[CRIU] [PATCH] fsnotify: Fix nil dereference in pre_dump_one_fanotify

Andrey Vagin avagin at parallels.com
Wed Mar 12 03:37:22 PDT 2014


On Tue, Mar 11, 2014 at 10:25:25PM +0400, Pavel Emelyanov wrote:
> On 03/11/2014 10:22 PM, Cyrill Gorcunov wrote:
> > On Tue, Mar 11, 2014 at 10:20:46PM +0400, Pavel Emelyanov wrote:
> >> On 03/11/2014 12:08 PM, Cyrill Gorcunov wrote:
> >>> pre_dump_one_fanotify calls parse_fdinfo_pid_s, where
> >>> fsn_params must not be NULL, otherwise we get a nil dereference.
> >>>
> >>> Fix it by passing a real variable instead.
> >>>
> >>> Reported-by: Pavel Tikhomirov <snorcht at gmail.com>
> >>> Signed-off-by: Cyrill Gorcunov <gorcunov at openvz.org>
> >>> ---
> >>
> >> Applied.
> >> Why isn't it caught by any zdtm test?
> > 
> > I suppose we never ran pre-dump action.
> 
> It should be in zdtm.sh keys and Jenkins' scripts.
> Andrey?

I added a new job for checking pre-dump and it hangs.

Looks like we are trying to open an unconnected fifo.

 1191 ?        Ssl  143:37 java -Dcom.sun.akuma.Daemon=daemonized -agentpath:/usr/lib64/libabrt-java-connector.so=abrt=on -Djava.awt.headless=true -DJENKINS_HOME=/var/l
 7494 ?        S      0:00  \_ /bin/sh -xe /tmp/hudson316557994203182600.sh
 7497 ?        S      0:00      \_ bash -c ( mount --make-rprivate / && umount -l  /proc && mount -t proc proc /proc/ && bash -x /var/lib/jenkins/criu-pre-dump.sh )
 7498 ?        S      0:00          \_ bash -c ( mount --make-rprivate / && umount -l  /proc && mount -t proc proc /proc/ && bash -x /var/lib/jenkins/criu-pre-dump.sh )
 7502 ?        S      0:00              \_ bash -x /var/lib/jenkins/criu-pre-dump.sh
10367 ?        S      0:00              |   \_ make -C test -j 4 ZDTM_ARGS=-P -i 3 -C
10404 ?        S      0:00              |       \_ make zdtm
10461 ?        S      0:00              |           \_ make zdtm_ns
23493 ?        S      0:00              |               \_ /bin/sh -c ./zdtm.sh -P -i 3 -C ns/static/fifo-ghost &> ns_static_fifo-ghost.log || \ { flock Makefile cat ns
23496 ?        S      0:00              |                   \_ /bin/bash ./zdtm.sh -P -i 3 -C ns/static/fifo-ghost
23969 ?        Ss     0:00              |                       \_ /var/lib/jenkins/jobs/CRIU-pre-dump/workspace/criu pre-dump --file-locks --tcp-established -x --evasi
23893 ?        ts     0:00              \_ ./fifo-ghost --pidfile=fifo-ghost.pid --outfile=fifo-ghost.out --filename=fifo-ghost.test
23908 ?        Ss     0:00                  \_ ./fifo-ghost --pidfile=fifo-ghost.pid --outfile=fifo-ghost.out --filename=fifo-ghost.test
[root at jenkins ~]# strace -fp 23969
Process 23969 attached
openat(3, "fd/4", O_RDONLY^CProcess 23969 detached
 <detached ...>
[root at jenkins ~]# gdb -p 23969
(gdb) bt
#0  0x00007fba05179679 in openat64 () from /lib64/libc.so.6
#1  0x000000000042fee7 in do_open_proc ()
#2  0x000000000043b526 in predump_task_files ()
#3  0x000000000042caa1 in cr_pre_dump_tasks ()
#4  0x0000000000416119 in main ()
(gdb) quit
A debugging session is active.

	Inferior 1 [process 23969] will be detached.

Quit anyway? (y or n) y
[root at jenkins ~]# ls -l /proc/23969/fd/
total 0
lr-x------ 1 root root 64 Mar 12 14:31 0 -> pipe:[551450468]
l-wx------ 1 root root 64 Mar 12 14:31 1 -> /var/lib/jenkins/jobs/CRIU-pre-dump/workspace/test/ns_static_fifo-ghost.log
lr-x------ 1 root root 64 Mar 12 14:31 10 -> /lib64/ld-linux-x86-64.so.2
lr-x------ 1 root root 64 Mar 12 14:31 11 -> /lib64/ld-linux-x86-64.so.2
lr-x------ 1 root root 64 Mar 12 14:31 12 -> pipe:[551490962]
l-wx------ 1 root root 64 Mar 12 14:31 13 -> pipe:[551490962]
l-wx------ 1 root root 64 Mar 12 14:31 2 -> /var/lib/jenkins/jobs/CRIU-pre-dump/workspace/test/ns_static_fifo-ghost.log
lr-x------ 1 root root 64 Mar 12 14:31 3 -> /proc/16388
lr-x------ 1 root root 64 Mar 12 14:31 4 -> /
lr-x------ 1 root root 64 Mar 12 14:31 4093 -> /proc
lr-x------ 1 root root 64 Mar 12 14:31 4094 -> /var/lib/jenkins/jobs/CRIU-pre-dump/workspace/test/dump/fifo-ghost/16373/1
l-wx------ 1 root root 64 Mar 12 14:31 4095 -> /var/lib/jenkins/jobs/CRIU-pre-dump/workspace/test/dump/fifo-ghost/16373/1/dump.log
lrwx------ 1 root root 64 Mar 12 14:31 5 -> socket:[551490950]
lrwx------ 1 root root 64 Mar 12 14:31 6 -> socket:[551490972]
lr-x------ 1 root root 64 Mar 12 14:31 7 -> /proc/16388/fd
lr-x------ 1 root root 64 Mar 12 14:31 8 -> /zdtm/live/static/fifo-ghost
lr-x------ 1 root root 64 Mar 12 14:31 9 -> /lib64/libc.so.6

[root at jenkins ~]# cat /proc/23969/stack 
[<ffffffff812205ee>] pipe_wait+0x6e/0x90
[<ffffffff81221908>] fifo_open+0x148/0x3d0
[<ffffffff81215266>] do_dentry_open+0x2a6/0x350
[<ffffffff8121535b>] finish_open+0x4b/0x70
[<ffffffff81225e81>] do_last+0x211/0xed0
[<ffffffff8122974c>] path_openat+0x27c/0x640
[<ffffffff81229c4a>] do_filp_open+0x4a/0xa0
[<ffffffff812168ea>] do_sys_open+0x11a/0x230
[<ffffffff81216a14>] SyS_openat+0x14/0x20
[<ffffffff8177bfe9>] system_call_fastpath+0x16/0x1b
[<ffffffffffffffff>] 0xffffffffffffffff


diff --git a/files.c b/files.c
index e2fb8eb..e6a32ee 100644
--- a/files.c
+++ b/files.c
@@ -416,7 +416,7 @@ static int predump_one_fd(int pid, int fd)
         * enightened version without fds draining.
         */
 
-       lfd = open_proc(pid, "fd/%d", fd);
+       lfd = __open_proc(pid, O_PATH | O_RDONLY, "fd/%d", fd);
        if (lfd < 0)
                return 0; /* That's OK, it can be a socket */
 
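Review bot: The new O_PATH open is what stops the blocking in fifo_open/pipe_wait shown in the kernel stack above, but nothing in the hunk records why, and the descriptor it yields can only be used for metadata-style operations (fstat, /proc/self/fd links), never for read; a comment on the new line such as `/* O_PATH: an unconnected FIFO would otherwise block in fifo_open; lfd must not be read from */` would keep the next maintainer from "fixing" it back. The `if (lfd < 0) return 0;` branch still treats every failure as the benign socket case, yet with the O_PATH flag a kernel that does not support it fails the openat with EINVAL and that descriptor is then silently skipped during pre-dump; logging errno when it is not the expected ENOENT-style miss before returning 0 would make such a skip visible in dump.log. Whether any other error is legitimately expected here is not visible in this hunk. predump_one_fd begins and continues outside the hunk, so how lfd is used afterwards should be checked against the O_PATH restriction.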


