Commit 1333ab03 authored by Oleg Nesterov's avatar Oleg Nesterov Committed by Linus Torvalds

ptrace: change __ptrace_unlink() to clear ->ptrace under ->siglock

This test-case (simplified version of generated by syzkaller)

	#include <unistd.h>
	#include <sys/ptrace.h>
	#include <sys/wait.h>

	void test(void)
	{
		for (;;) {
			if (fork()) {
				wait(NULL);
				continue;
			}

			ptrace(PTRACE_SEIZE, getppid(), 0, 0);
			ptrace(PTRACE_INTERRUPT, getppid(), 0, 0);
			_exit(0);
		}
	}

	int main(void)
	{
		int np;

		for (np = 0; np < 8; ++np)
			if (!fork())
				test();

		while (wait(NULL) > 0)
			;
		return 0;
	}

triggers the 2nd WARN_ON_ONCE(!signr) warning in do_jobctl_trap().  The
problem is that __ptrace_unlink() clears task->jobctl under siglock but
task->ptrace is cleared without this lock held; this fools the "else"
branch which assumes that !PT_SEIZED means PT_PTRACED.

Note also that most of other PTRACE_SEIZE checks can race with detach
from the exiting tracer too.  Say, the callers of ptrace_trap_notify()
assume that SEIZED can't go away after it was checked.
Signed-off-by: default avatarOleg Nesterov <oleg@redhat.com>
Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
Cc: Tejun Heo <tj@kernel.org>
Cc: syzkaller <syzkaller@googlegroups.com>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent 38739380
...@@ -73,12 +73,11 @@ void __ptrace_unlink(struct task_struct *child) ...@@ -73,12 +73,11 @@ void __ptrace_unlink(struct task_struct *child)
{ {
BUG_ON(!child->ptrace); BUG_ON(!child->ptrace);
child->ptrace = 0;
child->parent = child->real_parent; child->parent = child->real_parent;
list_del_init(&child->ptrace_entry); list_del_init(&child->ptrace_entry);
spin_lock(&child->sighand->siglock); spin_lock(&child->sighand->siglock);
child->ptrace = 0;
/* /*
* Clear all pending traps and TRAPPING. TRAPPING should be * Clear all pending traps and TRAPPING. TRAPPING should be
* cleared regardless of JOBCTL_STOP_PENDING. Do it explicitly. * cleared regardless of JOBCTL_STOP_PENDING. Do it explicitly.
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment