WARNING in do_jobctl_trap

From: Dmitry Vyukov
Date: Tue Jan 26 2016 - 10:13:23 EST

Next message: Charles Keepax: "[PATCH] regulator: core: Clear constraints pointer after free on error path"
Previous message: Nicolas Schichan: "[PATCH] net: mv643xx_eth: fix packet corruption with TSO and tiny unaligned packets."
Next in thread: Oleg Nesterov: "Re: WARNING in do_jobctl_trap"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello,

The following program triggers WARN_ON_ONCE(!signr) in do_jobctl_trap:

------------[ cut here ]------------
WARNING: CPU: 1 PID: 11020 at kernel/signal.c:2076 get_signal+0x125a/0x14f0()
Modules linked in:
CPU: 1 PID: 11020 Comm: syz-executor Not tainted 4.5.0-rc1+ #291
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
00000000ffffffff ffff88005b987c10 ffffffff829e798d 0000000000000000
ffff88005c0b0000 ffffffff8653d460 ffff88005b987c50 ffffffff813536d9
ffffffff81382d8a ffffffff8653d460 000000000000081c ffff88005c0b0000
Call Trace:
[< inline >] __dump_stack lib/dump_stack.c:15
[<ffffffff829e798d>] dump_stack+0x6f/0xa2 lib/dump_stack.c:50
[<ffffffff813536d9>] warn_slowpath_common+0xd9/0x140 kernel/panic.c:482
[<ffffffff81353909>] warn_slowpath_null+0x29/0x30 kernel/panic.c:515
[< inline >] do_jobctl_trap kernel/signal.c:2076
[<ffffffff81382d8a>] get_signal+0x125a/0x14f0 kernel/signal.c:2195
[<ffffffff811a0db3>] do_signal+0x83/0x1c90 arch/x86/kernel/signal.c:712
[<ffffffff81006685>] exit_to_usermode_loop+0x1a5/0x210
arch/x86/entry/common.c:247
[< inline >] prepare_exit_to_usermode arch/x86/entry/common.c:282
[<ffffffff810084ea>] syscall_return_slowpath+0x2ba/0x340
arch/x86/entry/common.c:344
[<ffffffff86459c22>] int_ret_from_sys_call+0x25/0x9f
arch/x86/entry/entry_64.S:281
---[ end trace 8084a3d0c9430433 ]---

// autogenerated by syzkaller (http://github.com/google/syzkaller)
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <sys/prctl.h>
#include <linux/sched.h>
#include <sched.h>
#include <pthread.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#include <memory.h>
#include <stdio.h>
#include <errno.h>

void *thr(void *arg)
{
switch ((long)arg) {
case 0:
ptrace(PTRACE_SEIZE, getppid(), 0, 0);
ptrace(PTRACE_INTERRUPT, getppid(), 0, 0);
break;
case 1:
break;
case 2:
kill(getpid(), SIGPIPE);
break;
}
return 0;
}

int main1(void *arg)
{
int i, fd, pid, status;
pthread_t th[3];

setpgrp();
prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
fd = open("/proc/self/setgroups", O_RDWR);
write(fd, "deny", strlen("deny"));
close(fd);
fd = open("/proc/self/uid_map", O_RDWR);
write(fd, "0 0 1\n", strlen("0 0 1\n"));
close(fd);
fd = open("/proc/self/gid_map", O_RDWR);
write(fd, "0 0 1\n", strlen("0 0 1\n"));
close(fd);
pid = fork();
if (pid == 0) {
for (i = 0; i < 3; i++) {
pthread_create(&th[i], 0, thr, (void*)(long)i);
usleep(1000);
}
for (i = 0; i < 3; i++) {
pthread_create(&th[i], 0, thr, (void*)(long)i);
if (rand()%2)
usleep(rand()%1000);
}
usleep(10000);
exit(0);
}
while (waitpid(pid, &status, __WALL) != pid) {
}
exit(0);
}

int main()
{
int pid, status;
char stack[1<<20];

srand(getpid());
pid = clone(main1, &stack[sizeof(stack)-8], CLONE_NEWUSER |
CLONE_NEWPID, 0);
while (waitpid(pid, &status, __WALL) != pid) {
}
return 0;
}

On commit 92e963f50fc74041b5e9e744c330dca48e04f08d (Jan 24).

Next message: Charles Keepax: "[PATCH] regulator: core: Clear constraints pointer after free on error path"
Previous message: Nicolas Schichan: "[PATCH] net: mv643xx_eth: fix packet corruption with TSO and tiny unaligned packets."
Next in thread: Oleg Nesterov: "Re: WARNING in do_jobctl_trap"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]