lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <554B91A7.7020904@hurleysoftware.com>
Date:	Thu, 07 May 2015 12:24:07 -0400
From:	Peter Hurley <peter@...leysoftware.com>
To:	josh@...htriplett.org
CC:	Fengguang Wu <fengguang.wu@...el.com>,
	Iulia Manda <iulia.manda21@...il.com>,
	"Paul E. McKenney" <paulmck@...ux.vnet.ibm.com>,
	Andrew Morton <akpm@...ux-foundation.org>,
	Linux Memory Management List <linux-mm@...ck.org>,
	LKP <lkp@...org>, linux-kernel@...r.kernel.org
Subject: Re: [CONFIG_MULTIUSER] BUG: unable to handle kernel paging request
 at ffffffee

On 05/07/2015 11:56 AM, josh@...htriplett.org wrote:
> On Wed, May 06, 2015 at 08:39:22PM -0400, Peter Hurley wrote:
>> On 05/06/2015 07:59 PM, josh@...htriplett.org wrote:
>>> On Wed, May 06, 2015 at 08:44:29AM -0700, Josh Triplett wrote:
>>>> On Wed, May 06, 2015 at 05:08:50PM +0800, Fengguang Wu wrote:
>>>>> FYI, the reported bug is still not fixed in linux-next 20150506.
>>>>
>>>> This isn't the same bug.  The previous one you mentioned was a userspace
>>>> assertion failure in libnih, likely caused because some part of upstart
>>>> didn't have appropriate error handling for some syscall returning
>>>> ENOSYS; that one wasn't an issue, since CONFIG_MULTIUSER=n is not
>>>> expected to boot a standard Linux distribution.
>>>>
>>>> This one, on the other hand, is a kernel panic, and does need fixing.
>>>>
>>>>> commit 2813893f8b197a14f1e1ddb04d99bce46817c84a
>>>>>
>>>>> +-----------------------------------------------------------+------------+------------+------------+
>>>>> |                                                           | c79574abe2 | 2813893f8b | cbdacaf0c1 |
>>>>> +-----------------------------------------------------------+------------+------------+------------+
>>>>> | boot_successes                                            | 60         | 0          | 0          |
>>>>> | boot_failures                                             | 0          | 22         | 1064       |
>>>>> | BUG:unable_to_handle_kernel                               | 0          | 22         | 1032       |
>>>>> | Oops                                                      | 0          | 22         | 1032       |
>>>>> | EIP_is_at_devpts_new_index                                | 0          | 22         | 1032       |
>>>>> | Kernel_panic-not_syncing:Fatal_exception                  | 0          | 22         | 1032       |
>>>>> | backtrace:do_sys_open                                     | 0          | 22         | 1032       |
>>>>> | backtrace:SyS_open                                        | 0          | 22         | 1032       |
>>>>> | WARNING:at_arch/x86/kernel/fpu/core.c:#fpu__clear()       | 0          | 0          | 32         |
>>>>> | Kernel_panic-not_syncing:Attempted_to_kill_init!exitcode= | 0          | 0          | 32         |
>>>>> +-----------------------------------------------------------+------------+------------+------------+
>>>>
>>>> Is this table saying the number of times the type of error in the first
>>>> column occurred in each commit?
>>>>
>>>> In any case, investigating.  Iulia, can you look at this as well?
>>>>
>>>> I'm digging through the call stack, and I'm having a hard time seeing
>>>> how the CONFIG_MULTIUSER patch could affect anything here.
>>>
>>> Update: it looks like init_devpts_fs is getting ERR_PTR(-EINVAL) back
>>> from kern_mount and storing that in devpts_mnt; later, devpts_new_index
>>> pokes at devpts_mnt and explodes.
>>>
>>> So, there are two separate bugs here.  On the one hand, CONFIG_MULTIUSER
>>> should not be causing kern_mount to fail with -EINVAL; tracking that
>>> down now.
>>
>> The mount failure is probably from the devpts mount options specifying
>> gid= for devpts nodes:
>>
>> devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
>>
>> The relevant code is fs/devpts/inode.c:parse_mount_options().
>> devpts also supports specifying the uid.
>>
>> To me, kern_mount() appropriately fails with -EINVAL, since the mount
>> options failed.
> 
> Except that init_devpts_fs is called at module_init time, long before
> the actual mount syscall; it appears to be creating a kernel-internal
> mount, and I don't see how mount options provided by userspace much
> later would cause the earlier kern_mount to fail.

Yeah, I realized that later; that the userspace mount is really a rebind
to that initial root kernel mount.
 
> Also, I don't see anything in parse_mount_options that should actually
> fail with CONFIG_MULTIUSER unset.

I didn't look deeper than that, but it seemed likely that it stemmed from
that. Maybe it's related to CONFIG_DEVPTS_MULTIPLE_INSTANCES (documented
in Documentation/fs/devpts.txt) and FS_USERNS_MOUNT?


>>> On the other hand, devpts and ptmx should handle the failure
>>> better, without crashing; ptmx_open should have gracefully failed back
>>> to userspace with -ENODEV or something, since ptmx doesn't make sense
>>> without devpts.  I'll send a patch for that too.
>>
>> Yeah, crashing is bad, but I don't think we should even be init'ing
>> either BSD or SysV pty drivers if there is no devpts.
> 
> Can you review the patch I sent to fix the crash, and see if it looks
> reasonable to you?

On my todo list for today.

Regards,
Peter Hurley

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