| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20150507170319.GA30497@cloud> Date: Thu, 7 May 2015 10:03:19 -0700 From: josh@...htriplett.org To: Peter Hurley <peter@...leysoftware.com> Cc: Fengguang Wu <fengguang.wu@...el.com>, Iulia Manda <iulia.manda21@...il.com>, "Paul E. McKenney" <paulmck@...ux.vnet.ibm.com>, Andrew Morton <akpm@...ux-foundation.org>, Linux Memory Management List <linux-mm@...ck.org>, LKP <lkp@...org>, linux-kernel@...r.kernel.org Subject: Re: [CONFIG_MULTIUSER] BUG: unable to handle kernel paging request at ffffffee On Thu, May 07, 2015 at 12:24:07PM -0400, Peter Hurley wrote: > On 05/07/2015 11:56 AM, josh@...htriplett.org wrote: > > On Wed, May 06, 2015 at 08:39:22PM -0400, Peter Hurley wrote: > >> On 05/06/2015 07:59 PM, josh@...htriplett.org wrote: > >>> On Wed, May 06, 2015 at 08:44:29AM -0700, Josh Triplett wrote: > >>>> On Wed, May 06, 2015 at 05:08:50PM +0800, Fengguang Wu wrote: > >>>>> FYI, the reported bug is still not fixed in linux-next 20150506. > >>>> > >>>> This isn't the same bug. The previous one you mentioned was a userspace > >>>> assertion failure in libnih, likely caused because some part of upstart > >>>> didn't have appropriate error handling for some syscall returning > >>>> ENOSYS; that one wasn't an issue, since CONFIG_MULTIUSER=n is not > >>>> expected to boot a standard Linux distribution. > >>>> > >>>> This one, on the other hand, is a kernel panic, and does need fixing. > >>>> > >>>>> commit 2813893f8b197a14f1e1ddb04d99bce46817c84a > >>>>> > >>>>> +-----------------------------------------------------------+------------+------------+------------+ > >>>>> | | c79574abe2 | 2813893f8b | cbdacaf0c1 | > >>>>> +-----------------------------------------------------------+------------+------------+------------+ > >>>>> | boot_successes | 60 | 0 | 0 | > >>>>> | boot_failures | 0 | 22 | 1064 | > >>>>> | BUG:unable_to_handle_kernel | 0 | 22 | 1032 | > >>>>> | Oops | 0 | 22 | 1032 | > >>>>> | EIP_is_at_devpts_new_index | 0 | 22 | 1032 | > >>>>> | Kernel_panic-not_syncing:Fatal_exception | 0 | 22 | 1032 | > >>>>> | backtrace:do_sys_open | 0 | 22 | 1032 | > >>>>> | backtrace:SyS_open | 0 | 22 | 1032 | > >>>>> | WARNING:at_arch/x86/kernel/fpu/core.c:#fpu__clear() | 0 | 0 | 32 | > >>>>> | Kernel_panic-not_syncing:Attempted_to_kill_init!exitcode= | 0 | 0 | 32 | > >>>>> +-----------------------------------------------------------+------------+------------+------------+ > >>>> > >>>> Is this table saying the number of times the type of error in the first > >>>> column occurred in each commit? > >>>> > >>>> In any case, investigating. Iulia, can you look at this as well? > >>>> > >>>> I'm digging through the call stack, and I'm having a hard time seeing > >>>> how the CONFIG_MULTIUSER patch could affect anything here. > >>> > >>> Update: it looks like init_devpts_fs is getting ERR_PTR(-EINVAL) back > >>> from kern_mount and storing that in devpts_mnt; later, devpts_new_index > >>> pokes at devpts_mnt and explodes. > >>> > >>> So, there are two separate bugs here. On the one hand, CONFIG_MULTIUSER > >>> should not be causing kern_mount to fail with -EINVAL; tracking that > >>> down now. > >> > >> The mount failure is probably from the devpts mount options specifying > >> gid= for devpts nodes: > >> > >> devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0 > >> > >> The relevant code is fs/devpts/inode.c:parse_mount_options(). > >> devpts also supports specifying the uid. > >> > >> To me, kern_mount() appropriately fails with -EINVAL, since the mount > >> options failed. > > > > Except that init_devpts_fs is called at module_init time, long before > > the actual mount syscall; it appears to be creating a kernel-internal > > mount, and I don't see how mount options provided by userspace much > > later would cause the earlier kern_mount to fail. > > Yeah, I realized that later; that the userspace mount is really a rebind > to that initial root kernel mount. > > > Also, I don't see anything in parse_mount_options that should actually > > fail with CONFIG_MULTIUSER unset. > > I didn't look deeper than that, but it seemed likely that it stemmed from > that. Maybe it's related to CONFIG_DEVPTS_MULTIPLE_INSTANCES (documented > in Documentation/fs/devpts.txt) and FS_USERNS_MOUNT? Looks like it's actually mknod_ptmx that's failing; it's returning EINVAL from the uid_valid/gid_valid checks, which shouldn't happen. > >>> On the other hand, devpts and ptmx should handle the failure > >>> better, without crashing; ptmx_open should have gracefully failed back > >>> to userspace with -ENODEV or something, since ptmx doesn't make sense > >>> without devpts. I'll send a patch for that too. > >> > >> Yeah, crashing is bad, but I don't think we should even be init'ing > >> either BSD or SysV pty drivers if there is no devpts. > > > > Can you review the patch I sent to fix the crash, and see if it looks > > reasonable to you? > > On my todo list for today. Thanks! - Josh Triplett -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists