender: Al Viro <viro@ftp.linux.org.uk>
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Mar 09, 2021 at 11:29:14AM +0530, Palash Oswal wrote:

> I observe the following result(notice the segfault in systemd):
> root@sandbox:~# ./repro
> [    9.457767] got to 221
> [    9.457791] got to 183
> [    9.459144] got to 201
> [    9.459471] got to 208
> [    9.459773] got to 210
> [    9.462602] got to 270
> [    9.488551] systemd[1]: segfault at 7ffe59fd7fb8 ip
> 000055be8f20b466 sp 00007ffe59fd7fc0 error 6 in
> systemd[55be8f15f000+ed000]
> [    9.490723] Code: 00 00 00 00 41 57 41 56 41 55 41 54 55 53 89 fd
> 48 81 ec 48 01 00 00 64 48 8b 04 25 28 00 00 00 48 89 84 24 38 01 00
> 00 31 c0 <e8> f5 bf f7 ff 83 f8 01 0f 84 b7 00 00 00 48 8d 9c 240
> [    9.492637] Kernel panic - not syncing: Attempted to kill init!
> exitcode=0x0000000b

Lovely.  So something in that sequence of syscalls manages to trigger
segfault in unrelated process.  What happens if you put it to sleep
right after open_by_handle_at() (e.g. by read(2) from fd 0, etc.)?