2019-05-19 20:08:55 +08:00
|
|
|
// SPDX-License-Identifier: GPL-2.0-only
|
2005-04-17 06:20:36 +08:00
|
|
|
/*
|
|
|
|
* linux/kernel/signal.c
|
|
|
|
*
|
|
|
|
* Copyright (C) 1991, 1992 Linus Torvalds
|
|
|
|
*
|
|
|
|
* 1997-11-02 Modified for POSIX.1b signals by Richard Henderson
|
|
|
|
*
|
|
|
|
* 2003-06-02 Jim Houston - Concurrent Computer Corp.
|
|
|
|
* Changes to use preallocated sigqueue structures
|
|
|
|
* to allow signals to be sent reliably.
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include <linux/slab.h>
|
2011-05-24 02:51:41 +08:00
|
|
|
#include <linux/export.h>
|
2005-04-17 06:20:36 +08:00
|
|
|
#include <linux/init.h>
|
2017-02-04 07:16:44 +08:00
|
|
|
#include <linux/sched/mm.h>
|
2017-02-09 01:51:30 +08:00
|
|
|
#include <linux/sched/user.h>
|
2017-02-09 01:51:35 +08:00
|
|
|
#include <linux/sched/debug.h>
|
2017-02-09 01:51:36 +08:00
|
|
|
#include <linux/sched/task.h>
|
2017-02-09 01:51:37 +08:00
|
|
|
#include <linux/sched/task_stack.h>
|
2017-02-05 18:48:36 +08:00
|
|
|
#include <linux/sched/cputime.h>
|
signal: add pidfd_send_signal() syscall
The kill() syscall operates on process identifiers (pid). After a process
has exited its pid can be reused by another process. If a caller sends a
signal to a reused pid it will end up signaling the wrong process. This
issue has often surfaced and there has been a push to address this problem [1].
This patch uses file descriptors (fd) from proc/<pid> as stable handles on
struct pid. Even if a pid is recycled the handle will not change. The fd
can be used to send signals to the process it refers to.
Thus, the new syscall pidfd_send_signal() is introduced to solve this
problem. Instead of pids it operates on process fds (pidfd).
/* prototype and argument /*
long pidfd_send_signal(int pidfd, int sig, siginfo_t *info, unsigned int flags);
/* syscall number 424 */
The syscall number was chosen to be 424 to align with Arnd's rework in his
y2038 to minimize merge conflicts (cf. [25]).
In addition to the pidfd and signal argument it takes an additional
siginfo_t and flags argument. If the siginfo_t argument is NULL then
pidfd_send_signal() is equivalent to kill(<positive-pid>, <signal>). If it
is not NULL pidfd_send_signal() is equivalent to rt_sigqueueinfo().
The flags argument is added to allow for future extensions of this syscall.
It currently needs to be passed as 0. Failing to do so will cause EINVAL.
/* pidfd_send_signal() replaces multiple pid-based syscalls */
The pidfd_send_signal() syscall currently takes on the job of
rt_sigqueueinfo(2) and parts of the functionality of kill(2), Namely, when a
positive pid is passed to kill(2). It will however be possible to also
replace tgkill(2) and rt_tgsigqueueinfo(2) if this syscall is extended.
/* sending signals to threads (tid) and process groups (pgid) */
Specifically, the pidfd_send_signal() syscall does currently not operate on
process groups or threads. This is left for future extensions.
In order to extend the syscall to allow sending signal to threads and
process groups appropriately named flags (e.g. PIDFD_TYPE_PGID, and
PIDFD_TYPE_TID) should be added. This implies that the flags argument will
determine what is signaled and not the file descriptor itself. Put in other
words, grouping in this api is a property of the flags argument not a
property of the file descriptor (cf. [13]). Clarification for this has been
requested by Eric (cf. [19]).
When appropriate extensions through the flags argument are added then
pidfd_send_signal() can additionally replace the part of kill(2) which
operates on process groups as well as the tgkill(2) and
rt_tgsigqueueinfo(2) syscalls.
How such an extension could be implemented has been very roughly sketched
in [14], [15], and [16]. However, this should not be taken as a commitment
to a particular implementation. There might be better ways to do it.
Right now this is intentionally left out to keep this patchset as simple as
possible (cf. [4]).
/* naming */
The syscall had various names throughout iterations of this patchset:
- procfd_signal()
- procfd_send_signal()
- taskfd_send_signal()
In the last round of reviews it was pointed out that given that if the
flags argument decides the scope of the signal instead of different types
of fds it might make sense to either settle for "procfd_" or "pidfd_" as
prefix. The community was willing to accept either (cf. [17] and [18]).
Given that one developer expressed strong preference for the "pidfd_"
prefix (cf. [13]) and with other developers less opinionated about the name
we should settle for "pidfd_" to avoid further bikeshedding.
The "_send_signal" suffix was chosen to reflect the fact that the syscall
takes on the job of multiple syscalls. It is therefore intentional that the
name is not reminiscent of neither kill(2) nor rt_sigqueueinfo(2). Not the
fomer because it might imply that pidfd_send_signal() is a replacement for
kill(2), and not the latter because it is a hassle to remember the correct
spelling - especially for non-native speakers - and because it is not
descriptive enough of what the syscall actually does. The name
"pidfd_send_signal" makes it very clear that its job is to send signals.
/* zombies */
Zombies can be signaled just as any other process. No special error will be
reported since a zombie state is an unreliable state (cf. [3]). However,
this can be added as an extension through the @flags argument if the need
ever arises.
/* cross-namespace signals */
The patch currently enforces that the signaler and signalee either are in
the same pid namespace or that the signaler's pid namespace is an ancestor
of the signalee's pid namespace. This is done for the sake of simplicity
and because it is unclear to what values certain members of struct
siginfo_t would need to be set to (cf. [5], [6]).
/* compat syscalls */
It became clear that we would like to avoid adding compat syscalls
(cf. [7]). The compat syscall handling is now done in kernel/signal.c
itself by adding __copy_siginfo_from_user_generic() which lets us avoid
compat syscalls (cf. [8]). It should be noted that the addition of
__copy_siginfo_from_user_any() is caused by a bug in the original
implementation of rt_sigqueueinfo(2) (cf. 12).
With upcoming rework for syscall handling things might improve
significantly (cf. [11]) and __copy_siginfo_from_user_any() will not gain
any additional callers.
/* testing */
This patch was tested on x64 and x86.
/* userspace usage */
An asciinema recording for the basic functionality can be found under [9].
With this patch a process can be killed via:
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>
static inline int do_pidfd_send_signal(int pidfd, int sig, siginfo_t *info,
unsigned int flags)
{
#ifdef __NR_pidfd_send_signal
return syscall(__NR_pidfd_send_signal, pidfd, sig, info, flags);
#else
return -ENOSYS;
#endif
}
int main(int argc, char *argv[])
{
int fd, ret, saved_errno, sig;
if (argc < 3)
exit(EXIT_FAILURE);
fd = open(argv[1], O_DIRECTORY | O_CLOEXEC);
if (fd < 0) {
printf("%s - Failed to open \"%s\"\n", strerror(errno), argv[1]);
exit(EXIT_FAILURE);
}
sig = atoi(argv[2]);
printf("Sending signal %d to process %s\n", sig, argv[1]);
ret = do_pidfd_send_signal(fd, sig, NULL, 0);
saved_errno = errno;
close(fd);
errno = saved_errno;
if (ret < 0) {
printf("%s - Failed to send signal %d to process %s\n",
strerror(errno), sig, argv[1]);
exit(EXIT_FAILURE);
}
exit(EXIT_SUCCESS);
}
/* Q&A
* Given that it seems the same questions get asked again by people who are
* late to the party it makes sense to add a Q&A section to the commit
* message so it's hopefully easier to avoid duplicate threads.
*
* For the sake of progress please consider these arguments settled unless
* there is a new point that desperately needs to be addressed. Please make
* sure to check the links to the threads in this commit message whether
* this has not already been covered.
*/
Q-01: (Florian Weimer [20], Andrew Morton [21])
What happens when the target process has exited?
A-01: Sending the signal will fail with ESRCH (cf. [22]).
Q-02: (Andrew Morton [21])
Is the task_struct pinned by the fd?
A-02: No. A reference to struct pid is kept. struct pid - as far as I
understand - was created exactly for the reason to not require to
pin struct task_struct (cf. [22]).
Q-03: (Andrew Morton [21])
Does the entire procfs directory remain visible? Just one entry
within it?
A-03: The same thing that happens right now when you hold a file descriptor
to /proc/<pid> open (cf. [22]).
Q-04: (Andrew Morton [21])
Does the pid remain reserved?
A-04: No. This patchset guarantees a stable handle not that pids are not
recycled (cf. [22]).
Q-05: (Andrew Morton [21])
Do attempts to signal that fd return errors?
A-05: See {Q,A}-01.
Q-06: (Andrew Morton [22])
Is there a cleaner way of obtaining the fd? Another syscall perhaps.
A-06: Userspace can already trivially retrieve file descriptors from procfs
so this is something that we will need to support anyway. Hence,
there's no immediate need to add another syscalls just to make
pidfd_send_signal() not dependent on the presence of procfs. However,
adding a syscalls to get such file descriptors is planned for a
future patchset (cf. [22]).
Q-07: (Andrew Morton [21] and others)
This fd-for-a-process sounds like a handy thing and people may well
think up other uses for it in the future, probably unrelated to
signals. Are the code and the interface designed to permit such
future applications?
A-07: Yes (cf. [22]).
Q-08: (Andrew Morton [21] and others)
Now I think about it, why a new syscall? This thing is looking
rather like an ioctl?
A-08: This has been extensively discussed. It was agreed that a syscall is
preferred for a variety or reasons. Here are just a few taken from
prior threads. Syscalls are safer than ioctl()s especially when
signaling to fds. Processes are a core kernel concept so a syscall
seems more appropriate. The layout of the syscall with its four
arguments would require the addition of a custom struct for the
ioctl() thereby causing at least the same amount or even more
complexity for userspace than a simple syscall. The new syscall will
replace multiple other pid-based syscalls (see description above).
The file-descriptors-for-processes concept introduced with this
syscall will be extended with other syscalls in the future. See also
[22], [23] and various other threads already linked in here.
Q-09: (Florian Weimer [24])
What happens if you use the new interface with an O_PATH descriptor?
A-09:
pidfds opened as O_PATH fds cannot be used to send signals to a
process (cf. [2]). Signaling processes through pidfds is the
equivalent of writing to a file. Thus, this is not an operation that
operates "purely at the file descriptor level" as required by the
open(2) manpage. See also [4].
/* References */
[1]: https://lore.kernel.org/lkml/20181029221037.87724-1-dancol@google.com/
[2]: https://lore.kernel.org/lkml/874lbtjvtd.fsf@oldenburg2.str.redhat.com/
[3]: https://lore.kernel.org/lkml/20181204132604.aspfupwjgjx6fhva@brauner.io/
[4]: https://lore.kernel.org/lkml/20181203180224.fkvw4kajtbvru2ku@brauner.io/
[5]: https://lore.kernel.org/lkml/20181121213946.GA10795@mail.hallyn.com/
[6]: https://lore.kernel.org/lkml/20181120103111.etlqp7zop34v6nv4@brauner.io/
[7]: https://lore.kernel.org/lkml/36323361-90BD-41AF-AB5B-EE0D7BA02C21@amacapital.net/
[8]: https://lore.kernel.org/lkml/87tvjxp8pc.fsf@xmission.com/
[9]: https://asciinema.org/a/IQjuCHew6bnq1cr78yuMv16cy
[11]: https://lore.kernel.org/lkml/F53D6D38-3521-4C20-9034-5AF447DF62FF@amacapital.net/
[12]: https://lore.kernel.org/lkml/87zhtjn8ck.fsf@xmission.com/
[13]: https://lore.kernel.org/lkml/871s6u9z6u.fsf@xmission.com/
[14]: https://lore.kernel.org/lkml/20181206231742.xxi4ghn24z4h2qki@brauner.io/
[15]: https://lore.kernel.org/lkml/20181207003124.GA11160@mail.hallyn.com/
[16]: https://lore.kernel.org/lkml/20181207015423.4miorx43l3qhppfz@brauner.io/
[17]: https://lore.kernel.org/lkml/CAGXu5jL8PciZAXvOvCeCU3wKUEB_dU-O3q0tDw4uB_ojMvDEew@mail.gmail.com/
[18]: https://lore.kernel.org/lkml/20181206222746.GB9224@mail.hallyn.com/
[19]: https://lore.kernel.org/lkml/20181208054059.19813-1-christian@brauner.io/
[20]: https://lore.kernel.org/lkml/8736rebl9s.fsf@oldenburg.str.redhat.com/
[21]: https://lore.kernel.org/lkml/20181228152012.dbf0508c2508138efc5f2bbe@linux-foundation.org/
[22]: https://lore.kernel.org/lkml/20181228233725.722tdfgijxcssg76@brauner.io/
[23]: https://lwn.net/Articles/773459/
[24]: https://lore.kernel.org/lkml/8736rebl9s.fsf@oldenburg.str.redhat.com/
[25]: https://lore.kernel.org/lkml/CAK8P3a0ej9NcJM8wXNPbcGUyOUZYX+VLoDFdbenW3s3114oQZw@mail.gmail.com/
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Jann Horn <jannh@google.com>
Cc: Andy Lutomirsky <luto@kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Florian Weimer <fweimer@redhat.com>
Signed-off-by: Christian Brauner <christian@brauner.io>
Reviewed-by: Tycho Andersen <tycho@tycho.ws>
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: David Howells <dhowells@redhat.com>
Acked-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Serge Hallyn <serge@hallyn.com>
Acked-by: Aleksa Sarai <cyphar@cyphar.com>
2018-11-19 07:51:56 +08:00
|
|
|
#include <linux/file.h>
|
2005-04-17 06:20:36 +08:00
|
|
|
#include <linux/fs.h>
|
signal: add pidfd_send_signal() syscall
The kill() syscall operates on process identifiers (pid). After a process
has exited its pid can be reused by another process. If a caller sends a
signal to a reused pid it will end up signaling the wrong process. This
issue has often surfaced and there has been a push to address this problem [1].
This patch uses file descriptors (fd) from proc/<pid> as stable handles on
struct pid. Even if a pid is recycled the handle will not change. The fd
can be used to send signals to the process it refers to.
Thus, the new syscall pidfd_send_signal() is introduced to solve this
problem. Instead of pids it operates on process fds (pidfd).
/* prototype and argument /*
long pidfd_send_signal(int pidfd, int sig, siginfo_t *info, unsigned int flags);
/* syscall number 424 */
The syscall number was chosen to be 424 to align with Arnd's rework in his
y2038 to minimize merge conflicts (cf. [25]).
In addition to the pidfd and signal argument it takes an additional
siginfo_t and flags argument. If the siginfo_t argument is NULL then
pidfd_send_signal() is equivalent to kill(<positive-pid>, <signal>). If it
is not NULL pidfd_send_signal() is equivalent to rt_sigqueueinfo().
The flags argument is added to allow for future extensions of this syscall.
It currently needs to be passed as 0. Failing to do so will cause EINVAL.
/* pidfd_send_signal() replaces multiple pid-based syscalls */
The pidfd_send_signal() syscall currently takes on the job of
rt_sigqueueinfo(2) and parts of the functionality of kill(2), Namely, when a
positive pid is passed to kill(2). It will however be possible to also
replace tgkill(2) and rt_tgsigqueueinfo(2) if this syscall is extended.
/* sending signals to threads (tid) and process groups (pgid) */
Specifically, the pidfd_send_signal() syscall does currently not operate on
process groups or threads. This is left for future extensions.
In order to extend the syscall to allow sending signal to threads and
process groups appropriately named flags (e.g. PIDFD_TYPE_PGID, and
PIDFD_TYPE_TID) should be added. This implies that the flags argument will
determine what is signaled and not the file descriptor itself. Put in other
words, grouping in this api is a property of the flags argument not a
property of the file descriptor (cf. [13]). Clarification for this has been
requested by Eric (cf. [19]).
When appropriate extensions through the flags argument are added then
pidfd_send_signal() can additionally replace the part of kill(2) which
operates on process groups as well as the tgkill(2) and
rt_tgsigqueueinfo(2) syscalls.
How such an extension could be implemented has been very roughly sketched
in [14], [15], and [16]. However, this should not be taken as a commitment
to a particular implementation. There might be better ways to do it.
Right now this is intentionally left out to keep this patchset as simple as
possible (cf. [4]).
/* naming */
The syscall had various names throughout iterations of this patchset:
- procfd_signal()
- procfd_send_signal()
- taskfd_send_signal()
In the last round of reviews it was pointed out that given that if the
flags argument decides the scope of the signal instead of different types
of fds it might make sense to either settle for "procfd_" or "pidfd_" as
prefix. The community was willing to accept either (cf. [17] and [18]).
Given that one developer expressed strong preference for the "pidfd_"
prefix (cf. [13]) and with other developers less opinionated about the name
we should settle for "pidfd_" to avoid further bikeshedding.
The "_send_signal" suffix was chosen to reflect the fact that the syscall
takes on the job of multiple syscalls. It is therefore intentional that the
name is not reminiscent of neither kill(2) nor rt_sigqueueinfo(2). Not the
fomer because it might imply that pidfd_send_signal() is a replacement for
kill(2), and not the latter because it is a hassle to remember the correct
spelling - especially for non-native speakers - and because it is not
descriptive enough of what the syscall actually does. The name
"pidfd_send_signal" makes it very clear that its job is to send signals.
/* zombies */
Zombies can be signaled just as any other process. No special error will be
reported since a zombie state is an unreliable state (cf. [3]). However,
this can be added as an extension through the @flags argument if the need
ever arises.
/* cross-namespace signals */
The patch currently enforces that the signaler and signalee either are in
the same pid namespace or that the signaler's pid namespace is an ancestor
of the signalee's pid namespace. This is done for the sake of simplicity
and because it is unclear to what values certain members of struct
siginfo_t would need to be set to (cf. [5], [6]).
/* compat syscalls */
It became clear that we would like to avoid adding compat syscalls
(cf. [7]). The compat syscall handling is now done in kernel/signal.c
itself by adding __copy_siginfo_from_user_generic() which lets us avoid
compat syscalls (cf. [8]). It should be noted that the addition of
__copy_siginfo_from_user_any() is caused by a bug in the original
implementation of rt_sigqueueinfo(2) (cf. 12).
With upcoming rework for syscall handling things might improve
significantly (cf. [11]) and __copy_siginfo_from_user_any() will not gain
any additional callers.
/* testing */
This patch was tested on x64 and x86.
/* userspace usage */
An asciinema recording for the basic functionality can be found under [9].
With this patch a process can be killed via:
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>
static inline int do_pidfd_send_signal(int pidfd, int sig, siginfo_t *info,
unsigned int flags)
{
#ifdef __NR_pidfd_send_signal
return syscall(__NR_pidfd_send_signal, pidfd, sig, info, flags);
#else
return -ENOSYS;
#endif
}
int main(int argc, char *argv[])
{
int fd, ret, saved_errno, sig;
if (argc < 3)
exit(EXIT_FAILURE);
fd = open(argv[1], O_DIRECTORY | O_CLOEXEC);
if (fd < 0) {
printf("%s - Failed to open \"%s\"\n", strerror(errno), argv[1]);
exit(EXIT_FAILURE);
}
sig = atoi(argv[2]);
printf("Sending signal %d to process %s\n", sig, argv[1]);
ret = do_pidfd_send_signal(fd, sig, NULL, 0);
saved_errno = errno;
close(fd);
errno = saved_errno;
if (ret < 0) {
printf("%s - Failed to send signal %d to process %s\n",
strerror(errno), sig, argv[1]);
exit(EXIT_FAILURE);
}
exit(EXIT_SUCCESS);
}
/* Q&A
* Given that it seems the same questions get asked again by people who are
* late to the party it makes sense to add a Q&A section to the commit
* message so it's hopefully easier to avoid duplicate threads.
*
* For the sake of progress please consider these arguments settled unless
* there is a new point that desperately needs to be addressed. Please make
* sure to check the links to the threads in this commit message whether
* this has not already been covered.
*/
Q-01: (Florian Weimer [20], Andrew Morton [21])
What happens when the target process has exited?
A-01: Sending the signal will fail with ESRCH (cf. [22]).
Q-02: (Andrew Morton [21])
Is the task_struct pinned by the fd?
A-02: No. A reference to struct pid is kept. struct pid - as far as I
understand - was created exactly for the reason to not require to
pin struct task_struct (cf. [22]).
Q-03: (Andrew Morton [21])
Does the entire procfs directory remain visible? Just one entry
within it?
A-03: The same thing that happens right now when you hold a file descriptor
to /proc/<pid> open (cf. [22]).
Q-04: (Andrew Morton [21])
Does the pid remain reserved?
A-04: No. This patchset guarantees a stable handle not that pids are not
recycled (cf. [22]).
Q-05: (Andrew Morton [21])
Do attempts to signal that fd return errors?
A-05: See {Q,A}-01.
Q-06: (Andrew Morton [22])
Is there a cleaner way of obtaining the fd? Another syscall perhaps.
A-06: Userspace can already trivially retrieve file descriptors from procfs
so this is something that we will need to support anyway. Hence,
there's no immediate need to add another syscalls just to make
pidfd_send_signal() not dependent on the presence of procfs. However,
adding a syscalls to get such file descriptors is planned for a
future patchset (cf. [22]).
Q-07: (Andrew Morton [21] and others)
This fd-for-a-process sounds like a handy thing and people may well
think up other uses for it in the future, probably unrelated to
signals. Are the code and the interface designed to permit such
future applications?
A-07: Yes (cf. [22]).
Q-08: (Andrew Morton [21] and others)
Now I think about it, why a new syscall? This thing is looking
rather like an ioctl?
A-08: This has been extensively discussed. It was agreed that a syscall is
preferred for a variety or reasons. Here are just a few taken from
prior threads. Syscalls are safer than ioctl()s especially when
signaling to fds. Processes are a core kernel concept so a syscall
seems more appropriate. The layout of the syscall with its four
arguments would require the addition of a custom struct for the
ioctl() thereby causing at least the same amount or even more
complexity for userspace than a simple syscall. The new syscall will
replace multiple other pid-based syscalls (see description above).
The file-descriptors-for-processes concept introduced with this
syscall will be extended with other syscalls in the future. See also
[22], [23] and various other threads already linked in here.
Q-09: (Florian Weimer [24])
What happens if you use the new interface with an O_PATH descriptor?
A-09:
pidfds opened as O_PATH fds cannot be used to send signals to a
process (cf. [2]). Signaling processes through pidfds is the
equivalent of writing to a file. Thus, this is not an operation that
operates "purely at the file descriptor level" as required by the
open(2) manpage. See also [4].
/* References */
[1]: https://lore.kernel.org/lkml/20181029221037.87724-1-dancol@google.com/
[2]: https://lore.kernel.org/lkml/874lbtjvtd.fsf@oldenburg2.str.redhat.com/
[3]: https://lore.kernel.org/lkml/20181204132604.aspfupwjgjx6fhva@brauner.io/
[4]: https://lore.kernel.org/lkml/20181203180224.fkvw4kajtbvru2ku@brauner.io/
[5]: https://lore.kernel.org/lkml/20181121213946.GA10795@mail.hallyn.com/
[6]: https://lore.kernel.org/lkml/20181120103111.etlqp7zop34v6nv4@brauner.io/
[7]: https://lore.kernel.org/lkml/36323361-90BD-41AF-AB5B-EE0D7BA02C21@amacapital.net/
[8]: https://lore.kernel.org/lkml/87tvjxp8pc.fsf@xmission.com/
[9]: https://asciinema.org/a/IQjuCHew6bnq1cr78yuMv16cy
[11]: https://lore.kernel.org/lkml/F53D6D38-3521-4C20-9034-5AF447DF62FF@amacapital.net/
[12]: https://lore.kernel.org/lkml/87zhtjn8ck.fsf@xmission.com/
[13]: https://lore.kernel.org/lkml/871s6u9z6u.fsf@xmission.com/
[14]: https://lore.kernel.org/lkml/20181206231742.xxi4ghn24z4h2qki@brauner.io/
[15]: https://lore.kernel.org/lkml/20181207003124.GA11160@mail.hallyn.com/
[16]: https://lore.kernel.org/lkml/20181207015423.4miorx43l3qhppfz@brauner.io/
[17]: https://lore.kernel.org/lkml/CAGXu5jL8PciZAXvOvCeCU3wKUEB_dU-O3q0tDw4uB_ojMvDEew@mail.gmail.com/
[18]: https://lore.kernel.org/lkml/20181206222746.GB9224@mail.hallyn.com/
[19]: https://lore.kernel.org/lkml/20181208054059.19813-1-christian@brauner.io/
[20]: https://lore.kernel.org/lkml/8736rebl9s.fsf@oldenburg.str.redhat.com/
[21]: https://lore.kernel.org/lkml/20181228152012.dbf0508c2508138efc5f2bbe@linux-foundation.org/
[22]: https://lore.kernel.org/lkml/20181228233725.722tdfgijxcssg76@brauner.io/
[23]: https://lwn.net/Articles/773459/
[24]: https://lore.kernel.org/lkml/8736rebl9s.fsf@oldenburg.str.redhat.com/
[25]: https://lore.kernel.org/lkml/CAK8P3a0ej9NcJM8wXNPbcGUyOUZYX+VLoDFdbenW3s3114oQZw@mail.gmail.com/
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Jann Horn <jannh@google.com>
Cc: Andy Lutomirsky <luto@kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Florian Weimer <fweimer@redhat.com>
Signed-off-by: Christian Brauner <christian@brauner.io>
Reviewed-by: Tycho Andersen <tycho@tycho.ws>
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: David Howells <dhowells@redhat.com>
Acked-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Serge Hallyn <serge@hallyn.com>
Acked-by: Aleksa Sarai <cyphar@cyphar.com>
2018-11-19 07:51:56 +08:00
|
|
|
#include <linux/proc_fs.h>
|
2005-04-17 06:20:36 +08:00
|
|
|
#include <linux/tty.h>
|
|
|
|
#include <linux/binfmts.h>
|
2012-10-05 08:15:24 +08:00
|
|
|
#include <linux/coredump.h>
|
2005-04-17 06:20:36 +08:00
|
|
|
#include <linux/security.h>
|
|
|
|
#include <linux/syscalls.h>
|
|
|
|
#include <linux/ptrace.h>
|
2005-05-01 23:59:14 +08:00
|
|
|
#include <linux/signal.h>
|
signal/timer/event: signalfd core
This patch series implements the new signalfd() system call.
I took part of the original Linus code (and you know how badly it can be
broken :), and I added even more breakage ;) Signals are fetched from the same
signal queue used by the process, so signalfd will compete with standard
kernel delivery in dequeue_signal(). If you want to reliably fetch signals on
the signalfd file, you need to block them with sigprocmask(SIG_BLOCK). This
seems to be working fine on my Dual Opteron machine. I made a quick test
program for it:
http://www.xmailserver.org/signafd-test.c
The signalfd() system call implements signal delivery into a file descriptor
receiver. The signalfd file descriptor if created with the following API:
int signalfd(int ufd, const sigset_t *mask, size_t masksize);
The "ufd" parameter allows to change an existing signalfd sigmask, w/out going
to close/create cycle (Linus idea). Use "ufd" == -1 if you want a brand new
signalfd file.
The "mask" allows to specify the signal mask of signals that we are interested
in. The "masksize" parameter is the size of "mask".
The signalfd fd supports the poll(2) and read(2) system calls. The poll(2)
will return POLLIN when signals are available to be dequeued. As a direct
consequence of supporting the Linux poll subsystem, the signalfd fd can use
used together with epoll(2) too.
The read(2) system call will return a "struct signalfd_siginfo" structure in
the userspace supplied buffer. The return value is the number of bytes copied
in the supplied buffer, or -1 in case of error. The read(2) call can also
return 0, in case the sighand structure to which the signalfd was attached,
has been orphaned. The O_NONBLOCK flag is also supported, and read(2) will
return -EAGAIN in case no signal is available.
If the size of the buffer passed to read(2) is lower than sizeof(struct
signalfd_siginfo), -EINVAL is returned. A read from the signalfd can also
return -ERESTARTSYS in case a signal hits the process. The format of the
struct signalfd_siginfo is, and the valid fields depends of the (->code &
__SI_MASK) value, in the same way a struct siginfo would:
struct signalfd_siginfo {
__u32 signo; /* si_signo */
__s32 err; /* si_errno */
__s32 code; /* si_code */
__u32 pid; /* si_pid */
__u32 uid; /* si_uid */
__s32 fd; /* si_fd */
__u32 tid; /* si_fd */
__u32 band; /* si_band */
__u32 overrun; /* si_overrun */
__u32 trapno; /* si_trapno */
__s32 status; /* si_status */
__s32 svint; /* si_int */
__u64 svptr; /* si_ptr */
__u64 utime; /* si_utime */
__u64 stime; /* si_stime */
__u64 addr; /* si_addr */
};
[akpm@linux-foundation.org: fix signalfd_copyinfo() on i386]
Signed-off-by: Davide Libenzi <davidel@xmailserver.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-05-11 13:23:13 +08:00
|
|
|
#include <linux/signalfd.h>
|
2009-11-08 23:46:42 +08:00
|
|
|
#include <linux/ratelimit.h>
|
2022-02-10 02:47:08 +08:00
|
|
|
#include <linux/task_work.h>
|
2006-01-12 04:17:46 +08:00
|
|
|
#include <linux/capability.h>
|
2006-12-07 12:34:23 +08:00
|
|
|
#include <linux/freezer.h>
|
2006-12-08 18:38:01 +08:00
|
|
|
#include <linux/pid_namespace.h>
|
|
|
|
#include <linux/nsproxy.h>
|
user namespace: make signal.c respect user namespaces
ipc/mqueue.c: for __SI_MESQ, convert the uid being sent to recipient's
user namespace. (new, thanks Oleg)
__send_signal: convert current's uid to the recipient's user namespace
for any siginfo which is not SI_FROMKERNEL (patch from Oleg, thanks
again :)
do_notify_parent and do_notify_parent_cldstop: map task's uid to parent's
user namespace
ptrace_signal maps parent's uid into current's user namespace before
including in signal to current. IIUC Oleg has argued that this shouldn't
matter as the debugger will play with it, but it seems like not converting
the value currently being set is misleading.
Changelog:
Sep 20: Inspired by Oleg's suggestion, define map_cred_ns() helper to
simplify callers and help make clear what we are translating
(which uid into which namespace). Passing the target task would
make callers even easier to read, but we pass in user_ns because
current_user_ns() != task_cred_xxx(current, user_ns).
Sep 20: As recommended by Oleg, also put task_pid_vnr() under rcu_read_lock
in ptrace_signal().
Sep 23: In send_signal(), detect when (user) signal is coming from an
ancestor or unrelated user namespace. Pass that on to __send_signal,
which sets si_uid to 0 or overflowuid if needed.
Oct 12: Base on Oleg's fixup_uid() patch. On top of that, handle all
SI_FROMKERNEL cases at callers, because we can't assume sender is
current in those cases.
Nov 10: (mhelsley) rename fixup_uid to more meaningful usern_fixup_signal_uid
Nov 10: (akpm) make the !CONFIG_USER_NS case clearer
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Matt Helsley <matthltc@us.ibm.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
From: Serge Hallyn <serge.hallyn@canonical.com>
Subject: __send_signal: pass q->info, not info, to userns_fixup_signal_uid (v2)
Eric Biederman pointed out that passing info is a bug and could lead to a
NULL pointer deref to boot.
A collection of signal, securebits, filecaps, cap_bounds, and a few other
ltp tests passed with this kernel.
Changelog:
Nov 18: previous patch missed a leading '&'
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
From: Dan Carpenter <dan.carpenter@oracle.com>
Subject: ipc/mqueue: lock() => unlock() typo
There was a double lock typo introduced in b085f4bd6b21 "user namespace:
make signal.c respect user namespaces"
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Matt Helsley <matthltc@us.ibm.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Acked-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-01-11 07:11:37 +08:00
|
|
|
#include <linux/user_namespace.h>
|
uprobes/core: Handle breakpoint and singlestep exceptions
Uprobes uses exception notifiers to get to know if a thread hit
a breakpoint or a singlestep exception.
When a thread hits a uprobe or is singlestepping post a uprobe
hit, the uprobe exception notifier sets its TIF_UPROBE bit,
which will then be checked on its return to userspace path
(do_notify_resume() ->uprobe_notify_resume()), where the
consumers handlers are run (in task context) based on the
defined filters.
Uprobe hits are thread specific and hence we need to maintain
information about if a task hit a uprobe, what uprobe was hit,
the slot where the original instruction was copied for xol so
that it can be singlestepped with appropriate fixups.
In some cases, special care is needed for instructions that are
executed out of line (xol). These are architecture specific
artefacts, such as handling RIP relative instructions on x86_64.
Since the instruction at which the uprobe was inserted is
executed out of line, architecture specific fixups are added so
that the thread continues normal execution in the presence of a
uprobe.
Postpone the signals until we execute the probed insn.
post_xol() path does a recalc_sigpending() before return to
user-mode, this ensures the signal can't be lost.
Uprobes relies on DIE_DEBUG notification to notify if a
singlestep is complete.
Adds x86 specific uprobe exception notifiers and appropriate
hooks needed to determine a uprobe hit and subsequent post
processing.
Add requisite x86 fixups for xol for uprobes. Specific cases
needing fixups include relative jumps (x86_64), calls, etc.
Where possible, we check and skip singlestepping the
breakpointed instructions. For now we skip single byte as well
as few multibyte nop instructions. However this can be extended
to other instructions too.
Credits to Oleg Nesterov for suggestions/patches related to
signal, breakpoint, singlestep handling code.
