lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <CACT4Y+ZPL9pgvpanXVtYKW8LukzwLp6ajfPSuteQj2oGGkfCJQ@mail.gmail.com>
Date:   Fri, 18 Nov 2016 10:16:15 +0100
From:   Dmitry Vyukov <dvyukov@...gle.com>
To:     Jiri Kosina <jikos@...nel.org>,
        LKML <linux-kernel@...r.kernel.org>,
        Andrew Morton <akpm@...ux-foundation.org>,
        "Kirill A. Shutemov" <kirill.shutemov@...ux.intel.com>,
        "linux-mm@...ck.org" <linux-mm@...ck.org>
Cc:     syzkaller <syzkaller@...glegroups.com>
Subject: mm, floppy: unkillable task faulting on fd0

Hello,

The following program produces unkillable tasks blocked at the following stack:

[<ffffffff8184c44b>] wait_on_page_bit+0x1eb/0x2a0 mm/filemap.c:802
[<     inline     >] wait_on_page_locked ./include/linux/pagemap.h:508
[<ffffffff81862fa7>] filemap_fault+0x17c7/0x1e50 mm/filemap.c:2201
[<ffffffff819423cc>] __do_fault+0x33c/0x8a0 mm/memory.c:2864
[<     inline     >] do_read_fault mm/memory.c:3191
[<ffffffff81953521>] do_fault+0xbb1/0x28d0 mm/memory.c:3326
[<     inline     >] handle_pte_fault mm/memory.c:3527
[<     inline     >] __handle_mm_fault mm/memory.c:3614
[<ffffffff81956ddb>] handle_mm_fault+0x159b/0x2cd0 mm/memory.c:3651
[<ffffffff812fc2eb>] __do_page_fault+0x4fb/0xb60 arch/x86/mm/fault.c:1397
[<ffffffff812fcb19>] trace_do_page_fault+0x159/0x830 arch/x86/mm/fault.c:1490
[<ffffffff812eb6fc>] do_async_page_fault+0x7c/0xd0 arch/x86/kernel/kvm.c:265
[<ffffffff88148cd8>] async_page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1015
[<ffffffff81aadf93>] getname_flags+0x113/0x580 fs/namei.c:148
[<ffffffff81aaf112>] user_path_at_empty+0x32/0x50 fs/namei.c:2556
[<     inline     >] SYSC_readlinkat fs/stat.c:327
[<     inline     >] SyS_readlinkat fs/stat.c:315
[<     inline     >] SYSC_readlink fs/stat.c:352
[<ffffffff81a8295c>] SyS_readlink+0x12c/0x3f0 fs/stat.c:349
[<ffffffff88147885>] entry_SYSCALL_64_fastpath+0x23/0xc6
arch/x86/entry/entry_64.S:209


Before hang kernel prints:
[  404.042351] floppy0: disk absent or changed during operation
[  404.044187] floppy0: disk absent or changed during operation
[  404.058637] floppy0: disk absent or changed during operation
[  404.060152] floppy0: do_fd_request: timeout handler died.  old
request running


On commit a25f0944ba9b1d8a6813fd6f1a86f1bd59ac25a6 (Nov 13).

Run this program in a loop:

// autogenerated by syzkaller (http://github.com/google/syzkaller)

#include <pthread.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

int fd;

void* thr(void* arg)
{
  if (rand() % 2)
    usleep(rand() % 1000);
  switch ((long)arg) {
  case 0:
    fd = syscall(__NR_open, "/dev/fd0", 0x900ul);
    break;
  case 1:
    syscall(__NR_mmap, 0x20009000ul, 0x1000ul, 0x4ul, 0x12ul, fd, 0x0ul);
    break;
  case 2:
    syscall(__NR_mmap, 0x20009000ul, 0x1000ul, 0x4ul, 0x12ul, fd, 0x0ul);
    break;
  case 3:
    syscall(__NR_readlink, 0x20009000ul, 0x20009000ul, 0x100ul);
    break;
  case 4:
    syscall(__NR_readlink, 0x20009000ul, 0x20009000ul, 0x100ul);
    break;
  }
  return 0;
}

int main()
{
  long i;
  pthread_t th[5];

  fd = syscall(__NR_open, "/dev/fd0", 0x900ul);
  syscall(__NR_mmap, 0x20009000ul, 0x1000ul, 0x4ul, 0x12ul, fd, 0x0ul);

  srand(getpid());
  for (i = 0; i < 5; i++)
    pthread_create(&th[i], 0, thr, (void*)i);
  for (i = 0; i < 5; i++)
    pthread_join(th[i], 0);
  return 0;
}

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