From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from sog-mx-3.v43.ch3.sourceforge.com ([172.29.43.193] helo=mx.sourceforge.net) by sfs-ml-3.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1V3W8g-0006Zy-Ar for user-mode-linux-devel@lists.sourceforge.net; Sun, 28 Jul 2013 18:56:18 +0000
Received: from mout.gmx.net ([212.227.17.21]) by sog-mx-3.v43.ch3.sourceforge.com with esmtp (Exim 4.76) id 1V3W8e-0001vY-3w for user-mode-linux-devel@lists.sourceforge.net; Sun, 28 Jul 2013 18:56:18 +0000
Received: from [80.171.226.78] ([80.171.226.78]) by mail.gmx.com (mrgmx103) with ESMTPSA (Nemesis) id 0MVNWU-1UaHUC0kNq-00YezH for ; Sun, 28 Jul 2013 20:56:10 +0200
Message-ID: <51F56949.3010505@gmx.de>
Date: Sun, 28 Jul 2013 20:56:09 +0200
From: Toralf Förster
MIME-Version: 1.0
References: <20130728175828.GA15020@redhat.com>
In-Reply-To: <20130728175828.GA15020@redhat.com>
List-Id: The user-mode Linux development list
Content-Type: text/plain; charset="utf-8"
Errors-To: user-mode-linux-devel-bounces@lists.sourceforge.net
Subject: [uml-devel] Fwd: Re: fuzz tested user mode linux core dumps in fs/lockd/clntproc.c:131
To: trinity@vger.kernel.org
Cc: "user-mode-linux-devel@lists.sourceforge.net"

Hi Dave,

just for the record of your trinity scored card - the following bug was
found with the help of your tool.


-------- Original Message --------
Subject: Re: fuzz tested user mode linux core dumps in fs/lockd/clntproc.c:131
Date: Sun, 28 Jul 2013 19:58:28 +0200
From: Oleg Nesterov <oleg@redhat.com>
To: Toralf Förster <toralf.foerster@gmx.de>, Andrey Vagin <avagin@openvz.org>
CC: Serge E. Hallyn <serue@us.ibm.com>, Eric W. Biederman <ebiederm@xmission.com>, Al Viro <viro@zeniv.linux.org.uk>, Linux NFS mailing list <linux-nfs@vger.kernel.org>

On 07/28, Toralf Förster wrote:
>
> The attached patch works - applied on top of current git -
> at least the issue cannot be reproduced then.

Thanks Toralf.

I'll write the changelog and send the patch tomorrow.

Andrey, any chance you can check that with this patch free_ipc_ns()
doesn't have any problem with ->shm_file ?

e7b2c406 should be enough to fix that leak, but it would be nice if
you can confirm.

> On 07/27/2013 07:00 PM, Oleg Nesterov wrote:
> > On 07/27, Toralf Förster wrote:
> >>
> >> I do have a user mode linux image (stable 32 bit Gentoo Linux ) which erratically crashes
> >> while fuzz tested with trinity if the victim files are located on a NFS share.
> >>
> >> The back trace of the core dumps always looks like the attached.
> >>
> >> To bisect it is hard. However after few attempts in the last weeks the following
> >> commit is either the first bad commit or at least the upper limit (less likely).
> >>
> >>
> >> commit 8aac62706adaaf0fab02c4327761561c8bda9448
> >> Author: Oleg Nesterov <oleg@redhat.com>
> >> Date:   Fri Jun 14 21:09:49 2013 +0200
> >>
> >>     move exit_task_namespaces() outside of exit_notify()
> >>
> >> #15 nlmclnt_setlockargs (req=0x48e18860, fl=0x48f27c8c) at fs/lockd/clntproc.c:131
> > 
> > Thanks.
> > 
> > So nlmclnt_setlockargs()->utsname() crashes and we probably need
> > the patch below.
> > 
> > But is it correct? I know _absolutely_ nothing about nfs/sunrpc/etc and
> > I never looked into this code before, most probably I am wrong.
> > 
> > But it seems that __nlm_async_call() relies on workqueues.
> > nlmclnt_async_call() does rpc_wait_for_completion_task(), but what if
> > the caller is killed?
> > 
> > nlm_rqst can't go away, ->a_count was incremented. But can't the caller
> > exit before call->name is used? In this case the memory it points to
> > can be already freed.
> > 
> > Oleg.
> > 
> > --- x/kernel/exit.c
> > +++ x/kernel/exit.c
> > @@ -783,8 +783,8 @@ void do_exit(long code)
> >  	exit_shm(tsk);
> >  	exit_files(tsk);
> >  	exit_fs(tsk);
> > -	exit_task_namespaces(tsk);
> >  	exit_task_work(tsk);
> > +	exit_task_namespaces(tsk);
> >  	check_stack_usage();
> >  	exit_thread();
> >  
> > 
> > 
> 
> 
> -- 
> MfG/Sincerely
> Toralf Förster
> pgp finger print: 7B1A 07F4 EC82 0F90 D4C2 8936 872A E508 7DB6 9DA3
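Review bot: nothing in the hunk records why exit_task_namespaces(tsk) must now run after exit_task_work(tsk); the only statement of the dependency is in this thread (nlmclnt_setlockargs()->utsname() crashing at fs/lockd/clntproc.c:131 once the namespaces are released earlier, bisected to 8aac62706adaaf0fab02c4327761561c8bda9448), so a later cleanup of do_exit() could swap the two calls back without noticing. Suggest a one-line comment above the moved call, e.g. `/* task works may still need current's namespaces (utsname()) */`, and the same rationale in the changelog you plan to write. The hunk also leaves open the question raised above the patch: if the caller is killed before call->name is used, ->a_count keeps nlm_rqst alive but not the namespace memory that call->name points at, so this reordering alone does not close that case and the changelog should say so.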
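As an added illustration of the lifetime point raised above the patch (a reference on nlm_rqst keeps the request alive, but not the namespace memory that call->name points into), here is a small C model written for this page; it is not kernel code and not from the thread, and every name in it (uts_ns, task, nlm_req, setlockargs, deferred_call, scenario, the constructed nodename "umlbox") is a simplified stand-in.

```c
#include <string.h>
struct uts_ns { char nodename[64]; };   /* stand-in for the UTS namespace */
struct task   { struct uts_ns *uts; };  /* stand-in for the exiting task */
struct nlm_req {                        /* stand-in for nlm_rqst */
    int a_count;                        /* refcount: keeps the request alive */
    const char *borrowed_name;          /* points into the task's namespace */
    char owned_name[64];                /* private copy taken at setup time */
};

/* Simulated teardown: poison the buffer as slab debugging would, but keep the
 * memory so the stale read below is observable without undefined behaviour. */
static void exit_task_namespaces(struct task *t)
{
    memset(t->uts->nodename, 0x6b, sizeof t->uts->nodename - 1);
    t->uts->nodename[sizeof t->uts->nodename - 1] = '\0';
    t->uts = NULL;
}

/* Setup: take a reference on the request and either borrow the namespace
 * pointer (the hazard) or copy the name into the request (the safe form). */
static void setlockargs(struct nlm_req *r, struct task *t, int copy_name)
{
    r->a_count++;
    r->borrowed_name = t->uts->nodename;
    if (copy_name) {
        strncpy(r->owned_name, t->uts->nodename, sizeof r->owned_name - 1);
        r->owned_name[sizeof r->owned_name - 1] = '\0';
    }
}

/* Deferred work: 1 if it still sees the name that was set up, 0 if it reads
 * poisoned memory. The refcount is intact in both cases. */
static int deferred_call(const struct nlm_req *r, int copy_name)
{
    const char *name = copy_name ? r->owned_name : r->borrowed_name;
    return r->a_count > 0 && strcmp(name, "umlbox") == 0;
}

/* The caller sets up the request, is killed (namespaces torn down) before the
 * work runs, then the work runs. Returns 1 when it still sees a valid name. */
int scenario(int copy_name)
{
    struct uts_ns ns = { "umlbox" };    /* constructed sample nodename */
    struct task t = { &ns };
    struct nlm_req r = { 0, NULL, "" };
    setlockargs(&r, &t, copy_name);
    exit_task_namespaces(&t);
    return deferred_call(&r, copy_name);
}
```

scenario(0) returns 0 (the borrowed pointer reads poisoned memory despite the reference count) and scenario(1) returns 1; the same reasoning is why reordering do_exit() or copying the name, rather than holding a refcount on the request, is what keeps the deferred call safe.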