ptrace: do_wait(traced_leader_killed_by_mt_exec) can block forever
Oleg Nesterov [Thu, 21 Jul 2011 18:00:43 +0000 (20:00 +0200)]
Test-case:

void *tfunc(void *arg)
{
execvp("true", NULL);
return NULL;
}

int main(void)
{
int pid;

if (fork()) {
pthread_t t;

kill(getpid(), SIGSTOP);

pthread_create(&t, NULL, tfunc, NULL);

for (;;)
pause();
}

pid = getppid();
assert(ptrace(PTRACE_ATTACH, pid, 0,0) == 0);

while (wait(NULL) > 0)
ptrace(PTRACE_CONT, pid, 0,0);

return 0;
}

It is racy, exit_notify() does __wake_up_parent() too. But in the
likely case it triggers the problem: de_thread() does release_task()
and the old leader goes away without the notification, the tracer
sleeps in do_wait() without children/tracees.

Change de_thread() to do __wake_up_parent(traced_leader->parent).
Since it is already EXIT_DEAD we can do this without ptrace_unlink(),
EXIT_DEAD threads do not exist from do_wait's pov.

Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Acked-by: Tejun Heo <tj@kernel.org>

fs/exec.c

index b08367a..d219541 100644 (file)
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -967,6 +967,14 @@ static int de_thread(struct task_struct *tsk)
 
                BUG_ON(leader->exit_state != EXIT_ZOMBIE);
                leader->exit_state = EXIT_DEAD;
+
+               /*
+                * We are going to release_task()->ptrace_unlink() silently,
+                * the tracer can sleep in do_wait(). EXIT_DEAD guarantees
+                * the tracer wont't block again waiting for this thread.
+                */
+               if (unlikely(leader->ptrace))
+                       __wake_up_parent(leader, leader->parent);
                write_unlock_irq(&tasklist_lock);
 
                release_task(leader);