From: Fengguang Wu <fengguang.wu@intel.com>
To: Kees Cook <keescook@chromium.org>
Cc: LKML <linux-kernel@vger.kernel.org>, Oleg Nesterov <oleg@redhat.com>
Subject: Re: yama_ptrace_access_check(): possible recursive locking detected
Date: Fri, 10 Aug 2012 09:52:22 +0800 [thread overview]
Message-ID: <20120810015222.GA19286@localhost> (raw)
In-Reply-To: <CAGXu5j+xjud3w4cYXADM-KvFPvnkaKp49j5x-wdZ66wUJjkX0g@mail.gmail.com>
On Thu, Aug 09, 2012 at 06:39:34PM -0700, Kees Cook wrote:
> Hi,
>
> So, after taking a closer look at this, I cannot understand how it's
> possible. Yama's task_lock call is against "current", not "child",
> which is what ptrace_may_access() is locking. And the same code makes
> sure that current != child. Yama would never get called if current ==
> child.
>
> How did you reproduce this situation?
This warning can be triggered with Dave Jones' trinity tool:
git://git.codemonkey.org.uk/trinity
That's a very dangerous tool, please only run it as normal user in a
backed up and chrooted test box. I personally run it inside an initrd.
If you are interested in reproducing this, I can send you the ready
made initrd in private email.
Thanks,
Fengguang
> On Thu, Jul 26, 2012 at 6:47 AM, Fengguang Wu <fengguang.wu@intel.com> wrote:
> > Hi Kees,
> >
> > Here is a recursive lock possibility:
> >
> > ptrace_may_access()
> > => task_lock(task);
> > yama_ptrace_access_check()
> > get_task_comm()
> > => task_lock(task);
> >
> > [ 60.230444] =============================================
> > [ 60.232078] [ INFO: possible recursive locking detected ]
> > [ 60.232078] 3.5.0+ #281 Not tainted
> > [ 60.232078] ---------------------------------------------
> > [ 60.232078] trinity-child0/17019 is trying to acquire lock:
> > [ 60.232078] (&(&p->alloc_lock)->rlock){+.+...}, at: [<c1176ffa>] get_task_comm+0x4a/0xf0
> > [ 60.232078]
> > [ 60.232078] but task is already holding lock:
> > [ 60.232078] (&(&p->alloc_lock)->rlock){+.+...}, at: [<c10653fa>] ptrace_may_access+0x4a/0xf0
> > [ 60.232078]
> > [ 60.232078] other info that might help us debug this:
> > [ 60.232078] Possible unsafe locking scenario:
> > [ 60.232078]
> > [ 60.232078] CPU0
> > [ 60.232078] ----
> > [ 60.232078] lock(&(&p->alloc_lock)->rlock);
> > [ 60.232078] lock(&(&p->alloc_lock)->rlock);
> > [ 60.232078]
> > [ 60.232078] *** DEADLOCK ***
> > [ 60.232078]
> > [ 60.232078] May be due to missing lock nesting notation
> > [ 60.232078]
> > [ 60.232078] 3 locks held by trinity-child0/17019:
> > [ 60.232078] #0: (&p->lock){+.+.+.}, at: [<c11a9683>] seq_read+0x33/0x6b0
> > [ 60.232078] #1: (&sig->cred_guard_mutex){+.+.+.}, at: [<c11ff8ae>] lock_trace+0x2e/0xb0
> > [ 60.232078] #2: (&(&p->alloc_lock)->rlock){+.+...}, at: [<c10653fa>] ptrace_may_access+0x4a/0xf0
> > [ 60.232078]
> > [ 60.232078] stack backtrace:
> > [ 60.232078] Pid: 17019, comm: trinity-child0 Not tainted 3.5.0+ #281
> > [ 60.232078] Call Trace:
> > [ 60.232078] [<c10c6238>] __lock_acquire+0x1498/0x14f0
> > [ 60.232078] [<c10be7e7>] ? trace_hardirqs_off+0x27/0x40
> > [ 60.232078] [<c10c6360>] lock_acquire+0xd0/0x110
> > [ 60.232078] [<c1176ffa>] ? get_task_comm+0x4a/0xf0
> > [ 60.232078] [<c1422290>] _raw_spin_lock+0x60/0x110
> > [ 60.232078] [<c1176ffa>] ? get_task_comm+0x4a/0xf0
> > [ 60.232078] [<c1176ffa>] get_task_comm+0x4a/0xf0
> > [ 60.232078] [<c1246798>] yama_ptrace_access_check+0x468/0x4a0
> > [ 60.232078] [<c124648f>] ? yama_ptrace_access_check+0x15f/0x4a0
> > [ 60.232078] [<c124209a>] security_ptrace_access_check+0x1a/0x30
> > [ 60.232078] [<c1065229>] __ptrace_may_access+0x189/0x310
> > [ 60.232078] [<c10650cc>] ? __ptrace_may_access+0x2c/0x310
> > [ 60.232078] [<c106542d>] ptrace_may_access+0x7d/0xf0
> > [ 60.232078] [<c11ff8ea>] lock_trace+0x6a/0xb0
> > [ 60.232078] [<c11ffa46>] proc_pid_stack+0x76/0x170
> > [ 60.232078] [<c1201064>] proc_single_show+0x74/0x100
> > [ 60.232078] [<c11a97b3>] seq_read+0x163/0x6b0
> > [ 60.232078] [<c105bf70>] ? do_setitimer+0x220/0x330
> > [ 60.232078] [<c11a9650>] ? seq_lseek+0x1f0/0x1f0
> > [ 60.232078] [<c116b55a>] vfs_read+0xca/0x280
> > [ 60.232078] [<c11a9650>] ? seq_lseek+0x1f0/0x1f0
> > [ 60.232078] [<c116b776>] sys_read+0x66/0xe0
> > [ 60.232078] [<c1423d9d>] syscall_call+0x7/0xb
> > [ 60.232078] [<c1420000>] ? __schedule+0x2a0/0xc80
> >
> > Thanks,
> > Fengguang
>
>
>
> --
> Kees Cook
> Chrome OS Security
next prev parent reply other threads:[~2012-08-10 1:52 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-07-26 13:47 yama_ptrace_access_check(): possible recursive locking detected Fengguang Wu
2012-07-26 15:41 ` Oleg Nesterov
2012-07-30 17:00 ` Kees Cook
2012-08-10 1:39 ` Kees Cook
2012-08-10 1:52 ` Fengguang Wu [this message]
2012-08-14 21:16 ` Kees Cook
2012-08-15 3:01 ` Fengguang Wu
2012-08-15 5:56 ` Kees Cook
2012-08-15 8:05 ` Peter Zijlstra
2012-08-15 13:01 ` Oleg Nesterov
2012-08-15 14:30 ` Peter Zijlstra
2012-08-15 17:56 ` Oleg Nesterov
2012-08-15 18:09 ` Kees Cook
2012-08-15 18:17 ` Oleg Nesterov
2012-08-15 18:30 ` Kees Cook
2012-08-15 18:44 ` Alan Cox
2012-08-15 18:43 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120810015222.GA19286@localhost \
--to=fengguang.wu@intel.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=oleg@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.