From: Oleg Nesterov <oleg@redhat.com>
To: Markus Metzger <markus.t.metzger@intel.com>
Cc: linux-kernel@vger.kernel.org, mingo@elte.hu, tglx@linutronix.de,
hpa@zytor.com, markus.t.metzger@gmail.com, roland@redhat.com,
eranian@googlemail.com, juan.villacis@intel.com
Subject: Re: [patch] x86, ptrace: fix double-free on race
Date: Wed, 11 Feb 2009 23:08:21 +0100 [thread overview]
Message-ID: <20090211220821.GA17637@redhat.com> (raw)
In-Reply-To: <20090211151027.A16643@sedona.ch.intel.com>
On 02/11, Markus Metzger wrote:
>
> Ptrace_detach() races with __ptrace_unlink() if the traced task is
> reaped while detaching. This might cause a double-free of the BTS
> buffer.
>
> Change the ptrace_detach() path to only do the memory accounting in
> ptrace_bts_detach() and leave the buffer free to ptrace_bts_untrace()
> which will be called from __ptrace_unlink().
Thanks Markus, I think this should close the "really bad" problems
for 2.6.29.
Off-topic. This is subjective, so please feel to ignore, but personally
I dislike the usage of ptrace_fork() in copy_process(). And ptrace_fork()
itself.
To me, this has nothing to do with ptrace at all. copy_process() or
dup_task_struct() just must clear/tweak some fields after memcpy().
Perhaps it is better to kill all these ptrace_fork/arch_ptrace_fork/
x86_ptrace_fork/ptrace_bts_fork helpers, and make a single function
static inline void arch_bts_init(struct task_struct *p)
{
#ifdef CONFIG_X86_PTRACE_BTS
if (unlikely(p->bts)) {
p->bts = NULL;
p->bts_buffer = NULL;
p->bts_size = 0;
p->thread.bts_ovfl_signal = 0;
}
#endif /* CONFIG_X86_PTRACE_BTS */
}
which is called by arch_dup_task_struct(). The "if (ptrace)" check
in copy_process() is just wrong imho, even if it is currently correct.
Let's suppose we add, say, bts_spinlock to the fields above. In that
case we must initialize it even if the forking task is not ptraced.
Of course, in any case this is not 2.6.29 material.
Btw, just curious, bts_ovfl_signal is not used, except the user can
set/get it via PTRACE_BTS_CONFIG/PTRACE_BTS_STATUS ?
Oleg.
next prev parent reply other threads:[~2009-02-11 22:11 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-02-11 14:10 [patch] x86, ptrace: fix double-free on race Markus Metzger
2009-02-11 14:45 ` Ingo Molnar
2009-02-11 22:08 ` Oleg Nesterov [this message]
2009-02-12 9:15 ` Metzger, Markus T
2009-02-13 9:58 ` Oleg Nesterov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20090211220821.GA17637@redhat.com \
--to=oleg@redhat.com \
--cc=eranian@googlemail.com \
--cc=hpa@zytor.com \
--cc=juan.villacis@intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=markus.t.metzger@gmail.com \
--cc=markus.t.metzger@intel.com \
--cc=mingo@elte.hu \
--cc=roland@redhat.com \
--cc=tglx@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox