[LTP] [PATCH v2] sendmsg testcase for ded34e0fe8fe8c2d595bfa30626654e4b87621e0

[LTP] [PATCH v2] sendmsg testcase for ded34e0fe8fe8c2d595bfa30626654e4b87621e0

[Jan Stancek]

reproducer for:
BUG: unable to handle kernel NULL pointer dereference at 0000000000000250

fixed in 3.9.0-0.rc5:
  commit ded34e0fe8fe8c2d595bfa30626654e4b87621e0
  Author: Paul Moore <pmoore@redhat.com>
  Date:   Mon Mar 25 03:18:33 2013 +0000
    unix: fix a race condition in unix_release()

This reproducer should be able to trigger it easily on 4+ CPU systems
just within couple of seconds.

Signed-off-by: Jan Stancek <jstancek@redhat.com>
---
 runtest/syscalls                              |    1 +
 testcases/kernel/syscalls/.gitignore          |    1 +
 testcases/kernel/syscalls/sendmsg/sendmsg02.c |  230 +++++++++++++++++++++++++
 3 files changed, 232 insertions(+), 0 deletions(-)
 create mode 100644 testcases/kernel/syscalls/sendmsg/sendmsg02.c

diff --git a/runtest/syscalls b/runtest/syscalls
index f58b6a1..90b4542 100644
--- a/runtest/syscalls
+++ b/runtest/syscalls
@@ -908,6 +908,7 @@ sendfile08_64 sendfile08_64
 
