lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20231110022720.GA3087@rlk>
Date:   Fri, 10 Nov 2023 10:27:20 +0800
From:   chenqiwu <qiwuchen55@...il.com>
To:     Oleg Nesterov <oleg@...hat.com>
Cc:     axboe@...nel.dk, keescook@...omium.org, akpm@...ux-foundation.org,
        mcgrof@...nel.org, ebiederm@...ssion.com, jannh@...gle.com,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] exit: dump thread info on global init exit

On Thu, Nov 09, 2023 at 12:01:30PM +0100, Oleg Nesterov wrote:
> I've just noticed we discuss this offlist. Add lkml...
> 
> On 11/09, chenqiwu wrote:
> >
> > On Wed, Nov 08, 2023 at 10:57:32AM +0100, Oleg Nesterov wrote:
> >
> > > > +	if (mmap_read_lock_killable(mm)) {
> > >
> > > why do you need _killable ?
> > >
> > I'm not sure which type lock (killable or unkillable) should be used here
> 
> killable should be used to allow to kill the task which waits for this lock.
> Who can kill the global init? Yes it is possible (but very unlikely) that
> fatal_signal_pending() is true, but I don't think this was your concern.
> 
> > if there is a lock contention, perhaps using down_read_trylock is better.
> 
> Perhaps. If we have another bug mmap_read_lock() can hang forever.
> 
Yes, but we really don't want to hang here forever if we cannot get the mmap read
lock. I think using down_read_trylock should be better, I wiil resend the patch as
V2 cc LKML to discuss the thing.

> > > > +static void dump_thread_info(struct task_struct *tsk)
> > > > +{
> > > > +	struct pt_regs *regs = task_pt_regs(tsk);
> > > > +
> > > > +	if (user_mode(regs))
> > > > +		dump_thread_maps_info(tsk);
> > > > +	show_regs(regs);
> > >
> > > This looks confusing to me...
> > >
> > > How can user_mode() return false in this case? And even if this is
> > > possible, then show_regs() should depend on user_mode() as well?
> > > I must have missed something.
> > >
> > Sure, the last global init thread cannot be exited in non-user mode.
> 
> Forgot to mention... panic() should dump the regs, so I think show_regs()
> is not needed?
> 
In fact, panic don't dump the regs. For example, the current kill init panic log from Andriod system:
[ 4.706445][T400001] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00007f0000
[ 4.706459][T400001] CPU: 4 PID: 1 Comm: init Tainted: G S W 5.10.136-android12-9-00005-gf9a66cbe7091-ab9177899 #1
[ 4.706464][T400001] Hardware name: MTxxxx/TCZA (DT)
[ 4.706469][T400001] Call trace:
[ 4.706482][T400001] dump_backtrace.cfi_jt+0x0/0x8
[ 4.706493][T400001] dump_stack_lvl+0xc4/0x140
[ 4.706504][T400001] panic+0x178/0x464
[ 4.706511][T400001] do_exit+0xb30/0xf9c
[ 4.706517][T400001] do_group_exit+0x130/0x1c8
[ 4.706523][T400001] do_group_exit+0x0/0x1c8
[ 4.706529][T400001] __do_sys_exit_group+0x0/0x18
[ 4.706535][T400001] __se_sys_exit_group+0x0/0x14
[ 4.706543][T400001] el0_svc_common+0xd4/0x270
[ 4.706551][T400001] el0_svc+0x28/0x88
[ 4.706559][T400001] el0_sync_handler+0x8c/0xf0
[ 4.706567][T400001] el0_sync+0x1b4/0x1c0
[ 4.706576][T400001] SMP: stopping secondary CPUs

