BUG in tty_open when using containers and ptrace

Grzegorz Nosek root at localdomain.pl
Mon Jul 13 15:34:44 PDT 2009

On Mon, Jul 13, 2009 at 03:26:10PM -0500, Serge E. Hallyn wrote:
> The container init is /bin/sh, and you
> while [ 1 ]; do
> 	virsh --connect lxc:/// start vm1
> 	virsh --connect lxc:/// destroy vm1
> done
> ?  (I thought there was something about stracing the container
> init too, so I was basically doing the above while also
> stracing the bash shell)

That was the first occurrence of the crash (though I can't tell you
whether I used sash or upstart then). When I could reproduce the crash
reliably, I was using upstart without strace and the script was

while [ 1 ]; do
	virsh --connect lxc:/// start vm1
	sleep 3
	virsh --connect lxc:/// shutdown vm1
	sleep 3
done

to let the startup/shutdown settle (also, SLUB debugging had to be on to
poison freed memory -- this was crucial for me).

OK, I've been writing this mail for over an hour now, but I managed to
produce a single program which produces the oops I've been encountering.

Simply run it as container init. Sometimes it oopses immediately,
usually it goes as far as the pause. If you kill it with SIGINT then,
everything will probably be fine. But if you first kill the libvirt_lxc
process above it (holding the pty master), and only then kill init, it
should oops.

Note that the weird mount stuff is critical here (couldn't reproduce the
oops by simply opening /dev/pts/0, even if I mounted it on /dev/console

After applying my patch from some earlier mail I can no longer crash the
kernel, but the "Hello world!" appears on my current VT, so there's
potential for container root to mess up host console. I don't know how
that happened, actually.

Best regards,
 Grzegorz Nosek

#include <sys/mount.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/signal.h>

/* empty handler: SIGINT only interrupts pause() */
void dummy(int sig)
{
}

int main(void)
{
	sleep(2); /* wait for /dev/pts/0 to appear */
	mount("/dev/pts/0", "/dev/console", NULL, MS_BIND, NULL);
	signal(SIGINT, dummy);
	pause(); /* wait here until SIGINT, as described above */

	open("/dev/console", O_RDWR);
	write(1, "Hello world!\n", sizeof("Hello world!\n")-1);
	return 0;
}
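
An added check, not part of the original mail or of libvirt: run inside a container, it reports whether /dev/console is a devpts slave bind-mounted over the node (the setup the program above creates) or a host console/VT device node. It inspects only the device node and the mount table, so it audits the container setup and does not detect the misrouted write described in the mail. The function names are hypothetical and the device numbers are the standard Linux assignments.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/sysmacros.h>

enum tty_kind { NOT_CHARDEV, PTS_SLAVE, HOST_VT, HOST_CONSOLE, OTHER_CHARDEV };

/* Classify a character device number by its fixed Linux major/minor. */
enum tty_kind classify_rdev(unsigned maj, unsigned min)
{
	if (maj >= 136 && maj <= 143) return PTS_SLAVE;    /* Unix98 pty slaves */
	if (maj == 4 && min <= 63)    return HOST_VT;      /* tty0..tty63 */
	if (maj == 5 && min == 1)     return HOST_CONSOLE; /* /dev/console */
	return OTHER_CHARDEV;
}

/* stat() sees through a bind mount, so this reports the node really in place. */
enum tty_kind classify_path(const char *path)
{
	struct stat st;
	if (stat(path, &st) != 0 || !S_ISCHR(st.st_mode))
		return NOT_CHARDEV;
	return classify_rdev(major(st.st_rdev), minor(st.st_rdev));
}

/* Return 1 if one /proc/self/mountinfo line is a devpts mount at mnt.
 * Fields: id parent maj:min root mountpoint opts [optional...] - fstype ... */
int is_devpts_mount_at(const char *line, const char *mnt)
{
	char mp[256], fstype[64];
	const char *sep = strstr(line, " - ");
	if (!sep || sscanf(line, "%*s %*s %*s %*s %255s", mp) != 1)
		return 0;
	if (sscanf(sep + 3, "%63s", fstype) != 1)
		return 0;
	return strcmp(mp, mnt) == 0 && strcmp(fstype, "devpts") == 0;
}

int main(void)
{
	char line[1024];
	int bound = 0;
	FILE *f = fopen("/proc/self/mountinfo", "r");
	while (f && fgets(line, sizeof line, f))
		bound |= is_devpts_mount_at(line, "/dev/console");
	if (f) fclose(f);
	printf("devpts bound over /dev/console: %s, node kind: %d\n",
	       bound ? "yes" : "no", classify_path("/dev/console"));
	return 0;
}
```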
