• Oleg Nesterov's avatar
    ptrace: fix task_join_group_stop() for the case when current is traced · 7b3c36fc
    Oleg Nesterov authored
    This testcase
    
    	#include <stdio.h>
    	#include <unistd.h>
    	#include <signal.h>
    	#include <sys/ptrace.h>
    	#include <sys/wait.h>
    	#include <pthread.h>
    	#include <assert.h>
    
    	void *tf(void *arg)
    	{
    		return NULL;
    	}
    
    	int main(void)
    	{
    		int pid = fork();
    		if (!pid) {
    			kill(getpid(), SIGSTOP);
    
    			pthread_t th;
    			pthread_create(&th, NULL, tf, NULL);
    
    			return 0;
    		}
    
    		waitpid(pid, NULL, WSTOPPED);
    
    		ptrace(PTRACE_SEIZE, pid, 0, PTRACE_O_TRACECLONE);
    		waitpid(pid, NULL, 0);
    
    		ptrace(PTRACE_CONT, pid, 0,0);
    		waitpid(pid, NULL, 0);
    
    		int status;
    		int thread = waitpid(-1, &status, 0);
    		assert(thread > 0 && thread != pid);
    		assert(status == 0x80137f);
    
    		return 0;
    	}
    
    fails and triggers WARN_ON_ONCE(!signr) in do_jobctl_trap().
    
    This is because task_join_group_stop() has 2 problems when current is traced:
    
    	1. We can't rely on the "JOBCTL_STOP_PENDING" check, a stopped tracee
    	   can be woken up by debugger and it can clone another thread which
    	   should join the group-stop.
    
    	   We need to check group_stop_count || SIGNAL_STOP_STOPPED.
    
    	2. If SIGNAL_STOP_STOPPED is already set, we should not increment
    	   sig->group_stop_count and add JOBCTL_STOP_CONSUME. The new thread
    	   should stop without another do_notify_parent_cldstop() report.
    
    To clarify, the problem is very old and we should blame
    ptrace_init_task().  But now that we have task_join_group_stop() it makes
    more sense to fix this helper to avoid the code duplication.
    
    Reported-by: syzbot+3485e3773f7da290eecc@syzkaller.appspotmail.com
    Signed-off-by: default avatarOleg Nesterov <oleg@redhat.com>
    Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
    Cc: Jens Axboe <axboe@kernel.dk>
    Cc: Christian Brauner <christian@brauner.io>
    Cc: "Eric W . Biederman" <ebiederm@xmission.com>
    Cc: Zhiqiang Liu <liuzhiqiang26@huawei.com>
    Cc: Tejun Heo <tj@kernel.org>
    Cc: <stable@vger.kernel.org>
    Link: https://lkml.kernel.org/r/20201019134237.GA18810@redhat.comSigned-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    7b3c36fc
signal.c 119 KB