Signed-off-by: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Ananth N Mavinakayanahalli <ananth@in.ibm.com>
Cc: Jim Keniston <jkenisto@linux.vnet.ibm.com>
Cc: Linux-mm <linux-mm@kvack.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Andi Kleen <andi@firstfloor.org>
Cc: Christoph Hellwig <hch@infradead.org>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Arnaldo Carvalho de Melo <acme@infradead.org>
Cc: Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Link: http://lkml.kernel.org/r/20120313180011.29771.89027.sendpatchset@srdronam.in.ibm.com
[ Performed various cleanliness edits ]
Signed-off-by: Ingo Molnar <mingo@elte.hu>
2012-03-14 02:00:11 +08:00
|
|
|
#include <linux/uprobes.h>
|
2012-12-15 03:47:53 +08:00
|
|
|
#include <linux/compat.h>
|
2013-03-20 04:50:05 +08:00
|
|
|
#include <linux/cn_proc.h>
|
2014-04-08 06:39:20 +08:00
|
|
|
#include <linux/compiler.h>
|
2017-06-04 03:01:00 +08:00
|
|
|
#include <linux/posix-timers.h>
|
cgroup: cgroup v2 freezer
Cgroup v1 implements the freezer controller, which provides an ability
to stop the workload in a cgroup and temporarily free up some
resources (cpu, io, network bandwidth and, potentially, memory)
for some other tasks. Cgroup v2 lacks this functionality.
This patch implements freezer for cgroup v2.
Cgroup v2 freezer tries to put tasks into a state similar to jobctl
stop. This means that tasks can be killed, ptraced (using
PTRACE_SEIZE*), and interrupted. It is possible to attach to
a frozen task, get some information (e.g. read registers) and detach.
It's also possible to migrate a frozen tasks to another cgroup.
This differs cgroup v2 freezer from cgroup v1 freezer, which mostly
tried to imitate the system-wide freezer. However uninterruptible
sleep is fine when all tasks are going to be frozen (hibernation case),
it's not the acceptable state for some subset of the system.
Cgroup v2 freezer is not supporting freezing kthreads.
If a non-root cgroup contains kthread, the cgroup still can be frozen,
but the kthread will remain running, the cgroup will be shown
as non-frozen, and the notification will not be delivered.
* PTRACE_ATTACH is not working because non-fatal signal delivery
is blocked in frozen state.
There are some interface differences between cgroup v1 and cgroup v2
freezer too, which are required to conform the cgroup v2 interface
design principles:
1) There is no separate controller, which has to be turned on:
the functionality is always available and is represented by
cgroup.freeze and cgroup.events cgroup control files.
2) The desired state is defined by the cgroup.freeze control file.
Any hierarchical configuration is allowed.
3) The interface is asynchronous. The actual state is available
using cgroup.events control file ("frozen" field). There are no
dedicated transitional states.
4) It's allowed to make any changes with the cgroup hierarchy
(create new cgroups, remove old cgroups, move tasks between cgroups)
no matter if some cgroups are frozen.
Signed-off-by: Roman Gushchin <guro@fb.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
No-objection-from-me-by: Oleg Nesterov <oleg@redhat.com>
Cc: kernel-team@fb.com
2019-04-20 01:03:04 +08:00
|
|
|
#include <linux/cgroup.h>
|
2019-05-11 00:21:49 +08:00
|
|
|
#include <linux/audit.h>
|
2014-04-08 06:39:20 +08:00
|
|
|
|
2009-11-25 05:56:45 +08:00
|
|
|
#define CREATE_TRACE_POINTS
|
|
|
|
#include <trace/events/signal.h>
|
2006-12-08 18:38:01 +08:00
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
#include <asm/param.h>
|
2016-12-25 03:46:01 +08:00
|
|
|
#include <linux/uaccess.h>
|
2005-04-17 06:20:36 +08:00
|
|
|
#include <asm/unistd.h>
|
|
|
|
#include <asm/siginfo.h>
|
2012-03-29 01:30:03 +08:00
|
|
|
#include <asm/cacheflush.h>
|
2021-06-24 05:44:32 +08:00
|
|
|
#include <asm/syscall.h> /* for syscall_get_* */
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
/*
|
|
|
|
* SLAB caches for signal bits.
|
|
|
|
*/
|
|
|
|
|
2006-12-07 12:33:20 +08:00
|
|
|
static struct kmem_cache *sigqueue_cachep;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2009-11-08 23:46:42 +08:00
|
|
|
int print_fatal_signals __read_mostly;
|
|
|
|
|
2008-07-26 10:45:51 +08:00
|
|
|
static void __user *sig_handler(struct task_struct *t, int sig)
|
2008-04-30 15:52:39 +08:00
|
|
|
{
|
2008-07-26 10:45:51 +08:00
|
|
|
return t->sighand->action[sig - 1].sa.sa_handler;
|
|
|
|
}
|
2008-04-30 15:52:39 +08:00
|
|
|
|
2018-08-22 13:00:15 +08:00
|
|
|
static inline bool sig_handler_ignored(void __user *handler, int sig)
|
2008-07-26 10:45:51 +08:00
|
|
|
{
|
2008-04-30 15:52:39 +08:00
|
|
|
/* Is it explicitly or implicitly ignored? */
|
|
|
|
return handler == SIG_IGN ||
|
2018-08-22 13:00:15 +08:00
|
|
|
(handler == SIG_DFL && sig_kernel_ignore(sig));
|
2008-04-30 15:52:39 +08:00
|
|
|
}
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2018-08-22 13:00:19 +08:00
|
|
|
static bool sig_task_ignored(struct task_struct *t, int sig, bool force)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2008-07-26 10:45:51 +08:00
|
|
|
void __user *handler;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2009-04-03 07:58:02 +08:00
|
|
|
handler = sig_handler(t, sig);
|
|
|
|
|
2018-07-20 08:47:27 +08:00
|
|
|
/* SIGKILL and SIGSTOP may not be sent to the global init */
|
|
|
|
if (unlikely(is_global_init(t) && sig_kernel_only(sig)))
|
|
|
|
return true;
|
|
|
|
|
2009-04-03 07:58:02 +08:00
|
|
|
if (unlikely(t->signal->flags & SIGNAL_UNKILLABLE) &&
|
2017-11-18 07:30:04 +08:00
|
|
|
handler == SIG_DFL && !(force && sig_kernel_only(sig)))
|
2018-08-22 13:00:19 +08:00
|
|
|
return true;
|
2009-04-03 07:58:02 +08:00
|
|
|
|
2019-08-17 01:33:54 +08:00
|
|
|
/* Only allow kernel generated signals to this kthread */
|
2021-03-26 08:18:59 +08:00
|
|
|
if (unlikely((t->flags & PF_KTHREAD) &&
|
2019-08-17 01:33:54 +08:00
|
|
|
(handler == SIG_KTHREAD_KERNEL) && !force))
|
|
|
|
return true;
|
|
|
|
|
2009-04-03 07:58:02 +08:00
|
|
|
return sig_handler_ignored(handler, sig);
|
|
|
|
}
|
|
|
|
|
2018-08-22 13:00:23 +08:00
|
|
|
static bool sig_ignored(struct task_struct *t, int sig, bool force)
|
2009-04-03 07:58:02 +08:00
|
|
|
{
|
2005-04-17 06:20:36 +08:00
|
|
|
/*
|
|
|
|
* Blocked signals are never ignored, since the
|
|
|
|
* signal handler may change by the time it is
|
|
|
|
* unblocked.
|
|
|
|
*/
|
2007-11-13 07:41:55 +08:00
|
|
|
if (sigismember(&t->blocked, sig) || sigismember(&t->real_blocked, sig))
|
2018-08-22 13:00:23 +08:00
|
|
|
return false;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2008-07-26 10:45:51 +08:00
|
|
|
/*
|
2017-11-18 07:30:01 +08:00
|
|
|
* Tracers may want to know about even ignored signal unless it
|
|
|
|
* is SIGKILL which can't be reported anyway but can be ignored
|
|
|
|
* by SIGNAL_UNKILLABLE task.
|
2008-07-26 10:45:51 +08:00
|
|
|
*/
|
2017-11-18 07:30:01 +08:00
|
|
|
if (t->ptrace && sig != SIGKILL)
|
2018-08-22 13:00:23 +08:00
|
|
|
return false;
|
2017-11-18 07:30:01 +08:00
|
|
|
|
|
|
|
return sig_task_ignored(t, sig, force);
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Re-calculate pending state from the set of locally pending
|
|
|
|
* signals, globally pending signals, and blocked signals.
|
|
|
|
*/
|
2018-08-22 13:00:27 +08:00
|
|
|
static inline bool has_pending_signals(sigset_t *signal, sigset_t *blocked)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
|
|
|
unsigned long ready;
|
|
|
|
long i;
|
|
|
|
|
|
|
|
switch (_NSIG_WORDS) {
|
|
|
|
default:
|
|
|
|
for (i = _NSIG_WORDS, ready = 0; --i >= 0 ;)
|
|
|
|
ready |= signal->sig[i] &~ blocked->sig[i];
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 4: ready = signal->sig[3] &~ blocked->sig[3];
|
|
|
|
ready |= signal->sig[2] &~ blocked->sig[2];
|
|
|
|
ready |= signal->sig[1] &~ blocked->sig[1];
|
|
|
|
ready |= signal->sig[0] &~ blocked->sig[0];
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 2: ready = signal->sig[1] &~ blocked->sig[1];
|
|
|
|
ready |= signal->sig[0] &~ blocked->sig[0];
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 1: ready = signal->sig[0] &~ blocked->sig[0];
|
|
|
|
}
|
|
|
|
return ready != 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
#define PENDING(p,b) has_pending_signals(&(p)->signal, (b))
|
|
|
|
|
2018-08-22 13:00:30 +08:00
|
|
|
static bool recalc_sigpending_tsk(struct task_struct *t)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
cgroup: cgroup v2 freezer
Cgroup v1 implements the freezer controller, which provides an ability
to stop the workload in a cgroup and temporarily free up some
resources (cpu, io, network bandwidth and, potentially, memory)
for some other tasks. Cgroup v2 lacks this functionality.
This patch implements freezer for cgroup v2.
Cgroup v2 freezer tries to put tasks into a state similar to jobctl
stop. This means that tasks can be killed, ptraced (using
PTRACE_SEIZE*), and interrupted. It is possible to attach to
a frozen task, get some information (e.g. read registers) and detach.
It's also possible to migrate a frozen tasks to another cgroup.
This differs cgroup v2 freezer from cgroup v1 freezer, which mostly
tried to imitate the system-wide freezer. However uninterruptible
sleep is fine when all tasks are going to be frozen (hibernation case),
it's not the acceptable state for some subset of the system.
Cgroup v2 freezer is not supporting freezing kthreads.
If a non-root cgroup contains kthread, the cgroup still can be frozen,
but the kthread will remain running, the cgroup will be shown
as non-frozen, and the notification will not be delivered.
* PTRACE_ATTACH is not working because non-fatal signal delivery
is blocked in frozen state.
There are some interface differences between cgroup v1 and cgroup v2
freezer too, which are required to conform the cgroup v2 interface
design principles:
1) There is no separate controller, which has to be turned on:
the functionality is always available and is represented by
cgroup.freeze and cgroup.events cgroup control files.
2) The desired state is defined by the cgroup.freeze control file.
Any hierarchical configuration is allowed.
3) The interface is asynchronous. The actual state is available
using cgroup.events control file ("frozen" field). There are no
dedicated transitional states.
4) It's allowed to make any changes with the cgroup hierarchy
(create new cgroups, remove old cgroups, move tasks between cgroups)
no matter if some cgroups are frozen.
Signed-off-by: Roman Gushchin <guro@fb.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
No-objection-from-me-by: Oleg Nesterov <oleg@redhat.com>
Cc: kernel-team@fb.com
2019-04-20 01:03:04 +08:00
|
|
|
if ((t->jobctl & (JOBCTL_PENDING_MASK | JOBCTL_TRAP_FREEZE)) ||
|
2005-04-17 06:20:36 +08:00
|
|
|
PENDING(&t->pending, &t->blocked) ||
|
cgroup: cgroup v2 freezer
Cgroup v1 implements the freezer controller, which provides an ability
to stop the workload in a cgroup and temporarily free up some
resources (cpu, io, network bandwidth and, potentially, memory)
for some other tasks. Cgroup v2 lacks this functionality.
This patch implements freezer for cgroup v2.
Cgroup v2 freezer tries to put tasks into a state similar to jobctl
stop. This means that tasks can be killed, ptraced (using
PTRACE_SEIZE*), and interrupted. It is possible to attach to
a frozen task, get some information (e.g. read registers) and detach.
It's also possible to migrate a frozen tasks to another cgroup.
This differs cgroup v2 freezer from cgroup v1 freezer, which mostly
tried to imitate the system-wide freezer. However uninterruptible
sleep is fine when all tasks are going to be frozen (hibernation case),
it's not the acceptable state for some subset of the system.
Cgroup v2 freezer is not supporting freezing kthreads.
If a non-root cgroup contains kthread, the cgroup still can be frozen,
but the kthread will remain running, the cgroup will be shown
as non-frozen, and the notification will not be delivered.
* PTRACE_ATTACH is not working because non-fatal signal delivery
is blocked in frozen state.
There are some interface differences between cgroup v1 and cgroup v2
freezer too, which are required to conform the cgroup v2 interface
design principles:
1) There is no separate controller, which has to be turned on:
the functionality is always available and is represented by
cgroup.freeze and cgroup.events cgroup control files.
2) The desired state is defined by the cgroup.freeze control file.
Any hierarchical configuration is allowed.
3) The interface is asynchronous. The actual state is available
using cgroup.events control file ("frozen" field). There are no
dedicated transitional states.
4) It's allowed to make any changes with the cgroup hierarchy
(create new cgroups, remove old cgroups, move tasks between cgroups)
no matter if some cgroups are frozen.
Signed-off-by: Roman Gushchin <guro@fb.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
No-objection-from-me-by: Oleg Nesterov <oleg@redhat.com>
Cc: kernel-team@fb.com
2019-04-20 01:03:04 +08:00
|
|
|
PENDING(&t->signal->shared_pending, &t->blocked) ||
|
|
|
|
cgroup_task_frozen(t)) {
|
2005-04-17 06:20:36 +08:00
|
|
|
set_tsk_thread_flag(t, TIF_SIGPENDING);
|
2018-08-22 13:00:30 +08:00
|
|
|
return true;
|
2007-05-24 04:57:44 +08:00
|
|
|
}
|
2018-08-22 13:00:30 +08:00
|
|
|
|
2007-06-06 18:59:00 +08:00
|
|
|
/*
|
|
|
|
* We must never clear the flag in another thread, or in current
|
|
|
|
* when it's possible the current syscall is returning -ERESTART*.
|
|
|
|
* So we don't clear it here, and only callers who know they should do.
|
|
|
|
*/
|
2018-08-22 13:00:30 +08:00
|
|
|
return false;
|
2007-05-24 04:57:44 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* After recalculating TIF_SIGPENDING, we need to make sure the task wakes up.
|
|
|
|
* This is superfluous when called on current, the wakeup is a harmless no-op.
|
|
|
|
*/
|
|
|
|
void recalc_sigpending_and_wake(struct task_struct *t)
|
|
|
|
{
|
|
|
|
if (recalc_sigpending_tsk(t))
|
|
|
|
signal_wake_up(t, 0);
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
void recalc_sigpending(void)
|
|
|
|
{
|
2021-03-29 21:28:15 +08:00
|
|
|
if (!recalc_sigpending_tsk(current) && !freezing(current))
|
2007-06-06 18:59:00 +08:00
|
|
|
clear_thread_flag(TIF_SIGPENDING);
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
2018-09-14 01:26:35 +08:00
|
|
|
EXPORT_SYMBOL(recalc_sigpending);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2018-07-24 06:26:49 +08:00
|
|
|
void calculate_sigpending(void)
|
|
|
|
{
|
|
|
|
/* Have any signals or users of TIF_SIGPENDING been delayed
|
|
|
|
* until after fork?
|
|
|
|
*/
|
|
|
|
spin_lock_irq(¤t->sighand->siglock);
|
|
|
|
set_tsk_thread_flag(current, TIF_SIGPENDING);
|
|
|
|
recalc_sigpending();
|
|
|
|
spin_unlock_irq(¤t->sighand->siglock);
|
|
|
|
}
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
/* Given the mask, find the first available signal that should be serviced. */
|
|
|
|
|
2010-03-03 00:36:46 +08:00
|
|
|
#define SYNCHRONOUS_MASK \
|
|
|
|
(sigmask(SIGSEGV) | sigmask(SIGBUS) | sigmask(SIGILL) | \
|
2012-04-13 05:48:00 +08:00
|
|
|
sigmask(SIGTRAP) | sigmask(SIGFPE) | sigmask(SIGSYS))
|
2010-03-03 00:36:46 +08:00
|
|
|
|
signal/timer/event: signalfd core
This patch series implements the new signalfd() system call.
I took part of the original Linus code (and you know how badly it can be
broken :), and I added even more breakage ;) Signals are fetched from the same
signal queue used by the process, so signalfd will compete with standard
kernel delivery in dequeue_signal(). If you want to reliably fetch signals on
the signalfd file, you need to block them with sigprocmask(SIG_BLOCK). This
seems to be working fine on my Dual Opteron machine. I made a quick test
program for it:
http://www.xmailserver.org/signafd-test.c
The signalfd() system call implements signal delivery into a file descriptor
receiver. The signalfd file descriptor if created with the following API:
int signalfd(int ufd, const sigset_t *mask, size_t masksize);
The "ufd" parameter allows to change an existing signalfd sigmask, w/out going
to close/create cycle (Linus idea). Use "ufd" == -1 if you want a brand new
signalfd file.
The "mask" allows to specify the signal mask of signals that we are interested
in. The "masksize" parameter is the size of "mask".
The signalfd fd supports the poll(2) and read(2) system calls. The poll(2)
will return POLLIN when signals are available to be dequeued. As a direct
consequence of supporting the Linux poll subsystem, the signalfd fd can use
used together with epoll(2) too.
The read(2) system call will return a "struct signalfd_siginfo" structure in
the userspace supplied buffer. The return value is the number of bytes copied
in the supplied buffer, or -1 in case of error. The read(2) call can also
return 0, in case the sighand structure to which the signalfd was attached,
has been orphaned. The O_NONBLOCK flag is also supported, and read(2) will
return -EAGAIN in case no signal is available.
If the size of the buffer passed to read(2) is lower than sizeof(struct
signalfd_siginfo), -EINVAL is returned. A read from the signalfd can also
return -ERESTARTSYS in case a signal hits the process. The format of the
struct signalfd_siginfo is, and the valid fields depends of the (->code &
__SI_MASK) value, in the same way a struct siginfo would:
struct signalfd_siginfo {
__u32 signo; /* si_signo */
__s32 err; /* si_errno */
__s32 code; /* si_code */
__u32 pid; /* si_pid */
__u32 uid; /* si_uid */
__s32 fd; /* si_fd */
__u32 tid; /* si_fd */
__u32 band; /* si_band */
__u32 overrun; /* si_overrun */
__u32 trapno; /* si_trapno */
__s32 status; /* si_status */
__s32 svint; /* si_int */
__u64 svptr; /* si_ptr */
__u64 utime; /* si_utime */
__u64 stime; /* si_stime */
__u64 addr; /* si_addr */
};
[akpm@linux-foundation.org: fix signalfd_copyinfo() on i386]
Signed-off-by: Davide Libenzi <davidel@xmailserver.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-05-11 13:23:13 +08:00
|
|
|
int next_signal(struct sigpending *pending, sigset_t *mask)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
|
|
|
unsigned long i, *s, *m, x;
|
|
|
|
int sig = 0;
|
2009-11-08 23:46:42 +08:00
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
s = pending->signal.sig;
|
|
|
|
m = mask->sig;
|
2010-03-03 00:36:46 +08:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Handle the first word specially: it contains the
|
|
|
|
* synchronous signals that need to be dequeued first.
|
|
|
|
*/
|
|
|
|
x = *s &~ *m;
|
|
|
|
if (x) {
|
|
|
|
if (x & SYNCHRONOUS_MASK)
|
|
|
|
x &= SYNCHRONOUS_MASK;
|
|
|
|
sig = ffz(~x) + 1;
|
|
|
|
return sig;
|
|
|
|
}
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
switch (_NSIG_WORDS) {
|
|
|
|
default:
|
2010-03-03 00:36:46 +08:00
|
|
|
for (i = 1; i < _NSIG_WORDS; ++i) {
|
|
|
|
x = *++s &~ *++m;
|
|
|
|
if (!x)
|
|
|
|
continue;
|
|
|
|
sig = ffz(~x) + i*_NSIG_BPW + 1;
|
|
|
|
break;
|
|
|
|
}
|
2005-04-17 06:20:36 +08:00
|
|
|
break;
|
|
|
|
|
2010-03-03 00:36:46 +08:00
|
|
|
case 2:
|
|
|
|
x = s[1] &~ m[1];
|
|
|
|
if (!x)
|
2005-04-17 06:20:36 +08:00
|
|
|
break;
|
2010-03-03 00:36:46 +08:00
|
|
|
sig = ffz(~x) + _NSIG_BPW + 1;
|
2005-04-17 06:20:36 +08:00
|
|
|
break;
|
|
|
|
|
2010-03-03 00:36:46 +08:00
|
|
|
case 1:
|
|
|
|
/* Nothing to do */
|
2005-04-17 06:20:36 +08:00
|
|
|
break;
|
|
|
|
}
|
2009-11-08 23:46:42 +08:00
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
return sig;
|
|
|
|
}
|
|
|
|
|
2009-11-08 23:46:42 +08:00
|
|
|
static inline void print_dropped_signal(int sig)
|
|
|
|
{
|
|
|
|
static DEFINE_RATELIMIT_STATE(ratelimit_state, 5 * HZ, 10);
|
|
|
|
|
|
|
|
if (!print_fatal_signals)
|
|
|
|
return;
|
|
|
|
|
|
|
|
if (!__ratelimit(&ratelimit_state))
|
|
|
|
return;
|
|
|
|
|
2016-05-24 07:23:59 +08:00
|
|
|
pr_info("%s/%d: reached RLIMIT_SIGPENDING, dropped signal %d\n",
|
2009-11-08 23:46:42 +08:00
|
|
|
current->comm, current->pid, sig);
|
|
|
|
}
|
|
|
|
|
2011-03-23 17:37:00 +08:00
|
|
|
/**
|
2011-06-02 17:14:00 +08:00
|
|
|
* task_set_jobctl_pending - set jobctl pending bits
|
2011-03-23 17:37:00 +08:00
|
|
|
* @task: target task
|
2011-06-02 17:14:00 +08:00
|
|
|
* @mask: pending bits to set
|
2011-03-23 17:37:00 +08:00
|
|
|
*
|
2011-06-02 17:14:00 +08:00
|
|
|
* Clear @mask from @task->jobctl. @mask must be subset of
|
|
|
|
* %JOBCTL_PENDING_MASK | %JOBCTL_STOP_CONSUME | %JOBCTL_STOP_SIGMASK |
|
|
|
|
* %JOBCTL_TRAPPING. If stop signo is being set, the existing signo is
|
|
|
|
* cleared. If @task is already being killed or exiting, this function
|
|
|
|
* becomes noop.
|
|
|
|
*
|
|
|
|
* CONTEXT:
|
|
|
|
* Must be called with @task->sighand->siglock held.
|
|
|
|
*
|
|
|
|
* RETURNS:
|
|
|
|
* %true if @mask is set, %false if made noop because @task was dying.
|
|
|
|
*/
|
2015-05-01 12:19:57 +08:00
|
|
|
bool task_set_jobctl_pending(struct task_struct *task, unsigned long mask)
|
2011-06-02 17:14:00 +08:00
|
|
|
{
|
|
|
|
BUG_ON(mask & ~(JOBCTL_PENDING_MASK | JOBCTL_STOP_CONSUME |
|
|
|
|
JOBCTL_STOP_SIGMASK | JOBCTL_TRAPPING));
|
|
|
|
BUG_ON((mask & JOBCTL_TRAPPING) && !(mask & JOBCTL_PENDING_MASK));
|
|
|
|
|
2021-03-26 08:23:44 +08:00
|
|
|
if (unlikely(fatal_signal_pending(task) || (task->flags & PF_EXITING)))
|
2011-06-02 17:14:00 +08:00
|
|
|
return false;
|
|
|
|
|
|
|
|
if (mask & JOBCTL_STOP_SIGMASK)
|
|
|
|
task->jobctl &= ~JOBCTL_STOP_SIGMASK;
|
|
|
|
|
|
|
|
task->jobctl |= mask;
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
2011-03-23 17:37:00 +08:00
|
|
|
/**
|
2011-06-02 17:13:59 +08:00
|
|
|
* task_clear_jobctl_trapping - clear jobctl trapping bit
|
2011-03-23 17:37:00 +08:00
|
|
|
* @task: target task
|
|
|
|
*
|
2011-06-02 17:13:59 +08:00
|
|
|
* If JOBCTL_TRAPPING is set, a ptracer is waiting for us to enter TRACED.
|
|
|
|
* Clear it and wake up the ptracer. Note that we don't need any further
|
|
|
|
* locking. @task->siglock guarantees that @task->parent points to the
|
|
|
|
* ptracer.
|
2011-03-23 17:37:00 +08:00
|
|
|
*
|
|
|
|
* CONTEXT:
|
|
|
|
* Must be called with @task->sighand->siglock held.
|
|
|
|
*/
|
2011-06-14 17:20:14 +08:00
|
|
|
void task_clear_jobctl_trapping(struct task_struct *task)
|
2011-03-23 17:37:00 +08:00
|
|
|
{
|
2011-06-02 17:13:59 +08:00
|
|
|
if (unlikely(task->jobctl & JOBCTL_TRAPPING)) {
|
|
|
|
task->jobctl &= ~JOBCTL_TRAPPING;
|
2014-06-07 05:36:44 +08:00
|
|
|
smp_mb(); /* advised by wake_up_bit() */
|
2011-06-02 17:14:00 +08:00
|
|
|
wake_up_bit(&task->jobctl, JOBCTL_TRAPPING_BIT);
|
2011-03-23 17:37:00 +08:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
signal: Fix premature completion of group stop when interfered by ptrace
task->signal->group_stop_count is used to track the progress of group
stop. It's initialized to the number of tasks which need to stop for
group stop to finish and each stopping or trapping task decrements.
However, each task doesn't keep track of whether it decremented the
counter or not and if woken up before the group stop is complete and
stops again, it can decrement the counter multiple times.
Please consider the following example code.
static void *worker(void *arg)
{
while (1) ;
return NULL;
}
int main(void)
{
pthread_t thread;
pid_t pid;
int i;
pid = fork();
if (!pid) {
for (i = 0; i < 5; i++)
pthread_create(&thread, NULL, worker, NULL);
while (1) ;
return 0;
}
ptrace(PTRACE_ATTACH, pid, NULL, NULL);
while (1) {
waitid(P_PID, pid, NULL, WSTOPPED);
ptrace(PTRACE_SINGLESTEP, pid, NULL, (void *)(long)SIGSTOP);
}
return 0;
}
The child creates five threads and the parent continuously traps the
first thread and whenever the child gets a signal, SIGSTOP is
delivered. If an external process sends SIGSTOP to the child, all
other threads in the process should reliably stop. However, due to
the above bug, the first thread will often end up consuming
group_stop_count multiple times and SIGSTOP often ends up stopping
none or part of the other four threads.
This patch adds a new field task->group_stop which is protected by
siglock and uses GROUP_STOP_CONSUME flag to track which task is still
to consume group_stop_count to fix this bug.
task_clear_group_stop_pending() and task_participate_group_stop() are
added to help manipulating group stop states. As ptrace_stop() now
also uses task_participate_group_stop(), it will set
SIGNAL_STOP_STOPPED if it completes a group stop.
There still are many issues regarding the interaction between group
stop and ptrace. Patches to address them will follow.
- Oleg spotted duplicate GROUP_STOP_CONSUME. Dropped.
Signed-off-by: Tejun Heo <tj@kernel.org>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Cc: Roland McGrath <roland@redhat.com>
2011-03-23 17:37:00 +08:00
|
|
|
/**
|
2011-06-02 17:14:00 +08:00
|
|
|
* task_clear_jobctl_pending - clear jobctl pending bits
|
signal: Fix premature completion of group stop when interfered by ptrace
task->signal->group_stop_count is used to track the progress of group
stop. It's initialized to the number of tasks which need to stop for
group stop to finish and each stopping or trapping task decrements.
However, each task doesn't keep track of whether it decremented the
counter or not and if woken up before the group stop is complete and
stops again, it can decrement the counter multiple times.
Please consider the following example code.
static void *worker(void *arg)
{
while (1) ;
return NULL;
}
int main(void)
{
pthread_t thread;
pid_t pid;
int i;
pid = fork();
if (!pid) {
for (i = 0; i < 5; i++)
pthread_create(&thread, NULL, worker, NULL);
while (1) ;
return 0;
}
ptrace(PTRACE_ATTACH, pid, NULL, NULL);
while (1) {
waitid(P_PID, pid, NULL, WSTOPPED);
ptrace(PTRACE_SINGLESTEP, pid, NULL, (void *)(long)SIGSTOP);
}
return 0;
}
The child creates five threads and the parent continuously traps the
first thread and whenever the child gets a signal, SIGSTOP is
delivered. If an external process sends SIGSTOP to the child, all
other threads in the process should reliably stop. However, due to
the above bug, the first thread will often end up consuming
group_stop_count multiple times and SIGSTOP often ends up stopping
none or part of the other four threads.
This patch adds a new field task->group_stop which is protected by
siglock and uses GROUP_STOP_CONSUME flag to track which task is still
to consume group_stop_count to fix this bug.
task_clear_group_stop_pending() and task_participate_group_stop() are
added to help manipulating group stop states. As ptrace_stop() now
also uses task_participate_group_stop(), it will set
SIGNAL_STOP_STOPPED if it completes a group stop.
There still are many issues regarding the interaction between group
stop and ptrace. Patches to address them will follow.
- Oleg spotted duplicate GROUP_STOP_CONSUME. Dropped.
Signed-off-by: Tejun Heo <tj@kernel.org>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Cc: Roland McGrath <roland@redhat.com>
2011-03-23 17:37:00 +08:00
|
|
|
* @task: target task
|
2011-06-02 17:14:00 +08:00
|
|
|
* @mask: pending bits to clear
|
signal: Fix premature completion of group stop when interfered by ptrace
task->signal->group_stop_count is used to track the progress of group
stop. It's initialized to the number of tasks which need to stop for
group stop to finish and each stopping or trapping task decrements.
However, each task doesn't keep track of whether it decremented the
counter or not and if woken up before the group stop is complete and
stops again, it can decrement the counter multiple times.
Please consider the following example code.
static void *worker(void *arg)
{
while (1) ;
return NULL;
}
int main(void)
{
pthread_t thread;
pid_t pid;
int i;
pid = fork();
if (!pid) {
for (i = 0; i < 5; i++)
pthread_create(&thread, NULL, worker, NULL);
while (1) ;
return 0;
}
ptrace(PTRACE_ATTACH, pid, NULL, NULL);
while (1) {
waitid(P_PID, pid, NULL, WSTOPPED);
ptrace(PTRACE_SINGLESTEP, pid, NULL, (void *)(long)SIGSTOP);
}
return 0;
}
The child creates five threads and the parent continuously traps the
first thread and whenever the child gets a signal, SIGSTOP is
delivered. If an external process sends SIGSTOP to the child, all
other threads in the process should reliably stop. However, due to
the above bug, the first thread will often end up consuming
group_stop_count multiple times and SIGSTOP often ends up stopping
none or part of the other four threads.
This patch adds a new field task->group_stop which is protected by
siglock and uses GROUP_STOP_CONSUME flag to track which task is still
to consume group_stop_count to fix this bug.
task_clear_group_stop_pending() and task_participate_group_stop() are
added to help manipulating group stop states. As ptrace_stop() now
also uses task_participate_group_stop(), it will set
SIGNAL_STOP_STOPPED if it completes a group stop.
There still are many issues regarding the interaction between group
stop and ptrace. Patches to address them will follow.
- Oleg spotted duplicate GROUP_STOP_CONSUME. Dropped.
Signed-off-by: Tejun Heo <tj@kernel.org>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Cc: Roland McGrath <roland@redhat.com>
2011-03-23 17:37:00 +08:00
|
|
|
*
|
2011-06-02 17:14:00 +08:00
|
|
|
* Clear @mask from @task->jobctl. @mask must be subset of
|
|
|
|
* %JOBCTL_PENDING_MASK. If %JOBCTL_STOP_PENDING is being cleared, other
|
|
|
|
* STOP bits are cleared together.
|
signal: Fix premature completion of group stop when interfered by ptrace
task->signal->group_stop_count is used to track the progress of group
stop. It's initialized to the number of tasks which need to stop for
group stop to finish and each stopping or trapping task decrements.
However, each task doesn't keep track of whether it decremented the
counter or not and if woken up before the group stop is complete and
stops again, it can decrement the counter multiple times.
Please consider the following example code.
static void *worker(void *arg)
{
while (1) ;
return NULL;
}
int main(void)
{
pthread_t thread;
pid_t pid;
int i;
pid = fork();
if (!pid) {
for (i = 0; i < 5; i++)
pthread_create(&thread, NULL, worker, NULL);
while (1) ;
return 0;
}
ptrace(PTRACE_ATTACH, pid, NULL, NULL);
while (1) {
waitid(P_PID, pid, NULL, WSTOPPED);
ptrace(PTRACE_SINGLESTEP, pid, NULL, (void *)(long)SIGSTOP);
}
return 0;
}
The child creates five threads and the parent continuously traps the
first thread and whenever the child gets a signal, SIGSTOP is
delivered. If an external process sends SIGSTOP to the child, all
other threads in the process should reliably stop. However, due to
the above bug, the first thread will often end up consuming
group_stop_count multiple times and SIGSTOP often ends up stopping
none or part of the other four threads.
This patch adds a new field task->group_stop which is protected by
siglock and uses GROUP_STOP_CONSUME flag to track which task is still
to consume group_stop_count to fix this bug.
task_clear_group_stop_pending() and task_participate_group_stop() are
added to help manipulating group stop states. As ptrace_stop() now
also uses task_participate_group_stop(), it will set
SIGNAL_STOP_STOPPED if it completes a group stop.
There still are many issues regarding the interaction between group
stop and ptrace. Patches to address them will follow.
- Oleg spotted duplicate GROUP_STOP_CONSUME. Dropped.
Signed-off-by: Tejun Heo <tj@kernel.org>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Cc: Roland McGrath <roland@redhat.com>
2011-03-23 17:37:00 +08:00
|
|
|
*
|
2011-06-02 17:14:00 +08:00
|
|
|
* If clearing of @mask leaves no stop or trap pending, this function calls
|
|
|
|
* task_clear_jobctl_trapping().
|
signal: Fix premature completion of group stop when interfered by ptrace
task->signal->group_stop_count is used to track the progress of group
stop. It's initialized to the number of tasks which need to stop for
group stop to finish and each stopping or trapping task decrements.