I try to create an NULL pointer in Andriod init code with my patch. From the test log,
we can see the user registers and decode pc/lr with section info easily:
[    4.535666] <6>.(6)[1:init]init-1: Dump maps info start
[    4.536327] <6>.(6)[1:init]5582f61000-558308e000 r-xp 000ab000 /system/bin/init
[    4.537252] <6>.(6)[1:init]7fa7001000-7fa7002000 r-xp 00001000 /system/lib64/libsquashfs_utils.so
[    4.538370] <6>.(6)[1:init]7fa7048000-7fa7066000 r-xp 00008000 /system/lib64/liblzma.so
[    4.539378] <6>.(6)[1:init]7fa7081000-7fa7082000 r-xp 00001000 /system/lib64/libpackagelistparser.so
[    4.540590] <6>.(6)[1:init]7fa70e3000-7fa7111000 r-xp 00023000 /system/lib64/libpcre2.so
[    4.541608] <6>.(6)[1:init]7fa7153000-7fa716f000 r-xp 00013000 /system/lib64/libjsoncpp.so
[    4.542644] <6>.(6)[1:init]7fa7182000-7fa7183000 r-xp 00002000 /system/lib64/libcgrouprc.so
[    4.543700] <6>.(6)[1:init]7fa71c4000-7fa71c8000 r-xp 00004000 /system/lib64/libsparse.so
[    4.544725] <6>.(6)[1:init]7fa7207000-7fa7212000 r-xp 00007000 /system/lib64/libfec.so
[    4.545719] <6>.(6)[1:init]7fa7241000-7fa7242000 r-xp 00001000 /system/lib64/libcrypto_utils.so
[    4.546809] <6>.(6)[1:init]7fa72d9000-7fa734c000 r-xp 00059000 /system/lib64/libcrypto.so
[    4.547848] <6>.(6)[1:init]7fa734c000-7fa7397000 --xp 000cc000 /system/lib64/libcrypto.so
[    4.548873] <6>.(6)[1:init]7fa7397000-7fa7399000 r-xp 00117000 /system/lib64/libbase.so
[    4.571715] <6>.(6)[1:init]7fa858a000-7fa85a3000 r-xp 0000a000 /system/lib64/libbacktrace.so
[    4.573583] <6>.(6)[1:init]7fa9897000-7fa997c000 r-xp 00037000 /system/bin/linker64
[    4.574543] <6>.(6)[1:init]init-1: Dump maps info end
[    4.575180] <6>.(6)[1:init]CPU: 6 PID: 1 Comm: init Tainted: G S      W         4.19.191-02983-ga8a102dc29ef-dirty #4
[    4.576516] <6>.(6)[1:init]Hardware name: MTxxxxV/CZ (DT)
[    4.577198] <6>.(6)[1:init]pstate: 60001000 (nZCv daif -PAN -UAO)
[    4.577962] <6>.(6)[1:init]pc : 0000005582fa54b4
[    4.578542] <6>.(6)[1:init]lr : 0000005582fa54b0
[    4.579123] <6>.(6)[1:init]sp : 0000007fd11ba7b0
[    4.579709] <6>.(6)[1:init]x29: 0000007fd11ba7c0 x28: 63726f662e746f6f
[    4.580540] <6>.(6)[1:init]x27: 0000007fa8712010 x26: 0000005582ed76e0
[    4.581371] <6>.(6)[1:init]x25: 6c616d726f6e5f65 x24: 6264696f72646e61
[    4.582201] <6>.(6)[1:init]x23: 313d746f6f625f6c x22: b400007eb700cdf7
[    4.583030] <6>.(6)[1:init]x21: 0000007fa8712010 x20: 0000000000000002
[    4.583867] <6>.(6)[1:init]x19: 0000007fa998b7f8 x18: 0000007fa8852000
[    4.584697] <6>.(6)[1:init]x17: 0000007fa743cb70 x16: 0000007fa7ea97d0
[    4.585528] <6>.(6)[1:init]x15: 0000000000000010 x14: 0000000000000000
[    4.586358] <6>.(6)[1:init]x13: 7265746e696f7020 x12: 0000fffffffff3ff
[    4.587187] <6>.(6)[1:init]x11: 000000000000000d x10: 0000000000000160
[    4.588025] <6>.(6)[1:init]x9 : 591ec1e81c3d3cdb x8 : 591ec1e81c3d3cdb
[    4.588855] <6>.(6)[1:init]x7 : 000000000000000a x6 : 000000000000000a
[    4.589686] <6>.(6)[1:init]x5 : 0000007fd11ba1e8 x4 : 0000000000000128
[    4.590516] <6>.(6)[1:init]x3 : 0000007fd11ba718 x2 : 0000007e5700c190
[    4.591345] <6>.(6)[1:init]x1 : 0000007fa74d87cc x0 : 0000007fa74d87cc
[    5.076262] <6>-(6)[1:init]Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000005
[    5.076262] <6>
[    5.077606] <6>-(6)[1:init]SMP: stopping secondary CPUs
[    5.087741] <6>-(6)[1:init]Kernel Offset: 0x2f87c00000 from 0xffffff8008000000
[    5.088647] <6>-(6)[1:init]PHYS_OFFSET: 0xffffffdd40000000
[    5.089336] <6>-(6)[1:init]Modules linked in:
[    5.094708] <6>-(6)[1:init]CPU: 6 PID: 1 Comm: init Tainted: G S      W         4.19.191-02983-ga8a102dc29ef-dirty #4
[    5.096037] <6>-(6)[1:init]Hardware name: MTxxxxV/CZ (DT)
[    5.096715] <6>-(6)[1:init]Call trace:
[    5.097191] <6>-(6)[1:init] dump_backtrace+0x0/0x158
[    5.097815] <6>-(6)[1:init] show_stack+0x14/0x1c
[    5.098398] <6>-(6)[1:init] dump_stack+0xb8/0xf0
[    5.098980] <6>-(6)[1:init] mrdump_common_die+0x170/0x214
[    5.099658] <6>-(6)[1:init] ipanic+0xa8/0xd4
[    5.100197] <6>-(6)[1:init] atomic_notifier_call_chain+0x4c/0x84
[    5.100952] <6>-(6)[1:init] panic+0x15c/0x2a0
[    5.101501] <6>-(6)[1:init] dump_thread_info+0x0/0x230
[    5.102146] <6>-(6)[1:init] do_group_exit+0x88/0x9c
[    5.102761] <6>-(6)[1:init] get_signal+0x7d0/0x980
[    5.103364] <6>-(6)[1:init] do_notify_resume+0x164/0x2448
[    5.104042] <6>-(6)[1:init] work_pending+0x8/0x10

Qiwu

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