WARNING in do_jobctl_trap

WARNING in do_jobctl_trap

[Dmitry Vyukov]

Hello,

The following program triggers WARN_ON_ONCE(!signr) in do_jobctl_trap:

------------[ cut here ]------------
WARNING: CPU: 1 PID: 11020 at kernel/signal.c:2076 get_signal+0x125a/0x14f0()
Modules linked in:
CPU: 1 PID: 11020 Comm: syz-executor Not tainted 4.5.0-rc1+ #291
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 00000000ffffffff ffff88005b987c10 ffffffff829e798d 0000000000000000
 ffff88005c0b0000 ffffffff8653d460 ffff88005b987c50 ffffffff813536d9
 ffffffff81382d8a ffffffff8653d460 000000000000081c ffff88005c0b0000
Call Trace:
 [<     inline     >] __dump_stack lib/dump_stack.c:15
 [<ffffffff829e798d>] dump_stack+0x6f/0xa2 lib/dump_stack.c:50
 [<ffffffff813536d9>] warn_slowpath_common+0xd9/0x140 kernel/panic.c:482
 [<ffffffff81353909>] warn_slowpath_null+0x29/0x30 kernel/panic.c:515
 [<     inline     >] do_jobctl_trap kernel/signal.c:2076
 [<ffffffff81382d8a>] get_signal+0x125a/0x14f0 kernel/signal.c:2195
 [<ffffffff811a0db3>] do_signal+0x83/0x1c90 arch/x86/kernel/signal.c:712
 [<ffffffff81006685>] exit_to_usermode_loop+0x1a5/0x210
arch/x86/entry/common.c:247
 [<     inline     >] prepare_exit_to_usermode arch/x86/entry/common.c:282
 [<ffffffff810084ea>] syscall_return_slowpath+0x2ba/0x340
arch/x86/entry/common.c:344
 [<ffffffff86459c22>] int_ret_from_sys_call+0x25/0x9f
arch/x86/entry/entry_64.S:281
---[ end trace 8084a3d0c9430433 ]---


// autogenerated by syzkaller (http://github.com/google/syzkaller)
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <sys/prctl.h>
#include <linux/sched.h>
#include <sched.h>
#include <pthread.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#include <memory.h>
#include <stdio.h>
#include <errno.h>

void *thr(void *arg)
{
    switch ((long)arg) {
    case 0:
        ptrace(PTRACE_SEIZE, getppid(), 0, 0);
        ptrace(PTRACE_INTERRUPT, getppid(), 0, 0);
        break;
    case 1:
        break;
    case 2:
        kill(getpid(), SIGPIPE);
        break;
    }
    return 0;
}

int main1(void *arg)
{
    int i, fd, pid, status;
    pthread_t th[3];

    setpgrp();
    prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
    fd = open("/proc/self/setgroups", O_RDWR);
    write(fd, "deny", strlen("deny"));
    close(fd);
    fd = open("/proc/self/uid_map", O_RDWR);
    write(fd, "0 0 1\n", strlen("0 0 1\n"));
    close(fd);
    fd = open("/proc/self/gid_map", O_RDWR);
    write(fd, "0 0 1\n", strlen("0 0 1\n"));
    close(fd);
    pid = fork();
    if (pid == 0) {
        for (i = 0; i < 3; i++) {
            pthread_create(&th[i], 0, thr, (void*)(long)i);
            usleep(1000);
        }
        for (i = 0; i < 3; i++) {
            pthread_create(&th[i], 0, thr, (void*)(long)i);
            if (rand()%2)
                usleep(rand()%1000);
        }
        usleep(10000);
        exit(0);
    }
    while (waitpid(pid, &status, __WALL) != pid) {
    }
    exit(0);
}

int main()
{
    int pid, status;
    char stack[1<<20];

    srand(getpid());
    pid = clone(main1, &stack[sizeof(stack)-8], CLONE_NEWUSER |
CLONE_NEWPID, 0);
    while (waitpid(pid, &status, __WALL) != pid) {
    }
    return 0;
}

On commit 92e963f50fc74041b5e9e744c330dca48e04f08d (Jan 24).

Re: WARNING in do_jobctl_trap

[Oleg Nesterov]

On 01/26, Dmitry Vyukov wrote:
>
> Hello,
>
> The following program triggers WARN_ON_ONCE(!signr) in do_jobctl_trap:

Can't reproduce, but most probably I understand the problem... I'll try to
make the simplified test-case tomorrow, it should work if I am right.

Does it work for you reliably?  If yes, any chance you can try the patch
below?

Oleg.

