diff options
author | Oleg Nesterov <oleg@redhat.com> | 2009-04-02 19:58:14 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2009-04-02 22:04:59 -0400 |
commit | 4576145c1ecdaaea9ef8976a48335206aa1ebf91 (patch) | |
tree | b20b51848380b708f4158852b1bb4afa29ffc5f0 | |
parent | b1b4c6799fb59e710454bfe0ab477cb8523a8667 (diff) |
ptrace: fix possible zombie leak on PTRACE_DETACH
When ptrace_detach() takes tasklist, the tracee can be SIGKILL'ed. If it
has already passed exit_notify() we can leak a zombie, because a) ptracing
disables the auto-reaping logic, and b) ->real_parent was not notified
about the child's death.
ptrace_detach() should follow the ptrace_exit's logic, change the code
accordingly.
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Cc: Jerome Marchand <jmarchan@redhat.com>
Cc: Roland McGrath <roland@redhat.com>
Tested-by: Denys Vlasenko <dvlasenk@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-rw-r--r-- | include/linux/ptrace.h | 1 | ||||
-rw-r--r-- | kernel/ptrace.c | 9 |
2 files changed, 8 insertions, 2 deletions
diff --git a/include/linux/ptrace.h b/include/linux/ptrace.h index 98b93ca4db06..1a2b0cb55535 100644 --- a/include/linux/ptrace.h +++ b/include/linux/ptrace.h | |||
@@ -94,6 +94,7 @@ extern void ptrace_notify(int exit_code); | |||
94 | extern void __ptrace_link(struct task_struct *child, | 94 | extern void __ptrace_link(struct task_struct *child, |
95 | struct task_struct *new_parent); | 95 | struct task_struct *new_parent); |
96 | extern void __ptrace_unlink(struct task_struct *child); | 96 | extern void __ptrace_unlink(struct task_struct *child); |
97 | extern int __ptrace_detach(struct task_struct *tracer, struct task_struct *p); | ||
97 | extern void ptrace_fork(struct task_struct *task, unsigned long clone_flags); | 98 | extern void ptrace_fork(struct task_struct *task, unsigned long clone_flags); |
98 | #define PTRACE_MODE_READ 1 | 99 | #define PTRACE_MODE_READ 1 |
99 | #define PTRACE_MODE_ATTACH 2 | 100 | #define PTRACE_MODE_ATTACH 2 |
diff --git a/kernel/ptrace.c b/kernel/ptrace.c index f62a568e84ec..ee553b6ad125 100644 --- a/kernel/ptrace.c +++ b/kernel/ptrace.c | |||
@@ -237,6 +237,8 @@ out: | |||
237 | 237 | ||
238 | int ptrace_detach(struct task_struct *child, unsigned int data) | 238 | int ptrace_detach(struct task_struct *child, unsigned int data) |
239 | { | 239 | { |
240 | int dead = 0; | ||
241 | |||
240 | if (!valid_signal(data)) | 242 | if (!valid_signal(data)) |
241 | return -EIO; | 243 | return -EIO; |
242 | 244 | ||
@@ -244,18 +246,21 @@ int ptrace_detach(struct task_struct *child, unsigned int data) | |||
244 | ptrace_disable(child); | 246 | ptrace_disable(child); |
245 | clear_tsk_thread_flag(child, TIF_SYSCALL_TRACE); | 247 | clear_tsk_thread_flag(child, TIF_SYSCALL_TRACE); |
246 | 248 | ||
247 | /* protect against de_thread()->release_task() */ | ||
248 | write_lock_irq(&tasklist_lock); | 249 | write_lock_irq(&tasklist_lock); |
250 | /* protect against de_thread()->release_task() */ | ||
249 | if (child->ptrace) { | 251 | if (child->ptrace) { |
250 | child->exit_code = data; | 252 | child->exit_code = data; |
251 | 253 | ||
252 | __ptrace_unlink(child); | 254 | dead = __ptrace_detach(current, child); |
253 | 255 | ||
254 | if (!child->exit_state) | 256 | if (!child->exit_state) |
255 | wake_up_process(child); | 257 | wake_up_process(child); |
256 | } | 258 | } |
257 | write_unlock_irq(&tasklist_lock); | 259 | write_unlock_irq(&tasklist_lock); |
258 | 260 | ||
261 | if (unlikely(dead)) | ||
262 | release_task(child); | ||
263 | |||
259 | return 0; | 264 | return 0; |
260 | } | 265 | } |
261 | 266 | ||