 
 sendmsg01 sendmsg01
+sendmsg02 sendmsg02
 
 sendto01 sendto01
 
diff --git a/testcases/kernel/syscalls/.gitignore b/testcases/kernel/syscalls/.gitignore
index ce62f3f..3869193 100644
--- a/testcases/kernel/syscalls/.gitignore
+++ b/testcases/kernel/syscalls/.gitignore
@@ -721,6 +721,7 @@
 /sendfile/sendfile08
 /sendfile/sendfile08_64
 /sendmsg/sendmsg01
+/sendmsg/sendmsg02
 /sendto/sendto01
 /set_robust_list/set_robust_list01
 /set_thread_area/set_thread_area01
diff --git a/testcases/kernel/syscalls/sendmsg/sendmsg02.c b/testcases/kernel/syscalls/sendmsg/sendmsg02.c
new file mode 100644
index 0000000..8f38f2c
--- /dev/null
+++ b/testcases/kernel/syscalls/sendmsg/sendmsg02.c
@@ -0,0 +1,230 @@
+/*
+ * Copyright (C) 2013 Linux Test Project
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of version 2 of the GNU General Public
+ * License as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it would be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ *
+ * Further, this software is distributed without any warranty that it
+ * is free of the rightful claim of any third person regarding
+ * infringement or the like.  Any license provided herein, whether
+ * implied or otherwise, applies only to this software file.  Patent
+ * licenses, if any, provided herein do not apply to combinations of
+ * this program with other software, or any other product whatsoever.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+/*
+ * reproducer for:
+ * BUG: unable to handle kernel NULL ptr deref in selinux_socket_unix_may_send
+ * fixed in 3.9.0-0.rc5:
+ *   commit ded34e0fe8fe8c2d595bfa30626654e4b87621e0
+ *   Author: Paul Moore <pmoore@redhat.com>
+ *   Date:   Mon Mar 25 03:18:33 2013 +0000
+ *     unix: fix a race condition in unix_release()
+ */
+
+#define _GNU_SOURCE
+#include <sys/ipc.h>
+#include <sys/stat.h>
+#include <sys/sem.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <sys/un.h>
+#include <sys/wait.h>
+#include <errno.h>
+#include <signal.h>
+#include "config.h"
+#include "test.h"
+#include "usctest.h"
+#include "safe_macros.h"
+
+char *TCID = "sendmsg02";
+
+static int sem_id;
+static int tflag;
+static char *t_opt;
+static option_t options[] = {
+	{"s:", &tflag, &t_opt},
+	{NULL, NULL, NULL}
+};
+
+static void setup(void);
+static void cleanup(void);
+
+static void client(int id, int pipefd[])
+{
+	int fd, semval;
+	char data[] = "123456789";
+	struct iovec w;
+	struct sockaddr_un sa;
+	struct msghdr mh;
+	struct cmsghdr cmh;
+
+	close(pipefd[0]);
+
+	memset(&sa, 0, sizeof(sa));
+	sa.sun_family = AF_UNIX;
+	snprintf(sa.sun_path, sizeof(sa.sun_path), "socket_test%d", id);
+
+	w.iov_base = data;
+	w.iov_len = 10;
+
+	memset(&cmh, 0, sizeof(cmh));
+	mh.msg_control = &cmh;
+	mh.msg_controllen = sizeof(cmh);
+
+	memset(&mh, 0, sizeof(mh));
+	mh.msg_name = &sa;
+	mh.msg_namelen = sizeof(struct sockaddr_un);
+	mh.msg_iov = &w;
+	mh.msg_iovlen = 1;
+
+	do {
+		fd = socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0);
+		write(pipefd[1], &fd, 1);
+		sendmsg(fd, &mh, MSG_NOSIGNAL);
+		close(fd);
+		semval = semctl(sem_id, 0, GETVAL);
+	} while (semval != 0);
+	close(pipefd[1]);
+}
+
+static void server(int id, int pipefd[])
+{
+	int fd, semval;
+	struct sockaddr_un sa;
+
+	close(pipefd[1]);
+
+	memset(&sa, 0, sizeof(sa));
+	sa.sun_family = AF_UNIX;
+	snprintf(sa.sun_path, sizeof(sa.sun_path), "socket_test%d", id);
+
+	do {
+		fd = socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0);
+		unlink(sa.sun_path);
+		bind(fd, (struct sockaddr *) &sa, sizeof(struct sockaddr_un));
+		read(pipefd[0], &fd, 1);
+		close(fd);
+		semval = semctl(sem_id, 0, GETVAL);
+	} while (semval != 0);
+	close(pipefd[0]);
+}
+
+static void reproduce(int seconds)
+{
+	int i, status, pipefd[2];
+	int child_pairs = sysconf(_SC_NPROCESSORS_ONLN)*4;
+	int child_count = 0;
+	int *child_pids;
+	int child_pid;
+
+	child_pids = SAFE_MALLOC(cleanup, sizeof(int) * child_pairs * 2);
+
+	if (semctl(sem_id, 0, SETVAL, 1) == -1)
+		tst_brkm(TBROK | TERRNO, cleanup, "couldn't set semval to 1");
+
+	/* fork child for each client/server pair */
+	for (i = 0; i < child_pairs*2; i++) {
+		if (i%2 == 0) {
+			if (pipe(pipefd) < 0) {
+				tst_resm(TBROK | TERRNO, "pipe failed");
+				break;
+			}
+		}
+
+		child_pid = fork();
+		switch (child_pid) {
+		case -1:
+			tst_resm(TBROK | TERRNO, "fork");
+			break;
+		case 0:
+			if (i%2 == 0)
+				server(i, pipefd);
+			else
+				client(i-1, pipefd);
+			exit(0);
+		default:
+			child_pids[child_count++] = child_pid;
+		};
+
+		/* this process can close the pipe now */
+		if (i%2 == 0) {
+			close(pipefd[0]);
+			close(pipefd[1]);
+		}
+	}
+
+	/* let clients/servers run for a while, then clear semval to signal
+	 * they should stop running now */
+	if (child_count == child_pairs*2)
+		sleep(seconds);
+
+	if (semctl(sem_id, 0, SETVAL, 0) == -1) {
+		/* kill children if setting semval failed */
+		for (i = 0; i < child_count; i++)
+			kill(child_pids[i], SIGKILL);
+		tst_resm(TBROK | TERRNO, "couldn't set semval to 0");
+	}
+
+	for (i = 0; i < child_count; i++) {
+		if (waitpid(child_pids[i], &status, 0) == -1)
+			tst_resm(TBROK | TERRNO, "waitpid for %d failed",
+				child_pids[i]);
+		if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)
+			tst_resm(TFAIL, "child %d returns %d", i, status);
+	}
+	free(child_pids);
+}
+
+static void help(void)
+{
+	printf("  -s NUM  Number of seconds to run.\n");
+}
+
+int main(int argc, char *argv[])
+{
+	int lc;
+	char *msg;
+	long seconds;
+
+	msg = parse_opts(argc, argv, options, &help);
+	if (msg != NULL)
+		tst_brkm(TBROK, tst_exit, "OPTION PARSING ERROR - %s", msg);
+	setup();
+
+	seconds = tflag ? SAFE_STRTOL(NULL, t_opt, 1, LONG_MAX) : 15;
+	for (lc = 0; TEST_LOOPING(lc); lc++)
+		reproduce(seconds);
+	tst_resm(TPASS, "finished after %ld seconds", seconds);
+
+	cleanup();
+	tst_exit();
+}
+
+static void setup(void)
+{
+	tst_require_root(NULL);
+	tst_tmpdir();
+
+	sem_id = semget(IPC_PRIVATE, 1, IPC_CREAT | S_IRWXU);
+	if (sem_id == -1)
+		tst_brkm(TBROK | TERRNO, NULL, "Couldn't allocate semaphore");
+
+	TEST_PAUSE;
+}
+
+static void cleanup(void)
+{
+	TEST_CLEANUP;
+	semctl(sem_id, 0, IPC_RMID);
+	tst_rmdir();
+}
-- 
1.7.1


