From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1754129AbbJSTwo (ORCPT <rfc822;w@1wt.eu>);
	Mon, 19 Oct 2015 15:52:44 -0400
Received: from mx1.redhat.com ([209.132.183.28]:55584 "EHLO mx1.redhat.com"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1751358AbbJSTwn (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
	Mon, 19 Oct 2015 15:52:43 -0400
Date: Mon, 19 Oct 2015 21:49:11 +0200
From: Oleg Nesterov <oleg@redhat.com>
To: Dmitry Vyukov <dvyukov@google.com>
Cc: LKML <linux-kernel@vger.kernel.org>, roland@hack.frob.com,
        syzkaller@googlegroups.com, Kostya Serebryany <kcc@google.com>,
        Alexander Potapenko <glider@google.com>,
        Robert Swiecki <swiecki@google.com>, Kees Cook <keescook@google.com>,
        Julien Tinnes <jln@google.com>, Eric Dumazet <edumazet@google.com>
Subject: Re: Unkillable processes due to PTRACE_TRACEME
Message-ID: <20151019194911.GA20063@redhat.com>
References: <CACT4Y+Zu9uvt5z_LRAQaPTo+nwfodwBbjkeTRHoxGKRCPqpx5Q@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CACT4Y+Zu9uvt5z_LRAQaPTo+nwfodwBbjkeTRHoxGKRCPqpx5Q@mail.gmail.com>
User-Agent: Mutt/1.5.18 (2008-05-17)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 10/19, Dmitry Vyukov wrote:
>
> The following program hangs in some interesting state and is not
> killable (started by a normal user, not root):

Thanks.

> #include <pthread.h>
> #include <unistd.h>
> #include <sys/ptrace.h>
> #include <stdio.h>
> #include <signal.h>
>
> void *thr(void *arg) {
>         ptrace(PTRACE_TRACEME, 0, 0, 0);
>         sleep(3);
>         kill(getpid(), SIGCHLD);
>         return 0;
> }
>
> int main() {
>         if (fork() == 0) {
>                 sleep(1);
>                 pthread_t th;
>                 pthread_create(&th, 0, thr, 0);
>                 sleep(1);
>         }
>         return 0;
> }
>
>
> The child process attaches as tracee to init process

Yes, although in a racy manner, the parent can exit after
PTRACE_TRACEME in this case the kernel will untrace the task
before reparenting. Not that this matters.

> and then hangs in
> a state that I don't understand. When I did a similar thing but
> attached it to a normal parent process (shell), I still was able to
> get rid of it by killing parent (shell).

See above.

So I bet the problem is that your /sbin/init doesn't use __WALL,
so wait() doesn't reap the traced zombie sub-thread, and thus it
can't release the non-empty thread group.

Could you please verify? Just do "strace -p1" and send SIGCHLD to
init.

perhaps eligible_child() should assume WALL if ptrace && ZOMBIE...

Oleg.