However, each task doesn't keep track of whether it decremented the
counter or not and if woken up before the group stop is complete and
stops again, it can decrement the counter multiple times.
Please consider the following example code.
static void *worker(void *arg)
{
while (1) ;
return NULL;
}
int main(void)
{
pthread_t thread;
pid_t pid;
int i;
pid = fork();
if (!pid) {
for (i = 0; i < 5; i++)
pthread_create(&thread, NULL, worker, NULL);
while (1) ;
return 0;
}
ptrace(PTRACE_ATTACH, pid, NULL, NULL);
while (1) {
waitid(P_PID, pid, NULL, WSTOPPED);
ptrace(PTRACE_SINGLESTEP, pid, NULL, (void *)(long)SIGSTOP);
}
return 0;
}
The child creates five threads and the parent continuously traps the
first thread and whenever the child gets a signal, SIGSTOP is
delivered. If an external process sends SIGSTOP to the child, all
other threads in the process should reliably stop. However, due to
the above bug, the first thread will often end up consuming
group_stop_count multiple times and SIGSTOP often ends up stopping
none or part of the other four threads.
This patch adds a new field task->group_stop which is protected by
siglock and uses GROUP_STOP_CONSUME flag to track which task is still
to consume group_stop_count to fix this bug.
task_clear_group_stop_pending() and task_participate_group_stop() are
added to help manipulating group stop states. As ptrace_stop() now
also uses task_participate_group_stop(), it will set
SIGNAL_STOP_STOPPED if it completes a group stop.
There still are many issues regarding the interaction between group
stop and ptrace. Patches to address them will follow.
- Oleg spotted duplicate GROUP_STOP_CONSUME. Dropped.
Signed-off-by: Tejun Heo <tj@kernel.org>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Cc: Roland McGrath <roland@redhat.com>
2011-03-23 17:37:00 +08:00
|
|
|
*
|
|
|
|
* CONTEXT:
|
|
|
|
* Must be called with @task->sighand->siglock held.
|
|
|
|
*/
|
2015-05-01 12:19:57 +08:00
|
|
|
void task_clear_jobctl_pending(struct task_struct *task, unsigned long mask)
|
signal: Fix premature completion of group stop when interfered by ptrace
task->signal->group_stop_count is used to track the progress of group
stop. It's initialized to the number of tasks which need to stop for
group stop to finish and each stopping or trapping task decrements.
However, each task doesn't keep track of whether it decremented the
counter or not and if woken up before the group stop is complete and
stops again, it can decrement the counter multiple times.
Please consider the following example code.
static void *worker(void *arg)
{
while (1) ;
return NULL;
}
int main(void)
{
pthread_t thread;
pid_t pid;
int i;
pid = fork();
if (!pid) {
for (i = 0; i < 5; i++)
pthread_create(&thread, NULL, worker, NULL);
while (1) ;
return 0;
}
ptrace(PTRACE_ATTACH, pid, NULL, NULL);
while (1) {
waitid(P_PID, pid, NULL, WSTOPPED);
ptrace(PTRACE_SINGLESTEP, pid, NULL, (void *)(long)SIGSTOP);
}
return 0;
}
The child creates five threads and the parent continuously traps the
first thread and whenever the child gets a signal, SIGSTOP is
delivered. If an external process sends SIGSTOP to the child, all
other threads in the process should reliably stop. However, due to
the above bug, the first thread will often end up consuming
group_stop_count multiple times and SIGSTOP often ends up stopping
none or part of the other four threads.
This patch adds a new field task->group_stop which is protected by
siglock and uses GROUP_STOP_CONSUME flag to track which task is still
to consume group_stop_count to fix this bug.
task_clear_group_stop_pending() and task_participate_group_stop() are
added to help manipulating group stop states. As ptrace_stop() now
also uses task_participate_group_stop(), it will set
SIGNAL_STOP_STOPPED if it completes a group stop.
There still are many issues regarding the interaction between group
stop and ptrace. Patches to address them will follow.
- Oleg spotted duplicate GROUP_STOP_CONSUME. Dropped.
Signed-off-by: Tejun Heo <tj@kernel.org>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Cc: Roland McGrath <roland@redhat.com>
2011-03-23 17:37:00 +08:00
|
|
|
{
|
2011-06-02 17:14:00 +08:00
|
|
|
BUG_ON(mask & ~JOBCTL_PENDING_MASK);
|
|
|
|
|
|
|
|
if (mask & JOBCTL_STOP_PENDING)
|
|
|
|
mask |= JOBCTL_STOP_CONSUME | JOBCTL_STOP_DEQUEUED;
|
|
|
|
|
|
|
|
task->jobctl &= ~mask;
|
2011-06-02 17:14:00 +08:00
|
|
|
|
|
|
|
if (!(task->jobctl & JOBCTL_PENDING_MASK))
|
|
|
|
task_clear_jobctl_trapping(task);
|
signal: Fix premature completion of group stop when interfered by ptrace
task->signal->group_stop_count is used to track the progress of group
stop. It's initialized to the number of tasks which need to stop for
group stop to finish and each stopping or trapping task decrements.
However, each task doesn't keep track of whether it decremented the
counter or not and if woken up before the group stop is complete and
stops again, it can decrement the counter multiple times.
Please consider the following example code.
static void *worker(void *arg)
{
while (1) ;
return NULL;
}
int main(void)
{
pthread_t thread;
pid_t pid;
int i;
pid = fork();
if (!pid) {
for (i = 0; i < 5; i++)
pthread_create(&thread, NULL, worker, NULL);
while (1) ;
return 0;
}
ptrace(PTRACE_ATTACH, pid, NULL, NULL);
while (1) {
waitid(P_PID, pid, NULL, WSTOPPED);
ptrace(PTRACE_SINGLESTEP, pid, NULL, (void *)(long)SIGSTOP);
}
return 0;
}
The child creates five threads and the parent continuously traps the
first thread and whenever the child gets a signal, SIGSTOP is
delivered. If an external process sends SIGSTOP to the child, all
other threads in the process should reliably stop. However, due to
the above bug, the first thread will often end up consuming
group_stop_count multiple times and SIGSTOP often ends up stopping
none or part of the other four threads.
This patch adds a new field task->group_stop which is protected by
siglock and uses GROUP_STOP_CONSUME flag to track which task is still
to consume group_stop_count to fix this bug.
task_clear_group_stop_pending() and task_participate_group_stop() are
added to help manipulating group stop states. As ptrace_stop() now
also uses task_participate_group_stop(), it will set
SIGNAL_STOP_STOPPED if it completes a group stop.
There still are many issues regarding the interaction between group
stop and ptrace. Patches to address them will follow.
- Oleg spotted duplicate GROUP_STOP_CONSUME. Dropped.
Signed-off-by: Tejun Heo <tj@kernel.org>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Cc: Roland McGrath <roland@redhat.com>
2011-03-23 17:37:00 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* task_participate_group_stop - participate in a group stop
|
|
|
|
* @task: task participating in a group stop
|
|
|
|
*
|
2011-06-02 17:13:59 +08:00
|
|
|
* @task has %JOBCTL_STOP_PENDING set and is participating in a group stop.
|
2011-03-23 17:37:00 +08:00
|
|
|
* Group stop states are cleared and the group stop count is consumed if
|
2011-06-02 17:13:59 +08:00
|
|
|
* %JOBCTL_STOP_CONSUME was set. If the consumption completes the group
|
2019-08-03 12:48:33 +08:00
|
|
|
* stop, the appropriate `SIGNAL_*` flags are set.
|
signal: Fix premature completion of group stop when interfered by ptrace
task->signal->group_stop_count is used to track the progress of group
stop. It's initialized to the number of tasks which need to stop for
group stop to finish and each stopping or trapping task decrements.
However, each task doesn't keep track of whether it decremented the
counter or not and if woken up before the group stop is complete and
stops again, it can decrement the counter multiple times.
Please consider the following example code.
static void *worker(void *arg)
{
while (1) ;
return NULL;
}
int main(void)
{
pthread_t thread;
pid_t pid;
int i;
pid = fork();
if (!pid) {
for (i = 0; i < 5; i++)
pthread_create(&thread, NULL, worker, NULL);
while (1) ;
return 0;
}
ptrace(PTRACE_ATTACH, pid, NULL, NULL);
while (1) {
waitid(P_PID, pid, NULL, WSTOPPED);
ptrace(PTRACE_SINGLESTEP, pid, NULL, (void *)(long)SIGSTOP);
}
return 0;
}
The child creates five threads and the parent continuously traps the
first thread and whenever the child gets a signal, SIGSTOP is
delivered. If an external process sends SIGSTOP to the child, all
other threads in the process should reliably stop. However, due to
the above bug, the first thread will often end up consuming
group_stop_count multiple times and SIGSTOP often ends up stopping
none or part of the other four threads.
This patch adds a new field task->group_stop which is protected by
siglock and uses GROUP_STOP_CONSUME flag to track which task is still
to consume group_stop_count to fix this bug.
task_clear_group_stop_pending() and task_participate_group_stop() are
added to help manipulating group stop states. As ptrace_stop() now
also uses task_participate_group_stop(), it will set
SIGNAL_STOP_STOPPED if it completes a group stop.
There still are many issues regarding the interaction between group
stop and ptrace. Patches to address them will follow.
- Oleg spotted duplicate GROUP_STOP_CONSUME. Dropped.
Signed-off-by: Tejun Heo <tj@kernel.org>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Cc: Roland McGrath <roland@redhat.com>
2011-03-23 17:37:00 +08:00
|
|
|
*
|
|
|
|
* CONTEXT:
|
|
|
|
* Must be called with @task->sighand->siglock held.
|
job control: Don't send duplicate job control stop notification while ptraced
Just as group_exit_code shouldn't be generated when a PTRACE_CONT'd
task re-enters job control stop, notifiction for the event should be
suppressed too. The logic is the same as the group_exit_code
generation suppression in do_signal_stop(), if SIGNAL_STOP_STOPPED is
already set, the task is re-entering job control stop without
intervening SIGCONT and the notifications should be suppressed.
Test case follows.
#include <stdio.h>
#include <unistd.h>
#include <signal.h>
#include <time.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
static const struct timespec ts100ms = { .tv_nsec = 100000000 };
static pid_t tracee, tracer;
static const char *pid_who(pid_t pid)
{
return pid == tracee ? "tracee" : (pid == tracer ? "tracer" : "mommy ");
}
static void sigchld_sigaction(int signo, siginfo_t *si, void *ucxt)
{
printf("%s: SIG status=%02d code=%02d (%s)\n",
pid_who(getpid()), si->si_status, si->si_code,
pid_who(si->si_pid));
}
int main(void)
{
const struct sigaction chld_sa = { .sa_sigaction = sigchld_sigaction,
.sa_flags = SA_SIGINFO|SA_RESTART };
siginfo_t si;
sigaction(SIGCHLD, &chld_sa, NULL);
tracee = fork();
if (!tracee) {
tracee = getpid();
while (1)
pause();
}
kill(tracee, SIGSTOP);
waitid(P_PID, tracee, &si, WSTOPPED);
tracer = fork();
if (!tracer) {
tracer = getpid();
ptrace(PTRACE_ATTACH, tracee, NULL, NULL);
waitid(P_PID, tracee, &si, WSTOPPED);
ptrace(PTRACE_CONT, tracee, NULL, (void *)(long)si.si_status);
waitid(P_PID, tracee, &si, WSTOPPED);
ptrace(PTRACE_CONT, tracee, NULL, (void *)(long)si.si_status);
waitid(P_PID, tracee, &si, WSTOPPED);
printf("tracer: detaching\n");
ptrace(PTRACE_DETACH, tracee, NULL, NULL);
return 0;
}
while (1)
pause();
return 0;
}
Before the patch, the parent gets the second notification for the
tracee after the tracer detaches. si_status is zero because
group_exit_code is not set by the group stop completion which
triggered this notification.
mommy : SIG status=19 code=05 (tracee)
tracer: SIG status=00 code=05 (tracee)
tracer: SIG status=19 code=04 (tracee)
tracer: SIG status=00 code=05 (tracee)
tracer: detaching
mommy : SIG status=00 code=05 (tracee)
mommy : SIG status=00 code=01 (tracer)
^C
After the patch, the duplicate notification is gone.
mommy : SIG status=19 code=05 (tracee)
tracer: SIG status=00 code=05 (tracee)
tracer: SIG status=19 code=04 (tracee)
tracer: SIG status=00 code=05 (tracee)
tracer: detaching
mommy : SIG status=00 code=01 (tracer)
^C
Signed-off-by: Tejun Heo <tj@kernel.org>
Acked-by: Oleg Nesterov <oleg@redhat.com>
2011-03-23 17:37:01 +08:00
|
|
|
*
|
|
|
|
* RETURNS:
|
|
|
|
* %true if group stop completion should be notified to the parent, %false
|
|
|
|
* otherwise.
|
signal: Fix premature completion of group stop when interfered by ptrace
task->signal->group_stop_count is used to track the progress of group
stop. It's initialized to the number of tasks which need to stop for
group stop to finish and each stopping or trapping task decrements.
However, each task doesn't keep track of whether it decremented the
counter or not and if woken up before the group stop is complete and
stops again, it can decrement the counter multiple times.
Please consider the following example code.
static void *worker(void *arg)
{
while (1) ;
return NULL;
}
int main(void)
{
pthread_t thread;
pid_t pid;
int i;
pid = fork();
if (!pid) {
for (i = 0; i < 5; i++)
pthread_create(&thread, NULL, worker, NULL);
while (1) ;
return 0;
}
ptrace(PTRACE_ATTACH, pid, NULL, NULL);
while (1) {
waitid(P_PID, pid, NULL, WSTOPPED);
ptrace(PTRACE_SINGLESTEP, pid, NULL, (void *)(long)SIGSTOP);
}
return 0;
}
The child creates five threads and the parent continuously traps the
first thread and whenever the child gets a signal, SIGSTOP is
delivered. If an external process sends SIGSTOP to the child, all
other threads in the process should reliably stop. However, due to
the above bug, the first thread will often end up consuming
group_stop_count multiple times and SIGSTOP often ends up stopping
none or part of the other four threads.
This patch adds a new field task->group_stop which is protected by
siglock and uses GROUP_STOP_CONSUME flag to track which task is still
to consume group_stop_count to fix this bug.
task_clear_group_stop_pending() and task_participate_group_stop() are
added to help manipulating group stop states. As ptrace_stop() now
also uses task_participate_group_stop(), it will set
SIGNAL_STOP_STOPPED if it completes a group stop.
There still are many issues regarding the interaction between group
stop and ptrace. Patches to address them will follow.
- Oleg spotted duplicate GROUP_STOP_CONSUME. Dropped.
Signed-off-by: Tejun Heo <tj@kernel.org>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Cc: Roland McGrath <roland@redhat.com>
2011-03-23 17:37:00 +08:00
|
|
|
*/
|
|
|
|
static bool task_participate_group_stop(struct task_struct *task)
|
|
|
|
{
|
|
|
|
struct signal_struct *sig = task->signal;
|
2011-06-02 17:13:59 +08:00
|
|
|
bool consume = task->jobctl & JOBCTL_STOP_CONSUME;
|
signal: Fix premature completion of group stop when interfered by ptrace
task->signal->group_stop_count is used to track the progress of group
stop. It's initialized to the number of tasks which need to stop for
group stop to finish and each stopping or trapping task decrements.
However, each task doesn't keep track of whether it decremented the
counter or not and if woken up before the group stop is complete and
stops again, it can decrement the counter multiple times.
Please consider the following example code.
static void *worker(void *arg)
{
while (1) ;
return NULL;
}
int main(void)
{
pthread_t thread;
pid_t pid;
int i;
pid = fork();
if (!pid) {
for (i = 0; i < 5; i++)
pthread_create(&thread, NULL, worker, NULL);
while (1) ;
return 0;
}
ptrace(PTRACE_ATTACH, pid, NULL, NULL);
while (1) {
waitid(P_PID, pid, NULL, WSTOPPED);
ptrace(PTRACE_SINGLESTEP, pid, NULL, (void *)(long)SIGSTOP);
}
return 0;
}
The child creates five threads and the parent continuously traps the
first thread and whenever the child gets a signal, SIGSTOP is
delivered. If an external process sends SIGSTOP to the child, all
other threads in the process should reliably stop. However, due to
the above bug, the first thread will often end up consuming
group_stop_count multiple times and SIGSTOP often ends up stopping
none or part of the other four threads.
This patch adds a new field task->group_stop which is protected by
siglock and uses GROUP_STOP_CONSUME flag to track which task is still
to consume group_stop_count to fix this bug.
task_clear_group_stop_pending() and task_participate_group_stop() are
added to help manipulating group stop states. As ptrace_stop() now
also uses task_participate_group_stop(), it will set
SIGNAL_STOP_STOPPED if it completes a group stop.
There still are many issues regarding the interaction between group
stop and ptrace. Patches to address them will follow.
- Oleg spotted duplicate GROUP_STOP_CONSUME. Dropped.
Signed-off-by: Tejun Heo <tj@kernel.org>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Cc: Roland McGrath <roland@redhat.com>
2011-03-23 17:37:00 +08:00
|
|
|
|
2011-06-02 17:13:59 +08:00
|
|
|
WARN_ON_ONCE(!(task->jobctl & JOBCTL_STOP_PENDING));
|
2011-03-23 17:37:00 +08:00
|
|
|
|
2011-06-02 17:14:00 +08:00
|
|
|
task_clear_jobctl_pending(task, JOBCTL_STOP_PENDING);
|
signal: Fix premature completion of group stop when interfered by ptrace
task->signal->group_stop_count is used to track the progress of group
stop. It's initialized to the number of tasks which need to stop for
group stop to finish and each stopping or trapping task decrements.
However, each task doesn't keep track of whether it decremented the
counter or not and if woken up before the group stop is complete and
stops again, it can decrement the counter multiple times.
Please consider the following example code.
static void *worker(void *arg)
{
while (1) ;
return NULL;
}
int main(void)
{
pthread_t thread;
pid_t pid;
int i;
pid = fork();
if (!pid) {
for (i = 0; i < 5; i++)
pthread_create(&thread, NULL, worker, NULL);
while (1) ;
return 0;
}
ptrace(PTRACE_ATTACH, pid, NULL, NULL);
while (1) {
waitid(P_PID, pid, NULL, WSTOPPED);
ptrace(PTRACE_SINGLESTEP, pid, NULL, (void *)(long)SIGSTOP);
}
return 0;
}
The child creates five threads and the parent continuously traps the
first thread and whenever the child gets a signal, SIGSTOP is
delivered. If an external process sends SIGSTOP to the child, all
other threads in the process should reliably stop. However, due to
the above bug, the first thread will often end up consuming
group_stop_count multiple times and SIGSTOP often ends up stopping
none or part of the other four threads.
This patch adds a new field task->group_stop which is protected by
siglock and uses GROUP_STOP_CONSUME flag to track which task is still
to consume group_stop_count to fix this bug.
task_clear_group_stop_pending() and task_participate_group_stop() are
added to help manipulating group stop states. As ptrace_stop() now
also uses task_participate_group_stop(), it will set
SIGNAL_STOP_STOPPED if it completes a group stop.
There still are many issues regarding the interaction between group
stop and ptrace. Patches to address them will follow.
- Oleg spotted duplicate GROUP_STOP_CONSUME. Dropped.
Signed-off-by: Tejun Heo <tj@kernel.org>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Cc: Roland McGrath <roland@redhat.com>
2011-03-23 17:37:00 +08:00
|
|
|
|
|
|
|
if (!consume)
|
|
|
|
return false;
|
|
|
|
|
|
|
|
if (!WARN_ON_ONCE(sig->group_stop_count == 0))
|
|
|
|
sig->group_stop_count--;
|
|
|
|
|
job control: Don't send duplicate job control stop notification while ptraced
Just as group_exit_code shouldn't be generated when a PTRACE_CONT'd
task re-enters job control stop, notifiction for the event should be
suppressed too. The logic is the same as the group_exit_code
generation suppression in do_signal_stop(), if SIGNAL_STOP_STOPPED is
already set, the task is re-entering job control stop without
intervening SIGCONT and the notifications should be suppressed.
Test case follows.
#include <stdio.h>
#include <unistd.h>
#include <signal.h>
#include <time.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
static const struct timespec ts100ms = { .tv_nsec = 100000000 };
static pid_t tracee, tracer;
static const char *pid_who(pid_t pid)
{
return pid == tracee ? "tracee" : (pid == tracer ? "tracer" : "mommy ");
}
static void sigchld_sigaction(int signo, siginfo_t *si, void *ucxt)
{
printf("%s: SIG status=%02d code=%02d (%s)\n",
pid_who(getpid()), si->si_status, si->si_code,
pid_who(si->si_pid));
}
int main(void)
{
const struct sigaction chld_sa = { .sa_sigaction = sigchld_sigaction,
.sa_flags = SA_SIGINFO|SA_RESTART };
siginfo_t si;
sigaction(SIGCHLD, &chld_sa, NULL);
tracee = fork();
if (!tracee) {
tracee = getpid();
while (1)
pause();
}
kill(tracee, SIGSTOP);
waitid(P_PID, tracee, &si, WSTOPPED);
tracer = fork();
if (!tracer) {
tracer = getpid();
ptrace(PTRACE_ATTACH, tracee, NULL, NULL);
waitid(P_PID, tracee, &si, WSTOPPED);
ptrace(PTRACE_CONT, tracee, NULL, (void *)(long)si.si_status);
waitid(P_PID, tracee, &si, WSTOPPED);
ptrace(PTRACE_CONT, tracee, NULL, (void *)(long)si.si_status);
waitid(P_PID, tracee, &si, WSTOPPED);
printf("tracer: detaching\n");
ptrace(PTRACE_DETACH, tracee, NULL, NULL);
return 0;
}
while (1)
pause();
return 0;
}
Before the patch, the parent gets the second notification for the
tracee after the tracer detaches. si_status is zero because
group_exit_code is not set by the group stop completion which
triggered this notification.
mommy : SIG status=19 code=05 (tracee)
tracer: SIG status=00 code=05 (tracee)
tracer: SIG status=19 code=04 (tracee)
tracer: SIG status=00 code=05 (tracee)
tracer: detaching
mommy : SIG status=00 code=05 (tracee)
mommy : SIG status=00 code=01 (tracer)
^C
After the patch, the duplicate notification is gone.
mommy : SIG status=19 code=05 (tracee)
tracer: SIG status=00 code=05 (tracee)
tracer: SIG status=19 code=04 (tracee)
tracer: SIG status=00 code=05 (tracee)
tracer: detaching
mommy : SIG status=00 code=01 (tracer)
^C
Signed-off-by: Tejun Heo <tj@kernel.org>
Acked-by: Oleg Nesterov <oleg@redhat.com>
2011-03-23 17:37:01 +08:00
|
|
|
/*
|
|
|
|
* Tell the caller to notify completion iff we are entering into a
|
|
|
|
* fresh group stop. Read comment in do_signal_stop() for details.
|
|
|
|
*/
|
|
|
|
if (!sig->group_stop_count && !(sig->flags & SIGNAL_STOP_STOPPED)) {
|
2017-01-11 08:57:54 +08:00
|
|
|
signal_set_stop_flags(sig, SIGNAL_STOP_STOPPED);
|
signal: Fix premature completion of group stop when interfered by ptrace
task->signal->group_stop_count is used to track the progress of group
stop. It's initialized to the number of tasks which need to stop for
group stop to finish and each stopping or trapping task decrements.
However, each task doesn't keep track of whether it decremented the
counter or not and if woken up before the group stop is complete and
stops again, it can decrement the counter multiple times.
Please consider the following example code.
static void *worker(void *arg)
{
while (1) ;
return NULL;
}
int main(void)
{
pthread_t thread;
pid_t pid;
int i;
pid = fork();
if (!pid) {
for (i = 0; i < 5; i++)
pthread_create(&thread, NULL, worker, NULL);
while (1) ;
return 0;
}
ptrace(PTRACE_ATTACH, pid, NULL, NULL);
while (1) {
waitid(P_PID, pid, NULL, WSTOPPED);
ptrace(PTRACE_SINGLESTEP, pid, NULL, (void *)(long)SIGSTOP);
}
return 0;
}
The child creates five threads and the parent continuously traps the
first thread and whenever the child gets a signal, SIGSTOP is
delivered. If an external process sends SIGSTOP to the child, all
other threads in the process should reliably stop. However, due to
the above bug, the first thread will often end up consuming
group_stop_count multiple times and SIGSTOP often ends up stopping
none or part of the other four threads.
This patch adds a new field task->group_stop which is protected by
siglock and uses GROUP_STOP_CONSUME flag to track which task is still
to consume group_stop_count to fix this bug.
task_clear_group_stop_pending() and task_participate_group_stop() are
added to help manipulating group stop states. As ptrace_stop() now
also uses task_participate_group_stop(), it will set
SIGNAL_STOP_STOPPED if it completes a group stop.
There still are many issues regarding the interaction between group
stop and ptrace. Patches to address them will follow.
- Oleg spotted duplicate GROUP_STOP_CONSUME. Dropped.
Signed-off-by: Tejun Heo <tj@kernel.org>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Cc: Roland McGrath <roland@redhat.com>
2011-03-23 17:37:00 +08:00
|
|
|
return true;
|
|
|
|
}
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
2018-07-24 02:38:00 +08:00
|
|
|
void task_join_group_stop(struct task_struct *task)
|
|
|
|
{
|
ptrace: fix task_join_group_stop() for the case when current is traced
This testcase
#include <stdio.h>
#include <unistd.h>
#include <signal.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <pthread.h>
#include <assert.h>
void *tf(void *arg)
{
return NULL;
}
int main(void)
{
int pid = fork();
if (!pid) {
kill(getpid(), SIGSTOP);
pthread_t th;
pthread_create(&th, NULL, tf, NULL);
return 0;
}
waitpid(pid, NULL, WSTOPPED);
ptrace(PTRACE_SEIZE, pid, 0, PTRACE_O_TRACECLONE);
waitpid(pid, NULL, 0);
ptrace(PTRACE_CONT, pid, 0,0);
waitpid(pid, NULL, 0);
int status;
int thread = waitpid(-1, &status, 0);
assert(thread > 0 && thread != pid);
assert(status == 0x80137f);
return 0;
}
fails and triggers WARN_ON_ONCE(!signr) in do_jobctl_trap().
This is because task_join_group_stop() has 2 problems when current is traced:
1. We can't rely on the "JOBCTL_STOP_PENDING" check, a stopped tracee
can be woken up by debugger and it can clone another thread which
should join the group-stop.
We need to check group_stop_count || SIGNAL_STOP_STOPPED.
2. If SIGNAL_STOP_STOPPED is already set, we should not increment
sig->group_stop_count and add JOBCTL_STOP_CONSUME. The new thread
should stop without another do_notify_parent_cldstop() report.
To clarify, the problem is very old and we should blame
ptrace_init_task(). But now that we have task_join_group_stop() it makes
more sense to fix this helper to avoid the code duplication.
Reported-by: syzbot+3485e3773f7da290eecc@syzkaller.appspotmail.com
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: Christian Brauner <christian@brauner.io>
Cc: "Eric W . Biederman" <ebiederm@xmission.com>
Cc: Zhiqiang Liu <liuzhiqiang26@huawei.com>
Cc: Tejun Heo <tj@kernel.org>
Cc: <stable@vger.kernel.org>
Link: https://lkml.kernel.org/r/20201019134237.GA18810@redhat.com
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2020-11-02 09:07:44 +08:00
|
|
|
unsigned long mask = current->jobctl & JOBCTL_STOP_SIGMASK;
|
|
|
|
struct signal_struct *sig = current->signal;
|
|
|
|
|
|
|
|
if (sig->group_stop_count) {
|
|
|
|
sig->group_stop_count++;
|
|
|
|
mask |= JOBCTL_STOP_CONSUME;
|
|
|
|
} else if (!(sig->flags & SIGNAL_STOP_STOPPED))
|
|
|
|
return;
|
|
|
|
|
2018-07-24 02:38:00 +08:00
|
|
|
/* Have the new thread join an on-going signal group stop */
|
ptrace: fix task_join_group_stop() for the case when current is traced
This testcase
#include <stdio.h>
#include <unistd.h>
#include <signal.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <pthread.h>
#include <assert.h>
void *tf(void *arg)
{
return NULL;
}
int main(void)
{
int pid = fork();
if (!pid) {
kill(getpid(), SIGSTOP);
pthread_t th;
pthread_create(&th, NULL, tf, NULL);
return 0;
}
waitpid(pid, NULL, WSTOPPED);
ptrace(PTRACE_SEIZE, pid, 0, PTRACE_O_TRACECLONE);
waitpid(pid, NULL, 0);
ptrace(PTRACE_CONT, pid, 0,0);
waitpid(pid, NULL, 0);
int status;
int thread = waitpid(-1, &status, 0);
assert(thread > 0 && thread != pid);
assert(status == 0x80137f);
return 0;
}
fails and triggers WARN_ON_ONCE(!signr) in do_jobctl_trap().
This is because task_join_group_stop() has 2 problems when current is traced:
1. We can't rely on the "JOBCTL_STOP_PENDING" check, a stopped tracee
can be woken up by debugger and it can clone another thread which
should join the group-stop.
We need to check group_stop_count || SIGNAL_STOP_STOPPED.
2. If SIGNAL_STOP_STOPPED is already set, we should not increment
sig->group_stop_count and add JOBCTL_STOP_CONSUME. The new thread
should stop without another do_notify_parent_cldstop() report.
To clarify, the problem is very old and we should blame
ptrace_init_task(). But now that we have task_join_group_stop() it makes
more sense to fix this helper to avoid the code duplication.
Reported-by: syzbot+3485e3773f7da290eecc@syzkaller.appspotmail.com
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: Christian Brauner <christian@brauner.io>
Cc: "Eric W . Biederman" <ebiederm@xmission.com>
Cc: Zhiqiang Liu <liuzhiqiang26@huawei.com>
Cc: Tejun Heo <tj@kernel.org>
Cc: <stable@vger.kernel.org>
Link: https://lkml.kernel.org/r/20201019134237.GA18810@redhat.com
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2020-11-02 09:07:44 +08:00
|
|
|
task_set_jobctl_pending(task, mask | JOBCTL_STOP_PENDING);
|
2018-07-24 02:38:00 +08:00
|
|
|
}
|
|
|
|
|
2008-11-14 07:39:19 +08:00
|
|
|
/*
|
|
|
|
* allocate a new signal queue record
|
|
|
|
* - this may be called without locks if and only if t == current, otherwise an
|
2011-04-05 05:59:31 +08:00
|
|
|
* appropriate lock must be held to stop the target task from exiting
|
2008-11-14 07:39:19 +08:00
|
|
|
*/
|
2009-11-08 23:46:42 +08:00
|
|
|
static struct sigqueue *
|
2021-03-22 17:19:42 +08:00
|
|
|
__sigqueue_alloc(int sig, struct task_struct *t, gfp_t gfp_flags,
|
|
|
|
int override_rlimit, const unsigned int sigqueue_flags)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
|
|
|
struct sigqueue *q = NULL;
|
2021-04-22 20:27:13 +08:00
|
|
|
struct ucounts *ucounts = NULL;
|
|
|
|
long sigpending;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2006-11-05 05:03:00 +08:00
|
|
|
/*
|
2009-12-10 08:53:21 +08:00
|
|
|
* Protect access to @t credentials. This can go away when all
|
|
|
|
* callers hold rcu read lock.
|
signal: avoid double atomic counter increments for user accounting
When queueing a signal, we increment both the users count of pending
signals (for RLIMIT_SIGPENDING tracking) and we increment the refcount
of the user struct itself (because we keep a reference to the user in
the signal structure in order to correctly account for it when freeing).
That turns out to be fairly expensive, because both of them are atomic
updates, and particularly under extreme signal handling pressure on big
machines, you can get a lot of cache contention on the user struct.
That can then cause horrid cacheline ping-pong when you do these
multiple accesses.
So change the reference counting to only pin the user for the _first_
pending signal, and to unpin it when the last pending signal is
dequeued. That means that when a user sees a lot of concurrent signal
queuing - which is the only situation when this matters - the only
atomic access needed is generally the 'sigpending' count update.
This was noticed because of a particularly odd timing artifact on a
dual-socket 96C/192T Cascade Lake platform: when you get into bad
contention, on that machine for some reason seems to be much worse when
the contention happens in the upper 32-byte half of the cacheline.
As a result, the kernel test robot will-it-scale 'signal1' benchmark had
an odd performance regression simply due to random alignment of the
'struct user_struct' (and pointed to a completely unrelated and
apparently nonsensical commit for the regression).
Avoiding the double increments (and decrements on the dequeueing side,
of course) makes for much less contention and hugely improved
performance on that will-it-scale microbenchmark.
Quoting Feng Tang:
"It makes a big difference, that the performance score is tripled! bump
from original 17000 to 54000. Also the gap between 5.0-rc6 and
5.0-rc6+Jiri's patch is reduced to around 2%"
[ The "2% gap" is the odd cacheline placement difference on that
platform: under the extreme contention case, the effect of which half
of the cacheline was hot was 5%, so with the reduced contention the
odd timing artifact is reduced too ]
It does help in the non-contended case too, but is not nearly as
noticeable.
Reported-and-tested-by: Feng Tang <feng.tang@intel.com>
Cc: Eric W. Biederman <ebiederm@xmission.com>
Cc: Huang, Ying <ying.huang@intel.com>
Cc: Philip Li <philip.li@intel.com>
Cc: Andi Kleen <andi.kleen@intel.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2020-02-25 04:47:14 +08:00
|
|
|
*
|
|
|
|
* NOTE! A pending signal will hold on to the user refcount,
|
|
|
|
* and we get/put the refcount only when the sigpending count
|
|
|
|
* changes from/to zero.
|
2006-11-05 05:03:00 +08:00
|
|
|
*/
|
2009-12-10 08:53:21 +08:00
|
|
|
rcu_read_lock();
|
2021-04-22 20:27:13 +08:00
|
|
|
ucounts = task_ucounts(t);
|
2021-10-17 04:59:49 +08:00
|
|
|
sigpending = inc_rlimit_get_ucounts(ucounts, UCOUNT_RLIMIT_SIGPENDING);
|
2009-12-10 08:53:21 +08:00
|
|
|
rcu_read_unlock();
|
2021-10-17 04:59:49 +08:00
|
|
|
if (!sigpending)
|
|
|
|
return NULL;
|
2009-11-08 23:46:42 +08:00
|
|
|
|
2021-07-08 18:33:01 +08:00
|
|
|
if (override_rlimit || likely(sigpending <= task_rlimit(t, RLIMIT_SIGPENDING))) {
|
Revert "signal: Allow tasks to cache one sigqueue struct"
This reverts commits 4bad58ebc8bc4f20d89cff95417c9b4674769709 (and
399f8dd9a866e107639eabd3c1979cd526ca3a98, which tried to fix it).