------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter
_______________________________________________
Ltp-list mailing list
Ltp-list@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ltp-list

Re: [LTP] [PATCH v2] sendmsg testcase for ded34e0fe8fe8c2d595bfa30626654e4b87621e0

[Wanlong Gao]

On 04/15/2013 03:58 PM, Jan Stancek wrote:
> reproducer for:
> BUG: unable to handle kernel NULL pointer dereference at 0000000000000250
> 
> fixed in 3.9.0-0.rc5:
>   commit ded34e0fe8fe8c2d595bfa30626654e4b87621e0
>   Author: Paul Moore <pmoore@redhat.com>
>   Date:   Mon Mar 25 03:18:33 2013 +0000
>     unix: fix a race condition in unix_release()
> 
> This reproducer should be able to trigger it easily on 4+ CPU systems
> just within couple of seconds.

I didn't get panic on my v3.9-rc4 system by this test case.

# ./runltp -s sendmsg02
INFO: creating /opt/ltp/results directory

    INFO: no command files were provided. Will execute the following
          runtest scenario files:

syscalls fs fs_perms_simple fsx dio io mm ipc sched math nptl pty containers fs_bind controllers filecaps cap_bounds fcntl-locktests connectors admin_tools timers power_management_tests numa hugetlb commands hyperthreading 

If some fields are empty or look unusual you may have an old version.
Compare to the current minimal requirements in Documentation/Changes.
 
Fedora release 18 (Spherical Cow)
NAME=Fedora
VERSION="18 (Spherical Cow)"
ID=fedora
VERSION_ID=18
PRETTY_NAME="Fedora 18 (Spherical Cow)"
ANSI_COLOR="0;34"
CPE_NAME="cpe:/o:fedoraproject:fedora:18"
Fedora release 18 (Spherical Cow)
Fedora release 18 (Spherical Cow)
Linux gaowanlong 3.9.0-rc4 #1 SMP Thu Mar 28 10:31:53 CST 2013 x86_64 x86_64 x86_64 GNU/Linux
 
Gnu C                  gcc (GCC) 4.7.2 20121109 (Red Hat 4.7.2-8)
Gnu make               3.82
util-linux             linux 2.22.2
mount                  linux 2.22.2 (libmount 2.22.0: selinux, debug)
modutils               12
e2fsprogs              1.42.5
PPP                    2.4.5
isdn4k-utils           3.13
Linux C Library        > libc.2.16
Dynamic linker (ldd)   2.16
Procps                 3.3.3-20120807git
Net-tools              2.0
iproute2              iproute2-ss121001
Kbd                    1.15.3wip
Sh-utils               8.17
Modules Loaded         fuse ebtable_nat ebtables bridge lockd xt_CHECKSUM stp llc iptable_mangle ip6t_REJECT ipt_MASQUERADE nf_conntrack_ipv6 iptable_nat bnep nf_defrag_ipv6 nf_conntrack_ipv4 sunrpc bluetooth nf_defrag_ipv4 nf_nat_ipv4 nf_nat xt_conntrack nf_conntrack ip6table_filter rfkill ip6_tables snd_hda_codec_realtek snd_hda_intel snd_hda_codec snd_hwdep snd_seq snd_seq_device snd_pcm snd_page_alloc snd_timer vhost_net coretemp snd tun crc32c_intel macvtap ghash_clmulni_intel macvlan r8169 iTCO_wdt kvm_intel iTCO_vendor_support soundcore microcode serio_raw i2c_i801 mei kvm mii lpc_ich pcspkr mfd_core wmi uinput i915 video i2c_algo_bit drm_kms_helper drm i2c_core

free reports:
             total       used       free     shared    buffers     cached
Mem:       8024996    3635968    4389028          0      88820    2838688
-/+ buffers/cache:     708460    7316536
Swap:      4194300          0    4194300

/proc/cpuinfo
processor	: 0
vendor_id	: GenuineIntel
cpu family	: 6
model		: 42
model name	: Intel(R) Core(TM) i5-2400 CPU @ 3.10GHz
stepping	: 7
microcode	: 0x28
cpu MHz		: 1600.000
cache size	: 6144 KB
physical id	: 0
siblings	: 4
core id		: 0
cpu cores	: 4
apicid		: 0
initial apicid	: 0
fpu		: yes
fpu_exception	: yes
cpuid level	: 13
wp		: yes
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf eagerfpu pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer aes xsave avx lahf_lm ida arat epb xsaveopt pln pts dtherm tpr_shadow vnmi flexpriority ept vpid
bogomips	: 6185.66
clflush size	: 64
cache_alignment	: 64
address sizes	: 36 bits physical, 48 bits virtual
power management:

