Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp98078pxf; Wed, 10 Mar 2021 01:12:07 -0800 (PST) X-Google-Smtp-Source: ABdhPJzzXWXBA8HJruzNACeeCyWOEWWjAOYxbGasjjlhJoLP/OQOt/bVLe2HDj9E6HdafwdmjjN+ X-Received: by 2002:a50:eb97:: with SMTP id y23mr2185239edr.170.1615367527125; Wed, 10 Mar 2021 01:12:07 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1615367527; cv=none; d=google.com; s=arc-20160816; b=TRI1JUyOkx30Kc8LDe3MLU/J/6yfEphVf0kywUDUzlRJkXFgVYjYjcP61JMKMdvYKF e6G60db7WCGK4zVLMwhL58OnsKcu+9Y18KVLJGbYq79thojiZGOLtbKLbqYlKdwd5B6R lawED9ep2rIBdMQ8aASgWeHWX29kSpsDGeatJsoygZzQKQSFLb9NlWbZuDwDN9FrPhs+ 6HEQp5mOMCaT+eafNPLYtYm+U4T6HGZsWdV1OAZhos2lw66MLhBN88r1Z9w7m1m1jYQU p3wvQ04RCLs3VZIldwZe8Gx1gokOR2QUyygUVqgMGmGKMaX5owfkj9JFUGzTd+5jAP6Q +CMQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=Lelg7Ymcsrx96H/9Hjjx+m4usnhjyVxAi/WxnBdwd2k=; b=FdcUNdl9whrOuuLFcYMYhKpwMjOB4QE76BydMCPccrR//6uCohBesIxDxrhO6nLMc/ mBwN0wCnmMjXWEyQCGdszDtIYEqd8dpn6Erg2Jds/E+LyBj1dhCnP1QWkYOhS2ZA1aIa efxSYWHS7Yv1HlE4xQt+/uNs+VIZdJHNM2qeaj2sa6t7r5tctOOsgY1Zg1z6hZBxqJ9d 5hwlxoVgMm/cmAzNk43cC+lD5FmCpc/F0aNUew0hfSJ5aWWxW0IoTACQv8UwosIqOu+U wiBmyjOqzM5Ct/p9GgJNC2xOxPhFeGGsMRukOeSJzvcg8JwRIWhaNfkgLYFOpKjzUZcs Dy5g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=O+i3cCDD; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id bu13si10747993edb.498.2021.03.10.01.11.44; Wed, 10 Mar 2021 01:12:07 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=O+i3cCDD; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232608AbhCJJIp (ORCPT + 99 others); Wed, 10 Mar 2021 04:08:45 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46412 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232619AbhCJJIY (ORCPT ); Wed, 10 Mar 2021 04:08:24 -0500 Received: from mail-qt1-x831.google.com (mail-qt1-x831.google.com [IPv6:2607:f8b0:4864:20::831]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8BB21C06174A for ; Wed, 10 Mar 2021 01:08:24 -0800 (PST) Received: by mail-qt1-x831.google.com with SMTP id v3so12478642qtw.4 for ; Wed, 10 Mar 2021 01:08:24 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Lelg7Ymcsrx96H/9Hjjx+m4usnhjyVxAi/WxnBdwd2k=; b=O+i3cCDDegpOwRxcpOsL1eL7HO5uvDSQcvx8EPj6qeYl7MrGO1g0s2cLRvM9xN3xn+ i0Ff/gOPl+rMsC//4T1x+dqg2MPjKMoZgqVJOFAyGFVK+DX8/jRrzDnXG1qMtFzbBDw8 eAFPN2bw6r/K05PcCh7q9+G7tAK8L6OddCe3G4Gz1jW9QM+ETU78q562d6RnrxLft8HN ArNLlINMSq2SU50k5wBBkLtFQFUQsBvCz6zBVyA1/a+YNgRmNSYjPRfkSvEPs0dKeEr6 QnbedkohHNaLpVzQ2tTdUKyHbLzgsu9RQ8T3J7b3NgXtqNnHxMhNyesUi7ey5H+XXU/x /zdA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Lelg7Ymcsrx96H/9Hjjx+m4usnhjyVxAi/WxnBdwd2k=; b=XstaRxVhh3fd0tgECZ9XJZ6DzbvMm7NgcUrhi36h/Trlh3DPlXDtovlGqsuFI0Szqo V5MFozl+QpFtqi2hlBW1t0BoRqMg10x4Kxw3/Uq2QS4aukov6FIp6ksiz5vLRX3nTRsI 74kLsUkVsIzypbh84glUD4LsbWfDuraySw0KS584l8KNs4o2R8FstzGP5FiOFaDMN6pu /IrzrKxaUeE4lyW30TesIHkc9uodEq63vdSpn6GTf7eyF0QwH8YS9O81kiJzOM2TTUMs Ysb12HmM65xPDOiXCqzWAQ6k8rvw/eGvSvoUbANo2FuyLkNmPFTFxS/DanJZaKlYbu7o EdVg== X-Gm-Message-State: AOAM530l+gWccpAfVtQ5kNXgz0OuO4zBOTAVXoRxR3mmUuie7GvqTuw7 N7NByo/LEZFOK2ru3HNdsLg5g21aGjvDQFb0+JZKfA== X-Received: by 2002:aed:2c61:: with SMTP id f88mr1774089qtd.337.1615367303536; Wed, 10 Mar 2021 01:08:23 -0800 (PST) MIME-Version: 1.0 References: In-Reply-To: From: Dmitry Vyukov Date: Wed, 10 Mar 2021 10:08:12 +0100 Message-ID: Subject: Re: kernel panic: Attempted to kill init! To: Palash Oswal Cc: Al Viro , Andrew Morton , Davidlohr Bueso , Kees Cook , LKML , Ingo Molnar , Peter Zijlstra , Mike Rapoport , Stephen Smalley , syzkaller-bugs Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Mar 10, 2021 at 10:02 AM Palash Oswal wrote: > > On Tue, Mar 9, 2021 at 7:58 PM Al Viro wrote: > > Lovely. So something in that sequence of syscalls manages to trigger > > segfault in unrelated process. What happens if you put it to sleep > > right after open_by_handle_at() (e.g. by read(2) from fd 0, etc.)? > > Added read(2) call in the reproducer, and there's no longer a segfault > in systemd, but the process is still killed > syscall(__NR_open_by_handle_at, r[0], 0x20000000ul, 0x2f00ul); > + unsigned char buffer[1]; > + read(0, buffer, 1); > return 0; > > root@sandbox:~# gcc -pthread repro.c -o repro > root@sandbox:~# ./repro > [ 450.676798] got to 221 > [ 450.676881] got to 183 > [ 450.677655] got to 201 > [ 450.678042] got to 208 > [ 450.678349] got to 210 > [ 450.681404] got to 270 > [ 450.707100] Kernel panic - not syncing: Attempted to kill init! > exitcode=0x0000000b > [ 450.708393] CPU: 0 PID: 1 Comm: systemd Not tainted 5.11.2+ #22 > [ 450.709105] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), > BIOS 1.14.0-1 04/01/2014 > [ 450.710117] Call Trace: > [ 450.710440] dump_stack+0xb2/0xe4 > [ 450.710902] panic+0x196/0x502 > [ 450.711277] do_exit.cold+0x70/0x108 > [ 450.711710] do_group_exit+0x78/0x120 > [ 450.712161] get_signal+0x22e/0xd60 > [ 450.712588] arch_do_signal_or_restart+0xef/0x890 > [ 450.713165] exit_to_user_mode_prepare+0x102/0x190 > [ 450.713744] irqentry_exit_to_user_mode+0x9/0x20 > [ 450.714340] irqentry_exit+0x19/0x30 > [ 450.714817] exc_page_fault+0xc3/0x240 > [ 450.715275] ? asm_exc_page_fault+0x8/0x30 > [ 450.715805] asm_exc_page_fault+0x1e/0x30 > [ 450.716295] RIP: 0033:0x7febb8036f10 > [ 450.716738] Code: Unable to access opcode bytes at RIP 0x7febb8036ee6. > [ 450.717512] RSP: 002b:00007ffd91fec2f8 EFLAGS: 00010246 > [ 450.718139] RAX: 0000000000000000 RBX: 000055c6cc268f40 RCX: 00007febb80672e3 > [ 450.719030] RDX: 00007ffd91fec480 RSI: 00007ffd91fec5b0 RDI: 0000000000000007 > [ 450.719877] RBP: 0000000000000007 