I do not believe these are correct, and I'm about to release 5.13, so am
reverting them out of an abundance of caution.
The locking is odd, and appears broken.
On the allocation side (in __sigqueue_alloc()), the locking is somewhat
straightforward: it depends on sighand->siglock. Since one caller
doesn't hold that lock, it further then tests 'sigqueue_flags' to avoid
the case with no locks held.
On the freeing side (in sigqueue_cache_or_free()), there is no locking
at all, and the logic instead depends on 'current' being a single
thread, and not able to race with itself.
To make things more exciting, there's also the data race between freeing
a signal and allocating one, which is handled by using WRITE_ONCE() and
READ_ONCE(), and being mutually exclusive wrt the initial state (ie
freeing will only free if the old state was NULL, while allocating will
obviously only use the value if it was non-NULL, so only one or the
other will actually act on the value).
However, while the free->alloc paths do seem mutually exclusive thanks
to just the data value dependency, it's not clear what the memory
ordering constraints are on it. Could writes from the previous
allocation possibly be delayed and seen by the new allocation later,
causing logical inconsistencies?
So it's all very exciting and unusual.
And in particular, it seems that the freeing side is incorrect in
depending on "current" being single-threaded. Yes, 'current' is a
single thread, but in the presense of asynchronous events even a single
thread can have data races.
And such asynchronous events can and do happen, with interrupts causing
signals to be flushed and thus free'd (for example - sending a
SIGCONT/SIGSTOP can happen from interrupt context, and can flush
previously queued process control signals).
So regardless of all the other questions about the memory ordering and
locking for this new cached allocation, the sigqueue_cache_or_free()
assumptions seem to be fundamentally incorrect.
It may be that people will show me the errors of my ways, and tell me
why this is all safe after all. We can reinstate it if so. But my
current belief is that the WRITE_ONCE() that sets the cached entry needs
to be a smp_store_release(), and the READ_ONCE() that finds a cached
entry needs to be a smp_load_acquire() to handle memory ordering
correctly.
And the sequence in sigqueue_cache_or_free() would need to either use a
lock or at least be interrupt-safe some way (perhaps by using something
like the percpu 'cmpxchg': it doesn't need to be SMP-safe, but like the
percpu operations it needs to be interrupt-safe).
Fixes: 399f8dd9a866 ("signal: Prevent sigqueue caching after task got released")
Fixes: 4bad58ebc8bc ("signal: Allow tasks to cache one sigqueue struct")
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2021-06-28 04:32:54 +08:00
|
|
|
q = kmem_cache_alloc(sigqueue_cachep, gfp_flags);
|
2009-11-08 23:46:42 +08:00
|
|
|
} else {
|
|
|
|
print_dropped_signal(sig);
|
|
|
|
}
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
if (unlikely(q == NULL)) {
|
2021-10-17 04:59:49 +08:00
|
|
|
dec_rlimit_put_ucounts(ucounts, UCOUNT_RLIMIT_SIGPENDING);
|
2005-04-17 06:20:36 +08:00
|
|
|
} else {
|
|
|
|
INIT_LIST_HEAD(&q->list);
|
2021-03-22 17:19:42 +08:00
|
|
|
q->flags = sigqueue_flags;
|
2021-04-22 20:27:13 +08:00
|
|
|
q->ucounts = ucounts;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management. This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
struct cred *new = prepare_creds();
int ret = blah(new);
if (ret < 0) {
abort_creds(new);
return ret;
}
return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const. The purpose of this is compile-time
discouragement of altering credentials through those pointers. Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
(1) Its reference count may incremented and decremented.
(2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
(1) execve().
This now prepares and commits credentials in various places in the
security code rather than altering the current creds directly.
(2) Temporary credential overrides.
do_coredump() and sys_faccessat() now prepare their own credentials and
temporarily override the ones currently on the acting thread, whilst
preventing interference from other threads by holding cred_replace_mutex
on the thread being dumped.
This will be replaced in a future patch by something that hands down the
credentials directly to the functions being called, rather than altering
the task's objective credentials.
(3) LSM interface.
A number of functions have been changed, added or removed:
(*) security_capset_check(), ->capset_check()
(*) security_capset_set(), ->capset_set()
Removed in favour of security_capset().
(*) security_capset(), ->capset()
New. This is passed a pointer to the new creds, a pointer to the old
creds and the proposed capability sets. It should fill in the new
creds or return an error. All pointers, barring the pointer to the
new creds, are now const.
(*) security_bprm_apply_creds(), ->bprm_apply_creds()
Changed; now returns a value, which will cause the process to be
killed if it's an error.
(*) security_task_alloc(), ->task_alloc_security()
Removed in favour of security_prepare_creds().
(*) security_cred_free(), ->cred_free()
New. Free security data attached to cred->security.
(*) security_prepare_creds(), ->cred_prepare()
New. Duplicate any security data attached to cred->security.
(*) security_commit_creds(), ->cred_commit()
New. Apply any security effects for the upcoming installation of new
security by commit_creds().
(*) security_task_post_setuid(), ->task_post_setuid()
Removed in favour of security_task_fix_setuid().
(*) security_task_fix_setuid(), ->task_fix_setuid()
Fix up the proposed new credentials for setuid(). This is used by
cap_set_fix_setuid() to implicitly adjust capabilities in line with
setuid() changes. Changes are made to the new credentials, rather
than the task itself as in security_task_post_setuid().
(*) security_task_reparent_to_init(), ->task_reparent_to_init()
Removed. Instead the task being reparented to init is referred
directly to init's credentials.
NOTE! This results in the loss of some state: SELinux's osid no
longer records the sid of the thread that forked it.
(*) security_key_alloc(), ->key_alloc()
(*) security_key_permission(), ->key_permission()
Changed. These now take cred pointers rather than task pointers to
refer to the security context.
(4) sys_capset().
This has been simplified and uses less locking. The LSM functions it
calls have been merged.
(5) reparent_to_kthreadd().
This gives the current thread the same credentials as init by simply using
commit_thread() to point that way.
(6) __sigqueue_alloc() and switch_uid()
__sigqueue_alloc() can't stop the target task from changing its creds
beneath it, so this function gets a reference to the currently applicable
user_struct which it then passes into the sigqueue struct it returns if
successful.
switch_uid() is now called from commit_creds(), and possibly should be
folded into that. commit_creds() should take care of protecting
__sigqueue_alloc().
(7) [sg]et[ug]id() and co and [sg]et_current_groups.
The set functions now all use prepare_creds(), commit_creds() and
abort_creds() to build and check a new set of credentials before applying
it.
security_task_set[ug]id() is called inside the prepared section. This
guarantees that nothing else will affect the creds until we've finished.
The calling of set_dumpable() has been moved into commit_creds().
Much of the functionality of set_user() has been moved into
commit_creds().
The get functions all simply access the data directly.
(8) security_task_prctl() and cap_task_prctl().
security_task_prctl() has been modified to return -ENOSYS if it doesn't
want to handle a function, or otherwise return the return value directly
rather than through an argument.
Additionally, cap_task_prctl() now prepares a new set of credentials, even
if it doesn't end up using it.
(9) Keyrings.
A number of changes have been made to the keyrings code:
(a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
all been dropped and built in to the credentials functions directly.
They may want separating out again later.
(b) key_alloc() and search_process_keyrings() now take a cred pointer
rather than a task pointer to specify the security context.
(c) copy_creds() gives a new thread within the same thread group a new
thread keyring if its parent had one, otherwise it discards the thread
keyring.
(d) The authorisation key now points directly to the credentials to extend
the search into rather pointing to the task that carries them.
(e) Installing thread, process or session keyrings causes a new set of
credentials to be created, even though it's not strictly necessary for
process or session keyrings (they're shared).
(10) Usermode helper.
The usermode helper code now carries a cred struct pointer in its
subprocess_info struct instead of a new session keyring pointer. This set
of credentials is derived from init_cred and installed on the new process
after it has been cloned.
call_usermodehelper_setup() allocates the new credentials and
call_usermodehelper_freeinfo() discards them if they haven't been used. A
special cred function (prepare_usermodeinfo_creds()) is provided
specifically for call_usermodehelper_setup() to call.
call_usermodehelper_setkeys() adjusts the credentials to sport the
supplied keyring as the new session keyring.
(11) SELinux.
SELinux has a number of changes, in addition to those to support the LSM
interface changes mentioned above:
(a) selinux_setprocattr() no longer does its check for whether the
current ptracer can access processes with the new SID inside the lock
that covers getting the ptracer's SID. Whilst this lock ensures that
the check is done with the ptracer pinned, the result is only valid
until the lock is released, so there's no point doing it inside the
lock.
(12) is_single_threaded().
This function has been extracted from selinux_setprocattr() and put into
a file of its own in the lib/ directory as join_session_keyring() now
wants to use it too.
The code in SELinux just checked to see whether a task shared mm_structs
with other tasks (CLONE_VM), but that isn't good enough. We really want
to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
The NFS server daemon now has to use the COW credentials to set the
credentials it is going to use. It really needs to pass the credentials
down to the functions it calls, but it can't do that until other patches
in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
2008-11-14 07:39:23 +08:00
|
|
|
return q;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
2006-02-03 19:04:41 +08:00
|
|
|
static void __sigqueue_free(struct sigqueue *q)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
|
|
|
if (q->flags & SIGQUEUE_PREALLOC)
|
|
|
|
return;
|
2021-10-17 04:59:49 +08:00
|
|
|
if (q->ucounts) {
|
|
|
|
dec_rlimit_put_ucounts(q->ucounts, UCOUNT_RLIMIT_SIGPENDING);
|
2021-04-22 20:27:13 +08:00
|
|
|
q->ucounts = NULL;
|
|
|
|
}
|
Revert "signal: Allow tasks to cache one sigqueue struct"
This reverts commits 4bad58ebc8bc4f20d89cff95417c9b4674769709 (and
399f8dd9a866e107639eabd3c1979cd526ca3a98, which tried to fix it).
I do not believe these are correct, and I'm about to release 5.13, so am
reverting them out of an abundance of caution.
The locking is odd, and appears broken.
On the allocation side (in __sigqueue_alloc()), the locking is somewhat
straightforward: it depends on sighand->siglock. Since one caller
doesn't hold that lock, it further then tests 'sigqueue_flags' to avoid
the case with no locks held.
On the freeing side (in sigqueue_cache_or_free()), there is no locking
at all, and the logic instead depends on 'current' being a single
thread, and not able to race with itself.
To make things more exciting, there's also the data race between freeing
a signal and allocating one, which is handled by using WRITE_ONCE() and
READ_ONCE(), and being mutually exclusive wrt the initial state (ie
freeing will only free if the old state was NULL, while allocating will
obviously only use the value if it was non-NULL, so only one or the
other will actually act on the value).
However, while the free->alloc paths do seem mutually exclusive thanks
to just the data value dependency, it's not clear what the memory
ordering constraints are on it. Could writes from the previous
allocation possibly be delayed and seen by the new allocation later,
causing logical inconsistencies?
So it's all very exciting and unusual.
And in particular, it seems that the freeing side is incorrect in
depending on "current" being single-threaded. Yes, 'current' is a
single thread, but in the presense of asynchronous events even a single
thread can have data races.
And such asynchronous events can and do happen, with interrupts causing
signals to be flushed and thus free'd (for example - sending a
SIGCONT/SIGSTOP can happen from interrupt context, and can flush
previously queued process control signals).
So regardless of all the other questions about the memory ordering and
locking for this new cached allocation, the sigqueue_cache_or_free()
assumptions seem to be fundamentally incorrect.
It may be that people will show me the errors of my ways, and tell me
why this is all safe after all. We can reinstate it if so. But my
current belief is that the WRITE_ONCE() that sets the cached entry needs
to be a smp_store_release(), and the READ_ONCE() that finds a cached
entry needs to be a smp_load_acquire() to handle memory ordering
correctly.
And the sequence in sigqueue_cache_or_free() would need to either use a
lock or at least be interrupt-safe some way (perhaps by using something
like the percpu 'cmpxchg': it doesn't need to be SMP-safe, but like the
percpu operations it needs to be interrupt-safe).
Fixes: 399f8dd9a866 ("signal: Prevent sigqueue caching after task got released")
Fixes: 4bad58ebc8bc ("signal: Allow tasks to cache one sigqueue struct")
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2021-06-28 04:32:54 +08:00
|
|
|
kmem_cache_free(sigqueue_cachep, q);
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
2006-03-29 08:11:18 +08:00
|
|
|
void flush_sigqueue(struct sigpending *queue)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
|
|
|
struct sigqueue *q;
|
|
|
|
|
|
|
|
sigemptyset(&queue->signal);
|
|
|
|
while (!list_empty(&queue->list)) {
|
|
|
|
q = list_entry(queue->list.next, struct sigqueue , list);
|
|
|
|
list_del_init(&q->list);
|
|
|
|
__sigqueue_free(q);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
2015-06-05 04:22:16 +08:00
|
|
|
* Flush all pending signals for this kthread.
|
2005-04-17 06:20:36 +08:00
|
|
|
*/
|
2006-03-29 08:11:17 +08:00
|
|
|
void flush_signals(struct task_struct *t)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
|
|
|
unsigned long flags;
|
|
|
|
|
|
|
|
spin_lock_irqsave(&t->sighand->siglock, flags);
|
2015-06-05 04:22:16 +08:00
|
|
|
clear_tsk_thread_flag(t, TIF_SIGPENDING);
|
|
|
|
flush_sigqueue(&t->pending);
|
|
|
|
flush_sigqueue(&t->signal->shared_pending);
|
2005-04-17 06:20:36 +08:00
|
|
|
spin_unlock_irqrestore(&t->sighand->siglock, flags);
|
|
|
|
}
|
2018-09-14 01:26:35 +08:00
|
|
|
EXPORT_SYMBOL(flush_signals);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
posix-timers: Make them configurable
Some embedded systems have no use for them. This removes about
25KB from the kernel binary size when configured out.
Corresponding syscalls are routed to a stub logging the attempt to
use those syscalls which should be enough of a clue if they were
disabled without proper consideration. They are: timer_create,
timer_gettime: timer_getoverrun, timer_settime, timer_delete,
clock_adjtime, setitimer, getitimer, alarm.
The clock_settime, clock_gettime, clock_getres and clock_nanosleep
syscalls are replaced by simple wrappers compatible with CLOCK_REALTIME,
CLOCK_MONOTONIC and CLOCK_BOOTTIME only which should cover the vast
majority of use cases with very little code.
Signed-off-by: Nicolas Pitre <nico@linaro.org>
Acked-by: Richard Cochran <richardcochran@gmail.com>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: John Stultz <john.stultz@linaro.org>
Reviewed-by: Josh Triplett <josh@joshtriplett.org>
Cc: Paul Bolle <pebolle@tiscali.nl>
Cc: linux-kbuild@vger.kernel.org
Cc: netdev@vger.kernel.org
Cc: Michal Marek <mmarek@suse.com>
Cc: Edward Cree <ecree@solarflare.com>
Link: http://lkml.kernel.org/r/1478841010-28605-7-git-send-email-nicolas.pitre@linaro.org
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
2016-11-11 13:10:10 +08:00
|
|
|
#ifdef CONFIG_POSIX_TIMERS
|
2008-05-27 00:55:42 +08:00
|
|
|
static void __flush_itimer_signals(struct sigpending *pending)
|
|
|
|
{
|
|
|
|
sigset_t signal, retain;
|
|
|
|
struct sigqueue *q, *n;
|
|
|
|
|
|
|
|
signal = pending->signal;
|
|
|
|
sigemptyset(&retain);
|
|
|
|
|
|
|
|
list_for_each_entry_safe(q, n, &pending->list, list) {
|
|
|
|
int sig = q->info.si_signo;
|
|
|
|
|
|
|
|
if (likely(q->info.si_code != SI_TIMER)) {
|
|
|
|
sigaddset(&retain, sig);
|
|
|
|
} else {
|
|
|
|
sigdelset(&signal, sig);
|
|
|
|
list_del_init(&q->list);
|
|
|
|
__sigqueue_free(q);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
sigorsets(&pending->signal, &signal, &retain);
|
|
|
|
}
|
|
|
|
|
|
|
|
void flush_itimer_signals(void)
|
|
|
|
{
|
|
|
|
struct task_struct *tsk = current;
|
|
|
|
unsigned long flags;
|
|
|
|
|
|
|
|
spin_lock_irqsave(&tsk->sighand->siglock, flags);
|
|
|
|
__flush_itimer_signals(&tsk->pending);
|
|
|
|
__flush_itimer_signals(&tsk->signal->shared_pending);
|
|
|
|
spin_unlock_irqrestore(&tsk->sighand->siglock, flags);
|
|
|
|
}
|
posix-timers: Make them configurable
Some embedded systems have no use for them. This removes about
25KB from the kernel binary size when configured out.
Corresponding syscalls are routed to a stub logging the attempt to
use those syscalls which should be enough of a clue if they were
disabled without proper consideration. They are: timer_create,
timer_gettime: timer_getoverrun, timer_settime, timer_delete,
clock_adjtime, setitimer, getitimer, alarm.
The clock_settime, clock_gettime, clock_getres and clock_nanosleep
syscalls are replaced by simple wrappers compatible with CLOCK_REALTIME,
CLOCK_MONOTONIC and CLOCK_BOOTTIME only which should cover the vast
majority of use cases with very little code.
Signed-off-by: Nicolas Pitre <nico@linaro.org>
Acked-by: Richard Cochran <richardcochran@gmail.com>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: John Stultz <john.stultz@linaro.org>
Reviewed-by: Josh Triplett <josh@joshtriplett.org>
Cc: Paul Bolle <pebolle@tiscali.nl>
Cc: linux-kbuild@vger.kernel.org
Cc: netdev@vger.kernel.org
Cc: Michal Marek <mmarek@suse.com>
Cc: Edward Cree <ecree@solarflare.com>
Link: http://lkml.kernel.org/r/1478841010-28605-7-git-send-email-nicolas.pitre@linaro.org
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
2016-11-11 13:10:10 +08:00
|
|
|
#endif
|
2008-05-27 00:55:42 +08:00
|
|
|
|
2007-05-09 17:34:37 +08:00
|
|
|
void ignore_signals(struct task_struct *t)
|
|
|
|
{
|
|
|
|
int i;
|
|
|
|
|
|
|
|
for (i = 0; i < _NSIG; ++i)
|
|
|
|
t->sighand->action[i].sa.sa_handler = SIG_IGN;
|
|
|
|
|
|
|
|
flush_signals(t);
|
|
|
|
}
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
/*
|
|
|
|
* Flush all handlers for a task.
|
|
|
|
*/
|
|
|
|
|
|
|
|
void
|
|
|
|
flush_signal_handlers(struct task_struct *t, int force_default)
|
|
|
|
{
|
|
|
|
int i;
|
|
|
|
struct k_sigaction *ka = &t->sighand->action[0];
|
|
|
|
for (i = _NSIG ; i != 0 ; i--) {
|
|
|
|
if (force_default || ka->sa.sa_handler != SIG_IGN)
|
|
|
|
ka->sa.sa_handler = SIG_DFL;
|
|
|
|
ka->sa.sa_flags = 0;
|
2013-03-14 05:59:34 +08:00
|
|
|
#ifdef __ARCH_HAS_SA_RESTORER
|
2013-03-14 05:59:33 +08:00
|
|
|
ka->sa.sa_restorer = NULL;
|
|
|
|
#endif
|
2005-04-17 06:20:36 +08:00
|
|
|
sigemptyset(&ka->sa.sa_mask);
|
|
|
|
ka++;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2018-08-22 13:00:34 +08:00
|
|
|
bool unhandled_signal(struct task_struct *tsk, int sig)
|
2007-07-22 17:12:28 +08:00
|
|
|
{
|
2008-07-26 10:45:52 +08:00
|
|
|
void __user *handler = tsk->sighand->action[sig-1].sa.sa_handler;
|
2007-10-19 14:39:52 +08:00
|
|
|
if (is_global_init(tsk))
|
2018-08-22 13:00:34 +08:00
|
|
|
return true;
|
|
|
|
|
2008-07-26 10:45:52 +08:00
|
|
|
if (handler != SIG_IGN && handler != SIG_DFL)
|
2018-08-22 13:00:34 +08:00
|
|
|
return false;
|
|
|
|
|
2011-06-17 22:50:37 +08:00
|
|
|
/* if ptraced, let the tracer determine */
|
|
|
|
return !tsk->ptrace;
|
2007-07-22 17:12:28 +08:00
|
|
|
}
|
|
|
|
|
2018-09-25 17:27:20 +08:00
|
|
|
static void collect_signal(int sig, struct sigpending *list, kernel_siginfo_t *info,
|
signal: Only reschedule timers on signals timers have sent
Thomas Gleixner wrote:
> The CRIU support added a 'feature' which allows a user space task to send
> arbitrary (kernel) signals to itself. The changelog says:
>
> The kernel prevents sending of siginfo with positive si_code, because
> these codes are reserved for kernel. I think we can allow a task to
> send such a siginfo to itself. This operation should not be dangerous.
>
> Quite contrary to that claim, it turns out that it is outright dangerous
> for signals with info->si_code == SI_TIMER. The following code sequence in
> a user space task allows to crash the kernel:
>
> id = timer_create(CLOCK_XXX, ..... signo = SIGX);
> timer_set(id, ....);
> info->si_signo = SIGX;
> info->si_code = SI_TIMER:
> info->_sifields._timer._tid = id;
> info->_sifields._timer._sys_private = 2;
> rt_[tg]sigqueueinfo(..., SIGX, info);
> sigemptyset(&sigset);
> sigaddset(&sigset, SIGX);
> rt_sigtimedwait(sigset, info);
>
> For timers based on CLOCK_PROCESS_CPUTIME_ID, CLOCK_THREAD_CPUTIME_ID this
> results in a kernel crash because sigwait() dequeues the signal and the
> dequeue code observes:
>
> info->si_code == SI_TIMER && info->_sifields._timer._sys_private != 0
>
> which triggers the following callchain:
>
> do_schedule_next_timer() -> posix_cpu_timer_schedule() -> arm_timer()
>
> arm_timer() executes a list_add() on the timer, which is already armed via
> the timer_set() syscall. That's a double list add which corrupts the posix
> cpu timer list. As a consequence the kernel crashes on the next operation
> touching the posix cpu timer list.
>
> Posix clocks which are internally implemented based on hrtimers are not
> affected by this because hrtimer_start() can handle already armed timers
> nicely, but it's a reliable way to trigger the WARN_ON() in
> hrtimer_forward(), which complains about calling that function on an
> already armed timer.
This problem has existed since the posix timer code was merged into
2.5.63. A few releases earlier in 2.5.60 ptrace gained the ability to
inject not just a signal (which linux has supported since 1.0) but the
full siginfo of a signal.
The core problem is that the code will reschedule in response to
signals getting dequeued not just for signals the timers sent but
for other signals that happen to a si_code of SI_TIMER.
Avoid this confusion by testing to see if the queued signal was
preallocated as all timer signals are preallocated, and so far
only the timer code preallocates signals.
Move the check for if a timer needs to be rescheduled up into
collect_signal where the preallocation check must be performed,
and pass the result back to dequeue_signal where the code reschedules
timers. This makes it clear why the code cares about preallocated
timers.
Cc: stable@vger.kernel.org
Reported-by: Thomas Gleixner <tglx@linutronix.de>
History Tree: https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git
Reference: 66dd34ad31e5 ("signal: allow to send any siginfo to itself")
Reference: 1669ce53e2ff ("Add PTRACE_GETSIGINFO and PTRACE_SETSIGINFO")
Fixes: db8b50ba75f2 ("[PATCH] POSIX clocks & timers")
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2017-06-13 17:31:16 +08:00
|
|
|
bool *resched_timer)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
|
|
|
struct sigqueue *q, *first = NULL;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Collect the siginfo appropriate to this signal. Check if
|
|
|
|
* there is another siginfo for the same signal.
|
|
|
|
*/
|
|
|
|
list_for_each_entry(q, &list->list, list) {
|
|
|
|
if (q->info.si_signo == sig) {
|
2008-07-25 16:47:28 +08:00
|
|
|
if (first)
|
|
|
|
goto still_pending;
|
2005-04-17 06:20:36 +08:00
|
|
|
first = q;
|
|
|
|
}
|
|
|
|
}
|
2008-07-25 16:47:28 +08:00
|
|
|
|
|
|
|
sigdelset(&list->signal, sig);
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
if (first) {
|
2008-07-25 16:47:28 +08:00
|
|
|
still_pending:
|
2005-04-17 06:20:36 +08:00
|
|
|
list_del_init(&first->list);
|
|
|
|
copy_siginfo(info, &first->info);
|
signal: Only reschedule timers on signals timers have sent
Thomas Gleixner wrote:
> The CRIU support added a 'feature' which allows a user space task to send
> arbitrary (kernel) signals to itself. The changelog says:
>
> The kernel prevents sending of siginfo with positive si_code, because
> these codes are reserved for kernel. I think we can allow a task to
> send such a siginfo to itself. This operation should not be dangerous.
>
> Quite contrary to that claim, it turns out that it is outright dangerous
> for signals with info->si_code == SI_TIMER. The following code sequence in
> a user space task allows to crash the kernel:
>
> id = timer_create(CLOCK_XXX, ..... signo = SIGX);
> timer_set(id, ....);
> info->si_signo = SIGX;
> info->si_code = SI_TIMER:
> info->_sifields._timer._tid = id;
> info->_sifields._timer._sys_private = 2;
> rt_[tg]sigqueueinfo(..., SIGX, info);
> sigemptyset(&sigset);
> sigaddset(&sigset, SIGX);
> rt_sigtimedwait(sigset, info);
>
> For timers based on CLOCK_PROCESS_CPUTIME_ID, CLOCK_THREAD_CPUTIME_ID this
> results in a kernel crash because sigwait() dequeues the signal and the
> dequeue code observes:
>
> info->si_code == SI_TIMER && info->_sifields._timer._sys_private != 0
>
> which triggers the following callchain:
>
> do_schedule_next_timer() -> posix_cpu_timer_schedule() -> arm_timer()
>
> arm_timer() executes a list_add() on the timer, which is already armed via
> the timer_set() syscall. That's a double list add which corrupts the posix
> cpu timer list. As a consequence the kernel crashes on the next operation
> touching the posix cpu timer list.
>
> Posix clocks which are internally implemented based on hrtimers are not
> affected by this because hrtimer_start() can handle already armed timers
> nicely, but it's a reliable way to trigger the WARN_ON() in
> hrtimer_forward(), which complains about calling that function on an
> already armed timer.
This problem has existed since the posix timer code was merged into
2.5.63. A few releases earlier in 2.5.60 ptrace gained the ability to
inject not just a signal (which linux has supported since 1.0) but the
full siginfo of a signal.
The core problem is that the code will reschedule in response to
signals getting dequeued not just for signals the timers sent but
for other signals that happen to a si_code of SI_TIMER.
Avoid this confusion by testing to see if the queued signal was
preallocated as all timer signals are preallocated, and so far
only the timer code preallocates signals.
Move the check for if a timer needs to be rescheduled up into
collect_signal where the preallocation check must be performed,
and pass the result back to dequeue_signal where the code reschedules
timers. This makes it clear why the code cares about preallocated
timers.
Cc: stable@vger.kernel.org
Reported-by: Thomas Gleixner <tglx@linutronix.de>
History Tree: https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git
Reference: 66dd34ad31e5 ("signal: allow to send any siginfo to itself")
Reference: 1669ce53e2ff ("Add PTRACE_GETSIGINFO and PTRACE_SETSIGINFO")
Fixes: db8b50ba75f2 ("[PATCH] POSIX clocks & timers")
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2017-06-13 17:31:16 +08:00
|
|
|
|
|
|
|
*resched_timer =
|
|
|
|
(first->flags & SIGQUEUE_PREALLOC) &&
|
|
|
|
(info->si_code == SI_TIMER) &&
|
|
|
|
(info->si_sys_private);
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
__sigqueue_free(first);
|
|
|
|
} else {
|
2011-04-05 05:59:31 +08:00
|
|
|
/*
|
|
|
|
* Ok, it wasn't in the queue. This must be
|
|
|
|
* a fast-pathed signal or we must have been
|
|
|
|
* out of queue space. So zero out the info.
|
2005-04-17 06:20:36 +08:00
|
|
|
*/
|
2018-01-06 07:27:42 +08:00
|
|
|
clear_siginfo(info);
|
2005-04-17 06:20:36 +08:00
|
|
|
info->si_signo = sig;
|
|
|
|
info->si_errno = 0;
|
2009-12-16 08:47:24 +08:00
|
|
|
info->si_code = SI_USER;
|
2005-04-17 06:20:36 +08:00
|
|
|
info->si_pid = 0;
|
|
|
|
info->si_uid = 0;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
static int __dequeue_signal(struct sigpending *pending, sigset_t *mask,
|
2018-09-25 17:27:20 +08:00
|
|
|
kernel_siginfo_t *info, bool *resched_timer)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2006-09-29 17:00:31 +08:00
|
|
|
int sig = next_signal(pending, mask);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2015-11-07 08:32:19 +08:00
|
|
|
if (sig)
|
signal: Only reschedule timers on signals timers have sent
Thomas Gleixner wrote:
> The CRIU support added a 'feature' which allows a user space task to send
> arbitrary (kernel) signals to itself. The changelog says:
>
> The kernel prevents sending of siginfo with positive si_code, because
> these codes are reserved for kernel. I think we can allow a task to
> send such a siginfo to itself. This operation should not be dangerous.
>
> Quite contrary to that claim, it turns out that it is outright dangerous
> for signals with info->si_code == SI_TIMER. The following code sequence in
> a user space task allows to crash the kernel:
>
> id = timer_create(CLOCK_XXX, ..... signo = SIGX);
> timer_set(id, ....);
> info->si_signo = SIGX;
> info->si_code = SI_TIMER:
> info->_sifields._timer._tid = id;
> info->_sifields._timer._sys_private = 2;
> rt_[tg]sigqueueinfo(..., SIGX, info);
> sigemptyset(&sigset);
> sigaddset(&sigset, SIGX);
> rt_sigtimedwait(sigset, info);
>
> For timers based on CLOCK_PROCESS_CPUTIME_ID, CLOCK_THREAD_CPUTIME_ID this
> results in a kernel crash because sigwait() dequeues the signal and the
> dequeue code observes:
>
> info->si_code == SI_TIMER && info->_sifields._timer._sys_private != 0
>
> which triggers the following callchain:
>
> do_schedule_next_timer() -> posix_cpu_timer_schedule() -> arm_timer()
>
> arm_timer() executes a list_add() on the timer, which is already armed via
> the timer_set() syscall. That's a double list add which corrupts the posix
> cpu timer list. As a consequence the kernel crashes on the next operation
> touching the posix cpu timer list.
>
> Posix clocks which are internally implemented based on hrtimers are not
> affected by this because hrtimer_start() can handle already armed timers
> nicely, but it's a reliable way to trigger the WARN_ON() in
> hrtimer_forward(), which complains about calling that function on an
> already armed timer.
This problem has existed since the posix timer code was merged into
2.5.63. A few releases earlier in 2.5.60 ptrace gained the ability to
inject not just a signal (which linux has supported since 1.0) but the
full siginfo of a signal.
The core problem is that the code will reschedule in response to
signals getting dequeued not just for signals the timers sent but
for other signals that happen to a si_code of SI_TIMER.
Avoid this confusion by testing to see if the queued signal was
preallocated as all timer signals are preallocated, and so far
only the timer code preallocates signals.
Move the check for if a timer needs to be rescheduled up into
collect_signal where the preallocation check must be performed,
and pass the result back to dequeue_signal where the code reschedules
timers. This makes it clear why the code cares about preallocated
timers.
Cc: stable@vger.kernel.org
Reported-by: Thomas Gleixner <tglx@linutronix.de>
History Tree: https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git
Reference: 66dd34ad31e5 ("signal: allow to send any siginfo to itself")
Reference: 1669ce53e2ff ("Add PTRACE_GETSIGINFO and PTRACE_SETSIGINFO")
Fixes: db8b50ba75f2 ("[PATCH] POSIX clocks & timers")
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2017-06-13 17:31:16 +08:00
|
|
|
collect_signal(sig, pending, info, resched_timer);
|
2005-04-17 06:20:36 +08:00
|
|
|
return sig;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
2011-04-05 05:59:31 +08:00
|
|
|
* Dequeue a signal and return the element to the caller, which is
|
2005-04-17 06:20:36 +08:00
|
|
|
* expected to free it.
|
|
|
|
*
|
|
|
|
* All callers have to hold the siglock.
|
|
|
|
*/
|
2021-11-16 03:47:13 +08:00
|
|
|
int dequeue_signal(struct task_struct *tsk, sigset_t *mask,
|
|
|
|
kernel_siginfo_t *info, enum pid_type *type)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
signal: Only reschedule timers on signals timers have sent
Thomas Gleixner wrote:
> The CRIU support added a 'feature' which allows a user space task to send
> arbitrary (kernel) signals to itself. The changelog says:
>
> The kernel prevents sending of siginfo with positive si_code, because
> these codes are reserved for kernel. I think we can allow a task to
> send such a siginfo to itself. This operation should not be dangerous.