processor	: 1
vendor_id	: GenuineIntel
cpu family	: 6
model		: 42
model name	: Intel(R) Core(TM) i5-2400 CPU @ 3.10GHz
stepping	: 7
microcode	: 0x28
cpu MHz		: 1600.000
cache size	: 6144 KB
physical id	: 0
siblings	: 4
core id		: 1
cpu cores	: 4
apicid		: 2
initial apicid	: 2
fpu		: yes
fpu_exception	: yes
cpuid level	: 13
wp		: yes
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf eagerfpu pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer aes xsave avx lahf_lm ida arat epb xsaveopt pln pts dtherm tpr_shadow vnmi flexpriority ept vpid
bogomips	: 6185.66
clflush size	: 64
cache_alignment	: 64
address sizes	: 36 bits physical, 48 bits virtual
power management:

processor	: 2
vendor_id	: GenuineIntel
cpu family	: 6
model		: 42
model name	: Intel(R) Core(TM) i5-2400 CPU @ 3.10GHz
stepping	: 7
microcode	: 0x28
cpu MHz		: 1600.000
cache size	: 6144 KB
physical id	: 0
siblings	: 4
core id		: 2
cpu cores	: 4
apicid		: 4
initial apicid	: 4
fpu		: yes
fpu_exception	: yes
cpuid level	: 13
wp		: yes
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf eagerfpu pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer aes xsave avx lahf_lm ida arat epb xsaveopt pln pts dtherm tpr_shadow vnmi flexpriority ept vpid
bogomips	: 6185.66
clflush size	: 64
cache_alignment	: 64
address sizes	: 36 bits physical, 48 bits virtual
power management:

processor	: 3
vendor_id	: GenuineIntel
cpu family	: 6
model		: 42
model name	: Intel(R) Core(TM) i5-2400 CPU @ 3.10GHz
stepping	: 7
microcode	: 0x28
cpu MHz		: 1600.000
cache size	: 6144 KB
physical id	: 0
siblings	: 4
core id		: 3
cpu cores	: 4
apicid		: 6
initial apicid	: 6
fpu		: yes
fpu_exception	: yes
cpuid level	: 13
wp		: yes
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf eagerfpu pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer aes xsave avx lahf_lm ida arat epb xsaveopt pln pts dtherm tpr_shadow vnmi flexpriority ept vpid
bogomips	: 6185.66
clflush size	: 64
cache_alignment	: 64
address sizes	: 36 bits physical, 48 bits virtual
power management:

remove test cases which require the block device.
You can specify it with option -b
COMMAND:    /opt/ltp/bin/ltp-pan  -e -S   -a 7867     -n 7867  -p  -f /tmp/ltp-3oA1m2ZbEN/alltests -l /opt/ltp/results/LTP_RUN_ON-2013_Apr_15-16h_17m_52s.log  -C /opt/ltp/output/LTP_RUN_ON-2013_Apr_15-16h_17m_52s.failed
INFO: Restricted to sendmsg02
LOG File: /opt/ltp/results/LTP_RUN_ON-2013_Apr_15-16h_17m_52s.log
FAILED COMMAND File: /opt/ltp/output/LTP_RUN_ON-2013_Apr_15-16h_17m_52s.failed
Running tests.......
<<<test_start>>>
tag=sendmsg02 stime=1366013872
cmdline="sendmsg02"
contacts=""
analysis=exit
<<<test_output>>>
incrementing stop
sendmsg02    1  TPASS  :  finished after 15 seconds
<<<execution_status>>>
initiation_status="ok"
duration=15 termination_type=exited termination_id=0 corefile=no
cutime=315 cstime=5436
<<<test_end>>>
INFO: ltp-pan reported all tests PASS
LTP Version: 20120903-189-g3e5f790

       ###############################################################

            Done executing testcases.
            LTP Version:  20120903-189-g3e5f790
       ###############################################################


Thanks,
Wanlong Gao


------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter
_______________________________________________
Ltp-list mailing list
Ltp-list@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ltp-list

Re: [LTP] [PATCH v2] sendmsg testcase for ded34e0fe8fe8c2d595bfa30626654e4b87621e0

[Jan Stancek]

----- Original Message -----
> From: "Wanlong Gao" <gaowanlong@cn.fujitsu.com>
> To: "Jan Stancek" <jstancek@redhat.com>
> Cc: ltp-list@lists.sourceforge.net
> Sent: Monday, 15 April, 2013 10:19:15 AM
> Subject: Re: [LTP] [PATCH v2] sendmsg testcase for ded34e0fe8fe8c2d595bfa30626654e4b87621e0
> 
> On 04/15/2013 03:58 PM, Jan Stancek wrote:
> > reproducer for:
> > BUG: unable to handle kernel NULL pointer dereference at 0000000000000250
> > 
> > fixed in 3.9.0-0.rc5:
> >   commit ded34e0fe8fe8c2d595bfa30626654e4b87621e0
> >   Author: Paul Moore <pmoore@redhat.com>
> >   Date:   Mon Mar 25 03:18:33 2013 +0000
> >     unix: fix a race condition in unix_release()
> > 
> > This reproducer should be able to trigger it easily on 4+ CPU systems
> > just within couple of seconds.
> 
> I didn't get panic on my v3.9-rc4 system by this test case.

