From patchwork Tue Nov 22 10:07:57 2022
X-Patchwork-Submitter: Benjamin Berg
X-Patchwork-Id: 1707746
X-Patchwork-Delegate: richard@nod.at
From: benjamin@sipsolutions.net
To: linux-um@lists.infradead.org
Cc: Benjamin Berg
Subject: [PATCH v2 26/28] um: Die if a child dies unexpectedly in seccomp mode
Date: Tue, 22 Nov 2022 11:07:57 +0100
Message-Id: <20221122100759.208290-27-benjamin@sipsolutions.net>
In-Reply-To: <20221122100759.208290-1-benjamin@sipsolutions.net>
References: <20221122100759.208290-1-benjamin@sipsolutions.net>

From: Benjamin Berg

When in seccomp mode, we would hang forever on the futex if a child has
died unexpectedly. In contrast, ptrace mode will notice it and kill the
corresponding thread when it fails to run it.

Fix this issue by simply printing a message and aborting. In this case
something from the outside (e.g. OOM killer) has interfered with the
machine and it is reasonable to not try to recover.

Signed-off-by: Benjamin Berg
--- arch/um/include/shared/os.h | 1 + arch/um/os-Linux/process.c | 40 +++++++++++++++++++++++++++++++++++++ arch/um/os-Linux/signal.c | 7 +++++++ 3 files changed, 48 insertions(+) diff --git a/arch/um/include/shared/os.h b/arch/um/include/shared/os.h index d1f1dedad83b..07683f45d7e1 100644 --- a/arch/um/include/shared/os.h +++ b/arch/um/include/shared/os.h @@ -192,6 +192,7 @@ extern void get_host_cpu_features( extern int create_mem_file(unsigned long long len); /* process.c */ +void os_check_child_lost(void); extern unsigned long os_process_pc(int pid); extern int os_process_parent(int pid); extern void os_alarm_process(int pid); diff --git a/arch/um/os-Linux/process.c b/arch/um/os-Linux/process.c index e52dd37ddadc..db98fc79d9e2 100644 --- a/arch/um/os-Linux/process.c +++ b/arch/um/os-Linux/process.c @@ -17,6 +17,7 @@ #include #include #include +#include #define ARBITRARY_ADDR -1 #define FAILURE_PID -1 @@ -102,9 +103,18 @@ void os_stop_process(int pid) void os_kill_process(int pid, int reap_child) { + sigset_t chld; + + /* Block SIGCHLD so that we can reap it before the handler runs. */ + sigemptyset(&chld); + sigaddset(&chld, SIGCHLD); + sigprocmask(SIG_BLOCK, &chld, NULL); + kill(pid, SIGKILL); if (reap_child) CATCH_EINTR(waitpid(pid, NULL, __WALL)); + + sigprocmask(SIG_UNBLOCK, &chld, NULL); } /* Kill off a ptraced child by all means available. kill it normally first, 
@@ -114,11 +124,39 @@ void os_kill_process(int pid, int reap_child) void os_kill_ptraced_process(int pid, int reap_child) { + sigset_t chld; + + /* Block SIGCHLD so that we can reap it before the handler runs. */ + sigemptyset(&chld); + sigaddset(&chld, SIGCHLD); + sigprocmask(SIG_BLOCK, &chld, NULL); + kill(pid, SIGKILL); ptrace(PTRACE_KILL, pid); ptrace(PTRACE_CONT, pid); if (reap_child) CATCH_EINTR(waitpid(pid, NULL, __WALL)); + + sigprocmask(SIG_UNBLOCK, &chld, NULL); +} + +void os_check_child_lost(void) +{ + int status; + pid_t pid; + + /* + * Check if we can reap a child. + * Any expected kills will clean up without this handler being fired. + */ + pid = waitpid(-1, &status, WNOHANG); + if (pid <= 0) + return; + + os_warn("Child %d died unexpectedly with status %d, cannot recover in seccomp mode!\r\n", + pid, status); + /* Kill ourselves including all children. */ + killpg(os_getpid(), SIGABRT); } /* Don't use the glibc version, which caches the result in TLS. It misses some @@ -283,5 +321,7 @@ void init_new_thread_signals(void) set_handler(SIGBUS); signal(SIGHUP, SIG_IGN); set_handler(SIGIO); + if (using_seccomp) + set_handler(SIGCHLD); signal(SIGWINCH, SIG_IGN); } diff --git a/arch/um/os-Linux/signal.c b/arch/um/os-Linux/signal.c index 24a403a70a02..d8c92e04c873 100644 --- a/arch/um/os-Linux/signal.c +++ b/arch/um/os-Linux/signal.c @@ -108,6 +108,11 @@ static void timer_real_alarm_handler(mcontext_t *mc) timer_handler(SIGALRM, NULL, ®s); } +static void sig_child_handler(int sig, struct siginfo *unused_si, mcontext_t *mc) +{ + os_check_child_lost(); +} + void timer_alarm_handler(int sig, struct siginfo *unused_si, mcontext_t *mc) { int enabled; @@ -169,6 +174,8 @@ static void (*handlers[_NSIG])(int sig, struct siginfo *si, mcontext_t *mc) = { [SIGIO] = sig_handler, [SIGWINCH] = sig_handler, + /* SIGCHLD is only registered in seccomp mode. */ + [SIGCHLD] = sig_child_handler, [SIGALRM] = timer_alarm_handler, [SIGUSR1] = sigusr1_handler,
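
Review bot: in the os_kill_process() hunk of arch/um/os-Linux/process.c (and the identical change to os_kill_ptraced_process()), the reap_child == 0 path leaves the killed child unreaped and then unblocks SIGCHLD. In seccomp mode the new handler then runs, waitpid(-1, &status, WNOHANG) in os_check_child_lost() can pick up exactly that child, and an intentional kill is reported as an unexpected death followed by killpg(..., SIGABRT). Either reap unconditionally when using_seccomp is set, or record expected kills so the handler can ignore them. Separately, the closing sigprocmask(SIG_UNBLOCK, &chld, NULL) unblocks SIGCHLD even if the caller had it blocked on entry; taking the previous mask from the SIG_BLOCK call and restoring it with SIG_SETMASK would keep both functions mask-neutral.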
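
Review bot: os_check_child_lost() in the second process.c hunk calls waitpid(-1, ...), which matches every child of the process; if any child is ever forked and waited for elsewhere, its exit would be reaped here and abort the whole instance, so consider limiting the check to the PIDs this code started. The message prints the raw wait status with %d; decoding it with WIFSIGNALED()/WTERMSIG() and WIFEXITED()/WEXITSTATUS() would make the OOM-killer case named in the commit message recognisable in the log. killpg(os_getpid(), SIGABRT) assumes the process is its own process-group leader, which deserves a comment or a check. The SIGCHLD block/unblock sequence is also duplicated verbatim in os_kill_process() and os_kill_ptraced_process() and would read better as a small helper.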
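
Review bot: sig_child_handler() in the first signal.c hunk runs os_check_child_lost() in signal context, and on the common path where waitpid() returns 0 or -1 the handler returns into interrupted code with errno possibly changed (for example to ECHILD). Unless the shared dispatch code already preserves errno, save and restore it here. The same context means os_warn() has to be async-signal-safe, which is worth stating in the commit message. All three parameters are unused, but only the siginfo one is named accordingly.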