>
> Quite contrary to that claim, it turns out that it is outright dangerous
> for signals with info->si_code == SI_TIMER. The following code sequence in
> a user space task allows to crash the kernel:
>
> id = timer_create(CLOCK_XXX, ..... signo = SIGX);
> timer_set(id, ....);
> info->si_signo = SIGX;
> info->si_code = SI_TIMER:
> info->_sifields._timer._tid = id;
> info->_sifields._timer._sys_private = 2;
> rt_[tg]sigqueueinfo(..., SIGX, info);
> sigemptyset(&sigset);
> sigaddset(&sigset, SIGX);
> rt_sigtimedwait(sigset, info);
>
> For timers based on CLOCK_PROCESS_CPUTIME_ID, CLOCK_THREAD_CPUTIME_ID this
> results in a kernel crash because sigwait() dequeues the signal and the
> dequeue code observes:
>
> info->si_code == SI_TIMER && info->_sifields._timer._sys_private != 0
>
> which triggers the following callchain:
>
> do_schedule_next_timer() -> posix_cpu_timer_schedule() -> arm_timer()
>
> arm_timer() executes a list_add() on the timer, which is already armed via
> the timer_set() syscall. That's a double list add which corrupts the posix
> cpu timer list. As a consequence the kernel crashes on the next operation
> touching the posix cpu timer list.
>
> Posix clocks which are internally implemented based on hrtimers are not
> affected by this because hrtimer_start() can handle already armed timers
> nicely, but it's a reliable way to trigger the WARN_ON() in
> hrtimer_forward(), which complains about calling that function on an
> already armed timer.
This problem has existed since the posix timer code was merged into
2.5.63. A few releases earlier in 2.5.60 ptrace gained the ability to
inject not just a signal (which linux has supported since 1.0) but the
full siginfo of a signal.
The core problem is that the code will reschedule in response to
signals getting dequeued not just for signals the timers sent but
for other signals that happen to a si_code of SI_TIMER.
Avoid this confusion by testing to see if the queued signal was
preallocated as all timer signals are preallocated, and so far
only the timer code preallocates signals.
Move the check for if a timer needs to be rescheduled up into
collect_signal where the preallocation check must be performed,
and pass the result back to dequeue_signal where the code reschedules
timers. This makes it clear why the code cares about preallocated
timers.
Cc: stable@vger.kernel.org
Reported-by: Thomas Gleixner <tglx@linutronix.de>
History Tree: https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git
Reference: 66dd34ad31e5 ("signal: allow to send any siginfo to itself")
Reference: 1669ce53e2ff ("Add PTRACE_GETSIGINFO and PTRACE_SETSIGINFO")
Fixes: db8b50ba75f2 ("[PATCH] POSIX clocks & timers")
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2017-06-13 17:31:16 +08:00
|
|
|
bool resched_timer = false;
|
2008-04-30 15:52:40 +08:00
|
|
|
int signr;
|
2007-06-12 06:16:18 +08:00
|
|
|
|
|
|
|
/* We only dequeue private signals from ourselves, we don't let
|
|
|
|
* signalfd steal them
|
|
|
|
*/
|
2021-11-16 03:47:13 +08:00
|
|
|
*type = PIDTYPE_PID;
|
signal: Only reschedule timers on signals timers have sent
Thomas Gleixner wrote:
> The CRIU support added a 'feature' which allows a user space task to send
> arbitrary (kernel) signals to itself. The changelog says:
>
> The kernel prevents sending of siginfo with positive si_code, because
> these codes are reserved for kernel. I think we can allow a task to
> send such a siginfo to itself. This operation should not be dangerous.
>
> Quite contrary to that claim, it turns out that it is outright dangerous
> for signals with info->si_code == SI_TIMER. The following code sequence in
> a user space task allows to crash the kernel:
>
> id = timer_create(CLOCK_XXX, ..... signo = SIGX);
> timer_set(id, ....);
> info->si_signo = SIGX;
> info->si_code = SI_TIMER:
> info->_sifields._timer._tid = id;
> info->_sifields._timer._sys_private = 2;
> rt_[tg]sigqueueinfo(..., SIGX, info);
> sigemptyset(&sigset);
> sigaddset(&sigset, SIGX);
> rt_sigtimedwait(sigset, info);
>
> For timers based on CLOCK_PROCESS_CPUTIME_ID, CLOCK_THREAD_CPUTIME_ID this
> results in a kernel crash because sigwait() dequeues the signal and the
> dequeue code observes:
>
> info->si_code == SI_TIMER && info->_sifields._timer._sys_private != 0
>
> which triggers the following callchain:
>
> do_schedule_next_timer() -> posix_cpu_timer_schedule() -> arm_timer()
>
> arm_timer() executes a list_add() on the timer, which is already armed via
> the timer_set() syscall. That's a double list add which corrupts the posix
> cpu timer list. As a consequence the kernel crashes on the next operation
> touching the posix cpu timer list.
>
> Posix clocks which are internally implemented based on hrtimers are not
> affected by this because hrtimer_start() can handle already armed timers
> nicely, but it's a reliable way to trigger the WARN_ON() in
> hrtimer_forward(), which complains about calling that function on an
> already armed timer.
This problem has existed since the posix timer code was merged into
2.5.63. A few releases earlier in 2.5.60 ptrace gained the ability to
inject not just a signal (which linux has supported since 1.0) but the
full siginfo of a signal.
The core problem is that the code will reschedule in response to
signals getting dequeued not just for signals the timers sent but
for other signals that happen to a si_code of SI_TIMER.
Avoid this confusion by testing to see if the queued signal was
preallocated as all timer signals are preallocated, and so far
only the timer code preallocates signals.
Move the check for if a timer needs to be rescheduled up into
collect_signal where the preallocation check must be performed,
and pass the result back to dequeue_signal where the code reschedules
timers. This makes it clear why the code cares about preallocated
timers.
Cc: stable@vger.kernel.org
Reported-by: Thomas Gleixner <tglx@linutronix.de>
History Tree: https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git
Reference: 66dd34ad31e5 ("signal: allow to send any siginfo to itself")
Reference: 1669ce53e2ff ("Add PTRACE_GETSIGINFO and PTRACE_SETSIGINFO")
Fixes: db8b50ba75f2 ("[PATCH] POSIX clocks & timers")
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2017-06-13 17:31:16 +08:00
|
|
|
signr = __dequeue_signal(&tsk->pending, mask, info, &resched_timer);
|
2007-02-16 17:28:12 +08:00
|
|
|
if (!signr) {
|
2021-11-16 03:47:13 +08:00
|
|
|
*type = PIDTYPE_TGID;
|
2005-04-17 06:20:36 +08:00
|
|
|
signr = __dequeue_signal(&tsk->signal->shared_pending,
|
signal: Only reschedule timers on signals timers have sent
Thomas Gleixner wrote:
> The CRIU support added a 'feature' which allows a user space task to send
> arbitrary (kernel) signals to itself. The changelog says:
>
> The kernel prevents sending of siginfo with positive si_code, because
> these codes are reserved for kernel. I think we can allow a task to
> send such a siginfo to itself. This operation should not be dangerous.
>
> Quite contrary to that claim, it turns out that it is outright dangerous
> for signals with info->si_code == SI_TIMER. The following code sequence in
> a user space task allows to crash the kernel:
>
> id = timer_create(CLOCK_XXX, ..... signo = SIGX);
> timer_set(id, ....);
> info->si_signo = SIGX;
> info->si_code = SI_TIMER:
> info->_sifields._timer._tid = id;
> info->_sifields._timer._sys_private = 2;
> rt_[tg]sigqueueinfo(..., SIGX, info);
> sigemptyset(&sigset);
> sigaddset(&sigset, SIGX);
> rt_sigtimedwait(sigset, info);
>
> For timers based on CLOCK_PROCESS_CPUTIME_ID, CLOCK_THREAD_CPUTIME_ID this
> results in a kernel crash because sigwait() dequeues the signal and the
> dequeue code observes:
>
> info->si_code == SI_TIMER && info->_sifields._timer._sys_private != 0
>
> which triggers the following callchain:
>
> do_schedule_next_timer() -> posix_cpu_timer_schedule() -> arm_timer()
>
> arm_timer() executes a list_add() on the timer, which is already armed via
> the timer_set() syscall. That's a double list add which corrupts the posix
> cpu timer list. As a consequence the kernel crashes on the next operation
> touching the posix cpu timer list.
>
> Posix clocks which are internally implemented based on hrtimers are not
> affected by this because hrtimer_start() can handle already armed timers
> nicely, but it's a reliable way to trigger the WARN_ON() in
> hrtimer_forward(), which complains about calling that function on an
> already armed timer.
This problem has existed since the posix timer code was merged into
2.5.63. A few releases earlier in 2.5.60 ptrace gained the ability to
inject not just a signal (which linux has supported since 1.0) but the
full siginfo of a signal.
The core problem is that the code will reschedule in response to
signals getting dequeued not just for signals the timers sent but
for other signals that happen to a si_code of SI_TIMER.
Avoid this confusion by testing to see if the queued signal was
preallocated as all timer signals are preallocated, and so far
only the timer code preallocates signals.
Move the check for if a timer needs to be rescheduled up into
collect_signal where the preallocation check must be performed,
and pass the result back to dequeue_signal where the code reschedules
timers. This makes it clear why the code cares about preallocated
timers.
Cc: stable@vger.kernel.org
Reported-by: Thomas Gleixner <tglx@linutronix.de>
History Tree: https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git
Reference: 66dd34ad31e5 ("signal: allow to send any siginfo to itself")
Reference: 1669ce53e2ff ("Add PTRACE_GETSIGINFO and PTRACE_SETSIGINFO")
Fixes: db8b50ba75f2 ("[PATCH] POSIX clocks & timers")
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2017-06-13 17:31:16 +08:00
|
|
|
mask, info, &resched_timer);
|
posix-timers: Make them configurable
Some embedded systems have no use for them. This removes about
25KB from the kernel binary size when configured out.
Corresponding syscalls are routed to a stub logging the attempt to
use those syscalls which should be enough of a clue if they were
disabled without proper consideration. They are: timer_create,
timer_gettime: timer_getoverrun, timer_settime, timer_delete,
clock_adjtime, setitimer, getitimer, alarm.
The clock_settime, clock_gettime, clock_getres and clock_nanosleep
syscalls are replaced by simple wrappers compatible with CLOCK_REALTIME,
CLOCK_MONOTONIC and CLOCK_BOOTTIME only which should cover the vast
majority of use cases with very little code.
Signed-off-by: Nicolas Pitre <nico@linaro.org>
Acked-by: Richard Cochran <richardcochran@gmail.com>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: John Stultz <john.stultz@linaro.org>
Reviewed-by: Josh Triplett <josh@joshtriplett.org>
Cc: Paul Bolle <pebolle@tiscali.nl>
Cc: linux-kbuild@vger.kernel.org
Cc: netdev@vger.kernel.org
Cc: Michal Marek <mmarek@suse.com>
Cc: Edward Cree <ecree@solarflare.com>
Link: http://lkml.kernel.org/r/1478841010-28605-7-git-send-email-nicolas.pitre@linaro.org
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
2016-11-11 13:10:10 +08:00
|
|
|
#ifdef CONFIG_POSIX_TIMERS
|
2007-02-16 17:28:12 +08:00
|
|
|
/*
|
|
|
|
* itimer signal ?
|
|
|
|
*
|
|
|
|
* itimers are process shared and we restart periodic
|
|
|
|
* itimers in the signal delivery path to prevent DoS
|
|
|
|
* attacks in the high resolution timer case. This is
|
2011-04-05 05:59:31 +08:00
|
|
|
* compliant with the old way of self-restarting
|
2007-02-16 17:28:12 +08:00
|
|
|
* itimers, as the SIGALRM is a legacy signal and only
|
|
|
|
* queued once. Changing the restart behaviour to
|
|
|
|
* restart the timer in the signal dequeue path is
|
|
|
|
* reducing the timer noise on heavy loaded !highres
|
|
|
|
* systems too.
|
|
|
|
*/
|
|
|
|
if (unlikely(signr == SIGALRM)) {
|
|
|
|
struct hrtimer *tmr = &tsk->signal->real_timer;
|
|
|
|
|
|
|
|
if (!hrtimer_is_queued(tmr) &&
|
2016-12-25 18:38:40 +08:00
|
|
|
tsk->signal->it_real_incr != 0) {
|
2007-02-16 17:28:12 +08:00
|
|
|
hrtimer_forward(tmr, tmr->base->get_time(),
|
|
|
|
tsk->signal->it_real_incr);
|
|
|
|
hrtimer_restart(tmr);
|
|
|
|
}
|
|
|
|
}
|
posix-timers: Make them configurable
Some embedded systems have no use for them. This removes about
25KB from the kernel binary size when configured out.
Corresponding syscalls are routed to a stub logging the attempt to
use those syscalls which should be enough of a clue if they were
disabled without proper consideration. They are: timer_create,
timer_gettime: timer_getoverrun, timer_settime, timer_delete,
clock_adjtime, setitimer, getitimer, alarm.
The clock_settime, clock_gettime, clock_getres and clock_nanosleep
syscalls are replaced by simple wrappers compatible with CLOCK_REALTIME,
CLOCK_MONOTONIC and CLOCK_BOOTTIME only which should cover the vast
majority of use cases with very little code.
Signed-off-by: Nicolas Pitre <nico@linaro.org>
Acked-by: Richard Cochran <richardcochran@gmail.com>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: John Stultz <john.stultz@linaro.org>
Reviewed-by: Josh Triplett <josh@joshtriplett.org>
Cc: Paul Bolle <pebolle@tiscali.nl>
Cc: linux-kbuild@vger.kernel.org
Cc: netdev@vger.kernel.org
Cc: Michal Marek <mmarek@suse.com>
Cc: Edward Cree <ecree@solarflare.com>
Link: http://lkml.kernel.org/r/1478841010-28605-7-git-send-email-nicolas.pitre@linaro.org
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
2016-11-11 13:10:10 +08:00
|
|
|
#endif
|
2007-02-16 17:28:12 +08:00
|
|
|
}
|
2008-04-30 15:52:40 +08:00
|
|
|
|
2007-09-21 03:40:16 +08:00
|
|
|
recalc_sigpending();
|
2008-04-30 15:52:40 +08:00
|
|
|
if (!signr)
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
if (unlikely(sig_kernel_stop(signr))) {
|
2007-02-16 17:28:12 +08:00
|
|
|
/*
|
|
|
|
* Set a marker that we have dequeued a stop signal. Our
|
|
|
|
* caller might release the siglock and then the pending
|
|
|
|
* stop signal it is about to process is no longer in the
|
|
|
|
* pending bitmasks, but must still be cleared by a SIGCONT
|
|
|
|
* (and overruled by a SIGKILL). So those cases clear this
|
|
|
|
* shared flag after we've set it. Note that this flag may
|
|
|
|
* remain set after the signal we return is ignored or
|
|
|
|
* handled. That doesn't matter because its only purpose
|
|
|
|
* is to alert stop-signal processing code when another
|
|
|
|
* processor has come along and cleared the flag.
|
|
|
|
*/
|
2011-06-02 17:13:59 +08:00
|
|
|
current->jobctl |= JOBCTL_STOP_DEQUEUED;
|
2007-02-16 17:28:12 +08:00
|
|
|
}
|
posix-timers: Make them configurable
Some embedded systems have no use for them. This removes about
25KB from the kernel binary size when configured out.
Corresponding syscalls are routed to a stub logging the attempt to
use those syscalls which should be enough of a clue if they were
disabled without proper consideration. They are: timer_create,
timer_gettime: timer_getoverrun, timer_settime, timer_delete,
clock_adjtime, setitimer, getitimer, alarm.
The clock_settime, clock_gettime, clock_getres and clock_nanosleep
syscalls are replaced by simple wrappers compatible with CLOCK_REALTIME,
CLOCK_MONOTONIC and CLOCK_BOOTTIME only which should cover the vast
majority of use cases with very little code.
Signed-off-by: Nicolas Pitre <nico@linaro.org>
Acked-by: Richard Cochran <richardcochran@gmail.com>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: John Stultz <john.stultz@linaro.org>
Reviewed-by: Josh Triplett <josh@joshtriplett.org>
Cc: Paul Bolle <pebolle@tiscali.nl>
Cc: linux-kbuild@vger.kernel.org
Cc: netdev@vger.kernel.org
Cc: Michal Marek <mmarek@suse.com>
Cc: Edward Cree <ecree@solarflare.com>
Link: http://lkml.kernel.org/r/1478841010-28605-7-git-send-email-nicolas.pitre@linaro.org
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
2016-11-11 13:10:10 +08:00
|
|
|
#ifdef CONFIG_POSIX_TIMERS
|
signal: Only reschedule timers on signals timers have sent
Thomas Gleixner wrote:
> The CRIU support added a 'feature' which allows a user space task to send
> arbitrary (kernel) signals to itself. The changelog says:
>
> The kernel prevents sending of siginfo with positive si_code, because
> these codes are reserved for kernel. I think we can allow a task to
> send such a siginfo to itself. This operation should not be dangerous.
>
> Quite contrary to that claim, it turns out that it is outright dangerous
> for signals with info->si_code == SI_TIMER. The following code sequence in
> a user space task allows to crash the kernel:
>
> id = timer_create(CLOCK_XXX, ..... signo = SIGX);
> timer_set(id, ....);
> info->si_signo = SIGX;
> info->si_code = SI_TIMER:
> info->_sifields._timer._tid = id;
> info->_sifields._timer._sys_private = 2;
> rt_[tg]sigqueueinfo(..., SIGX, info);
> sigemptyset(&sigset);
> sigaddset(&sigset, SIGX);
> rt_sigtimedwait(sigset, info);
>
> For timers based on CLOCK_PROCESS_CPUTIME_ID, CLOCK_THREAD_CPUTIME_ID this
> results in a kernel crash because sigwait() dequeues the signal and the
> dequeue code observes:
>
> info->si_code == SI_TIMER && info->_sifields._timer._sys_private != 0
>
> which triggers the following callchain:
>
> do_schedule_next_timer() -> posix_cpu_timer_schedule() -> arm_timer()
>
> arm_timer() executes a list_add() on the timer, which is already armed via
> the timer_set() syscall. That's a double list add which corrupts the posix
> cpu timer list. As a consequence the kernel crashes on the next operation
> touching the posix cpu timer list.
>
> Posix clocks which are internally implemented based on hrtimers are not
> affected by this because hrtimer_start() can handle already armed timers
> nicely, but it's a reliable way to trigger the WARN_ON() in
> hrtimer_forward(), which complains about calling that function on an
> already armed timer.
This problem has existed since the posix timer code was merged into
2.5.63. A few releases earlier in 2.5.60 ptrace gained the ability to
inject not just a signal (which linux has supported since 1.0) but the
full siginfo of a signal.
The core problem is that the code will reschedule in response to
signals getting dequeued not just for signals the timers sent but
for other signals that happen to a si_code of SI_TIMER.
Avoid this confusion by testing to see if the queued signal was
preallocated as all timer signals are preallocated, and so far
only the timer code preallocates signals.
Move the check for if a timer needs to be rescheduled up into
collect_signal where the preallocation check must be performed,
and pass the result back to dequeue_signal where the code reschedules
timers. This makes it clear why the code cares about preallocated
timers.
Cc: stable@vger.kernel.org
Reported-by: Thomas Gleixner <tglx@linutronix.de>
History Tree: https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git
Reference: 66dd34ad31e5 ("signal: allow to send any siginfo to itself")
Reference: 1669ce53e2ff ("Add PTRACE_GETSIGINFO and PTRACE_SETSIGINFO")
Fixes: db8b50ba75f2 ("[PATCH] POSIX clocks & timers")
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2017-06-13 17:31:16 +08:00
|
|
|
if (resched_timer) {
|
2005-04-17 06:20:36 +08:00
|
|
|
/*
|
|
|
|
* Release the siglock to ensure proper locking order
|
|
|
|
* of timer locks outside of siglocks. Note, we leave
|
|
|
|
* irqs disabled here, since the posix-timers code is
|
|
|
|
* about to disable them again anyway.
|
|
|
|
*/
|
|
|
|
spin_unlock(&tsk->sighand->siglock);
|
2017-05-31 05:15:46 +08:00
|
|
|
posixtimer_rearm(info);
|
2005-04-17 06:20:36 +08:00
|
|
|
spin_lock(&tsk->sighand->siglock);
|
2017-07-25 03:53:03 +08:00
|
|
|
|
|
|
|
/* Don't expose the si_sys_private value to userspace */
|
|
|
|
info->si_sys_private = 0;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
posix-timers: Make them configurable
Some embedded systems have no use for them. This removes about
25KB from the kernel binary size when configured out.
Corresponding syscalls are routed to a stub logging the attempt to
use those syscalls which should be enough of a clue if they were
disabled without proper consideration. They are: timer_create,
timer_gettime: timer_getoverrun, timer_settime, timer_delete,
clock_adjtime, setitimer, getitimer, alarm.
The clock_settime, clock_gettime, clock_getres and clock_nanosleep
syscalls are replaced by simple wrappers compatible with CLOCK_REALTIME,
CLOCK_MONOTONIC and CLOCK_BOOTTIME only which should cover the vast
majority of use cases with very little code.
Signed-off-by: Nicolas Pitre <nico@linaro.org>
Acked-by: Richard Cochran <richardcochran@gmail.com>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: John Stultz <john.stultz@linaro.org>
Reviewed-by: Josh Triplett <josh@joshtriplett.org>
Cc: Paul Bolle <pebolle@tiscali.nl>
Cc: linux-kbuild@vger.kernel.org
Cc: netdev@vger.kernel.org
Cc: Michal Marek <mmarek@suse.com>
Cc: Edward Cree <ecree@solarflare.com>
Link: http://lkml.kernel.org/r/1478841010-28605-7-git-send-email-nicolas.pitre@linaro.org
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
2016-11-11 13:10:10 +08:00
|
|
|
#endif
|
2005-04-17 06:20:36 +08:00
|
|
|
return signr;
|
|
|
|
}
|
2018-09-14 01:26:35 +08:00
|
|
|
EXPORT_SYMBOL_GPL(dequeue_signal);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2019-02-07 07:51:47 +08:00
|
|
|
static int dequeue_synchronous_signal(kernel_siginfo_t *info)
|
|
|
|
{
|
|
|
|
struct task_struct *tsk = current;
|
|
|
|
struct sigpending *pending = &tsk->pending;
|
|
|
|
struct sigqueue *q, *sync = NULL;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Might a synchronous signal be in the queue?
|
|
|
|
*/
|
|
|
|
if (!((pending->signal.sig[0] & ~tsk->blocked.sig[0]) & SYNCHRONOUS_MASK))
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Return the first synchronous signal in the queue.
|
|
|
|
*/
|
|
|
|
list_for_each_entry(q, &pending->list, list) {
|
2020-07-24 17:05:31 +08:00
|
|
|
/* Synchronous signals have a positive si_code */
|
2019-02-07 07:51:47 +08:00
|
|
|
if ((q->info.si_code > SI_USER) &&
|
|
|
|
(sigmask(q->info.si_signo) & SYNCHRONOUS_MASK)) {
|
|
|
|
sync = q;
|
|
|
|
goto next;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return 0;
|
|
|
|
next:
|
|
|
|
/*
|
|
|
|
* Check if there is another siginfo for the same signal.
|
|
|
|
*/
|
|
|
|
list_for_each_entry_continue(q, &pending->list, list) {
|
|
|
|
if (q->info.si_signo == sync->info.si_signo)
|
|
|
|
goto still_pending;
|
|
|
|
}
|
|
|
|
|
|
|
|
sigdelset(&pending->signal, sync->info.si_signo);
|
|
|
|
recalc_sigpending();
|
|
|
|
still_pending:
|
|
|
|
list_del_init(&sync->list);
|
|
|
|
copy_siginfo(info, &sync->info);
|
|
|
|
__sigqueue_free(sync);
|
|
|
|
return info->si_signo;
|
|
|
|
}
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
/*
|
|
|
|
* Tell a process that it has a new active signal..
|
|
|
|
*
|
|
|
|
* NOTE! we rely on the previous spin_lock to
|
|
|
|
* lock interrupts for us! We can only be called with
|
|
|
|
* "siglock" held, and the local interrupt must
|
|
|
|
* have been disabled when that got acquired!
|
|
|
|
*
|
|
|
|
* No need to set need_resched since signal event passing
|
|
|
|
* goes through ->blocked
|
|
|
|
*/
|
2013-01-22 03:47:41 +08:00
|
|
|
void signal_wake_up_state(struct task_struct *t, unsigned int state)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2022-05-04 04:57:47 +08:00
|
|
|
lockdep_assert_held(&t->sighand->siglock);
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
set_tsk_thread_flag(t, TIF_SIGPENDING);
|
2022-05-04 04:57:47 +08:00
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
/*
|
2013-01-22 03:47:41 +08:00
|
|
|
* TASK_WAKEKILL also means wake it up in the stopped/traced/killable
|
2007-12-07 00:13:16 +08:00
|
|
|
* case. We don't check t->state here because there is a race with it
|
2005-04-17 06:20:36 +08:00
|
|
|
* executing another processor and just now entering stopped state.
|
|
|
|
* By using wake_up_state, we ensure the process will wake up and
|
|
|
|
* handle its death signal.
|
|
|
|
*/
|
2013-01-22 03:47:41 +08:00
|
|
|
if (!wake_up_state(t, state | TASK_INTERRUPTIBLE))
|
2005-04-17 06:20:36 +08:00
|
|
|
kick_process(t);
|
|
|
|
}
|
|
|
|
|
2006-01-08 17:02:48 +08:00
|
|
|
/*
|
|
|
|
* Remove signals in mask from the pending set and queue.
|
|
|
|
* Returns 1 if any signals were found.
|
|
|
|
*
|
|
|
|
* All callers must be holding the siglock.
|
|
|
|
*/
|
2018-08-22 13:00:38 +08:00
|
|
|
static void flush_sigqueue_mask(sigset_t *mask, struct sigpending *s)
|
2006-01-08 17:02:48 +08:00
|
|
|
{
|
|
|
|
struct sigqueue *q, *n;
|
|
|
|
sigset_t m;
|
|
|
|
|
|
|
|
sigandsets(&m, mask, &s->signal);
|
|
|
|
if (sigisemptyset(&m))
|
2018-08-22 13:00:38 +08:00
|
|
|
return;
|
2006-01-08 17:02:48 +08:00
|
|
|
|
2011-04-28 04:01:27 +08:00
|
|
|
sigandnsets(&s->signal, &s->signal, mask);
|
2006-01-08 17:02:48 +08:00
|
|
|
list_for_each_entry_safe(q, n, &s->list, list) {
|
|
|
|
if (sigismember(mask, q->info.si_signo)) {
|
|
|
|
list_del_init(&q->list);
|
|
|
|
__sigqueue_free(q);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2018-09-25 17:27:20 +08:00
|
|
|
static inline int is_si_special(const struct kernel_siginfo *info)
|
2009-12-16 08:47:22 +08:00
|
|
|
{
|
2018-09-03 16:39:04 +08:00
|
|
|
return info <= SEND_SIG_PRIV;
|
2009-12-16 08:47:22 +08:00
|
|
|
}
|
|
|
|
|
2018-09-25 17:27:20 +08:00
|
|
|
static inline bool si_fromuser(const struct kernel_siginfo *info)
|
2009-12-16 08:47:22 +08:00
|
|
|
{
|
|
|
|
return info == SEND_SIG_NOINFO ||
|
|
|
|
(!is_si_special(info) && SI_FROMUSER(info));
|
|
|
|
}
|
|
|
|
|
2011-03-24 07:43:19 +08:00
|
|
|
/*
|
|
|
|
* called with RCU read lock from check_kill_permission()
|
|
|
|
*/
|
2018-08-22 13:00:11 +08:00
|
|
|
static bool kill_ok_by_cred(struct task_struct *t)
|
2011-03-24 07:43:19 +08:00
|
|
|
{
|
|
|
|
const struct cred *cred = current_cred();
|
|
|
|
const struct cred *tcred = __task_cred(t);
|
|
|
|
|
2018-08-22 13:00:11 +08:00
|
|
|
return uid_eq(cred->euid, tcred->suid) ||
|
|
|
|
uid_eq(cred->euid, tcred->uid) ||
|
|
|
|
uid_eq(cred->uid, tcred->suid) ||
|
|
|
|
uid_eq(cred->uid, tcred->uid) ||
|
|
|
|
ns_capable(tcred->user_ns, CAP_KILL);
|
2011-03-24 07:43:19 +08:00
|
|
|
}
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
/*
|
|
|
|
* Bad permissions for sending the signal
|
2010-08-04 23:59:14 +08:00
|
|
|
* - the caller must hold the RCU read lock
|
2005-04-17 06:20:36 +08:00
|
|
|
*/
|
2018-09-25 17:27:20 +08:00
|
|
|
static int check_kill_permission(int sig, struct kernel_siginfo *info,
|
2005-04-17 06:20:36 +08:00
|
|
|
struct task_struct *t)
|
|
|
|
{
|
2008-04-30 15:53:01 +08:00
|
|
|
struct pid *sid;
|
2008-04-30 15:52:42 +08:00
|
|
|
int error;
|
|
|
|
|
2005-05-01 23:59:14 +08:00
|
|
|
if (!valid_signal(sig))
|
2008-04-30 15:52:42 +08:00
|
|
|
return -EINVAL;
|
|
|
|
|
2009-12-16 08:47:22 +08:00
|
|
|
if (!si_fromuser(info))
|
2008-04-30 15:52:42 +08:00
|
|
|
return 0;
|
2007-03-30 06:01:04 +08:00
|
|
|
|
2008-04-30 15:52:42 +08:00
|
|
|
error = audit_signal_info(sig, t); /* Let audit system see the signal */
|
|
|
|
if (error)
|
2005-04-17 06:20:36 +08:00
|
|
|
return error;
|
2008-04-30 15:52:42 +08:00
|
|
|
|
2010-05-27 05:42:54 +08:00
|
|
|
if (!same_thread_group(current, t) &&
|
2011-03-24 07:43:19 +08:00
|
|
|
!kill_ok_by_cred(t)) {
|
2008-04-30 15:53:01 +08:00
|
|
|
switch (sig) {
|
|
|
|
case SIGCONT:
|
|
|
|
sid = task_session(t);
|
|
|
|
/*
|
|
|
|
* We don't return the error if sid == NULL. The
|
|
|
|
* task was unhashed, the caller must notice this.
|
|
|
|
*/
|
|
|
|
if (!sid || sid == task_session(current))
|
|
|
|
break;
|
2020-08-24 06:36:59 +08:00
|
|
|
fallthrough;
|
2008-04-30 15:53:01 +08:00
|
|
|
default:
|
|
|
|
return -EPERM;
|
|
|
|
}
|
|
|
|
}
|
2005-05-06 19:38:39 +08:00
|
|
|
|
usb, signal, security: only pass the cred, not the secid, to kill_pid_info_as_cred and security_task_kill
commit d178bc3a708f39cbfefc3fab37032d3f2511b4ec ("user namespace: usb:
make usb urbs user namespace aware (v2)") changed kill_pid_info_as_uid
to kill_pid_info_as_cred, saving and passing a cred structure instead of
uids. Since the secid can be obtained from the cred, drop the secid fields
from the usb_dev_state and async structures, and drop the secid argument to
kill_pid_info_as_cred. Replace the secid argument to security_task_kill
with the cred. Update SELinux, Smack, and AppArmor to use the cred, which
avoids the need for Smack and AppArmor to use a secid at all in this hook.
Further changes to Smack might still be required to take full advantage of
this change, since it should now be possible to perform capability
checking based on the supplied cred. The changes to Smack and AppArmor
have only been compile-tested.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: Paul Moore <paul@paul-moore.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Acked-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: James Morris <james.morris@microsoft.com>
2017-09-09 00:40:01 +08:00
|
|
|
return security_task_kill(t, info, sig, NULL);
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
ptrace: implement TRAP_NOTIFY and use it for group stop events
Currently there's no way for ptracer to find out whether group stop
finished other than polling with INTERRUPT - GETSIGINFO - CONT
sequence. This patch implements group stop notification for ptracer
using STOP traps.
When group stop state of a seized tracee changes, JOBCTL_TRAP_NOTIFY
is set, which schedules a STOP trap which is sticky - it isn't cleared
by other traps and at least one STOP trap will happen eventually.
STOP trap is synchronization point for event notification and the
tracer can determine the current group stop state by looking at the
signal number portion of exit code (si_status from waitid(2) or
si_code from PTRACE_GETSIGINFO).
Notifications are generated both on start and end of group stops but,
because group stop participation always happens before STOP trap, this
doesn't cause an extra trap while tracee is participating in group
stop. The symmetry will be useful later.
Note that this notification works iff tracee is not trapped.
Currently there is no way to be notified of group stop state changes
while tracee is trapped. This will be addressed by a later patch.
An example program follows.
#define PTRACE_SEIZE 0x4206
#define PTRACE_INTERRUPT 0x4207
#define PTRACE_SEIZE_DEVEL 0x80000000
static const struct timespec ts1s = { .tv_sec = 1 };
int main(int argc, char **argv)
{
pid_t tracee, tracer;
int i;
tracee = fork();
if (!tracee)
while (1)
pause();
tracer = fork();
if (!tracer) {
siginfo_t si;
ptrace(PTRACE_SEIZE, tracee, NULL,
(void *)(unsigned long)PTRACE_SEIZE_DEVEL);
ptrace(PTRACE_INTERRUPT, tracee, NULL, NULL);
repeat:
waitid(P_PID, tracee, NULL, WSTOPPED);
ptrace(PTRACE_GETSIGINFO, tracee, NULL, &si);
if (!si.si_code) {
printf("tracer: SIG %d\n", si.si_signo);
ptrace(PTRACE_CONT, tracee, NULL,
(void *)(unsigned long)si.si_signo);
goto repeat;
}
printf("tracer: stopped=%d signo=%d\n",
si.si_signo != SIGTRAP, si.si_signo);
ptrace(PTRACE_CONT, tracee, NULL, NULL);
goto repeat;
}
for (i = 0; i < 3; i++) {
nanosleep(&ts1s, NULL);
printf("mother: SIGSTOP\n");
kill(tracee, SIGSTOP);
nanosleep(&ts1s, NULL);
printf("mother: SIGCONT\n");
kill(tracee, SIGCONT);
}
nanosleep(&ts1s, NULL);
kill(tracer, SIGKILL);
kill(tracee, SIGKILL);
return 0;
}
In the above program, tracer keeps tracee running and gets
notification of each group stop state changes.