I double checked if I got that -rc right, and that looks OK:
$ git tag --contains ded34e0fe8fe8c2d595bfa30626654e4b87621e0
v3.9-rc5
v3.9-rc6
v3.9-rc7

There is a switch "-s" for how many seconds it should run. Can you try to run
it for couple of minutes, if that makes any difference?

If not, then I'm afraid it's not as reproducible as I thought it would be.

Regards,
Jan


------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter
_______________________________________________
Ltp-list mailing list
Ltp-list@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ltp-list

Re: [LTP] [PATCH v2] sendmsg testcase for ded34e0fe8fe8c2d595bfa30626654e4b87621e0

[Wanlong Gao]

On 04/15/2013 05:03 PM, Jan Stancek wrote:
> 
> ----- Original Message -----
>> From: "Wanlong Gao" <gaowanlong@cn.fujitsu.com>
>> To: "Jan Stancek" <jstancek@redhat.com>
>> Cc: ltp-list@lists.sourceforge.net
>> Sent: Monday, 15 April, 2013 10:19:15 AM
>> Subject: Re: [LTP] [PATCH v2] sendmsg testcase for ded34e0fe8fe8c2d595bfa30626654e4b87621e0
>>
>> On 04/15/2013 03:58 PM, Jan Stancek wrote:
>>> reproducer for:
>>> BUG: unable to handle kernel NULL pointer dereference at 0000000000000250
>>>
>>> fixed in 3.9.0-0.rc5:
>>>   commit ded34e0fe8fe8c2d595bfa30626654e4b87621e0
>>>   Author: Paul Moore <pmoore@redhat.com>
>>>   Date:   Mon Mar 25 03:18:33 2013 +0000
>>>     unix: fix a race condition in unix_release()
>>>
>>> This reproducer should be able to trigger it easily on 4+ CPU systems
>>> just within couple of seconds.
>>
>> I didn't get panic on my v3.9-rc4 system by this test case.
> 
> I double checked if I got that -rc right, and that looks OK:
> $ git tag --contains ded34e0fe8fe8c2d595bfa30626654e4b87621e0
> v3.9-rc5
> v3.9-rc6
> v3.9-rc7

I'm sure that 3.9-rc4 don't contain this fix commit.

> 
> There is a switch "-s" for how many seconds it should run. Can you try to run
> it for couple of minutes, if that makes any difference?

I ran it for 5 minutes again but saw no difference.

Thanks,
Wanlong Gao

> 
> If not, then I'm afraid it's not as reproducible as I thought it would be.
> 
> Regards,
> Jan
> 
> 


------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter
_______________________________________________
Ltp-list mailing list
Ltp-list@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ltp-list

Re: [LTP] [PATCH v2] sendmsg testcase for ded34e0fe8fe8c2d595bfa30626654e4b87621e0

[chrubis]

Hi!
> > > reproducer for:
> > > BUG: unable to handle kernel NULL pointer dereference at 0000000000000250
> > > 
> > > fixed in 3.9.0-0.rc5:
> > >   commit ded34e0fe8fe8c2d595bfa30626654e4b87621e0
> > >   Author: Paul Moore <pmoore@redhat.com>
> > >   Date:   Mon Mar 25 03:18:33 2013 +0000
> > >     unix: fix a race condition in unix_release()
> > > 
> > > This reproducer should be able to trigger it easily on 4+ CPU systems
> > > just within couple of seconds.
> > 
> > I didn't get panic on my v3.9-rc4 system by this test case.
> 
> I double checked if I got that -rc right, and that looks OK:
> $ git tag --contains ded34e0fe8fe8c2d595bfa30626654e4b87621e0
> v3.9-rc5
> v3.9-rc6
> v3.9-rc7
> 
> There is a switch "-s" for how many seconds it should run. Can you try to run
> it for couple of minutes, if that makes any difference?
> 
> If not, then I'm afraid it's not as reproducible as I thought it would be.

I've tried to run it on older kernel (3.0 with SUSE patches) and had no
luck either, the test runned for five minutes. I've even tried to
increase the number of pairs.

On what hardware, kernel (kernel config), etc. is this easily
reproducible?