R08: 431bde82d7b634db R09: 000000000000000b > [ 450.720681] R10: 00000000ffffffff R11: 0000000000000246 R12: 00007ffd927eb4d0 > [ 450.721527] R13: 0000000000000001 R14: ffffffffffffffff R15: 0000000000000002 > [ 450.722470] Kernel Offset: disabled > [ 450.722941] ---[ end Kernel panic - not syncing: Attempted to kill > init! exitcode=0x0000000b ]--- > > Added a hb at panic() and here's the backtrace from gdb: > (gdb) hb kernel/panic.c:177 > Hardware assisted breakpoint 1 at 0xffffffff82201bd7: file > kernel/panic.c, line 178. > (gdb) c > Continuing. > Thread 1 hit Breakpoint 1, panic (fmt=fmt@entry=0xffffffff82bcd850 > "Attempted to kill init! exitcode=0x%08x\n") at kernel/panic.c:178 > 178 { > (gdb) bt > #0 panic (fmt=fmt@entry=0xffffffff82bcd850 "Attempted to kill init! > exitcode=0x%08x\n") at kernel/panic.c:178 > #1 0xffffffff822025a3 in do_exit (code=code@entry=11) at kernel/exit.c:794 > #2 0xffffffff810e6e98 in do_group_exit (exit_code=11) at kernel/exit.c:922 > #3 0xffffffff810febae in get_signal > (ksig=ksig@entry=0xffffc90000013e38) at kernel/signal.c:2773 > #4 0xffffffff8104fa8f in arch_do_signal_or_restart > (regs=0xffffc90000013f58, has_signal=) at > arch/x86/kernel/signal.c:831 > #5 0xffffffff811a0602 in handle_signal_work (ti_work=, > regs=0xffffc90000013f58) at kernel/entry/common.c:147 > #6 exit_to_user_mode_loop (ti_work=, regs= out>) at kernel/entry/common.c:171 > #7 exit_to_user_mode_prepare (regs=0xffffc90000013f58) at > kernel/entry/common.c:201 > #8 0xffffffff8227a299 in irqentry_exit_to_user_mode (regs= out>) at kernel/entry/common.c:307 > #9 0xffffffff8227a2c9 in irqentry_exit > (regs=regs@entry=0xffffc90000013f58, state=..., state@entry=...) at > kernel/entry/common.c:395 > #10 0xffffffff82279c83 in exc_page_fault (regs=0xffffc90000013f58, > error_code=20) at arch/x86/mm/fault.c:1509 > #11 0xffffffff82400ade in asm_exc_page_fault () at > ./arch/x86/include/asm/idtentry.h:580 > #12 0x0000000000000002 in fixed_percpu_data () > #13 0xffffffffffffffff in ?? () > #14 0x0000000000000001 in fixed_percpu_data () > #15 0x00007ffdef6e1480 in ?? () > #16 0x0000000000000007 in fixed_percpu_data () > #17 0x000055a7e97caf40 in ?? () > #18 0x0000000000000246 in ?? () > #19 0x00000000ffffffff in ?? () > #20 0x000000000000000b in fixed_percpu_data () > #21 0x0000000000000000 in ?? () The kernel stack is not very useful in this case, it's a common faulting stack. Maybe it will shed some light if you install gdb in the image, attach it to the systemd process, then trigger the segfault and then unwind stack in the systemd process at the time of fault, dump registers, etc. However, I don't know if gdb will get the signal first, or the kernel will panic first... FWIW I can't reproduce this locally on wheezy/stretch images.