# ./test-notify
tracer: stopped=0 signo=5
mother: SIGSTOP
tracer: SIG 19
tracer: stopped=1 signo=19
mother: SIGCONT
tracer: stopped=0 signo=5
tracer: SIG 18
mother: SIGSTOP
tracer: SIG 19
tracer: stopped=1 signo=19
mother: SIGCONT
tracer: stopped=0 signo=5
tracer: SIG 18
mother: SIGSTOP
tracer: SIG 19
tracer: stopped=1 signo=19
mother: SIGCONT
tracer: stopped=0 signo=5
tracer: SIG 18
Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: Oleg Nesterov <oleg@redhat.com>
2011-06-14 17:20:17 +08:00
|
|
|
/**
|
|
|
|
* ptrace_trap_notify - schedule trap to notify ptracer
|
|
|
|
* @t: tracee wanting to notify tracer
|
|
|
|
*
|
|
|
|
* This function schedules sticky ptrace trap which is cleared on the next
|
|
|
|
* TRAP_STOP to notify ptracer of an event. @t must have been seized by
|
|
|
|
* ptracer.
|
|
|
|
*
|
ptrace: implement PTRACE_LISTEN
The previous patch implemented async notification for ptrace but it
only worked while trace is running. This patch introduces
PTRACE_LISTEN which is suggested by Oleg Nestrov.
It's allowed iff tracee is in STOP trap and puts tracee into
quasi-running state - tracee never really runs but wait(2) and
ptrace(2) consider it to be running. While ptracer is listening,
tracee is allowed to re-enter STOP to notify an async event.
Listening state is cleared on the first notification. Ptracer can
also clear it by issuing INTERRUPT - tracee will re-trap into STOP
with listening state cleared.
This allows ptracer to monitor group stop state without running tracee
- use INTERRUPT to put tracee into STOP trap, issue LISTEN and then
wait(2) to wait for the next group stop event. When it happens,
PTRACE_GETSIGINFO provides information to determine the current state.
Test program follows.
#define PTRACE_SEIZE 0x4206
#define PTRACE_INTERRUPT 0x4207
#define PTRACE_LISTEN 0x4208
#define PTRACE_SEIZE_DEVEL 0x80000000
static const struct timespec ts1s = { .tv_sec = 1 };
int main(int argc, char **argv)
{
pid_t tracee, tracer;
int i;
tracee = fork();
if (!tracee)
while (1)
pause();
tracer = fork();
if (!tracer) {
siginfo_t si;
ptrace(PTRACE_SEIZE, tracee, NULL,
(void *)(unsigned long)PTRACE_SEIZE_DEVEL);
ptrace(PTRACE_INTERRUPT, tracee, NULL, NULL);
repeat:
waitid(P_PID, tracee, NULL, WSTOPPED);
ptrace(PTRACE_GETSIGINFO, tracee, NULL, &si);
if (!si.si_code) {
printf("tracer: SIG %d\n", si.si_signo);
ptrace(PTRACE_CONT, tracee, NULL,
(void *)(unsigned long)si.si_signo);
goto repeat;
}
printf("tracer: stopped=%d signo=%d\n",
si.si_signo != SIGTRAP, si.si_signo);
if (si.si_signo != SIGTRAP)
ptrace(PTRACE_LISTEN, tracee, NULL, NULL);
else
ptrace(PTRACE_CONT, tracee, NULL, NULL);
goto repeat;
}
for (i = 0; i < 3; i++) {
nanosleep(&ts1s, NULL);
printf("mother: SIGSTOP\n");
kill(tracee, SIGSTOP);
nanosleep(&ts1s, NULL);
printf("mother: SIGCONT\n");
kill(tracee, SIGCONT);
}
nanosleep(&ts1s, NULL);
kill(tracer, SIGKILL);
kill(tracee, SIGKILL);
return 0;
}
This is identical to the program to test TRAP_NOTIFY except that
tracee is PTRACE_LISTEN'd instead of PTRACE_CONT'd when group stopped.
This allows ptracer to monitor when group stop ends without running
tracee.
# ./test-listen
tracer: stopped=0 signo=5
mother: SIGSTOP
tracer: SIG 19
tracer: stopped=1 signo=19
mother: SIGCONT
tracer: stopped=0 signo=5
tracer: SIG 18
mother: SIGSTOP
tracer: SIG 19
tracer: stopped=1 signo=19
mother: SIGCONT
tracer: stopped=0 signo=5
tracer: SIG 18
mother: SIGSTOP
tracer: SIG 19
tracer: stopped=1 signo=19
mother: SIGCONT
tracer: stopped=0 signo=5
tracer: SIG 18
-v2: Moved JOBCTL_LISTENING check in wait_task_stopped() into
task_stopped_code() as suggested by Oleg.
Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: Oleg Nesterov <oleg@redhat.com>
2011-06-14 17:20:18 +08:00
|
|
|
* If @t is running, STOP trap will be taken. If trapped for STOP and
|
|
|
|
* ptracer is listening for events, tracee is woken up so that it can
|
|
|
|
* re-trap for the new event. If trapped otherwise, STOP trap will be
|
|
|
|
* eventually taken without returning to userland after the existing traps
|
|
|
|
* are finished by PTRACE_CONT.
|
ptrace: implement TRAP_NOTIFY and use it for group stop events
Currently there's no way for ptracer to find out whether group stop
finished other than polling with INTERRUPT - GETSIGINFO - CONT
sequence. This patch implements group stop notification for ptracer
using STOP traps.
When group stop state of a seized tracee changes, JOBCTL_TRAP_NOTIFY
is set, which schedules a STOP trap which is sticky - it isn't cleared
by other traps and at least one STOP trap will happen eventually.
STOP trap is synchronization point for event notification and the
tracer can determine the current group stop state by looking at the
signal number portion of exit code (si_status from waitid(2) or
si_code from PTRACE_GETSIGINFO).
Notifications are generated both on start and end of group stops but,
because group stop participation always happens before STOP trap, this
doesn't cause an extra trap while tracee is participating in group
stop. The symmetry will be useful later.
Note that this notification works iff tracee is not trapped.
Currently there is no way to be notified of group stop state changes
while tracee is trapped. This will be addressed by a later patch.
An example program follows.
#define PTRACE_SEIZE 0x4206
#define PTRACE_INTERRUPT 0x4207
#define PTRACE_SEIZE_DEVEL 0x80000000
static const struct timespec ts1s = { .tv_sec = 1 };
int main(int argc, char **argv)
{
pid_t tracee, tracer;
int i;
tracee = fork();
if (!tracee)
while (1)
pause();
tracer = fork();
if (!tracer) {
siginfo_t si;
ptrace(PTRACE_SEIZE, tracee, NULL,
(void *)(unsigned long)PTRACE_SEIZE_DEVEL);
ptrace(PTRACE_INTERRUPT, tracee, NULL, NULL);
repeat:
waitid(P_PID, tracee, NULL, WSTOPPED);
ptrace(PTRACE_GETSIGINFO, tracee, NULL, &si);
if (!si.si_code) {
printf("tracer: SIG %d\n", si.si_signo);
ptrace(PTRACE_CONT, tracee, NULL,
(void *)(unsigned long)si.si_signo);
goto repeat;
}
printf("tracer: stopped=%d signo=%d\n",
si.si_signo != SIGTRAP, si.si_signo);
ptrace(PTRACE_CONT, tracee, NULL, NULL);
goto repeat;
}
for (i = 0; i < 3; i++) {
nanosleep(&ts1s, NULL);
printf("mother: SIGSTOP\n");
kill(tracee, SIGSTOP);
nanosleep(&ts1s, NULL);
printf("mother: SIGCONT\n");
kill(tracee, SIGCONT);
}
nanosleep(&ts1s, NULL);
kill(tracer, SIGKILL);
kill(tracee, SIGKILL);
return 0;
}
In the above program, tracer keeps tracee running and gets
notification of each group stop state changes.
# ./test-notify
tracer: stopped=0 signo=5
mother: SIGSTOP
tracer: SIG 19
tracer: stopped=1 signo=19
mother: SIGCONT
tracer: stopped=0 signo=5
tracer: SIG 18
mother: SIGSTOP
tracer: SIG 19
tracer: stopped=1 signo=19
mother: SIGCONT
tracer: stopped=0 signo=5
tracer: SIG 18
mother: SIGSTOP
tracer: SIG 19
tracer: stopped=1 signo=19
mother: SIGCONT
tracer: stopped=0 signo=5
tracer: SIG 18
Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: Oleg Nesterov <oleg@redhat.com>
2011-06-14 17:20:17 +08:00
|
|
|
*
|
|
|
|
* CONTEXT:
|
|
|
|
* Must be called with @task->sighand->siglock held.
|
|
|
|
*/
|
|
|
|
static void ptrace_trap_notify(struct task_struct *t)
|
|
|
|
{
|
|
|
|
WARN_ON_ONCE(!(t->ptrace & PT_SEIZED));
|
2022-04-29 22:16:10 +08:00
|
|
|
lockdep_assert_held(&t->sighand->siglock);
|
ptrace: implement TRAP_NOTIFY and use it for group stop events
Currently there's no way for ptracer to find out whether group stop
finished other than polling with INTERRUPT - GETSIGINFO - CONT
sequence. This patch implements group stop notification for ptracer
using STOP traps.
When group stop state of a seized tracee changes, JOBCTL_TRAP_NOTIFY
is set, which schedules a STOP trap which is sticky - it isn't cleared
by other traps and at least one STOP trap will happen eventually.
STOP trap is synchronization point for event notification and the
tracer can determine the current group stop state by looking at the
signal number portion of exit code (si_status from waitid(2) or
si_code from PTRACE_GETSIGINFO).
Notifications are generated both on start and end of group stops but,
because group stop participation always happens before STOP trap, this
doesn't cause an extra trap while tracee is participating in group
stop. The symmetry will be useful later.
Note that this notification works iff tracee is not trapped.
Currently there is no way to be notified of group stop state changes
while tracee is trapped. This will be addressed by a later patch.
An example program follows.
#define PTRACE_SEIZE 0x4206
#define PTRACE_INTERRUPT 0x4207
#define PTRACE_SEIZE_DEVEL 0x80000000
static const struct timespec ts1s = { .tv_sec = 1 };
int main(int argc, char **argv)
{
pid_t tracee, tracer;
int i;
tracee = fork();
if (!tracee)
while (1)
pause();
tracer = fork();
if (!tracer) {
siginfo_t si;
ptrace(PTRACE_SEIZE, tracee, NULL,
(void *)(unsigned long)PTRACE_SEIZE_DEVEL);
ptrace(PTRACE_INTERRUPT, tracee, NULL, NULL);
repeat:
waitid(P_PID, tracee, NULL, WSTOPPED);
ptrace(PTRACE_GETSIGINFO, tracee, NULL, &si);
if (!si.si_code) {
printf("tracer: SIG %d\n", si.si_signo);
ptrace(PTRACE_CONT, tracee, NULL,
(void *)(unsigned long)si.si_signo);
goto repeat;
}
printf("tracer: stopped=%d signo=%d\n",
si.si_signo != SIGTRAP, si.si_signo);
ptrace(PTRACE_CONT, tracee, NULL, NULL);
goto repeat;
}
for (i = 0; i < 3; i++) {
nanosleep(&ts1s, NULL);
printf("mother: SIGSTOP\n");
kill(tracee, SIGSTOP);
nanosleep(&ts1s, NULL);
printf("mother: SIGCONT\n");
kill(tracee, SIGCONT);
}
nanosleep(&ts1s, NULL);
kill(tracer, SIGKILL);
kill(tracee, SIGKILL);
return 0;
}
In the above program, tracer keeps tracee running and gets
notification of each group stop state changes.
# ./test-notify
tracer: stopped=0 signo=5
mother: SIGSTOP
tracer: SIG 19
tracer: stopped=1 signo=19
mother: SIGCONT
tracer: stopped=0 signo=5
tracer: SIG 18
mother: SIGSTOP
tracer: SIG 19
tracer: stopped=1 signo=19
mother: SIGCONT
tracer: stopped=0 signo=5
tracer: SIG 18
mother: SIGSTOP
tracer: SIG 19
tracer: stopped=1 signo=19
mother: SIGCONT
tracer: stopped=0 signo=5
tracer: SIG 18
Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: Oleg Nesterov <oleg@redhat.com>
2011-06-14 17:20:17 +08:00
|
|
|
|
|
|
|
task_set_jobctl_pending(t, JOBCTL_TRAP_NOTIFY);
|
2013-01-22 03:47:41 +08:00
|
|
|
ptrace_signal_wake_up(t, t->jobctl & JOBCTL_LISTENING);
|
ptrace: implement TRAP_NOTIFY and use it for group stop events
Currently there's no way for ptracer to find out whether group stop
finished other than polling with INTERRUPT - GETSIGINFO - CONT
sequence. This patch implements group stop notification for ptracer
using STOP traps.
When group stop state of a seized tracee changes, JOBCTL_TRAP_NOTIFY
is set, which schedules a STOP trap which is sticky - it isn't cleared
by other traps and at least one STOP trap will happen eventually.
STOP trap is synchronization point for event notification and the
tracer can determine the current group stop state by looking at the
signal number portion of exit code (si_status from waitid(2) or
si_code from PTRACE_GETSIGINFO).
Notifications are generated both on start and end of group stops but,
because group stop participation always happens before STOP trap, this
doesn't cause an extra trap while tracee is participating in group
stop. The symmetry will be useful later.
Note that this notification works iff tracee is not trapped.
Currently there is no way to be notified of group stop state changes
while tracee is trapped. This will be addressed by a later patch.
An example program follows.
#define PTRACE_SEIZE 0x4206
#define PTRACE_INTERRUPT 0x4207
#define PTRACE_SEIZE_DEVEL 0x80000000
static const struct timespec ts1s = { .tv_sec = 1 };
int main(int argc, char **argv)
{
pid_t tracee, tracer;
int i;
tracee = fork();
if (!tracee)
while (1)
pause();
tracer = fork();
if (!tracer) {
siginfo_t si;
ptrace(PTRACE_SEIZE, tracee, NULL,
(void *)(unsigned long)PTRACE_SEIZE_DEVEL);
ptrace(PTRACE_INTERRUPT, tracee, NULL, NULL);
repeat:
waitid(P_PID, tracee, NULL, WSTOPPED);
ptrace(PTRACE_GETSIGINFO, tracee, NULL, &si);
if (!si.si_code) {
printf("tracer: SIG %d\n", si.si_signo);
ptrace(PTRACE_CONT, tracee, NULL,
(void *)(unsigned long)si.si_signo);
goto repeat;
}
printf("tracer: stopped=%d signo=%d\n",
si.si_signo != SIGTRAP, si.si_signo);
ptrace(PTRACE_CONT, tracee, NULL, NULL);
goto repeat;
}
for (i = 0; i < 3; i++) {
nanosleep(&ts1s, NULL);
printf("mother: SIGSTOP\n");
kill(tracee, SIGSTOP);
nanosleep(&ts1s, NULL);
printf("mother: SIGCONT\n");
kill(tracee, SIGCONT);
}
nanosleep(&ts1s, NULL);
kill(tracer, SIGKILL);
kill(tracee, SIGKILL);
return 0;
}
In the above program, tracer keeps tracee running and gets
notification of each group stop state changes.
# ./test-notify
tracer: stopped=0 signo=5
mother: SIGSTOP
tracer: SIG 19
tracer: stopped=1 signo=19
mother: SIGCONT
tracer: stopped=0 signo=5
tracer: SIG 18
mother: SIGSTOP
tracer: SIG 19
tracer: stopped=1 signo=19
mother: SIGCONT
tracer: stopped=0 signo=5
tracer: SIG 18
mother: SIGSTOP
tracer: SIG 19
tracer: stopped=1 signo=19
mother: SIGCONT
tracer: stopped=0 signo=5
tracer: SIG 18
Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: Oleg Nesterov <oleg@redhat.com>
2011-06-14 17:20:17 +08:00
|
|
|
}
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
/*
|
2008-04-30 15:52:59 +08:00
|
|
|
* Handle magic process-wide effects of stop/continue signals. Unlike
|
|
|
|
* the signal actions, these happen immediately at signal-generation
|
2005-04-17 06:20:36 +08:00
|
|
|
* time regardless of blocking, ignoring, or handling. This does the
|
|
|
|
* actual continuing for SIGCONT, but not the actual stopping for stop
|
2008-04-30 15:52:59 +08:00
|
|
|
* signals. The process stop is done as a signal action for SIG_DFL.
|
|
|
|
*
|
|
|
|
* Returns true if the signal should be actually delivered, otherwise
|
|
|
|
* it should be dropped.
|
2005-04-17 06:20:36 +08:00
|
|
|
*/
|
2013-05-01 06:28:10 +08:00
|
|
|
static bool prepare_signal(int sig, struct task_struct *p, bool force)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2008-04-30 15:52:46 +08:00
|
|
|
struct signal_struct *signal = p->signal;
|
2005-04-17 06:20:36 +08:00
|
|
|
struct task_struct *t;
|
2014-06-07 05:36:48 +08:00
|
|
|
sigset_t flush;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2022-01-08 23:48:31 +08:00
|
|
|
if (signal->flags & SIGNAL_GROUP_EXIT) {
|
2022-01-08 23:34:50 +08:00
|
|
|
if (signal->core_state)
|
2013-05-01 06:28:10 +08:00
|
|
|
return sig == SIGKILL;
|
2005-04-17 06:20:36 +08:00
|
|
|
/*
|
2022-01-09 00:37:00 +08:00
|
|
|
* The process is in the middle of dying, drop the signal.
|
2005-04-17 06:20:36 +08:00
|
|
|
*/
|
2022-01-09 00:37:00 +08:00
|
|
|
return false;
|
2008-04-30 15:52:59 +08:00
|
|
|
} else if (sig_kernel_stop(sig)) {
|
2005-04-17 06:20:36 +08:00
|
|
|
/*
|
|
|
|
* This is a stop signal. Remove SIGCONT from all queues.
|
|
|
|
*/
|
2014-06-07 05:36:48 +08:00
|
|
|
siginitset(&flush, sigmask(SIGCONT));
|
2014-06-07 05:36:50 +08:00
|
|
|
flush_sigqueue_mask(&flush, &signal->shared_pending);
|
2014-06-07 05:36:48 +08:00
|
|
|
for_each_thread(p, t)
|
2014-06-07 05:36:50 +08:00
|
|
|
flush_sigqueue_mask(&flush, &t->pending);
|
2005-04-17 06:20:36 +08:00
|
|
|
} else if (sig == SIGCONT) {
|
2008-04-30 15:52:46 +08:00
|
|
|
unsigned int why;
|
2005-04-17 06:20:36 +08:00
|
|
|
/*
|
signal: prepare_signal(SIGCONT) shouldn't play with TIF_SIGPENDING
prepare_signal(SIGCONT) should never set TIF_SIGPENDING or wake up
the TASK_INTERRUPTIBLE threads. We are going to call complete_signal()
which should pick the right thread correctly. All we need is to wake
up the TASK_STOPPED threads.
If the task was stopped, it can't return to usermode without taking
->siglock. Otherwise we don't care, and the spurious TIF_SIGPENDING
can't be useful.
The comment says:
* If there is a handler for SIGCONT, we must make
* sure that no thread returns to user mode before
* we post the signal
It is not clear what this means. Probably, "when there's only a single
thread" and this continues to be true. Otherwise, even if this SIGCONT
is not private, with or without this change only one thread can dequeue
SIGCONT, other threads can happily return to user mode before before
that thread handles this signal.
Note also that wake_up_state(t, __TASK_STOPPED) can't race with the task
which changes its state, TASK_STOPPED state is protected by ->siglock as
well.
In short: when it comes to signal delivery, SIGCONT is the normal signal
and does not need any special support.
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
2011-04-02 02:11:50 +08:00
|
|
|
* Remove all stop signals from all queues, wake all threads.
|
2005-04-17 06:20:36 +08:00
|
|
|
*/
|
2014-06-07 05:36:48 +08:00
|
|
|
siginitset(&flush, SIG_KERNEL_STOP_MASK);
|
2014-06-07 05:36:50 +08:00
|
|
|
flush_sigqueue_mask(&flush, &signal->shared_pending);
|
2014-06-07 05:36:48 +08:00
|
|
|
for_each_thread(p, t) {
|
2014-06-07 05:36:50 +08:00
|
|
|
flush_sigqueue_mask(&flush, &t->pending);
|
2011-06-02 17:14:00 +08:00
|
|
|
task_clear_jobctl_pending(t, JOBCTL_STOP_PENDING);
|
2022-05-04 04:57:47 +08:00
|
|
|
if (likely(!(t->ptrace & PT_SEIZED))) {
|
|
|
|
t->jobctl &= ~JOBCTL_STOPPED;
|
ptrace: implement TRAP_NOTIFY and use it for group stop events
Currently there's no way for ptracer to find out whether group stop
finished other than polling with INTERRUPT - GETSIGINFO - CONT
sequence. This patch implements group stop notification for ptracer
using STOP traps.
When group stop state of a seized tracee changes, JOBCTL_TRAP_NOTIFY
is set, which schedules a STOP trap which is sticky - it isn't cleared
by other traps and at least one STOP trap will happen eventually.
STOP trap is synchronization point for event notification and the
tracer can determine the current group stop state by looking at the
signal number portion of exit code (si_status from waitid(2) or
si_code from PTRACE_GETSIGINFO).
Notifications are generated both on start and end of group stops but,
because group stop participation always happens before STOP trap, this
doesn't cause an extra trap while tracee is participating in group
stop. The symmetry will be useful later.
Note that this notification works iff tracee is not trapped.
Currently there is no way to be notified of group stop state changes
while tracee is trapped. This will be addressed by a later patch.
An example program follows.
#define PTRACE_SEIZE 0x4206
#define PTRACE_INTERRUPT 0x4207
#define PTRACE_SEIZE_DEVEL 0x80000000
static const struct timespec ts1s = { .tv_sec = 1 };
int main(int argc, char **argv)
{
pid_t tracee, tracer;
int i;
tracee = fork();
if (!tracee)
while (1)
pause();
tracer = fork();
if (!tracer) {
siginfo_t si;
ptrace(PTRACE_SEIZE, tracee, NULL,
(void *)(unsigned long)PTRACE_SEIZE_DEVEL);
ptrace(PTRACE_INTERRUPT, tracee, NULL, NULL);
repeat:
waitid(P_PID, tracee, NULL, WSTOPPED);
ptrace(PTRACE_GETSIGINFO, tracee, NULL, &si);
if (!si.si_code) {
printf("tracer: SIG %d\n", si.si_signo);
ptrace(PTRACE_CONT, tracee, NULL,
(void *)(unsigned long)si.si_signo);
goto repeat;
}
printf("tracer: stopped=%d signo=%d\n",
si.si_signo != SIGTRAP, si.si_signo);
ptrace(PTRACE_CONT, tracee, NULL, NULL);
goto repeat;
}
for (i = 0; i < 3; i++) {
nanosleep(&ts1s, NULL);
printf("mother: SIGSTOP\n");
kill(tracee, SIGSTOP);
nanosleep(&ts1s, NULL);
printf("mother: SIGCONT\n");
kill(tracee, SIGCONT);
}
nanosleep(&ts1s, NULL);
kill(tracer, SIGKILL);
kill(tracee, SIGKILL);
return 0;
}
In the above program, tracer keeps tracee running and gets
notification of each group stop state changes.
# ./test-notify
tracer: stopped=0 signo=5
mother: SIGSTOP
tracer: SIG 19
tracer: stopped=1 signo=19
mother: SIGCONT
tracer: stopped=0 signo=5
tracer: SIG 18
mother: SIGSTOP
tracer: SIG 19
tracer: stopped=1 signo=19
mother: SIGCONT
tracer: stopped=0 signo=5
tracer: SIG 18
mother: SIGSTOP
tracer: SIG 19
tracer: stopped=1 signo=19
mother: SIGCONT
tracer: stopped=0 signo=5
tracer: SIG 18
Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: Oleg Nesterov <oleg@redhat.com>
2011-06-14 17:20:17 +08:00
|
|
|
wake_up_state(t, __TASK_STOPPED);
|
2022-05-04 04:57:47 +08:00
|
|
|
} else
|
ptrace: implement TRAP_NOTIFY and use it for group stop events
Currently there's no way for ptracer to find out whether group stop
finished other than polling with INTERRUPT - GETSIGINFO - CONT
sequence. This patch implements group stop notification for ptracer
using STOP traps.
When group stop state of a seized tracee changes, JOBCTL_TRAP_NOTIFY
is set, which schedules a STOP trap which is sticky - it isn't cleared
by other traps and at least one STOP trap will happen eventually.
STOP trap is synchronization point for event notification and the
tracer can determine the current group stop state by looking at the
signal number portion of exit code (si_status from waitid(2) or
si_code from PTRACE_GETSIGINFO).
Notifications are generated both on start and end of group stops but,
because group stop participation always happens before STOP trap, this
doesn't cause an extra trap while tracee is participating in group
stop. The symmetry will be useful later.
Note that this notification works iff tracee is not trapped.
Currently there is no way to be notified of group stop state changes
while tracee is trapped. This will be addressed by a later patch.
An example program follows.
#define PTRACE_SEIZE 0x4206
#define PTRACE_INTERRUPT 0x4207
#define PTRACE_SEIZE_DEVEL 0x80000000
static const struct timespec ts1s = { .tv_sec = 1 };
int main(int argc, char **argv)
{
pid_t tracee, tracer;
int i;
tracee = fork();
if (!tracee)
while (1)
pause();
tracer = fork();
if (!tracer) {
siginfo_t si;
ptrace(PTRACE_SEIZE, tracee, NULL,
(void *)(unsigned long)PTRACE_SEIZE_DEVEL);
ptrace(PTRACE_INTERRUPT, tracee, NULL, NULL);
repeat:
waitid(P_PID, tracee, NULL, WSTOPPED);
ptrace(PTRACE_GETSIGINFO, tracee, NULL, &si);
if (!si.si_code) {
printf("tracer: SIG %d\n", si.si_signo);
ptrace(PTRACE_CONT, tracee, NULL,
(void *)(unsigned long)si.si_signo);
goto repeat;
}
printf("tracer: stopped=%d signo=%d\n",
si.si_signo != SIGTRAP, si.si_signo);
ptrace(PTRACE_CONT, tracee, NULL, NULL);
goto repeat;
}
for (i = 0; i < 3; i++) {
nanosleep(&ts1s, NULL);
printf("mother: SIGSTOP\n");
kill(tracee, SIGSTOP);
nanosleep(&ts1s, NULL);
printf("mother: SIGCONT\n");
kill(tracee, SIGCONT);
}
nanosleep(&ts1s, NULL);
kill(tracer, SIGKILL);
kill(tracee, SIGKILL);
return 0;
}
In the above program, tracer keeps tracee running and gets
notification of each group stop state changes.
# ./test-notify
tracer: stopped=0 signo=5
mother: SIGSTOP
tracer: SIG 19
tracer: stopped=1 signo=19
mother: SIGCONT
tracer: stopped=0 signo=5
tracer: SIG 18
mother: SIGSTOP
tracer: SIG 19
tracer: stopped=1 signo=19
mother: SIGCONT
tracer: stopped=0 signo=5
tracer: SIG 18
mother: SIGSTOP
tracer: SIG 19
tracer: stopped=1 signo=19
mother: SIGCONT
tracer: stopped=0 signo=5
tracer: SIG 18
Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: Oleg Nesterov <oleg@redhat.com>
2011-06-14 17:20:17 +08:00
|
|
|
ptrace_trap_notify(t);
|
2014-06-07 05:36:48 +08:00
|
|
|
}
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2008-04-30 15:52:46 +08:00
|
|
|
/*
|
|
|
|
* Notify the parent with CLD_CONTINUED if we were stopped.
|
|
|
|
*
|
|
|
|
* If we were in the middle of a group stop, we pretend it
|
|
|
|
* was already finished, and then continued. Since SIGCHLD
|
|
|
|
* doesn't queue we report only CLD_STOPPED, as if the next
|
|
|
|
* CLD_CONTINUED was dropped.
|
|
|
|
*/
|
|
|
|
why = 0;
|
2008-04-30 15:52:46 +08:00
|
|
|
if (signal->flags & SIGNAL_STOP_STOPPED)
|
2008-04-30 15:52:46 +08:00
|
|
|
why |= SIGNAL_CLD_CONTINUED;
|
2008-04-30 15:52:46 +08:00
|
|
|
else if (signal->group_stop_count)
|
2008-04-30 15:52:46 +08:00
|
|
|
why |= SIGNAL_CLD_STOPPED;
|
|
|
|
|
|
|
|
if (why) {
|
2008-04-30 15:53:00 +08:00
|
|
|
/*
|
2009-09-24 06:56:53 +08:00
|
|
|
* The first thread which returns from do_signal_stop()
|
2008-04-30 15:53:00 +08:00
|
|
|
* will take ->siglock, notice SIGNAL_CLD_MASK, and
|
2018-10-31 06:07:05 +08:00
|
|
|
* notify its parent. See get_signal().
|
2008-04-30 15:53:00 +08:00
|
|
|
*/
|
2017-01-11 08:57:54 +08:00
|
|
|
signal_set_stop_flags(signal, why | SIGNAL_STOP_CONTINUED);
|
2008-04-30 15:52:46 +08:00
|
|
|
signal->group_stop_count = 0;
|
|
|
|
signal->group_exit_code = 0;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
}
|
2008-04-30 15:52:59 +08:00
|
|
|
|
2012-03-24 06:02:45 +08:00
|
|
|
return !sig_ignored(p, sig, force);
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
2008-04-30 15:52:53 +08:00
|
|
|
/*
|
|
|
|
* Test if P wants to take SIG. After we've checked all threads with this,
|
|
|
|
* it's equivalent to finding no threads not blocking SIG. Any threads not
|
|
|
|
* blocking SIG were ruled out because they are not running and already
|
|
|
|
* have pending signals. Such threads will dequeue from the shared queue
|
|
|
|
* as soon as they're available, so putting the signal on the shared queue
|
|
|
|
* will be equivalent to sending it to one such thread.
|
|
|
|
*/
|
2018-08-22 13:00:42 +08:00
|
|
|
static inline bool wants_signal(int sig, struct task_struct *p)
|
2008-04-30 15:52:53 +08:00
|
|
|
{
|
|
|
|
if (sigismember(&p->blocked, sig))
|
2018-08-22 13:00:42 +08:00
|
|
|
return false;
|
|
|
|
|
2008-04-30 15:52:53 +08:00
|
|
|
if (p->flags & PF_EXITING)
|
2018-08-22 13:00:42 +08:00
|
|
|
return false;
|
|
|
|
|
2008-04-30 15:52:53 +08:00
|
|
|
if (sig == SIGKILL)
|
2018-08-22 13:00:42 +08:00
|
|
|
return true;
|
|
|
|
|
2008-04-30 15:52:53 +08:00
|
|
|
if (task_is_stopped_or_traced(p))
|
2018-08-22 13:00:42 +08:00
|
|
|
return false;
|
|
|
|
|
2020-10-27 04:32:27 +08:00
|
|
|
return task_curr(p) || !task_sigpending(p);
|
2008-04-30 15:52:53 +08:00
|
|
|
}
|
|
|
|
|
2018-07-14 10:39:13 +08:00
|
|
|
static void complete_signal(int sig, struct task_struct *p, enum pid_type type)
|
2008-04-30 15:52:53 +08:00
|
|
|
{
|
|
|
|
struct signal_struct *signal = p->signal;
|
|
|
|
struct task_struct *t;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Now find a thread we can wake up to take the signal off the queue.
|
|
|
|
*
|
|
|
|
* If the main thread wants the signal, it gets first crack.
|
|
|
|
* Probably the least surprising to the average bear.
|
|
|
|
*/
|
|
|
|
if (wants_signal(sig, p))
|
|
|
|
t = p;
|
2018-07-14 10:39:13 +08:00
|
|
|
else if ((type == PIDTYPE_PID) || thread_group_empty(p))
|
2008-04-30 15:52:53 +08:00
|
|
|
/*
|
|
|
|
* There is just one thread and it does not need to be woken.
|
|
|
|
* It will dequeue unblocked signals before it runs again.
|
|
|
|
*/
|
|
|
|
return;
|
|
|
|
else {
|
|
|
|
/*
|
|
|
|
* Otherwise try to find a suitable thread.
|
|
|
|
*/
|
|
|
|
t = signal->curr_target;
|
|
|
|
while (!wants_signal(sig, t)) {
|
|
|
|
t = next_thread(t);
|
|
|
|
if (t == signal->curr_target)
|
|
|
|
/*
|
|
|
|
* No thread needs to be woken.
|
|
|
|
* Any eligible threads will see
|
|
|
|
* the signal in the queue soon.
|
|
|
|
*/
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
signal->curr_target = t;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Found a killable thread. If the signal will be fatal,
|
|
|
|
* then start taking the whole group down immediately.
|
|
|
|
*/
|
2008-04-30 15:53:03 +08:00
|
|
|
if (sig_fatal(p, sig) &&
|
2022-01-09 01:01:12 +08:00
|
|
|
(signal->core_state || !(signal->flags & SIGNAL_GROUP_EXIT)) &&
|
2008-04-30 15:52:53 +08:00
|
|
|
!sigismember(&t->real_blocked, sig) &&
|
kernel/signal.c: remove the no longer needed SIGNAL_UNKILLABLE check in complete_signal()
complete_signal() checks SIGNAL_UNKILLABLE before it starts to destroy
the thread group, today this is wrong in many ways.
If nothing else, fatal_signal_pending() should always imply that the
whole thread group (except ->group_exit_task if it is not NULL) is
killed, this check breaks the rule.
After the previous changes we can rely on sig_task_ignored();
sig_fatal(sig) && SIGNAL_UNKILLABLE can only be true if we actually want
to kill this task and sig == SIGKILL OR it is traced and debugger can
intercept the signal.
This should hopefully fix the problem reported by Dmitry. This
test-case
static int init(void *arg)
{
for (;;)
pause();
}
int main(void)
{
char stack[16 * 1024];
for (;;) {
int pid = clone(init, stack + sizeof(stack)/2,
CLONE_NEWPID | SIGCHLD, NULL);
assert(pid > 0);
assert(ptrace(PTRACE_ATTACH, pid, 0, 0) == 0);
assert(waitpid(-1, NULL, WSTOPPED) == pid);
assert(ptrace(PTRACE_DETACH, pid, 0, SIGSTOP) == 0);
assert(syscall(__NR_tkill, pid, SIGKILL) == 0);
assert(pid == wait(NULL));
}
}
triggers the WARN_ON_ONCE(!(task->jobctl & JOBCTL_STOP_PENDING)) in
task_participate_group_stop(). do_signal_stop()->signal_group_exit()
checks SIGNAL_GROUP_EXIT and return false, but task_set_jobctl_pending()
checks fatal_signal_pending() and does not set JOBCTL_STOP_PENDING.
