[PATCH] ptrace: prefer live sibling mm over user_dumpable when task->mm is NULL

[Hyunwoo Kim <imv4bel@gmail.com>]

task_still_dumpable() reads task->user_dumpable when task->mm is NULL.
That cache is written exactly once in exit_mm(): a single
get_dumpable(mm) load taken just before task->mm is cleared.

The load is not ordered against set_dumpable() writes performed by
CLONE_VM siblings, either via commit_creds() (any uid/gid/fsuid/fsgid
or capability transition) or via prctl(PR_SET_DUMPABLE). If a sibling
stores SUID_DUMP_DISABLE after the exiting thread observed
SUID_DUMP_USER, the live shared mm and the cached value diverge with
no later refresh, so task_still_dumpable() keeps returning the stale
SUID_DUMP_USER answer for the exiting task.

In the task->mm == NULL branch, walk the thread group under
rcu_read_lock and spin_trylock(&t->alloc_lock); use the first sibling
that still holds the shared mm and read its current get_dumpable().
Pin the mm's user_ns with get_user_ns() so it can outlive the
locked region (the actual ptrace_has_cap() may sleep). Keep
task->user_dumpable only as the fallback when no live sibling mm is
observable: a single-threaded exit, a PF_KTHREAD, or all siblings
simultaneously contended on alloc_lock.

Fixes: 31e62c2ebbfd ("ptrace: slightly saner 'get_dumpable()' logic")
Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
---
 kernel/ptrace.c | 44 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)

diff --git a/kernel/ptrace.c b/kernel/ptrace.c
index 130043bfc209..2b2d8402b9ee 100644
--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -272,15 +272,59 @@ static bool ptrace_has_cap(struct user_namespace *ns, unsigned int mode)
 	return ns_capable(ns, CAP_SYS_PTRACE);
 }
 
+static bool task_sibling_mm_dumpable(struct task_struct *task,
+				     unsigned int mode, bool *result)
+{
+	struct task_struct *t;
+	bool found = false;
+
+	rcu_read_lock();
+	for_each_thread(task, t) {
+		struct mm_struct *sib_mm;
+		struct user_namespace *sib_uns;
+		int sib_dumpable;
+
+		if (t == task)
+			continue;
+		if (!spin_trylock(&t->alloc_lock))
+			continue;
+		sib_mm = t->mm;
+		if (!sib_mm) {
+			spin_unlock(&t->alloc_lock);
+			continue;
+		}
+		sib_dumpable = get_dumpable(sib_mm);
+		sib_uns = get_user_ns(sib_mm->user_ns);
+		spin_unlock(&t->alloc_lock);
+
+		if (sib_dumpable == SUID_DUMP_USER)
+			*result = true;
+		else
+			*result = ptrace_has_cap(sib_uns, mode);
+		put_user_ns(sib_uns);
+		found = true;
+		break;
+	}
+	rcu_read_unlock();
+	return found;
+}
+
 static bool task_still_dumpable(struct task_struct *task, unsigned int mode)
 {
 	struct mm_struct *mm = task->mm;
+	bool sib_result;
+
 	if (mm) {
 		if (get_dumpable(mm) == SUID_DUMP_USER)
 			return true;
 		return ptrace_has_cap(mm->user_ns, mode);
 	}
 
+	/* user_dumpable can be stale; prefer a live sibling mm if any. */
+	if (!(task->flags & PF_KTHREAD) &&
+	    task_sibling_mm_dumpable(task, mode, &sib_result))
+		return sib_result;
+
 	if (task->user_dumpable)
 		return true;
 	return ptrace_has_cap(&init_user_ns, mode);
-- 
2.43.0