Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
MIME-Version: 1.0
In-Reply-To: <20171106143138.GA17423@redhat.com>
References: <94eb2c058c80ea49ed055cc8695e@google.com> <CACT4Y+Y-Zi+30FtfNJk5UUeO5RaTs2WNrDz2cKnXbAUyWvfgCQ@mail.gmail.com>
 <20171031163451.GA30223@redhat.com> <CACT4Y+Yex9wRJc_5TV+7gGmkNq0twbkCwzoPJOKtr_eFPB=vPQ@mail.gmail.com>
 <20171102170138.GA13663@redhat.com> <CACT4Y+ZA17tmCEFbkewkP2uZ+ZN0pLjEDZYdHG0gvpsYqUnVDA@mail.gmail.com>
 <20171106112508.lun6eftpj5icnvdy@cedar> <20171106143138.GA17423@redhat.com>
From:   Dmitry Vyukov <dvyukov@google.com>
Date:   Tue, 7 Nov 2017 18:31:12 +0100
Message-ID: <CACT4Y+YfCFkj16WUe-s8yuCvroG1JL-hvbuB5TNQ4r=V2w6Gmw@mail.gmail.com>
Subject: Re: WARNING in task_participate_group_stop
To:     Oleg Nesterov <oleg@redhat.com>
Cc:     Jamie Iles <jamie.iles@oracle.com>,
        syzbot 
        <bot+c9f0eb0d2a5576ece331a767528e6b52b4ff1815@syzkaller.appspotmail.com>,
        Andrew Morton <akpm@linux-foundation.org>,
        Arvind Yadav <arvind.yadav.cs@gmail.com>,
        Mark Brown <broonie@kernel.org>,
        "Eric W. Biederman" <ebiederm@xmission.com>,
        =?UTF-8?B?RnLDqWTDqXJpYyBXZWlzYmVja2Vy?= <fweisbec@gmail.com>,
        LKML <linux-kernel@vger.kernel.org>,
        "Martin K. Petersen" <martin.petersen@oracle.com>,
        mchehab@kernel.org, Ingo Molnar <mingo@kernel.org>,
        mpe@ellerman.id.au, syzkaller-bugs@googlegroups.com,
        Al Viro <viro@zeniv.linux.org.uk>, Kyle Huey <me@kylehuey.com>,
        Kees Cook <keescook@chromium.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk

On Mon, Nov 6, 2017 at 3:31 PM, Oleg Nesterov <oleg@redhat.com> wrote:
> On 11/06, Jamie Iles wrote:
>>
>> I'm unable to reproduce the warning in qemu with SMP (on a 32 CPU VM).
>
> Neither me. Perhaps because I tried this test-case on the minimal system
> with /bin/sh running as init process.
>
>> Instead I get the following instant traceback which is different to what
>> you report when run as root:
>>
>> [   45.018469] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000013
>> [   45.018469]
>> [   45.019669] CPU: 19 PID: 1 Comm: systemd Not tainted 4.14.0-rc8 #7
>> [   45.021094] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.1-1ubuntu1 04/01/2014
>> [   45.022768] Call Trace:
>> [   45.023076]  dump_stack+0x12e/0x188
>> [   45.023481]  panic+0x1e4/0x417
>
> This is fine and hopefully confirms the theory. let me quote my previous email:
>
>                 line 111    r[8] = syscall(__NR_ptrace, 0x10ul, r[7]);
>
>         this is PTRACE_ATTACH
>
>                 line 115        syscall(__NR_ptrace, 0x4200ul, r[7], 0x40000012ul, 0x100012ul);
>
>         this is PTRACE_SETOPTIONS and "data" includes PTRACE_O_EXITKILL.
>
>         r[7] is initialized at
>
>                 line 110      r[7] = *(uint32_t*)0x20f9cffc;
>
>         so if it is eq to 1 then it can attach to init and in this case the problem
>         can be explained by the wrong SIGNAL_UNKILLABLE/SIGKILL logic.
>
> So, if it is eq to 1 then init will be killed after the child process created
> by loop() function exits (see PTRACE_O_EXITKILL above).
>
> This is correct, only the warning is not.
>
> For example, this command does ptrace(PTRACE_SEIZE, 1,0, PTRACE_O_EXITKILL)
>
>         # perl -e 'syscall 101, 0x4206, 1, 0, 0x100000'
>
> and crashes the kernel the same way, this is correct.


Oleg, I've tested the patch and I don't see the WARNING with it. Only
attempt to kill init, which is fine, we test inside of pid namespace
and test process is not able to reach init.

Tested-by: Dmitry Vyukov <dvyukov@google.com>

From 1583327554334917573@xxx Mon Nov 06 14:33:43 +0000 2017
X-GM-THRID: 1582711532474407023
X-Gmail-Labels: Inbox,Category Forums,HistoricalUnread