-- 
Cyril Hrubis
chrubis@suse.cz

------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter
_______________________________________________
Ltp-list mailing list
Ltp-list@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ltp-list

Re: [LTP] [PATCH v2] sendmsg testcase for ded34e0fe8fe8c2d595bfa30626654e4b87621e0

[chrubis]

Hi!
> 2 more random systems with Fedora 18 GOLD and kernel-3.6.10-4.fc18 hit it almost instantly too:
> Romley-EP CPU: Ivy Bridge-EP L-1, 40 CPU, Genuine Intel(R) CPU @ 2.10GHz
> HP ProLiant BL495c G5, 4 CPU, Quad-Core AMD Opteron(tm) Processor 2347 HE

Strange indeed.

Let's get this into LTP git repo already, I will try to bring down some
of my testing machines then.

-- 
Cyril Hrubis
chrubis@suse.cz

------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter
_______________________________________________
Ltp-list mailing list
Ltp-list@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ltp-list

Re: [LTP] [PATCH v2] sendmsg testcase for ded34e0fe8fe8c2d595bfa30626654e4b87621e0

[chrubis]

Hi!
> > > 2 more random systems with Fedora 18 GOLD and kernel-3.6.10-4.fc18 hit it
> > > almost instantly too:
> > > Romley-EP CPU: Ivy Bridge-EP L-1, 40 CPU, Genuine Intel(R) CPU @ 2.10GHz
> > > HP ProLiant BL495c G5, 4 CPU, Quad-Core AMD Opteron(tm) Processor 2347 HE
> > 
> > Strange indeed.
> > 
> > Let's get this into LTP git repo already, I will try to bring down some
> > of my testing machines then.
> 
> Pushed. When you tried it, did you have selinux on?

No, selinux is not turned on by default on SUSE.

And another thing that caught my eye was CONFIG_HZ_1000, as my testing
machines have CONFIG_HZ_250.

-- 
Cyril Hrubis
chrubis@suse.cz

------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter
_______________________________________________
Ltp-list mailing list
Ltp-list@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ltp-list

Re: [LTP] [PATCH v2] sendmsg testcase for ded34e0fe8fe8c2d595bfa30626654e4b87621e0

[chrubis]

Hi!
> > > > Strange indeed.
> > > > 
> > > > Let's get this into LTP git repo already, I will try to bring down some
> > > > of my testing machines then.
> > > 
> > > Pushed. When you tried it, did you have selinux on?
> > 
> > No, selinux is not turned on by default on SUSE.
> > 
> > And another thing that caught my eye was CONFIG_HZ_1000, as my testing
> > machines have CONFIG_HZ_250.
> 
> That could explain it, since it's supposed to crash in:
> 
> security/selinux/hooks.c
>   static int selinux_socket_unix_may_send()
> 
> Full backtrace (a bit mangled) can be seen here:
> http://marc.info/?l=linux-netdev&m=136390436927831&w=2

Ah, I've overlooked the name of the function it crashes in.

I will turn the selinux on and try again.

-- 
Cyril Hrubis
chrubis@suse.cz

------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter
_______________________________________________
Ltp-list mailing list
Ltp-list@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ltp-list

Re: [LTP] [PATCH v2] sendmsg testcase for ded34e0fe8fe8c2d595bfa30626654e4b87621e0

[DAN LI]

On 04/15/2013 03:58 PM, Jan Stancek wrote:
> reproducer for:
> BUG: unable to handle kernel NULL pointer dereference at 0000000000000250
> 
> fixed in 3.9.0-0.rc5:
>   commit ded34e0fe8fe8c2d595bfa30626654e4b87621e0
>   Author: Paul Moore <pmoore@redhat.com>
>   Date:   Mon Mar 25 03:18:33 2013 +0000
>     unix: fix a race condition in unix_release()
> 
> This reproducer should be able to trigger it easily on 4+ CPU systems
> just within couple of seconds.
> 
> Signed-off-by: Jan Stancek <jstancek@redhat.com>
> ---
>  runtest/syscalls                              |    1 +
>  testcases/kernel/syscalls/.gitignore          |    1 +
>  testcases/kernel/syscalls/sendmsg/sendmsg02.c |  230 +++++++++++++++++++++++++
>  3 files changed, 232 insertions(+), 0 deletions(-)
>  create mode 100644 testcases/kernel/syscalls/sendmsg/sendmsg02.c
> 
> diff --git a/runtest/syscalls b/runtest/syscalls
> index f58b6a1..90b4542 100644
> --- a/runtest/syscalls
> +++ b/runtest/syscalls
> @@ -908,6 +908,7 @@ sendfile08_64 sendfile08_64
>  
>  
>  sendmsg01 sendmsg01
> +sendmsg02 sendmsg02
>  
>  sendto01 sendto01
>  
> diff --git a/testcases/kernel/syscalls/.gitignore b/testcases/kernel/syscalls/.gitignore
> index ce62f3f..3869193 100644
> --- a/testcases/kernel/syscalls/.gitignore
> +++ b/testcases/kernel/syscalls/.gitignore
> @@ -721,6 +721,7 @@
>  /sendfile/sendfile08
>  /sendfile/sendfile08_64
>  /sendmsg/sendmsg01
> +/sendmsg/sendmsg02
>  /sendto/sendto01
>  /set_robust_list/set_robust_list01
>  /set_thread_area/set_thread_area01
> diff --git a/testcases/kernel/syscalls/sendmsg/sendmsg02.c b/testcases/kernel/syscalls/sendmsg/sendmsg02.c
> new file mode 100644
> index 0000000..8f38f2c
> --- /dev/null
> +++ b/testcases/kernel/syscalls/sendmsg/sendmsg02.c
> @@ -0,0 +1,230 @@
> +/*
> + * Copyright (C) 2013 Linux Test Project
> + *
> + * This program is free software; you can redistribute it and/or
> + * modify it under the terms of version 2 of the GNU General Public
> + * License as published by the Free Software Foundation.
> + *
> + * This program is distributed in the hope that it would be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
> + *
> + * Further, this software is distributed without any warranty that it
> + * is free of the rightful claim of any third person regarding
> + * infringement or the like.  Any license provided herein, whether
> + * implied or otherwise, applies only to this software file.  Patent
> + * licenses, if any, provided herein do not apply to combinations of
> + * this program with other software, or any other product whatsoever.
> + *
> + * You should have received a copy of the GNU General Public License
> + * along with this program; if not, write the Free Software
> + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
> + * 02110-1301, USA.
> + */
> +/*
> + * reproducer for:
> + * BUG: unable to handle kernel NULL ptr deref in selinux_socket_unix_may_send
> + * fixed in 3.9.0-0.rc5:
> + *   commit ded34e0fe8fe8c2d595bfa30626654e4b87621e0
> + *   Author: Paul Moore <pmoore@redhat.com>
> + *   Date:   Mon Mar 25 03:18:33 2013 +0000
> + *     unix: fix a race condition in unix_release()
> + */
> +
> +#define _GNU_SOURCE
> +#include <sys/ipc.h>
> +#include <sys/stat.h>
> +#include <sys/sem.h>
> +#include <sys/socket.h>
> +#include <sys/types.h>
> +#include <sys/un.h>
> +#include <sys/wait.h>
> +#include <errno.h>
> +#include <signal.h>
> +#include "config.h"
> +#include "test.h"
> +#include "usctest.h"
> +#include "safe_macros.h"
> +
> +char *TCID = "sendmsg02";
> +
> +static int sem_id;
> +static int tflag;
> +static char *t_opt;
> +static option_t options[] = {
> +	{"s:", &tflag, &t_opt},
> +	{NULL, NULL, NULL}
> +};
> +
> +static void setup(void);
> +static void cleanup(void);
> +
> +static void client(int id, int pipefd[])
> +{
> +	int fd, semval;
> +	char data[] = "123456789";
> +	struct iovec w;
> +	struct sockaddr_un sa;
> +	struct msghdr mh;
> +	struct cmsghdr cmh;
> +
> +	close(pipefd[0]);
> +
> +	memset(&sa, 0, sizeof(sa));
> +	sa.sun_family = AF_UNIX;
> +	snprintf(sa.sun_path, sizeof(sa.sun_path), "socket_test%d", id);
> +
> +	w.iov_base = data;
> +	w.iov_len = 10;
> +
> +	memset(&cmh, 0, sizeof(cmh));
> +	mh.msg_control = &cmh;
> +	mh.msg_controllen = sizeof(cmh);
> +
> +	memset(&mh, 0, sizeof(mh));
> +	mh.msg_name = &sa;
> +	mh.msg_namelen = sizeof(struct sockaddr_un);
> +	mh.msg_iov = &w;
> +	mh.msg_iovlen = 1;
> +
> +	do {
> +		fd = socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0);
> +		write(pipefd[1], &fd, 1);
> +		sendmsg(fd, &mh, MSG_NOSIGNAL);
> +		close(fd);
> +		semval = semctl(sem_id, 0, GETVAL);
> +	} while (semval != 0);
> +	close(pipefd[1]);
> +}
> +
> +static void server(int id, int pipefd[])
> +{
> +	int fd, semval;
> +	struct sockaddr_un sa;
> +
> +	close(pipefd[1]);
> +
> +	memset(&sa, 0, sizeof(sa));
> +	sa.sun_family = AF_UNIX;
> +	snprintf(sa.sun_path, sizeof(sa.sun_path), "socket_test%d", id);
> +
> +	do {
> +		fd = socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0);

Hi Jan,

The two features SOCK_CLOEXEC and SOCK_NONBLOCK were introduced since Linux 2.6.27.
So, this case will meet a compile error for kernel under 2.6.27.

