• Oleg Nesterov's avatar
    ptrace: change __ptrace_unlink() to clear ->ptrace under ->siglock · 1333ab03
    Oleg Nesterov authored
    This test-case (simplified version of generated by syzkaller)
    
    	#include <unistd.h>
    	#include <sys/ptrace.h>
    	#include <sys/wait.h>
    
    	void test(void)
    	{
    		for (;;) {
    			if (fork()) {
    				wait(NULL);
    				continue;
    			}
    
    			ptrace(PTRACE_SEIZE, getppid(), 0, 0);
    			ptrace(PTRACE_INTERRUPT, getppid(), 0, 0);
    			_exit(0);
    		}
    	}
    
    	int main(void)
    	{
    		int np;
    
    		for (np = 0; np < 8; ++np)
    			if (!fork())
    				test();
    
    		while (wait(NULL) > 0)
    			;
    		return 0;
    	}
    
    triggers the 2nd WARN_ON_ONCE(!signr) warning in do_jobctl_trap().  The
    problem is that __ptrace_unlink() clears task->jobctl under siglock but
    task->ptrace is cleared without this lock held; this fools the "else"
    branch which assumes that !PT_SEIZED means PT_PTRACED.
    
    Note also that most of other PTRACE_SEIZE checks can race with detach
    from the exiting tracer too.  Say, the callers of ptrace_trap_notify()
    assume that SEIZED can't go away after it was checked.
    Signed-off-by: default avatarOleg Nesterov <oleg@redhat.com>
    Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
    Cc: Tejun Heo <tj@kernel.org>
    Cc: syzkaller <syzkaller@googlegroups.com>
    Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    1333ab03
ptrace.c 31.6 KB