fix kernel panic on 10-STABLE when running setrlimit_test with INVARIANTS enabled kernel
ClosedPublic
Actions

Authored by op on Aug 7 2016, 12:09 PM.

Details

Reviewers

kib
allanjude
ngie
mjg
trasz
bdrewery

Summary

I got the following kernel panic during the kyua test:

lib/libc/sys/setuid_test:setuid_root  ->  panic: mutex process lock
not owned at /usr/src/sys/kern/kern_prot.c:1991
cpuid = 1
KDB: stack backtrace:
Uptime: 2h54m9s
Dumping 223 out of 999
MB:..8%..15%..22%..36%..43%..51%..65%..72%..86%..94%
Dump complete
Consoles: userboot

The issue was easily reproducible on INVARIANTS enabled vanilla FreeBSD
10-STABLE too:

download the latest snapshot build from 10-STABLE from freebsd's ftp site
install them with enabled src distset
echo 'WITH_TESTS=' >> /etc/src.conf
echo 'options INVARIANTS' >> /usr/src/sys/amd64/conf/GENERIC
echo 'options INVARIANT_SUPPORT' >> /usr/src/sys/amd64/conf/GENERIC
cd /usr/src; make buildworld kernel installworld
reboot
pkg install kyua perl
cd /usr/tests/lib/libc/sys/
repeat 10 kyua test setrlimit_test # even with normal or root user
wait ~10 sec to get the panic

After I applied this patch - which added 3 missing backported patch to
10-STABLE from mjg, I retested with the following commands, and
working fine:

repeat 100 kyua test setrlimit_test

additionally retested with the full libc test suite 10 times.

This patch contains the following patches:

	HBSD MFC r280330: fork: assign refed credentials earlier

	Prior to this change the kernel would take p1's credentials and assign
	them tempororarily to p2. But p1 could change credentials at that time
	and in effect give us a use-after-free.

	No objections from: kib

	github-issue: #214

	(cherry picked from commit 1cd59e2b5dec1e9bf1a0f5467ca0918aa51c7c72)
	Signed-off-by: Oliver Pinter <oliver.pinter@hardenedbsd.org>
	(cherry picked from commit a08d50676834c6a283ec675e1ce901020fa6ce6d)
	Signed-off-by: Oliver Pinter <oliver.pinter@hardenedbsd.org>

	HBSD MFC r280331: cred: add proc_set_cred_init helper

	proc_set_cred_init can be used to set first credentials of a new
	process.

	Update proc_set_cred assertions so that it only expects already used
	processes.

	This fixes panics where p_ucred of a new process happens to be non-NULL.

	Reviewed by:	kib

	github-issue: #214

	(cherry picked from commit b6e838d488e059efc84b230c7acae9bfd1af4d5f)
	Signed-off-by: Oliver Pinter <oliver.pinter@hardenedbsd.org>
	(cherry picked from commit 0fa648f58e3d892367a78e5e8264f03bc504edda)
	Signed-off-by: Oliver Pinter <oliver.pinter@hardenedbsd.org>

	HBSD MFC 282567: Fix up panics when fork fails due to hitting proc limit

	The function clearning credentials on failure asserts the process is a
	zombie, which is not true when fork fails.

	Changing creds to NULL is unnecessary, but is still being done for
	consistency with other code.

	Pointy hat: mjg
	Reported by: pho

	github-issue: #214

	(cherry picked from commit 14fd588310f6ebf86bb309527a3c2c387286043c)
	Signed-off-by: Oliver Pinter <oliver.pinter@hardenedbsd.org>
	(cherry picked from commit c92af2e62868d9d541036f6d13ee06bf99807e95)
	Signed-off-by: Oliver Pinter <oliver.pinter@hardenedbsd.org>

SVN-ref: r280330 r282567 r280331
Sponsored-by: HardenedBSD, opBSD
CC: FreeBSD secteam, kib@, mjg@, bdrewery@, hunger@, trasz@

Signed-off-by: Oliver Pinter <oliver.pinter@hardenedbsd.org>

sys/kern/init_main.c | 2 +-
sys/kern/kern_fork.c | 16 ++++++++--------
sys/kern/kern_prot.c | 16 ++++++++++++++--
sys/sys/ucred.h | 1 +
4 files changed, 24 insertions(+), 11 deletions(-)

Test Plan

The issue was easily reproducible on INVARIANTS enabled vanilla FreeBSD
10-STABLE too:

download the latest snapshot build from 10-STABLE from freebsd's ftp site
install them with enabled src distset
echo 'WITH_TESTS=' >> /etc/src.conf
echo 'options INVARIANTS' >> /usr/src/sys/amd64/conf/GENERIC
echo 'options INVARIANT_SUPPORT' >> /usr/src/sys/amd64/conf/GENERIC
cd /usr/src; make buildworld kernel installworld
reboot
pkg install kyua perl
cd /usr/tests/lib/libc/sys/
repeat 10 kyua test setrlimit_test # even with normal or root user
wait ~10 sec to get the panic

After I applied this patch - which added 3 missing backported patch to
10-STABLE from mjg, I retested with the following commands, and
working fine:

repeat 100 kyua test setrlimit_test

additionally retested with the full libc test suite 10 times.

Diff Detail

Lint

Lint Skipped

Unit

Tests Skipped

Event Timeline

op updated this revision to Diff 19101.Aug 7 2016, 12:09 PM

op retitled this revision from to fix kernel panic on 10-STABLE when running setrlimit_test with INVARIANTS enabled kernel.

op updated this object.

op edited the test plan for this revision. (Show Details)

op added reviewers: mjg, kib, bdrewery, trasz, allanjude, ngie.

op set the repository for this revision to rS FreeBSD src repository - subversion.

Herald added a subscriber: imp. · View Herald TranscriptAug 7 2016, 12:09 PM

op added a subscriber: pho.Aug 7 2016, 12:11 PM

bdrewery updated this object.Aug 8 2016, 5:19 PM

bdrewery updated this object.Aug 8 2016, 5:35 PM

I'm handling the missing MFCs

bdrewery mentioned this in rS303843: MFC r280330,r282567:.Aug 8 2016, 6:11 PM

In D7431#154805, @bdrewery wrote:

I'm handling the missing MFCs

Note that the summary is at least misleading. The issue of failing assert is only cosmetic: the user asked for debugging kernel and there is a nit in the debugging facilities. The real change is the close of the race in the first listed HEAD revision. But that race seems to be only accessible for the root, and even then it requires some additional precautions to organize the scene. IOW, this is a routine bug fix, which is good to have, but definitely not worth bothering either secteam nor united nations.

bdrewery mentioned this in rS303846: MFC r280331:.Aug 8 2016, 6:31 PM

bdrewery accepted this revision.Aug 8 2016, 6:32 PM

bdrewery edited edge metadata.

This revision is now accepted and ready to land.Aug 8 2016, 6:32 PM

Revs MFC'd.