diff options
| author | Oleg Nesterov <oleg@redhat.com> | 2015-04-16 15:47:29 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2015-04-17 09:04:06 -0400 |
| commit | b72c186999e689cb0b055ab1c7b3cd8fffbeb5ed (patch) | |
| tree | 600e5933e22b67cbd0d8b58ee02950ff66a62c9d /kernel | |
| parent | 8de560def7426a770ce8f967b3c3534bc9a2f683 (diff) | |
ptrace: fix race between ptrace_resume() and wait_task_stopped()
ptrace_resume() is called when the tracee is still __TASK_TRACED. We set
tracee->exit_code and then wake_up_state() changes tracee->state. If the
tracer's sub-thread does wait() in between, task_stopped_code(ptrace => T)
wrongly looks like another report from tracee.
This confuses debugger, and since wait_task_stopped() clears ->exit_code
the tracee can miss a signal.
Test-case:
#include <stdio.h>
#include <unistd.h>
#include <sys/wait.h>
#include <sys/ptrace.h>
#include <pthread.h>
#include <assert.h>
int pid;
void *waiter(void *arg)
{
int stat;
for (;;) {
assert(pid == wait(&stat));
assert(WIFSTOPPED(stat));
if (WSTOPSIG(stat) == SIGHUP)
continue;
assert(WSTOPSIG(stat) == SIGCONT);
printf("ERR! extra/wrong report:%x\n", stat);
}
}
int main(void)
{
pthread_t thread;
pid = fork();
if (!pid) {
assert(ptrace(PTRACE_TRACEME, 0,0,0) == 0);
for (;;)
kill(getpid(), SIGHUP);
}
assert(pthread_create(&thread, NULL, waiter, NULL) == 0);
for (;;)
ptrace(PTRACE_CONT, pid, 0, SIGCONT);
return 0;
}
Note for stable: the bug is very old, but without 9899d11f6544 "ptrace:
ensure arch_ptrace/ptrace_request can never race with SIGKILL" the fix
should use lock_task_sighand(child).
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Reported-by: Pavel Labath <labath@google.com>
Tested-by: Pavel Labath <labath@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'kernel')
| -rw-r--r-- | kernel/ptrace.c | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/kernel/ptrace.c b/kernel/ptrace.c index 227fec36b12a..9a34bd80a745 100644 --- a/kernel/ptrace.c +++ b/kernel/ptrace.c | |||
| @@ -697,6 +697,8 @@ static int ptrace_peek_siginfo(struct task_struct *child, | |||
| 697 | static int ptrace_resume(struct task_struct *child, long request, | 697 | static int ptrace_resume(struct task_struct *child, long request, |
| 698 | unsigned long data) | 698 | unsigned long data) |
| 699 | { | 699 | { |
| 700 | bool need_siglock; | ||
| 701 | |||
| 700 | if (!valid_signal(data)) | 702 | if (!valid_signal(data)) |
| 701 | return -EIO; | 703 | return -EIO; |
| 702 | 704 | ||
| @@ -724,8 +726,26 @@ static int ptrace_resume(struct task_struct *child, long request, | |||
| 724 | user_disable_single_step(child); | 726 | user_disable_single_step(child); |
| 725 | } | 727 | } |
| 726 | 728 | ||
| 729 | /* | ||
| 730 | * Change ->exit_code and ->state under siglock to avoid the race | ||
| 731 | * with wait_task_stopped() in between; a non-zero ->exit_code will | ||
| 732 | * wrongly look like another report from tracee. | ||
| 733 | * | ||
| 734 | * Note that we need siglock even if ->exit_code == data and/or this | ||
| 735 | * status was not reported yet, the new status must not be cleared by | ||
| 736 | * wait_task_stopped() after resume. | ||
| 737 | * | ||
| 738 | * If data == 0 we do not care if wait_task_stopped() reports the old | ||
| 739 | * status and clears the code too; this can't race with the tracee, it | ||
| 740 | * takes siglock after resume. | ||
| 741 | */ | ||
| 742 | need_siglock = data && !thread_group_empty(current); | ||
| 743 | if (need_siglock) | ||
| 744 | spin_lock_irq(&child->sighand->siglock); | ||
| 727 | child->exit_code = data; | 745 | child->exit_code = data; |
| 728 | wake_up_state(child, __TASK_TRACED); | 746 | wake_up_state(child, __TASK_TRACED); |
| 747 | if (need_siglock) | ||
| 748 | spin_unlock_irq(&child->sighand->siglock); | ||
| 729 | 749 | ||
| 730 | return 0; | 750 | return 0; |
| 731 | } | 751 | } |