The patch titled ptrace: fix possible zombie leak on PTRACE_DETACH has been added to the -mm tree. Its filename is ptrace-fix-possible-zombie-leak-on-ptrace_detach.patch Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/SubmitChecklist when testing your code *** See http://userweb.kernel.org/~akpm/stuff/added-to-mm.txt to find out what to do about this The current -mm tree may be found at http://userweb.kernel.org/~akpm/mmotm/ ------------------------------------------------------ Subject: ptrace: fix possible zombie leak on PTRACE_DETACH From: Oleg Nesterov <oleg@xxxxxxxxxx> When ptrace_detach() takes tasklist, the tracee can be SIGKILL'ed. If it has already passed exit_notify() we can leak a zombie, because a) ptracing disables the auto-reaping logic, and b) ->real_parent was not notified about the child's death. ptrace_detach() should follow the ptrace_exit's logic, change the code accordingly. Signed-off-by: Oleg Nesterov <oleg@xxxxxxxxxx> Cc: Jerome Marchand <jmarchan@xxxxxxxxxx> Cc: Roland McGrath <roland@xxxxxxxxxx> Cc: Denys Vlasenko <dvlasenk@xxxxxxxxxx> Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> --- include/linux/ptrace.h | 1 + kernel/ptrace.c | 9 +++++++-- 2 files changed, 8 insertions(+), 2 deletions(-) diff -puN include/linux/ptrace.h~ptrace-fix-possible-zombie-leak-on-ptrace_detach include/linux/ptrace.h --- a/include/linux/ptrace.h~ptrace-fix-possible-zombie-leak-on-ptrace_detach +++ a/include/linux/ptrace.h @@ -94,6 +94,7 @@ extern void ptrace_notify(int exit_code) extern void __ptrace_link(struct task_struct *child, struct task_struct *new_parent); extern void __ptrace_unlink(struct task_struct *child); +extern int __ptrace_detach(struct task_struct *tracer, struct task_struct *p); extern void ptrace_fork(struct task_struct *task, unsigned long clone_flags); #define PTRACE_MODE_READ 1 #define PTRACE_MODE_ATTACH 2 diff -puN kernel/ptrace.c~ptrace-fix-possible-zombie-leak-on-ptrace_detach kernel/ptrace.c --- a/kernel/ptrace.c~ptrace-fix-possible-zombie-leak-on-ptrace_detach +++ a/kernel/ptrace.c @@ -237,6 +237,8 @@ out: int ptrace_detach(struct task_struct *child, unsigned int data) { + int dead = 0; + if (!valid_signal(data)) return -EIO; @@ -244,18 +246,21 @@ int ptrace_detach(struct task_struct *ch ptrace_disable(child); clear_tsk_thread_flag(child, TIF_SYSCALL_TRACE); - /* protect against de_thread()->release_task() */ write_lock_irq(&tasklist_lock); + /* protect against de_thread()->release_task() */ if (child->ptrace) { child->exit_code = data; - __ptrace_unlink(child); + dead = __ptrace_detach(current, child); if (!child->exit_state) wake_up_process(child); } write_unlock_irq(&tasklist_lock); + if (unlikely(dead)) + release_task(child); + return 0; } _ Patches currently in -mm which might be from oleg@xxxxxxxxxx are linux-next.patch wait-prevent-exclusive-waiter-starvation.patch pipe_rdwr_fasync-fix-the-error-handling-to-prevent-the-leak-crash.patch get_mm_hiwater_xxx-trivial-s-define-inline.patch getrusage-fill-ru_maxrss-value.patch ptrace-kill-__ptrace_detach-fix-exit_state-check.patch ptrace-simplify-ptrace_exit-ignoring_children-path.patch ptrace-reintroduce-__ptrace_detach-as-a-callee-of-ptrace_exit.patch ptrace-fix-possible-zombie-leak-on-ptrace_detach.patch kthread-dont-looking-for-a-task-in-create_kthread-2.patch pids-document-task_pgrp-task_session-is-not-safe-without-tasklist-rcu.patch pids-document-task_pgrp-task_session-is-not-safe-without-tasklist-rcu-fix.patch pids-improve-get_task_pid-to-fix-the-unsafe-sys_wait4-task_pgrp.patch pids-refactor-vnr-nr_ns-helpers-to-make-them-safe.patch pids-kill-now-unused-signal_struct-__pgrp-__session-and-friends.patch -- To unsubscribe from this list: send the line "unsubscribe mm-commits" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html