lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 17 Feb 2014 16:51:37 +0400
From:	Vladimir Davydov <vdavydov@...allels.com>
To:	LKML <linux-kernel@...r.kernel.org>
CC:	Jan Kara <jack@...e.cz>, Wu Fengguang <fengguang.wu@...el.com>,
	Andrew Morton <akpm@...ux-foundation.org>
Subject: Unkillable R-state process stuck in sendfile

Hi,

While running trinity syscall fuzzer I noticed that sometimes it does
not get killed immediately, even by SIGKILL - it takes several minutes
before it exits. What is interesting it "hangs" in R-state consuming
100% of CPU time. Analyzing its trace I found that it loops in
sendfile(2) with the out fd pointing to an evenfd object, i.e. it does
something like this:

#include <sys/types.h>
#include <sys/stat.h>
#include <sys/eventfd.h>
#include <fcntl.h>
#include <stdlib.h>
#include <limits.h>
#include <err.h>

#define SIZE            INT_MAX

int main()
{
        int in_fd, out_fd;
        ssize_t ret;

        in_fd = open("tmpfile", O_RDWR|O_CREAT, 0666);
        if (in_fd < 0)
                err(1, "open");
        if (ftruncate64(in_fd, SIZE) < 0)
                err(1, "ftruncate");
        out_fd = eventfd(0, 0);
        if (out_fd < 0)
                err(1, "eventfd");
        ret = sendfile64(out_fd, in_fd, NULL, SIZE);
        if (ret < 0)
                err(1, "sendfile");
}

This program will ignore SIGKILL for 2-5 minutes depending on how fast
the host processor is. This happens, because eventfd_write does not
check for pending signals when making progress (not waiting), neither
does file read.

I'm not sure if this is actually bad and should be fixed, but perhaps
it's worth making do_generic_file_read() check for fatal signals pending
and break the read loop if so?

FWIW, generic_perform_write() isn't prone to this problem, because
recently it was made interruptible by a fatal signal - see commit
a50527b19c62c ("fs: Make write(2) interruptible by a fatal signal").

Thanks.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