From: Dmitry Vyukov
Date: Tue, 26 Jan 2016 16:12:54 +0100
Subject: WARNING in do_jobctl_trap
To: Andrew Morton, Oleg Nesterov, "Amanieu d'Antras", Richard Weinberger, Davidlohr Bueso, Vladimir Davydov, Palmer Dabbelt, Andy Lutomirski, LKML
Cc: syzkaller, Kostya Serebryany, Alexander Potapenko, Sasha Levin, Eric Dumazet
X-Mailing-List: linux-kernel@vger.kernel.org

Hello,

The following program triggers WARN_ON_ONCE(!signr) in do_jobctl_trap:

------------[ cut here ]------------
WARNING: CPU: 1 PID: 11020 at kernel/signal.c:2076 get_signal+0x125a/0x14f0()
Modules linked in:
CPU: 1 PID: 11020 Comm: syz-executor Not tainted 4.5.0-rc1+ #291
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 00000000ffffffff ffff88005b987c10 ffffffff829e798d 0000000000000000
 ffff88005c0b0000 ffffffff8653d460 ffff88005b987c50 ffffffff813536d9
 ffffffff81382d8a ffffffff8653d460 000000000000081c ffff88005c0b0000
Call Trace:
 [< inline >] __dump_stack lib/dump_stack.c:15
 [] dump_stack+0x6f/0xa2 lib/dump_stack.c:50
 [] warn_slowpath_common+0xd9/0x140 kernel/panic.c:482
 [] warn_slowpath_null+0x29/0x30 kernel/panic.c:515
 [< inline >] do_jobctl_trap kernel/signal.c:2076
 [] get_signal+0x125a/0x14f0 kernel/signal.c:2195
 [] do_signal+0x83/0x1c90 arch/x86/kernel/signal.c:712
 [] exit_to_usermode_loop+0x1a5/0x210 arch/x86/entry/common.c:247
 [< inline >] prepare_exit_to_usermode arch/x86/entry/common.c:282
 [] syscall_return_slowpath+0x2ba/0x340 arch/x86/entry/common.c:344
 [] int_ret_from_sys_call+0x25/0x9f arch/x86/entry/entry_64.S:281
---[ end trace 8084a3d0c9430433 ]---

// autogenerated by syzkaller (http://github.com/google/syzkaller)
#define _GNU_SOURCE /* needed for clone() and the CLONE_* flags */
#include <fcntl.h>
#include <pthread.h>
#include <sched.h>
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

void *thr(void *arg)
{
  switch ((long)arg) {
  case 0:
    /* seize and interrupt the parent process */
    ptrace(PTRACE_SEIZE, getppid(), 0, 0);
    ptrace(PTRACE_INTERRUPT, getppid(), 0, 0);
    break;
  case 1:
    break;
  case 2:
    /* send SIGPIPE to our own process */
    kill(getpid(), SIGPIPE);
    break;
  }
  return 0;
}

int main1(void *arg)
{
  int i, fd, pid, status;
  pthread_t th[3];

  setpgrp();
  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);

  /* set up the uid/gid mappings of the new user namespace */
  fd = open("/proc/self/setgroups", O_RDWR);
  write(fd, "deny", strlen("deny"));
  close(fd);
  fd = open("/proc/self/uid_map", O_RDWR);
  write(fd, "0 0 1\n", strlen("0 0 1\n"));
  close(fd);
  fd = open("/proc/self/gid_map", O_RDWR);
  write(fd, "0 0 1\n", strlen("0 0 1\n"));
  close(fd);

  pid = fork();
  if (pid == 0) {
    /* first pass: start the three threads 1 ms apart */
    for (i = 0; i < 3; i++) {
      pthread_create(&th[i], 0, thr, (void*)(long)i);
      usleep(1000);
    }
    /* second pass: start them again with random delays */
    for (i = 0; i < 3; i++) {
      pthread_create(&th[i], 0, thr, (void*)(long)i);
      if (rand()%2)
        usleep(rand()%1000);
    }
    usleep(10000);
    exit(0);
  }
  while (waitpid(pid, &status, __WALL) != pid) {
  }
  exit(0);
}

int main()
{
  int pid, status;
  char stack[1<<20];

  srand(getpid());
  /* run main1 in a new user and PID namespace */
  pid = clone(main1, &stack[sizeof(stack)-8], CLONE_NEWUSER | CLONE_NEWPID, 0);
  while (waitpid(pid, &status, __WALL) != pid) {
  }
  return 0;
}

On commit 92e963f50fc74041b5e9e744c330dca48e04f08d (Jan 24).