--- x/kernel/ptrace.c
+++ x/kernel/ptrace.c
@@ -73,11 +73,11 @@ void __ptrace_unlink(struct task_struct *child)
 {
 	BUG_ON(!child->ptrace);
 
-	child->ptrace = 0;
 	child->parent = child->real_parent;
 	list_del_init(&child->ptrace_entry);
 
 	spin_lock(&child->sighand->siglock);
+	child->ptrace = 0;
 
 	/*
 	 * Clear all pending traps and TRAPPING.  TRAPPING should be

Re: WARNING in do_jobctl_trap

[Oleg Nesterov]

On 01/26, Oleg Nesterov wrote:
>
> On 01/26, Dmitry Vyukov wrote:
> >
> > Hello,
> >
> > The following program triggers WARN_ON_ONCE(!signr) in do_jobctl_trap:
>
> Can't reproduce, but most probably I understand the problem... I'll try to
> make the simplified test-case tomorrow, it should work if I am right.

This triggers the same problem immediately:


	#include <unistd.h>
	#include <sys/ptrace.h>
	#include <sys/wait.h>

	void test(void)
	{
		for (;;) {
			if (fork()) {
				wait(NULL);
				continue;
			}

			ptrace(PTRACE_SEIZE, getppid(), 0, 0);
			ptrace(PTRACE_INTERRUPT, getppid(), 0, 0);
			_exit(0);
		}
	}

	int main(void)
	{
		int np;

		for (np = 0; np < 8; ++np)
			if (!fork())
				test();

		while (wait(NULL) > 0)
			;
		return 0;
	}

and just in case, your test-case works too if I run

	perl -e 'fork; fork; fork; 1 while 1' &

in the background, it has too many delays to work on the idle system.

> Does it work for you reliably?  If yes, any chance you can try the patch
> below?
>
> Oleg.
>
> --- x/kernel/ptrace.c
> +++ x/kernel/ptrace.c
> @@ -73,11 +73,11 @@ void __ptrace_unlink(struct task_struct *child)
>  {
>  	BUG_ON(!child->ptrace);
>
> -	child->ptrace = 0;
>  	child->parent = child->real_parent;
>  	list_del_init(&child->ptrace_entry);
>
>  	spin_lock(&child->sighand->siglock);
> +	child->ptrace = 0;
>
>  	/*
>  	 * Clear all pending traps and TRAPPING.  TRAPPING should be

The change above helps, but I need to think more...

Oleg.

Re: WARNING in do_jobctl_trap

[Dmitry Vyukov]

On Wed, Jan 27, 2016 at 5:04 PM, Oleg Nesterov <oleg@redhat.com> wrote:
> On 01/26, Oleg Nesterov wrote:
>>
>> On 01/26, Dmitry Vyukov wrote:
>> >
>> > Hello,
>> >
>> > The following program triggers WARN_ON_ONCE(!signr) in do_jobctl_trap:
>>
>> Can't reproduce, but most probably I understand the problem... I'll try to
>> make the simplified test-case tomorrow, it should work if I am right.
>
> This triggers the same problem immediately:
>
>
>         #include <unistd.h>
>         #include <sys/ptrace.h>
>         #include <sys/wait.h>
>
>         void test(void)
>         {
>                 for (;;) {
>                         if (fork()) {
>                                 wait(NULL);
>                                 continue;
>                         }
>
>                         ptrace(PTRACE_SEIZE, getppid(), 0, 0);
>                         ptrace(PTRACE_INTERRUPT, getppid(), 0, 0);
>                         _exit(0);
>                 }
>         }
>
>         int main(void)
>         {
>                 int np;
>
>                 for (np = 0; np < 8; ++np)
>                         if (!fork())
>                                 test();
>
>                 while (wait(NULL) > 0)
>                         ;
>                 return 0;
>         }
>
> and just in case, your test-case works too if I run
>
>         perl -e 'fork; fork; fork; 1 while 1' &
>
> in the background, it has too many delays to work on the idle system.
>
>> Does it work for you reliably?  If yes, any chance you can try the patch
>> below?
>>
>> Oleg.
>>
>> --- x/kernel/ptrace.c
>> +++ x/kernel/ptrace.c
>> @@ -73,11 +73,11 @@ void __ptrace_unlink(struct task_struct *child)
>>  {
>>       BUG_ON(!child->ptrace);
>>
>> -     child->ptrace = 0;
>>       child->parent = child->real_parent;
>>       list_del_init(&child->ptrace_entry);
>>
>>       spin_lock(&child->sighand->siglock);
>> +     child->ptrace = 0;
>>
>>       /*
>>        * Clear all pending traps and TRAPPING.  TRAPPING should be
>
> The change above helps, but I need to think more...


Hi Oleg,

I am running with the __ptrace_unlink fix since then, and did not see any bugs.
Please mail it a proper patch.

Re: WARNING in do_jobctl_trap

[Oleg Nesterov]

Hi Dmitry,

On 03/10, Dmitry Vyukov wrote:
>
> I am running with the __ptrace_unlink fix since then, and did not see any bugs.
> Please mail it a proper patch.

Yes, thanks, will do in a minute... Hopefully I'll (re)send more fixes for the
problems found by syzkaller this week.

Oleg.