Could you please fix it?

Thanks,
DAN LI

> +		unlink(sa.sun_path);
> +		bind(fd, (struct sockaddr *) &sa, sizeof(struct sockaddr_un));
> +		read(pipefd[0], &fd, 1);
> +		close(fd);
> +		semval = semctl(sem_id, 0, GETVAL);
> +	} while (semval != 0);
> +	close(pipefd[0]);
> +}
> +
> +static void reproduce(int seconds)
> +{
> +	int i, status, pipefd[2];
> +	int child_pairs = sysconf(_SC_NPROCESSORS_ONLN)*4;
> +	int child_count = 0;
> +	int *child_pids;
> +	int child_pid;
> +
> +	child_pids = SAFE_MALLOC(cleanup, sizeof(int) * child_pairs * 2);
> +
> +	if (semctl(sem_id, 0, SETVAL, 1) == -1)
> +		tst_brkm(TBROK | TERRNO, cleanup, "couldn't set semval to 1");
> +
> +	/* fork child for each client/server pair */
> +	for (i = 0; i < child_pairs*2; i++) {
> +		if (i%2 == 0) {
> +			if (pipe(pipefd) < 0) {
> +				tst_resm(TBROK | TERRNO, "pipe failed");
> +				break;
> +			}
> +		}
> +
> +		child_pid = fork();
> +		switch (child_pid) {
> +		case -1:
> +			tst_resm(TBROK | TERRNO, "fork");
> +			break;
> +		case 0:
> +			if (i%2 == 0)
> +				server(i, pipefd);
> +			else
> +				client(i-1, pipefd);
> +			exit(0);
> +		default:
> +			child_pids[child_count++] = child_pid;
> +		};
> +
> +		/* this process can close the pipe now */
> +		if (i%2 == 0) {
> +			close(pipefd[0]);
> +			close(pipefd[1]);
> +		}
> +	}
> +
> +	/* let clients/servers run for a while, then clear semval to signal
> +	 * they should stop running now */
> +	if (child_count == child_pairs*2)
> +		sleep(seconds);
> +
> +	if (semctl(sem_id, 0, SETVAL, 0) == -1) {
> +		/* kill children if setting semval failed */
> +		for (i = 0; i < child_count; i++)
> +			kill(child_pids[i], SIGKILL);
> +		tst_resm(TBROK | TERRNO, "couldn't set semval to 0");
> +	}
> +
> +	for (i = 0; i < child_count; i++) {
> +		if (waitpid(child_pids[i], &status, 0) == -1)
> +			tst_resm(TBROK | TERRNO, "waitpid for %d failed",
> +				child_pids[i]);
> +		if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)
> +			tst_resm(TFAIL, "child %d returns %d", i, status);
> +	}
> +	free(child_pids);
> +}
> +
> +static void help(void)
> +{
> +	printf("  -s NUM  Number of seconds to run.\n");
> +}
> +
> +int main(int argc, char *argv[])
> +{
> +	int lc;
> +	char *msg;
> +	long seconds;
> +
> +	msg = parse_opts(argc, argv, options, &help);
> +	if (msg != NULL)
> +		tst_brkm(TBROK, tst_exit, "OPTION PARSING ERROR - %s", msg);
> +	setup();
> +
> +	seconds = tflag ? SAFE_STRTOL(NULL, t_opt, 1, LONG_MAX) : 15;
> +	for (lc = 0; TEST_LOOPING(lc); lc++)
> +		reproduce(seconds);
> +	tst_resm(TPASS, "finished after %ld seconds", seconds);
> +
> +	cleanup();
> +	tst_exit();
> +}
> +
> +static void setup(void)
> +{
> +	tst_require_root(NULL);
> +	tst_tmpdir();
> +
> +	sem_id = semget(IPC_PRIVATE, 1, IPC_CREAT | S_IRWXU);
> +	if (sem_id == -1)
> +		tst_brkm(TBROK | TERRNO, NULL, "Couldn't allocate semaphore");
> +
> +	TEST_PAUSE;
> +}
> +
> +static void cleanup(void)
> +{
> +	TEST_CLEANUP;
> +	semctl(sem_id, 0, IPC_RMID);
> +	tst_rmdir();
> +}
> 



------------------------------------------------------------------------------
Try New Relic Now & We'll Send You this Cool Shirt
New Relic is the only SaaS-based application performance monitoring service 
that delivers powerful full stack analytics. Optimize and monitor your
browser, app, & servers with just a few lines of code. Try New Relic
and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_apr
_______________________________________________
Ltp-list mailing list
Ltp-list@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ltp-list