And his should fix the minor security problem reported by Kyle,
SECCOMP_RET_TRACE can miss fatal_signal_pending() the same way if the
task is the root of a pid namespace.
Link: http://lkml.kernel.org/r/20171103184246.GD21036@redhat.com
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Reported-by: Kyle Huey <me@kylehuey.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Tested-by: Kyle Huey <me@kylehuey.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-11-18 07:30:08 +08:00
|
|
|
(sig == SIGKILL || !p->ptrace)) {
|
2008-04-30 15:52:53 +08:00
|
|
|
/*
|
|
|
|
* This signal will be fatal to the whole group.
|
|
|
|
*/
|
|
|
|
if (!sig_kernel_coredump(sig)) {
|
|
|
|
/*
|
|
|
|
* Start a group exit and wake everybody up.
|
|
|
|
* This way we don't have other threads
|
|
|
|
* running and doing things after a slower
|
|
|
|
* thread has the fatal signal pending.
|
|
|
|
*/
|
|
|
|
signal->flags = SIGNAL_GROUP_EXIT;
|
|
|
|
signal->group_exit_code = sig;
|
|
|
|
signal->group_stop_count = 0;
|
|
|
|
t = p;
|
|
|
|
do {
|
2011-06-02 17:14:00 +08:00
|
|
|
task_clear_jobctl_pending(t, JOBCTL_PENDING_MASK);
|
2008-04-30 15:52:53 +08:00
|
|
|
sigaddset(&t->pending.signal, SIGKILL);
|
|
|
|
signal_wake_up(t, 1);
|
|
|
|
} while_each_thread(p, t);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* The signal is already in the shared-pending queue.
|
|
|
|
* Tell the chosen thread to wake up and dequeue it.
|
|
|
|
*/
|
|
|
|
signal_wake_up(t, sig == SIGKILL);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2018-08-22 13:00:46 +08:00
|
|
|
static inline bool legacy_queue(struct sigpending *signals, int sig)
|
2008-04-30 15:52:34 +08:00
|
|
|
{
|
|
|
|
return (sig < SIGRTMIN) && sigismember(&signals->signal, sig);
|
|
|
|
}
|
|
|
|
|
2022-04-22 22:48:54 +08:00
|
|
|
static int __send_signal_locked(int sig, struct kernel_siginfo *info,
|
|
|
|
struct task_struct *t, enum pid_type type, bool force)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2008-04-30 15:52:54 +08:00
|
|
|
struct sigpending *pending;
|
2008-04-30 15:52:50 +08:00
|
|
|
struct sigqueue *q;
|
2009-05-16 17:28:33 +08:00
|
|
|
int override_rlimit;
|
2011-11-23 04:13:48 +08:00
|
|
|
int ret = 0, result;
|
tracing, sched: LTTng instrumentation - scheduler
Instrument the scheduler activity (sched_switch, migration, wakeups,
wait for a task, signal delivery) and process/thread
creation/destruction (fork, exit, kthread stop). Actually, kthread
creation is not instrumented in this patch because it is architecture
dependent. It allows to connect tracers such as ftrace which detects
scheduling latencies, good/bad scheduler decisions. Tools like LTTng can
export this scheduler information along with instrumentation of the rest
of the kernel activity to perform post-mortem analysis on the scheduler
activity.
About the performance impact of tracepoints (which is comparable to
markers), even without immediate values optimizations, tests done by
Hideo Aoki on ia64 show no regression. His test case was using hackbench
on a kernel where scheduler instrumentation (about 5 events in code
scheduler code) was added. See the "Tracepoints" patch header for
performance result detail.
Changelog :
- Change instrumentation location and parameter to match ftrace
instrumentation, previously done with kernel markers.
[ mingo@elte.hu: conflict resolutions ]
Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@polymtl.ca>
Acked-by: 'Peter Zijlstra' <peterz@infradead.org>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
2008-07-19 00:16:17 +08:00
|
|
|
|
2022-04-29 22:16:10 +08:00
|
|
|
lockdep_assert_held(&t->sighand->siglock);
|
2009-04-03 07:58:05 +08:00
|
|
|
|
2011-11-23 04:13:48 +08:00
|
|
|
result = TRACE_SIGNAL_IGNORED;
|
2019-05-16 11:23:32 +08:00
|
|
|
if (!prepare_signal(sig, t, force))
|
2011-11-23 04:13:48 +08:00
|
|
|
goto ret;
|
2008-04-30 15:52:54 +08:00
|
|
|
|
2018-07-14 08:26:27 +08:00
|
|
|
pending = (type != PIDTYPE_PID) ? &t->signal->shared_pending : &t->pending;
|
2008-04-30 15:52:35 +08:00
|
|
|
/*
|
|
|
|
* Short-circuit ignored signals and support queuing
|
|
|
|
* exactly one non-rt signal, so that we can get more
|
|
|
|
* detailed information about the cause of the signal.
|
|
|
|
*/
|
2011-11-23 04:13:48 +08:00
|
|
|
result = TRACE_SIGNAL_ALREADY_PENDING;
|
2008-04-30 15:52:59 +08:00
|
|
|
if (legacy_queue(pending, sig))
|
2011-11-23 04:13:48 +08:00
|
|
|
goto ret;
|
|
|
|
|
|
|
|
result = TRACE_SIGNAL_DELIVERED;
|
2005-04-17 06:20:36 +08:00
|
|
|
/*
|
2019-02-05 21:19:11 +08:00
|
|
|
* Skip useless siginfo allocation for SIGKILL and kernel threads.
|
2005-04-17 06:20:36 +08:00
|
|
|
*/
|
2021-03-26 08:18:59 +08:00
|
|
|
if ((sig == SIGKILL) || (t->flags & PF_KTHREAD))
|
2005-04-17 06:20:36 +08:00
|
|
|
goto out_set;
|
|
|
|
|
2011-04-05 05:59:31 +08:00
|
|
|
/*
|
|
|
|
* Real-time signals must be queued if sent by sigqueue, or
|
|
|
|
* some other real-time mechanism. It is implementation
|
|
|
|
* defined whether kill() does so. We attempt to do so, on
|
|
|
|
* the principle of least surprise, but since kill is not
|
|
|
|
* allowed to fail with EAGAIN when low on memory we just
|
|
|
|
* make sure at least one signal gets delivered and don't
|
|
|
|
* pass on the info struct.
|
|
|
|
*/
|
2009-05-16 17:28:33 +08:00
|
|
|
if (sig < SIGRTMIN)
|
|
|
|
override_rlimit = (is_si_special(info) || info->si_code >= 0);
|
|
|
|
else
|
|
|
|
override_rlimit = 0;
|
|
|
|
|
2021-03-22 17:19:42 +08:00
|
|
|
q = __sigqueue_alloc(sig, t, GFP_ATOMIC, override_rlimit, 0);
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
if (q) {
|
2008-04-30 15:52:54 +08:00
|
|
|
list_add_tail(&q->list, &pending->list);
|
2005-04-17 06:20:36 +08:00
|
|
|
switch ((unsigned long) info) {
|
2005-10-31 07:03:44 +08:00
|
|
|
case (unsigned long) SEND_SIG_NOINFO:
|
2018-01-06 07:27:42 +08:00
|
|
|
clear_siginfo(&q->info);
|
2005-04-17 06:20:36 +08:00
|
|
|
q->info.si_signo = sig;
|
|
|
|
q->info.si_errno = 0;
|
|
|
|
q->info.si_code = SI_USER;
|
2009-01-07 06:42:46 +08:00
|
|
|
q->info.si_pid = task_tgid_nr_ns(current,
|
2009-01-07 06:42:45 +08:00
|
|
|
task_active_pid_ns(t));
|
2019-05-16 11:54:56 +08:00
|
|
|
rcu_read_lock();
|
|
|
|
q->info.si_uid =
|
|
|
|
from_kuid_munged(task_cred_xxx(t, user_ns),
|
|
|
|
current_uid());
|
|
|
|
rcu_read_unlock();
|
2005-04-17 06:20:36 +08:00
|
|
|
break;
|
2005-10-31 07:03:44 +08:00
|
|
|
case (unsigned long) SEND_SIG_PRIV:
|
2018-01-06 07:27:42 +08:00
|
|
|
clear_siginfo(&q->info);
|
2005-04-17 06:20:36 +08:00
|
|
|
q->info.si_signo = sig;
|
|
|
|
q->info.si_errno = 0;
|
|
|
|
q->info.si_code = SI_KERNEL;
|
|
|
|
q->info.si_pid = 0;
|
|
|
|
q->info.si_uid = 0;
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
copy_siginfo(&q->info, info);
|
|
|
|
break;
|
|
|
|
}
|
2019-05-16 11:56:17 +08:00
|
|
|
} else if (!is_si_special(info) &&
|
|
|
|
sig >= SIGRTMIN && info->si_code != SI_USER) {
|
|
|
|
/*
|
|
|
|
* Queue overflow, abort. We may abort if the
|
|
|
|
* signal was rt and sent by user using something
|
|
|
|
* other than kill().
|
|
|
|
*/
|
|
|
|
result = TRACE_SIGNAL_OVERFLOW_FAIL;
|
|
|
|
ret = -EAGAIN;
|
|
|
|
goto ret;
|
|
|
|
} else {
|
|
|
|
/*
|
|
|
|
* This is a silent loss of information. We still
|
|
|
|
* send the signal, but the *info bits are lost.
|
|
|
|
*/
|
|
|
|
result = TRACE_SIGNAL_LOSE_INFO;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
out_set:
|
2008-04-30 15:53:00 +08:00
|
|
|
signalfd_notify(t, sig);
|
2008-04-30 15:52:54 +08:00
|
|
|
sigaddset(&pending->signal, sig);
|
2018-07-24 04:20:37 +08:00
|
|
|
|
|
|
|
/* Let multiprocess signals appear after on-going forks */
|
|
|
|
if (type > PIDTYPE_TGID) {
|
|
|
|
struct multiprocess_signals *delayed;
|
|
|
|
hlist_for_each_entry(delayed, &t->signal->multiprocess, node) {
|
|
|
|
sigset_t *signal = &delayed->signal;
|
|
|
|
/* Can't queue both a stop and a continue signal */
|
|
|
|
if (sig == SIGCONT)
|
|
|
|
sigdelsetmask(signal, SIG_KERNEL_STOP_MASK);
|
|
|
|
else if (sig_kernel_stop(sig))
|
|
|
|
sigdelset(signal, SIGCONT);
|
|
|
|
sigaddset(signal, sig);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2018-07-14 10:39:13 +08:00
|
|
|
complete_signal(sig, t, type);
|
2011-11-23 04:13:48 +08:00
|
|
|
ret:
|
2018-07-14 08:26:27 +08:00
|
|
|
trace_signal_generate(sig, info, t, type != PIDTYPE_PID, result);
|
2011-11-23 04:13:48 +08:00
|
|
|
return ret;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
2019-05-16 11:54:56 +08:00
|
|
|
static inline bool has_si_pid_and_uid(struct kernel_siginfo *info)
|
|
|
|
{
|
|
|
|
bool ret = false;
|
|
|
|
switch (siginfo_layout(info->si_signo, info->si_code)) {
|
|
|
|
case SIL_KILL:
|
|
|
|
case SIL_CHLD:
|
|
|
|
case SIL_RT:
|
|
|
|
ret = true;
|
|
|
|
break;
|
|
|
|
case SIL_TIMER:
|
|
|
|
case SIL_POLL:
|
|
|
|
case SIL_FAULT:
|
2021-05-01 06:29:36 +08:00
|
|
|
case SIL_FAULT_TRAPNO:
|
2019-05-16 11:54:56 +08:00
|
|
|
case SIL_FAULT_MCEERR:
|
|
|
|
case SIL_FAULT_BNDERR:
|
|
|
|
case SIL_FAULT_PKUERR:
|
2021-05-01 06:58:56 +08:00
|
|
|
case SIL_FAULT_PERF_EVENT:
|
2019-05-16 11:54:56 +08:00
|
|
|
case SIL_SYS:
|
|
|
|
ret = false;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
2022-04-22 22:48:54 +08:00
|
|
|
int send_signal_locked(int sig, struct kernel_siginfo *info,
|
|
|
|
struct task_struct *t, enum pid_type type)
|
2009-04-03 07:58:04 +08:00
|
|
|
{
|
2019-05-16 11:23:32 +08:00
|
|
|
/* Should SIGKILL or SIGSTOP be received by a pid namespace init? */
|
|
|
|
bool force = false;
|
2009-04-03 07:58:05 +08:00
|
|
|
|
2019-05-16 11:23:32 +08:00
|
|
|
if (info == SEND_SIG_NOINFO) {
|
|
|
|
/* Force if sent from an ancestor pid namespace */
|
|
|
|
force = !task_pid_nr_ns(current, task_active_pid_ns(t));
|
|
|
|
} else if (info == SEND_SIG_PRIV) {
|
|
|
|
/* Don't ignore kernel generated signals */
|
|
|
|
force = true;
|
|
|
|
} else if (has_si_pid_and_uid(info)) {
|
|
|
|
/* SIGKILL and SIGSTOP is special or has ids */
|
2019-05-16 11:54:56 +08:00
|
|
|
struct user_namespace *t_user_ns;
|
|
|
|
|
|
|
|
rcu_read_lock();
|
|
|
|
t_user_ns = task_cred_xxx(t, user_ns);
|
|
|
|
if (current_user_ns() != t_user_ns) {
|
|
|
|
kuid_t uid = make_kuid(current_user_ns(), info->si_uid);
|
|
|
|
info->si_uid = from_kuid_munged(t_user_ns, uid);
|
|
|
|
}
|
|
|
|
rcu_read_unlock();
|
2009-04-03 07:58:05 +08:00
|
|
|
|
2019-05-16 11:23:32 +08:00
|
|
|
/* A kernel generated signal? */
|
|
|
|
force = (info->si_code == SI_KERNEL);
|
|
|
|
|
|
|
|
/* From an ancestor pid namespace? */
|
|
|
|
if (!task_pid_nr_ns(current, task_active_pid_ns(t))) {
|
2019-05-16 11:54:56 +08:00
|
|
|
info->si_pid = 0;
|
2019-05-16 11:23:32 +08:00
|
|
|
force = true;
|
|
|
|
}
|
2019-05-16 11:54:56 +08:00
|
|
|
}
|
2022-04-22 22:48:54 +08:00
|
|
|
return __send_signal_locked(sig, info, t, type, force);
|
2009-04-03 07:58:04 +08:00
|
|
|
}
|
|
|
|
|
2012-11-06 02:09:56 +08:00
|
|
|
static void print_fatal_signal(int signr)
|
2007-07-16 14:40:10 +08:00
|
|
|
{
|
2020-06-09 00:21:07 +08:00
|
|
|
struct pt_regs *regs = task_pt_regs(current);
|
2016-05-24 07:23:59 +08:00
|
|
|
pr_info("potentially unexpected fatal signal %d.\n", signr);
|
2007-07-16 14:40:10 +08:00
|
|
|
|
2007-10-29 12:31:16 +08:00
|
|
|
#if defined(__i386__) && !defined(__arch_um__)
|
2016-05-24 07:23:59 +08:00
|
|
|
pr_info("code at %08lx: ", regs->ip);
|
2007-07-16 14:40:10 +08:00
|
|
|
{
|
|
|
|
int i;
|
|
|
|
for (i = 0; i < 16; i++) {
|
|
|
|
unsigned char insn;
|
|
|
|
|
2010-01-09 06:42:52 +08:00
|
|
|
if (get_user(insn, (unsigned char *)(regs->ip + i)))
|
|
|
|
break;
|
2016-05-24 07:23:59 +08:00
|
|
|
pr_cont("%02x ", insn);
|
2007-07-16 14:40:10 +08:00
|
|
|
}
|
|
|
|
}
|
2016-05-24 07:23:59 +08:00
|
|
|
pr_cont("\n");
|
2007-07-16 14:40:10 +08:00
|
|
|
#endif
|
2009-01-27 07:33:31 +08:00
|
|
|
preempt_disable();
|
2007-07-16 14:40:10 +08:00
|
|
|
show_regs(regs);
|
2009-01-27 07:33:31 +08:00
|
|
|
preempt_enable();
|
2007-07-16 14:40:10 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
static int __init setup_print_fatal_signals(char *str)
|
|
|
|
{
|
|
|
|
get_option (&str, &print_fatal_signals);
|
|
|
|
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
__setup("print-fatal-signals=", setup_print_fatal_signals);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2018-09-25 17:27:20 +08:00
|
|
|
int do_send_sig_info(int sig, struct kernel_siginfo *info, struct task_struct *p,
|
2018-07-21 23:45:15 +08:00
|
|
|
enum pid_type type)
|
2009-09-24 06:57:00 +08:00
|
|
|
{
|
|
|
|
unsigned long flags;
|
|
|
|
int ret = -ESRCH;
|
|
|
|
|
|
|
|
if (lock_task_sighand(p, &flags)) {
|
2022-04-22 22:48:54 +08:00
|
|
|
ret = send_signal_locked(sig, info, p, type);
|
2009-09-24 06:57:00 +08:00
|
|
|
unlock_task_sighand(p, &flags);
|
|
|
|
}
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
2021-11-19 01:11:13 +08:00
|
|
|
enum sig_handler {
|
|
|
|
HANDLER_CURRENT, /* If reachable use the current handler */
|
|
|
|
HANDLER_SIG_DFL, /* Always use SIG_DFL handler semantics */
|
|
|
|
HANDLER_EXIT, /* Only visible as the process exit code */
|
|
|
|
};
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
/*
|
|
|
|
* Force a signal that the process can't ignore: if necessary
|
|
|
|
* we unblock the signal and change any SIG_IGN to SIG_DFL.
|
2006-08-03 11:17:49 +08:00
|
|
|
*
|
|
|
|
* Note: If we unblock the signal, we always reset it to SIG_DFL,
|
|
|
|
* since we do not want to have a signal handler that was blocked
|
|
|
|
* be invoked when user space had explicitly blocked it.
|
|
|
|
*
|
2008-04-30 15:53:05 +08:00
|
|
|
* We don't want to have recursive SIGSEGV's etc, for example,
|
|
|
|
* that is why we also clear SIGNAL_UNKILLABLE.
|
2005-04-17 06:20:36 +08:00
|
|
|
*/
|
2019-02-08 01:01:20 +08:00
|
|
|
static int
|
2021-11-19 01:11:13 +08:00
|
|
|
force_sig_info_to_task(struct kernel_siginfo *info, struct task_struct *t,
|
|
|
|
enum sig_handler handler)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
|
|
|
unsigned long int flags;
|
2006-08-03 11:17:49 +08:00
|
|
|
int ret, blocked, ignored;
|
|
|
|
struct k_sigaction *action;
|
2019-02-08 01:01:20 +08:00
|
|
|
int sig = info->si_signo;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
spin_lock_irqsave(&t->sighand->siglock, flags);
|
2006-08-03 11:17:49 +08:00
|
|
|
action = &t->sighand->action[sig-1];
|
|
|
|
ignored = action->sa.sa_handler == SIG_IGN;
|
|
|
|
blocked = sigismember(&t->blocked, sig);
|
2021-11-19 01:11:13 +08:00
|
|
|
if (blocked || ignored || (handler != HANDLER_CURRENT)) {
|
2006-08-03 11:17:49 +08:00
|
|
|
action->sa.sa_handler = SIG_DFL;
|
2021-11-19 01:11:13 +08:00
|
|
|
if (handler == HANDLER_EXIT)
|
|
|
|
action->sa.sa_flags |= SA_IMMUTABLE;
|
2006-08-03 11:17:49 +08:00
|
|
|
if (blocked) {
|
|
|
|
sigdelset(&t->blocked, sig);
|
2007-05-24 04:57:44 +08:00
|
|
|
recalc_sigpending_and_wake(t);
|
2006-08-03 11:17:49 +08:00
|
|
|
}
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
2017-08-19 06:16:18 +08:00
|
|
|
/*
|
|
|
|
* Don't clear SIGNAL_UNKILLABLE for traced tasks, users won't expect
|
2022-02-08 16:57:17 +08:00
|
|
|
* debugging to leave init killable. But HANDLER_EXIT is always fatal.
|
2017-08-19 06:16:18 +08:00
|
|
|
*/
|
2022-02-08 16:57:17 +08:00
|
|
|
if (action->sa.sa_handler == SIG_DFL &&
|
|
|
|
(!t->ptrace || (handler == HANDLER_EXIT)))
|
2008-04-30 15:53:05 +08:00
|
|
|
t->signal->flags &= ~SIGNAL_UNKILLABLE;
|
2022-04-22 22:48:54 +08:00
|
|
|
ret = send_signal_locked(sig, info, t, PIDTYPE_PID);
|
2005-04-17 06:20:36 +08:00
|
|
|
spin_unlock_irqrestore(&t->sighand->siglock, flags);
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
2019-05-15 23:11:09 +08:00
|
|
|
int force_sig_info(struct kernel_siginfo *info)
|
2019-02-08 01:01:20 +08:00
|
|
|
{
|
2021-11-19 01:11:13 +08:00
|
|
|
return force_sig_info_to_task(info, current, HANDLER_CURRENT);
|
2019-02-08 01:01:20 +08:00
|
|
|
}
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
/*
|
|
|
|
* Nuke all other threads in the group.
|
|
|
|
*/
|
2010-05-27 05:43:11 +08:00
|
|
|
int zap_other_threads(struct task_struct *p)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2010-05-27 05:43:11 +08:00
|
|
|
struct task_struct *t = p;
|
|
|
|
int count = 0;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
p->signal->group_stop_count = 0;
|
|
|
|
|
2010-05-27 05:43:11 +08:00
|
|
|
while_each_thread(p, t) {
|
2011-06-02 17:14:00 +08:00
|
|
|
task_clear_jobctl_pending(t, JOBCTL_PENDING_MASK);
|
2010-05-27 05:43:11 +08:00
|
|
|
count++;
|
|
|
|
|
|
|
|
/* Don't bother with already dead threads */
|
2005-04-17 06:20:36 +08:00
|
|
|
if (t->exit_state)
|
|
|
|
continue;
|
|
|
|
sigaddset(&t->pending.signal, SIGKILL);
|
|
|
|
signal_wake_up(t, 1);
|
|
|
|
}
|
2010-05-27 05:43:11 +08:00
|
|
|
|
|
|
|
return count;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
2010-10-28 06:34:06 +08:00
|
|
|
struct sighand_struct *__lock_task_sighand(struct task_struct *tsk,
|
|
|
|
unsigned long *flags)
|
2006-03-29 08:11:13 +08:00
|
|
|
{
|
|
|
|
struct sighand_struct *sighand;
|
|
|
|
|
2018-05-25 17:05:07 +08:00
|
|
|
rcu_read_lock();
|
2006-03-29 08:11:13 +08:00
|
|
|
for (;;) {
|
|
|
|
sighand = rcu_dereference(tsk->sighand);
|
2018-05-25 17:05:07 +08:00
|
|
|
if (unlikely(sighand == NULL))
|
2006-03-29 08:11:13 +08:00
|
|
|
break;
|
2018-05-25 17:05:07 +08:00
|
|
|
|
2014-09-29 05:44:18 +08:00
|
|
|
/*
|
|
|
|
* This sighand can be already freed and even reused, but
|
2017-01-18 18:53:44 +08:00
|
|
|
* we rely on SLAB_TYPESAFE_BY_RCU and sighand_ctor() which
|
2014-09-29 05:44:18 +08:00
|
|
|
* initializes ->siglock: this slab can't go away, it has
|
|
|
|
* the same object type, ->siglock can't be reinitialized.
|
|
|
|
*
|
|
|
|
* We need to ensure that tsk->sighand is still the same
|
|
|
|
* after we take the lock, we can race with de_thread() or
|
|
|
|
* __exit_signal(). In the latter case the next iteration
|
|
|
|
* must see ->sighand == NULL.
|
|
|
|
*/
|
2018-05-25 17:05:07 +08:00
|
|
|
spin_lock_irqsave(&sighand->siglock, *flags);
|
2020-01-24 12:59:08 +08:00
|
|
|
if (likely(sighand == rcu_access_pointer(tsk->sighand)))
|
2006-03-29 08:11:13 +08:00
|
|
|
break;
|
2018-05-25 17:05:07 +08:00
|
|
|
spin_unlock_irqrestore(&sighand->siglock, *flags);
|
2006-03-29 08:11:13 +08:00
|
|
|
}
|
2018-05-25 17:05:07 +08:00
|
|
|
rcu_read_unlock();
|
2006-03-29 08:11:13 +08:00
|
|
|
|
|
|
|
return sighand;
|
|
|
|
}
|
|
|
|
|
2021-07-26 20:55:08 +08:00
|
|
|
#ifdef CONFIG_LOCKDEP
|
|
|
|
void lockdep_assert_task_sighand_held(struct task_struct *task)
|
|
|
|
{
|
|
|
|
struct sighand_struct *sighand;
|
|
|
|
|
|
|
|
rcu_read_lock();
|
|
|
|
sighand = rcu_dereference(task->sighand);
|
|
|
|
if (sighand)
|
|
|
|
lockdep_assert_held(&sighand->siglock);
|
|
|
|
else
|
|
|
|
WARN_ON_ONCE(1);
|
|
|
|
rcu_read_unlock();
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
2008-11-14 07:39:19 +08:00
|
|
|
/*
|
|
|
|
* send signal info to all the members of a group
|
|
|
|
*/
|
2018-09-25 17:27:20 +08:00
|
|
|
int group_send_sig_info(int sig, struct kernel_siginfo *info,
|
|
|
|
struct task_struct *p, enum pid_type type)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2010-08-04 23:59:14 +08:00
|
|
|
int ret;
|
|
|
|
|
|
|
|
rcu_read_lock();
|
|
|
|
ret = check_kill_permission(sig, info, p);
|
|
|
|
rcu_read_unlock();
|
2006-03-29 08:11:13 +08:00
|
|
|
|
2009-09-24 06:57:00 +08:00
|
|
|
if (!ret && sig)
|
2018-07-21 23:45:15 +08:00
|
|
|
ret = do_send_sig_info(sig, info, p, type);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
2008-02-08 20:19:22 +08:00
|
|
|
* __kill_pgrp_info() sends a signal to a process group: this is what the tty
|
2005-04-17 06:20:36 +08:00
|
|
|
* control characters do (^C, ^Z etc)
|
2008-11-14 07:39:19 +08:00
|
|
|
* - the caller must hold at least a readlock on tasklist_lock
|
2005-04-17 06:20:36 +08:00
|
|
|
*/
|
2018-09-25 17:27:20 +08:00
|
|
|
int __kill_pgrp_info(int sig, struct kernel_siginfo *info, struct pid *pgrp)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
|
|
|
struct task_struct *p = NULL;
|
|
|
|
int retval, success;
|
|
|
|
|
|
|
|
success = 0;
|
|
|
|
retval = -ESRCH;
|
2006-10-02 17:17:10 +08:00
|
|
|
do_each_pid_task(pgrp, PIDTYPE_PGID, p) {
|
2018-07-14 07:40:57 +08:00
|
|
|
int err = group_send_sig_info(sig, info, p, PIDTYPE_PGID);
|
2005-04-17 06:20:36 +08:00
|
|
|
success |= !err;
|
|
|
|
retval = err;
|
2006-10-02 17:17:10 +08:00
|
|
|
} while_each_pid_task(pgrp, PIDTYPE_PGID, p);
|
2005-04-17 06:20:36 +08:00
|
|
|
return success ? 0 : retval;
|
|
|
|
}
|
|
|
|
|
2018-09-25 17:27:20 +08:00
|
|
|
int kill_pid_info(int sig, struct kernel_siginfo *info, struct pid *pid)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2008-02-08 20:19:18 +08:00
|
|
|
int error = -ESRCH;
|
2005-04-17 06:20:36 +08:00
|
|
|
struct task_struct *p;
|
|
|
|
|
2014-10-24 02:41:22 +08:00
|
|
|
for (;;) {
|
|
|
|
rcu_read_lock();
|
|
|
|
p = pid_task(pid, PIDTYPE_PID);
|
|
|
|
if (p)
|
2018-07-14 07:40:57 +08:00
|
|
|
error = group_send_sig_info(sig, info, p, PIDTYPE_TGID);
|
2014-10-24 02:41:22 +08:00
|
|
|
rcu_read_unlock();
|
|
|
|
if (likely(!p || error != -ESRCH))
|
|
|
|
return error;
|
2008-04-30 15:52:45 +08:00
|
|
|
|
2014-10-24 02:41:22 +08:00
|
|
|
/*
|
|
|
|
* The task was unhashed in between, try again. If it
|
|
|
|
* is dead, pid_task() will return NULL, if we race with
|
|
|
|
* de_thread() it will find the new leader.
|
|
|
|
*/
|
|
|
|
}
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
2018-09-25 17:27:20 +08:00
|
|
|
static int kill_proc_info(int sig, struct kernel_siginfo *info, pid_t pid)
|
2006-10-02 17:17:10 +08:00
|
|
|
{
|
|
|
|
int error;
|
|
|
|
rcu_read_lock();
|
2007-10-19 14:40:14 +08:00
|
|
|
error = kill_pid_info(sig, info, find_vpid(pid));
|
2006-10-02 17:17:10 +08:00
|
|
|
rcu_read_unlock();
|
|
|
|
return error;
|
|
|
|
}
|
|
|
|
|
2018-08-22 12:59:55 +08:00
|
|
|
static inline bool kill_as_cred_perm(const struct cred *cred,
|
|
|
|
struct task_struct *target)
|
2011-09-26 23:45:18 +08:00
|
|
|
{
|
|
|
|
const struct cred *pcred = __task_cred(target);
|
2018-08-22 12:59:55 +08:00
|
|
|
|
|
|
|
return uid_eq(cred->euid, pcred->suid) ||
|
|
|
|
uid_eq(cred->euid, pcred->uid) ||
|
|
|
|
uid_eq(cred->uid, pcred->suid) ||
|
|
|
|
uid_eq(cred->uid, pcred->uid);
|
2011-09-26 23:45:18 +08:00
|
|
|
}
|
|
|
|
|
signal/usb: Replace kill_pid_info_as_cred with kill_pid_usb_asyncio
The usb support for asyncio encoded one of it's values in the wrong
field. It should have used si_value but instead used si_addr which is
not present in the _rt union member of struct siginfo.
The practical result of this is that on a 64bit big endian kernel
when delivering a signal to a 32bit process the si_addr field
is set to NULL, instead of the expected pointer value.
This issue can not be fixed in copy_siginfo_to_user32 as the usb
usage of the the _sigfault (aka si_addr) member of the siginfo
union when SI_ASYNCIO is set is incompatible with the POSIX and
glibc usage of the _rt member of the siginfo union.
Therefore replace kill_pid_info_as_cred with kill_pid_usb_asyncio a
dedicated function for this one specific case. There are no other
users of kill_pid_info_as_cred so this specialization should have no
impact on the amount of code in the kernel. Have kill_pid_usb_asyncio
take instead of a siginfo_t which is difficult and error prone, 3
arguments, a signal number, an errno value, and an address enconded as
a sigval_t. The encoding of the address as a sigval_t allows the
code that reads the userspace request for a signal to handle this
compat issue along with all of the other compat issues.
Add BUILD_BUG_ONs in kernel/signal.c to ensure that we can now place
the pointer value at the in si_pid (instead of si_addr). That is the
code now verifies that si_pid and si_addr always occur at the same
location. Further the code veries that for native structures a value
placed in si_pid and spilling into si_uid will appear in userspace in
si_addr (on a byte by byte copy of siginfo or a field by field copy of
siginfo). The code also verifies that for a 64bit kernel and a 32bit
userspace the 32bit pointer will fit in si_pid.
I have used the usbsig.c program below written by Alan Stern and
slightly tweaked by me to run on a big endian machine to verify the
issue exists (on sparc64) and to confirm the patch below fixes the issue.
