Re: [PATCH 2/4] ptrace: ensure arch_ptrace/ptrace_request can never race with SIGKILL

[Oleg Nesterov <oleg@redhat.com>]

On 01/20, Linus Torvalds wrote:
>
> On Sun, Jan 20, 2013 at 11:25 AM, Oleg Nesterov <oleg@redhat.com> wrote:
> > +
> > +static void ptrace_unfreeze_traced(struct task_struct *task)
> > +{
> > +       if (task->state != __TASK_TRACED)
> > +               return;
> > +
> > +       if (WARN_ON(!task->ptrace || task->parent != current))
> > +               return;
>
> This WARN_ON() is bogus.
>
> Because you added the warning, you then need to make the callers check
> for the whole PTRACE_UNATTACH.
>
> So I think you should just remove the WARN_ON(), and then just call
> ptrace_unfreeze_traced() unconditionally after you've successfully
> done a ptrace_check_attach(). Just to keep the code simpler.

This is what initial patch did. But, assuming that ptrace_unfreeze_traced()
is called unconditionally, we need a locking or barriers, otherwise

	// another debugger attached after we did PTRACE_DETACH ?
	if (!task->ptrace || task->parent != current)
		return;

is racy. Suppose we trace the natural child, then do PTRACE_DETACH,
then another tracer comes. We can see ->ptrace and __TASK_TRACED,
but see the old task->parent == current.

Of course, this is only theoretical, and probably we can add a barrier
before this check, but I am not sure this will make the code simpler.
If nothing else, this needs a comment.

If PTRACE_DETACH doesn't do _unfreeze_, we know that the task is either
traced by us or it is exiting/exited, so we can always trust the
"state == __TASK_TRACED" check.

So I'd prefer to keep this code, but I won't insist if you still disagree.

> Also, in your corrected version, you had
>
> +               if (!wait_task_inactive(child, __TASK_TRACED)) {
> +                       /* This can only happen if may_ptrace_stop() fails */
> +                       WARN_ON(child->state == __TASK_TRACED);
> +                       ret = -ESRCH;
>
> where I actually think that the comment is not really helpful. It
> doesn't really explain what he child can do to get to ptrace_stop() in
> the first place, and what that does to the child state...

OK. Agreed. This comment reflects the fact that the first version removed
may_ptrace_stop() to ensure wait_task_inactive() can't fail.

I'll update the comment and resend.

Oleg.