/* usbsig.c -- test USB async signal delivery */
#define _GNU_SOURCE
#include <stdio.h>
#include <fcntl.h>
#include <signal.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <endian.h>
#include <linux/usb/ch9.h>
#include <linux/usbdevice_fs.h>
static struct usbdevfs_urb urb;
static struct usbdevfs_disconnectsignal ds;
static volatile sig_atomic_t done = 0;
void urb_handler(int sig, siginfo_t *info , void *ucontext)
{
printf("Got signal %d, signo %d errno %d code %d addr: %p urb: %p\n",
sig, info->si_signo, info->si_errno, info->si_code,
info->si_addr, &urb);
printf("%s\n", (info->si_addr == &urb) ? "Good" : "Bad");
}
void ds_handler(int sig, siginfo_t *info , void *ucontext)
{
printf("Got signal %d, signo %d errno %d code %d addr: %p ds: %p\n",
sig, info->si_signo, info->si_errno, info->si_code,
info->si_addr, &ds);
printf("%s\n", (info->si_addr == &ds) ? "Good" : "Bad");
done = 1;
}
int main(int argc, char **argv)
{
char *devfilename;
int fd;
int rc;
struct sigaction act;
struct usb_ctrlrequest *req;
void *ptr;
char buf[80];
if (argc != 2) {
fprintf(stderr, "Usage: usbsig device-file-name\n");
return 1;
}
devfilename = argv[1];
fd = open(devfilename, O_RDWR);
if (fd == -1) {
perror("Error opening device file");
return 1;
}
act.sa_sigaction = urb_handler;
sigemptyset(&act.sa_mask);
act.sa_flags = SA_SIGINFO;
rc = sigaction(SIGUSR1, &act, NULL);
if (rc == -1) {
perror("Error in sigaction");
return 1;
}
act.sa_sigaction = ds_handler;
sigemptyset(&act.sa_mask);
act.sa_flags = SA_SIGINFO;
rc = sigaction(SIGUSR2, &act, NULL);
if (rc == -1) {
perror("Error in sigaction");
return 1;
}
memset(&urb, 0, sizeof(urb));
urb.type = USBDEVFS_URB_TYPE_CONTROL;
urb.endpoint = USB_DIR_IN | 0;
urb.buffer = buf;
urb.buffer_length = sizeof(buf);
urb.signr = SIGUSR1;
req = (struct usb_ctrlrequest *) buf;
req->bRequestType = USB_DIR_IN | USB_TYPE_STANDARD | USB_RECIP_DEVICE;
req->bRequest = USB_REQ_GET_DESCRIPTOR;
req->wValue = htole16(USB_DT_DEVICE << 8);
req->wIndex = htole16(0);
req->wLength = htole16(sizeof(buf) - sizeof(*req));
rc = ioctl(fd, USBDEVFS_SUBMITURB, &urb);
if (rc == -1) {
perror("Error in SUBMITURB ioctl");
return 1;
}
rc = ioctl(fd, USBDEVFS_REAPURB, &ptr);
if (rc == -1) {
perror("Error in REAPURB ioctl");
return 1;
}
memset(&ds, 0, sizeof(ds));
ds.signr = SIGUSR2;
ds.context = &ds;
rc = ioctl(fd, USBDEVFS_DISCSIGNAL, &ds);
if (rc == -1) {
perror("Error in DISCSIGNAL ioctl");
return 1;
}
printf("Waiting for usb disconnect\n");
while (!done) {
sleep(1);
}
close(fd);
return 0;
}
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: linux-usb@vger.kernel.org
Cc: Alan Stern <stern@rowland.harvard.edu>
Cc: Oliver Neukum <oneukum@suse.com>
Fixes: v2.3.39
Cc: stable@vger.kernel.org
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2019-02-08 09:44:12 +08:00
|
|
|
/*
|
|
|
|
* The usb asyncio usage of siginfo is wrong. The glibc support
|
|
|
|
* for asyncio which uses SI_ASYNCIO assumes the layout is SIL_RT.
|
|
|
|
* AKA after the generic fields:
|
|
|
|
* kernel_pid_t si_pid;
|
|
|
|
* kernel_uid32_t si_uid;
|
|
|
|
* sigval_t si_value;
|
|
|
|
*
|
|
|
|
* Unfortunately when usb generates SI_ASYNCIO it assumes the layout
|
|
|
|
* after the generic fields is:
|
|
|
|
* void __user *si_addr;
|
|
|
|
*
|
|
|
|
* This is a practical problem when there is a 64bit big endian kernel
|
|
|
|
* and a 32bit userspace. As the 32bit address will encoded in the low
|
|
|
|
* 32bits of the pointer. Those low 32bits will be stored at higher
|
|
|
|
* address than appear in a 32 bit pointer. So userspace will not
|
|
|
|
* see the address it was expecting for it's completions.
|
|
|
|
*
|
|
|
|
* There is nothing in the encoding that can allow
|
|
|
|
* copy_siginfo_to_user32 to detect this confusion of formats, so
|
|
|
|
* handle this by requiring the caller of kill_pid_usb_asyncio to
|
|
|
|
* notice when this situration takes place and to store the 32bit
|
|
|
|
* pointer in sival_int, instead of sival_addr of the sigval_t addr
|
|
|
|
* parameter.
|
|
|
|
*/
|
|
|
|
int kill_pid_usb_asyncio(int sig, int errno, sigval_t addr,
|
|
|
|
struct pid *pid, const struct cred *cred)
|
2005-10-11 01:44:29 +08:00
|
|
|
{
|
signal/usb: Replace kill_pid_info_as_cred with kill_pid_usb_asyncio
The usb support for asyncio encoded one of it's values in the wrong
field. It should have used si_value but instead used si_addr which is
not present in the _rt union member of struct siginfo.
The practical result of this is that on a 64bit big endian kernel
when delivering a signal to a 32bit process the si_addr field
is set to NULL, instead of the expected pointer value.
This issue can not be fixed in copy_siginfo_to_user32 as the usb
usage of the the _sigfault (aka si_addr) member of the siginfo
union when SI_ASYNCIO is set is incompatible with the POSIX and
glibc usage of the _rt member of the siginfo union.
Therefore replace kill_pid_info_as_cred with kill_pid_usb_asyncio a
dedicated function for this one specific case. There are no other
users of kill_pid_info_as_cred so this specialization should have no
impact on the amount of code in the kernel. Have kill_pid_usb_asyncio
take instead of a siginfo_t which is difficult and error prone, 3
arguments, a signal number, an errno value, and an address enconded as
a sigval_t. The encoding of the address as a sigval_t allows the
code that reads the userspace request for a signal to handle this
compat issue along with all of the other compat issues.
Add BUILD_BUG_ONs in kernel/signal.c to ensure that we can now place
the pointer value at the in si_pid (instead of si_addr). That is the
code now verifies that si_pid and si_addr always occur at the same
location. Further the code veries that for native structures a value
placed in si_pid and spilling into si_uid will appear in userspace in
si_addr (on a byte by byte copy of siginfo or a field by field copy of
siginfo). The code also verifies that for a 64bit kernel and a 32bit
userspace the 32bit pointer will fit in si_pid.
I have used the usbsig.c program below written by Alan Stern and
slightly tweaked by me to run on a big endian machine to verify the
issue exists (on sparc64) and to confirm the patch below fixes the issue.
/* usbsig.c -- test USB async signal delivery */
#define _GNU_SOURCE
#include <stdio.h>
#include <fcntl.h>
#include <signal.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <endian.h>
#include <linux/usb/ch9.h>
#include <linux/usbdevice_fs.h>
static struct usbdevfs_urb urb;
static struct usbdevfs_disconnectsignal ds;
static volatile sig_atomic_t done = 0;
void urb_handler(int sig, siginfo_t *info , void *ucontext)
{
printf("Got signal %d, signo %d errno %d code %d addr: %p urb: %p\n",
sig, info->si_signo, info->si_errno, info->si_code,
info->si_addr, &urb);
printf("%s\n", (info->si_addr == &urb) ? "Good" : "Bad");
}
void ds_handler(int sig, siginfo_t *info , void *ucontext)
{
printf("Got signal %d, signo %d errno %d code %d addr: %p ds: %p\n",
sig, info->si_signo, info->si_errno, info->si_code,
info->si_addr, &ds);
printf("%s\n", (info->si_addr == &ds) ? "Good" : "Bad");
done = 1;
}
int main(int argc, char **argv)
{
char *devfilename;
int fd;
int rc;
struct sigaction act;
struct usb_ctrlrequest *req;
void *ptr;
char buf[80];
if (argc != 2) {
fprintf(stderr, "Usage: usbsig device-file-name\n");
return 1;
}
devfilename = argv[1];
fd = open(devfilename, O_RDWR);
if (fd == -1) {
perror("Error opening device file");
return 1;
}
act.sa_sigaction = urb_handler;
sigemptyset(&act.sa_mask);
act.sa_flags = SA_SIGINFO;
rc = sigaction(SIGUSR1, &act, NULL);
if (rc == -1) {
perror("Error in sigaction");
return 1;
}
act.sa_sigaction = ds_handler;
sigemptyset(&act.sa_mask);
act.sa_flags = SA_SIGINFO;
rc = sigaction(SIGUSR2, &act, NULL);
if (rc == -1) {
perror("Error in sigaction");
return 1;
}
memset(&urb, 0, sizeof(urb));
urb.type = USBDEVFS_URB_TYPE_CONTROL;
urb.endpoint = USB_DIR_IN | 0;
urb.buffer = buf;
urb.buffer_length = sizeof(buf);
urb.signr = SIGUSR1;
req = (struct usb_ctrlrequest *) buf;
req->bRequestType = USB_DIR_IN | USB_TYPE_STANDARD | USB_RECIP_DEVICE;
req->bRequest = USB_REQ_GET_DESCRIPTOR;
req->wValue = htole16(USB_DT_DEVICE << 8);
req->wIndex = htole16(0);
req->wLength = htole16(sizeof(buf) - sizeof(*req));
rc = ioctl(fd, USBDEVFS_SUBMITURB, &urb);
if (rc == -1) {
perror("Error in SUBMITURB ioctl");
return 1;
}
rc = ioctl(fd, USBDEVFS_REAPURB, &ptr);
if (rc == -1) {
perror("Error in REAPURB ioctl");
return 1;
}
memset(&ds, 0, sizeof(ds));
ds.signr = SIGUSR2;
ds.context = &ds;
rc = ioctl(fd, USBDEVFS_DISCSIGNAL, &ds);
if (rc == -1) {
perror("Error in DISCSIGNAL ioctl");
return 1;
}
printf("Waiting for usb disconnect\n");
while (!done) {
sleep(1);
}
close(fd);
return 0;
}
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: linux-usb@vger.kernel.org
Cc: Alan Stern <stern@rowland.harvard.edu>
Cc: Oliver Neukum <oneukum@suse.com>
Fixes: v2.3.39
Cc: stable@vger.kernel.org
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2019-02-08 09:44:12 +08:00
|
|
|
struct kernel_siginfo info;
|
2005-10-11 01:44:29 +08:00
|
|
|
struct task_struct *p;
|
2009-12-10 08:53:17 +08:00
|
|
|
unsigned long flags;
|
signal/usb: Replace kill_pid_info_as_cred with kill_pid_usb_asyncio
The usb support for asyncio encoded one of it's values in the wrong
field. It should have used si_value but instead used si_addr which is
not present in the _rt union member of struct siginfo.
The practical result of this is that on a 64bit big endian kernel
when delivering a signal to a 32bit process the si_addr field
is set to NULL, instead of the expected pointer value.
This issue can not be fixed in copy_siginfo_to_user32 as the usb
usage of the the _sigfault (aka si_addr) member of the siginfo
union when SI_ASYNCIO is set is incompatible with the POSIX and
glibc usage of the _rt member of the siginfo union.
Therefore replace kill_pid_info_as_cred with kill_pid_usb_asyncio a
dedicated function for this one specific case. There are no other
users of kill_pid_info_as_cred so this specialization should have no
impact on the amount of code in the kernel. Have kill_pid_usb_asyncio
take instead of a siginfo_t which is difficult and error prone, 3
arguments, a signal number, an errno value, and an address enconded as
a sigval_t. The encoding of the address as a sigval_t allows the
code that reads the userspace request for a signal to handle this
compat issue along with all of the other compat issues.
Add BUILD_BUG_ONs in kernel/signal.c to ensure that we can now place
the pointer value at the in si_pid (instead of si_addr). That is the
code now verifies that si_pid and si_addr always occur at the same
location. Further the code veries that for native structures a value
placed in si_pid and spilling into si_uid will appear in userspace in
si_addr (on a byte by byte copy of siginfo or a field by field copy of
siginfo). The code also verifies that for a 64bit kernel and a 32bit
userspace the 32bit pointer will fit in si_pid.
I have used the usbsig.c program below written by Alan Stern and
slightly tweaked by me to run on a big endian machine to verify the
issue exists (on sparc64) and to confirm the patch below fixes the issue.
/* usbsig.c -- test USB async signal delivery */
#define _GNU_SOURCE
#include <stdio.h>
#include <fcntl.h>
#include <signal.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <endian.h>
#include <linux/usb/ch9.h>
#include <linux/usbdevice_fs.h>
static struct usbdevfs_urb urb;
static struct usbdevfs_disconnectsignal ds;
static volatile sig_atomic_t done = 0;
void urb_handler(int sig, siginfo_t *info , void *ucontext)
{
printf("Got signal %d, signo %d errno %d code %d addr: %p urb: %p\n",
sig, info->si_signo, info->si_errno, info->si_code,
info->si_addr, &urb);
printf("%s\n", (info->si_addr == &urb) ? "Good" : "Bad");
}
void ds_handler(int sig, siginfo_t *info , void *ucontext)
{
printf("Got signal %d, signo %d errno %d code %d addr: %p ds: %p\n",
sig, info->si_signo, info->si_errno, info->si_code,
info->si_addr, &ds);
printf("%s\n", (info->si_addr == &ds) ? "Good" : "Bad");
done = 1;
}
int main(int argc, char **argv)
{
char *devfilename;
int fd;
int rc;
struct sigaction act;
struct usb_ctrlrequest *req;
void *ptr;
char buf[80];
if (argc != 2) {
fprintf(stderr, "Usage: usbsig device-file-name\n");
return 1;
}
devfilename = argv[1];
fd = open(devfilename, O_RDWR);
if (fd == -1) {
perror("Error opening device file");
return 1;
}
act.sa_sigaction = urb_handler;
sigemptyset(&act.sa_mask);
act.sa_flags = SA_SIGINFO;
rc = sigaction(SIGUSR1, &act, NULL);
if (rc == -1) {
perror("Error in sigaction");
return 1;
}
act.sa_sigaction = ds_handler;
sigemptyset(&act.sa_mask);
act.sa_flags = SA_SIGINFO;
rc = sigaction(SIGUSR2, &act, NULL);
if (rc == -1) {
perror("Error in sigaction");
return 1;
}
memset(&urb, 0, sizeof(urb));
urb.type = USBDEVFS_URB_TYPE_CONTROL;
urb.endpoint = USB_DIR_IN | 0;
urb.buffer = buf;
urb.buffer_length = sizeof(buf);
urb.signr = SIGUSR1;
req = (struct usb_ctrlrequest *) buf;
req->bRequestType = USB_DIR_IN | USB_TYPE_STANDARD | USB_RECIP_DEVICE;
req->bRequest = USB_REQ_GET_DESCRIPTOR;
req->wValue = htole16(USB_DT_DEVICE << 8);
req->wIndex = htole16(0);
req->wLength = htole16(sizeof(buf) - sizeof(*req));
rc = ioctl(fd, USBDEVFS_SUBMITURB, &urb);
if (rc == -1) {
perror("Error in SUBMITURB ioctl");
return 1;
}
rc = ioctl(fd, USBDEVFS_REAPURB, &ptr);
if (rc == -1) {
perror("Error in REAPURB ioctl");
return 1;
}
memset(&ds, 0, sizeof(ds));
ds.signr = SIGUSR2;
ds.context = &ds;
rc = ioctl(fd, USBDEVFS_DISCSIGNAL, &ds);
if (rc == -1) {
perror("Error in DISCSIGNAL ioctl");
return 1;
}
printf("Waiting for usb disconnect\n");
while (!done) {
sleep(1);
}
close(fd);
return 0;
}
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: linux-usb@vger.kernel.org
Cc: Alan Stern <stern@rowland.harvard.edu>
Cc: Oliver Neukum <oneukum@suse.com>
Fixes: v2.3.39
Cc: stable@vger.kernel.org
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2019-02-08 09:44:12 +08:00
|
|
|
int ret = -EINVAL;
|
|
|
|
|
2020-03-30 10:18:33 +08:00
|
|
|
if (!valid_signal(sig))
|
|
|
|
return ret;
|
|
|
|
|
signal/usb: Replace kill_pid_info_as_cred with kill_pid_usb_asyncio
The usb support for asyncio encoded one of it's values in the wrong
field. It should have used si_value but instead used si_addr which is
not present in the _rt union member of struct siginfo.
The practical result of this is that on a 64bit big endian kernel
when delivering a signal to a 32bit process the si_addr field
is set to NULL, instead of the expected pointer value.
This issue can not be fixed in copy_siginfo_to_user32 as the usb
usage of the the _sigfault (aka si_addr) member of the siginfo
union when SI_ASYNCIO is set is incompatible with the POSIX and
glibc usage of the _rt member of the siginfo union.
Therefore replace kill_pid_info_as_cred with kill_pid_usb_asyncio a
dedicated function for this one specific case. There are no other
users of kill_pid_info_as_cred so this specialization should have no
impact on the amount of code in the kernel. Have kill_pid_usb_asyncio
take instead of a siginfo_t which is difficult and error prone, 3
arguments, a signal number, an errno value, and an address enconded as
a sigval_t. The encoding of the address as a sigval_t allows the
code that reads the userspace request for a signal to handle this
compat issue along with all of the other compat issues.
Add BUILD_BUG_ONs in kernel/signal.c to ensure that we can now place
the pointer value at the in si_pid (instead of si_addr). That is the
code now verifies that si_pid and si_addr always occur at the same
location. Further the code veries that for native structures a value
placed in si_pid and spilling into si_uid will appear in userspace in
si_addr (on a byte by byte copy of siginfo or a field by field copy of
siginfo). The code also verifies that for a 64bit kernel and a 32bit
userspace the 32bit pointer will fit in si_pid.
I have used the usbsig.c program below written by Alan Stern and
slightly tweaked by me to run on a big endian machine to verify the
issue exists (on sparc64) and to confirm the patch below fixes the issue.
/* usbsig.c -- test USB async signal delivery */
#define _GNU_SOURCE
#include <stdio.h>
#include <fcntl.h>
#include <signal.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <endian.h>
#include <linux/usb/ch9.h>
#include <linux/usbdevice_fs.h>
static struct usbdevfs_urb urb;
static struct usbdevfs_disconnectsignal ds;
static volatile sig_atomic_t done = 0;
void urb_handler(int sig, siginfo_t *info , void *ucontext)
{
printf("Got signal %d, signo %d errno %d code %d addr: %p urb: %p\n",
sig, info->si_signo, info->si_errno, info->si_code,
info->si_addr, &urb);
printf("%s\n", (info->si_addr == &urb) ? "Good" : "Bad");
}
void ds_handler(int sig, siginfo_t *info , void *ucontext)
{
printf("Got signal %d, signo %d errno %d code %d addr: %p ds: %p\n",
sig, info->si_signo, info->si_errno, info->si_code,
info->si_addr, &ds);
printf("%s\n", (info->si_addr == &ds) ? "Good" : "Bad");
done = 1;
}
int main(int argc, char **argv)
{
char *devfilename;
int fd;
int rc;
struct sigaction act;
struct usb_ctrlrequest *req;
void *ptr;
char buf[80];
if (argc != 2) {
fprintf(stderr, "Usage: usbsig device-file-name\n");
return 1;
}
devfilename = argv[1];
fd = open(devfilename, O_RDWR);
if (fd == -1) {
perror("Error opening device file");
return 1;
}
act.sa_sigaction = urb_handler;
sigemptyset(&act.sa_mask);
act.sa_flags = SA_SIGINFO;
rc = sigaction(SIGUSR1, &act, NULL);
if (rc == -1) {
perror("Error in sigaction");
return 1;
}
act.sa_sigaction = ds_handler;
sigemptyset(&act.sa_mask);
act.sa_flags = SA_SIGINFO;
rc = sigaction(SIGUSR2, &act, NULL);
if (rc == -1) {
perror("Error in sigaction");
return 1;
}
memset(&urb, 0, sizeof(urb));
urb.type = USBDEVFS_URB_TYPE_CONTROL;
urb.endpoint = USB_DIR_IN | 0;
urb.buffer = buf;
urb.buffer_length = sizeof(buf);
urb.signr = SIGUSR1;
req = (struct usb_ctrlrequest *) buf;
req->bRequestType = USB_DIR_IN | USB_TYPE_STANDARD | USB_RECIP_DEVICE;
req->bRequest = USB_REQ_GET_DESCRIPTOR;
req->wValue = htole16(USB_DT_DEVICE << 8);
req->wIndex = htole16(0);
req->wLength = htole16(sizeof(buf) - sizeof(*req));
rc = ioctl(fd, USBDEVFS_SUBMITURB, &urb);
if (rc == -1) {
perror("Error in SUBMITURB ioctl");
return 1;
}
rc = ioctl(fd, USBDEVFS_REAPURB, &ptr);
if (rc == -1) {
perror("Error in REAPURB ioctl");
return 1;
}
memset(&ds, 0, sizeof(ds));
ds.signr = SIGUSR2;
ds.context = &ds;
rc = ioctl(fd, USBDEVFS_DISCSIGNAL, &ds);
if (rc == -1) {
perror("Error in DISCSIGNAL ioctl");
return 1;
}
printf("Waiting for usb disconnect\n");
while (!done) {
sleep(1);
}
close(fd);
return 0;
}
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: linux-usb@vger.kernel.org
Cc: Alan Stern <stern@rowland.harvard.edu>
Cc: Oliver Neukum <oneukum@suse.com>
Fixes: v2.3.39
Cc: stable@vger.kernel.org
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2019-02-08 09:44:12 +08:00
|
|
|
clear_siginfo(&info);
|
|
|
|
info.si_signo = sig;
|
|
|
|
info.si_errno = errno;
|
|
|
|
info.si_code = SI_ASYNCIO;
|
|
|
|
*((sigval_t *)&info.si_pid) = addr;
|
2005-10-11 01:44:29 +08:00
|
|
|
|
2009-12-10 08:53:17 +08:00
|
|
|
rcu_read_lock();
|
2006-10-02 17:17:28 +08:00
|
|
|
p = pid_task(pid, PIDTYPE_PID);
|
2005-10-11 01:44:29 +08:00
|
|
|
if (!p) {
|
|
|
|
ret = -ESRCH;
|
|
|
|
goto out_unlock;
|
|
|
|
}
|
signal/usb: Replace kill_pid_info_as_cred with kill_pid_usb_asyncio
The usb support for asyncio encoded one of it's values in the wrong
field. It should have used si_value but instead used si_addr which is
not present in the _rt union member of struct siginfo.
The practical result of this is that on a 64bit big endian kernel
when delivering a signal to a 32bit process the si_addr field
is set to NULL, instead of the expected pointer value.
This issue can not be fixed in copy_siginfo_to_user32 as the usb
usage of the the _sigfault (aka si_addr) member of the siginfo
union when SI_ASYNCIO is set is incompatible with the POSIX and
glibc usage of the _rt member of the siginfo union.
Therefore replace kill_pid_info_as_cred with kill_pid_usb_asyncio a
dedicated function for this one specific case. There are no other
users of kill_pid_info_as_cred so this specialization should have no
impact on the amount of code in the kernel. Have kill_pid_usb_asyncio
take instead of a siginfo_t which is difficult and error prone, 3
arguments, a signal number, an errno value, and an address enconded as
a sigval_t. The encoding of the address as a sigval_t allows the
code that reads the userspace request for a signal to handle this
compat issue along with all of the other compat issues.
Add BUILD_BUG_ONs in kernel/signal.c to ensure that we can now place
the pointer value at the in si_pid (instead of si_addr). That is the
code now verifies that si_pid and si_addr always occur at the same
location. Further the code veries that for native structures a value
placed in si_pid and spilling into si_uid will appear in userspace in
si_addr (on a byte by byte copy of siginfo or a field by field copy of
siginfo). The code also verifies that for a 64bit kernel and a 32bit
userspace the 32bit pointer will fit in si_pid.
I have used the usbsig.c program below written by Alan Stern and
slightly tweaked by me to run on a big endian machine to verify the
issue exists (on sparc64) and to confirm the patch below fixes the issue.
/* usbsig.c -- test USB async signal delivery */
#define _GNU_SOURCE
#include <stdio.h>
#include <fcntl.h>
#include <signal.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <endian.h>
#include <linux/usb/ch9.h>
#include <linux/usbdevice_fs.h>
static struct usbdevfs_urb urb;
static struct usbdevfs_disconnectsignal ds;
static volatile sig_atomic_t done = 0;
void urb_handler(int sig, siginfo_t *info , void *ucontext)
{
printf("Got signal %d, signo %d errno %d code %d addr: %p urb: %p\n",
sig, info->si_signo, info->si_errno, info->si_code,
info->si_addr, &urb);
printf("%s\n", (info->si_addr == &urb) ? "Good" : "Bad");
}
void ds_handler(int sig, siginfo_t *info , void *ucontext)
{
printf("Got signal %d, signo %d errno %d code %d addr: %p ds: %p\n",
sig, info->si_signo, info->si_errno, info->si_code,
info->si_addr, &ds);
printf("%s\n", (info->si_addr == &ds) ? "Good" : "Bad");
done = 1;
}
int main(int argc, char **argv)
{
char *devfilename;
int fd;
int rc;
struct sigaction act;
struct usb_ctrlrequest *req;
void *ptr;
char buf[80];
if (argc != 2) {
fprintf(stderr, "Usage: usbsig device-file-name\n");
return 1;
}
devfilename = argv[1];
fd = open(devfilename, O_RDWR);
if (fd == -1) {
perror("Error opening device file");
return 1;
}
act.sa_sigaction = urb_handler;
sigemptyset(&act.sa_mask);
act.sa_flags = SA_SIGINFO;
rc = sigaction(SIGUSR1, &act, NULL);
if (rc == -1) {
perror("Error in sigaction");
return 1;
}
act.sa_sigaction = ds_handler;
sigemptyset(&act.sa_mask);
act.sa_flags = SA_SIGINFO;
rc = sigaction(SIGUSR2, &act, NULL);
if (rc == -1) {
perror("Error in sigaction");
return 1;
}
memset(&urb, 0, sizeof(urb));
urb.type = USBDEVFS_URB_TYPE_CONTROL;
urb.endpoint = USB_DIR_IN | 0;
urb.buffer = buf;
urb.buffer_length = sizeof(buf);
urb.signr = SIGUSR1;
req = (struct usb_ctrlrequest *) buf;
req->bRequestType = USB_DIR_IN | USB_TYPE_STANDARD | USB_RECIP_DEVICE;
req->bRequest = USB_REQ_GET_DESCRIPTOR;
req->wValue = htole16(USB_DT_DEVICE << 8);
req->wIndex = htole16(0);
req->wLength = htole16(sizeof(buf) - sizeof(*req));
rc = ioctl(fd, USBDEVFS_SUBMITURB, &urb);
if (rc == -1) {
perror("Error in SUBMITURB ioctl");
return 1;
}
rc = ioctl(fd, USBDEVFS_REAPURB, &ptr);
if (rc == -1) {
perror("Error in REAPURB ioctl");
return 1;
}
memset(&ds, 0, sizeof(ds));
ds.signr = SIGUSR2;
ds.context = &ds;
rc = ioctl(fd, USBDEVFS_DISCSIGNAL, &ds);
if (rc == -1) {
perror("Error in DISCSIGNAL ioctl");
return 1;
}
printf("Waiting for usb disconnect\n");
while (!done) {
sleep(1);
}
close(fd);
return 0;
}
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: linux-usb@vger.kernel.org
Cc: Alan Stern <stern@rowland.harvard.edu>
Cc: Oliver Neukum <oneukum@suse.com>
Fixes: v2.3.39
Cc: stable@vger.kernel.org
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2019-02-08 09:44:12 +08:00
|
|
|
if (!kill_as_cred_perm(cred, p)) {
|
2005-10-11 01:44:29 +08:00
|
|
|
ret = -EPERM;
|
|
|
|
goto out_unlock;
|
|
|
|
}
|
signal/usb: Replace kill_pid_info_as_cred with kill_pid_usb_asyncio
The usb support for asyncio encoded one of it's values in the wrong
field. It should have used si_value but instead used si_addr which is
not present in the _rt union member of struct siginfo.
The practical result of this is that on a 64bit big endian kernel
when delivering a signal to a 32bit process the si_addr field
is set to NULL, instead of the expected pointer value.
This issue can not be fixed in copy_siginfo_to_user32 as the usb
usage of the the _sigfault (aka si_addr) member of the siginfo
union when SI_ASYNCIO is set is incompatible with the POSIX and
glibc usage of the _rt member of the siginfo union.
Therefore replace kill_pid_info_as_cred with kill_pid_usb_asyncio a
dedicated function for this one specific case. There are no other
users of kill_pid_info_as_cred so this specialization should have no
impact on the amount of code in the kernel. Have kill_pid_usb_asyncio
take instead of a siginfo_t which is difficult and error prone, 3
arguments, a signal number, an errno value, and an address enconded as
a sigval_t. The encoding of the address as a sigval_t allows the
code that reads the userspace request for a signal to handle this
compat issue along with all of the other compat issues.
Add BUILD_BUG_ONs in kernel/signal.c to ensure that we can now place
the pointer value at the in si_pid (instead of si_addr). That is the
code now verifies that si_pid and si_addr always occur at the same
location. Further the code veries that for native structures a value
placed in si_pid and spilling into si_uid will appear in userspace in
si_addr (on a byte by byte copy of siginfo or a field by field copy of
siginfo). The code also verifies that for a 64bit kernel and a 32bit
userspace the 32bit pointer will fit in si_pid.
I have used the usbsig.c program below written by Alan Stern and
slightly tweaked by me to run on a big endian machine to verify the
issue exists (on sparc64) and to confirm the patch below fixes the issue.
/* usbsig.c -- test USB async signal delivery */
#define _GNU_SOURCE
#include <stdio.h>
#include <fcntl.h>
#include <signal.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <endian.h>
#include <linux/usb/ch9.h>
#include <linux/usbdevice_fs.h>
static struct usbdevfs_urb urb;
static struct usbdevfs_disconnectsignal ds;
static volatile sig_atomic_t done = 0;
void urb_handler(int sig, siginfo_t *info , void *ucontext)
{
printf("Got signal %d, signo %d errno %d code %d addr: %p urb: %p\n",
sig, info->si_signo, info->si_errno, info->si_code,
info->si_addr, &urb);
printf("%s\n", (info->si_addr == &urb) ? "Good" : "Bad");
}
void ds_handler(int sig, siginfo_t *info , void *ucontext)
{
printf("Got signal %d, signo %d errno %d code %d addr: %p ds: %p\n",
sig, info->si_signo, info->si_errno, info->si_code,
info->si_addr, &ds);
printf("%s\n", (info->si_addr == &ds) ? "Good" : "Bad");
done = 1;
}
int main(int argc, char **argv)
{
char *devfilename;
int fd;
int rc;
struct sigaction act;
struct usb_ctrlrequest *req;
void *ptr;
char buf[80];
if (argc != 2) {
fprintf(stderr, "Usage: usbsig device-file-name\n");
return 1;
}
devfilename = argv[1];
fd = open(devfilename, O_RDWR);
if (fd == -1) {
perror("Error opening device file");
return 1;
}
act.sa_sigaction = urb_handler;
sigemptyset(&act.sa_mask);
act.sa_flags = SA_SIGINFO;
rc = sigaction(SIGUSR1, &act, NULL);
if (rc == -1) {
perror("Error in sigaction");
return 1;
}
act.sa_sigaction = ds_handler;
sigemptyset(&act.sa_mask);
act.sa_flags = SA_SIGINFO;
rc = sigaction(SIGUSR2, &act, NULL);
if (rc == -1) {
perror("Error in sigaction");
return 1;
}
memset(&urb, 0, sizeof(urb));
urb.type = USBDEVFS_URB_TYPE_CONTROL;
urb.endpoint = USB_DIR_IN | 0;
urb.buffer = buf;
urb.buffer_length = sizeof(buf);
urb.signr = SIGUSR1;
req = (struct usb_ctrlrequest *) buf;
req->bRequestType = USB_DIR_IN | USB_TYPE_STANDARD | USB_RECIP_DEVICE;
req->bRequest = USB_REQ_GET_DESCRIPTOR;
req->wValue = htole16(USB_DT_DEVICE << 8);
req->wIndex = htole16(0);
req->wLength = htole16(sizeof(buf) - sizeof(*req));
rc = ioctl(fd, USBDEVFS_SUBMITURB, &urb);
if (rc == -1) {
perror("Error in SUBMITURB ioctl");
return 1;
}
rc = ioctl(fd, USBDEVFS_REAPURB, &ptr);
if (rc == -1) {
perror("Error in REAPURB ioctl");
return 1;
}
memset(&ds, 0, sizeof(ds));
ds.signr = SIGUSR2;
ds.context = &ds;
rc = ioctl(fd, USBDEVFS_DISCSIGNAL, &ds);
if (rc == -1) {
perror("Error in DISCSIGNAL ioctl");
return 1;
}
printf("Waiting for usb disconnect\n");
while (!done) {
sleep(1);
}
close(fd);
return 0;
}
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: linux-usb@vger.kernel.org
Cc: Alan Stern <stern@rowland.harvard.edu>
Cc: Oliver Neukum <oneukum@suse.com>
Fixes: v2.3.39
Cc: stable@vger.kernel.org
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2019-02-08 09:44:12 +08:00
|
|
|
ret = security_task_kill(p, &info, sig, cred);
|
2006-06-30 16:55:47 +08:00
|
|
|
if (ret)
|
|
|
|
goto out_unlock;
|
2009-12-10 08:53:17 +08:00
|
|
|
|
|
|
|
if (sig) {
|
|
|
|
if (lock_task_sighand(p, &flags)) {
|
2022-04-22 22:48:54 +08:00
|
|
|
ret = __send_signal_locked(sig, &info, p, PIDTYPE_TGID, false);
|
2009-12-10 08:53:17 +08:00
|
|
|
unlock_task_sighand(p, &flags);
|
|
|
|
} else
|
|
|
|
ret = -ESRCH;
|
2005-10-11 01:44:29 +08:00
|
|
|
}
|
|
|
|
out_unlock:
|
2009-12-10 08:53:17 +08:00
|
|
|
rcu_read_unlock();
|
2005-10-11 01:44:29 +08:00
|
|
|
return ret;
|
|
|
|
}
|
signal/usb: Replace kill_pid_info_as_cred with kill_pid_usb_asyncio
The usb support for asyncio encoded one of it's values in the wrong
field. It should have used si_value but instead used si_addr which is
not present in the _rt union member of struct siginfo.
The practical result of this is that on a 64bit big endian kernel
when delivering a signal to a 32bit process the si_addr field
is set to NULL, instead of the expected pointer value.
This issue can not be fixed in copy_siginfo_to_user32 as the usb
usage of the the _sigfault (aka si_addr) member of the siginfo
union when SI_ASYNCIO is set is incompatible with the POSIX and
glibc usage of the _rt member of the siginfo union.
Therefore replace kill_pid_info_as_cred with kill_pid_usb_asyncio a
dedicated function for this one specific case. There are no other
users of kill_pid_info_as_cred so this specialization should have no
impact on the amount of code in the kernel. Have kill_pid_usb_asyncio
take instead of a siginfo_t which is difficult and error prone, 3
arguments, a signal number, an errno value, and an address enconded as
a sigval_t. The encoding of the address as a sigval_t allows the
code that reads the userspace request for a signal to handle this
compat issue along with all of the other compat issues.
Add BUILD_BUG_ONs in kernel/signal.c to ensure that we can now place
the pointer value at the in si_pid (instead of si_addr). That is the
code now verifies that si_pid and si_addr always occur at the same
location. Further the code veries that for native structures a value
placed in si_pid and spilling into si_uid will appear in userspace in
si_addr (on a byte by byte copy of siginfo or a field by field copy of
siginfo). The code also verifies that for a 64bit kernel and a 32bit
userspace the 32bit pointer will fit in si_pid.
I have used the usbsig.c program below written by Alan Stern and
slightly tweaked by me to run on a big endian machine to verify the
issue exists (on sparc64) and to confirm the patch below fixes the issue.
/* usbsig.c -- test USB async signal delivery */
#define _GNU_SOURCE
#include <stdio.h>
#include <fcntl.h>
#include <signal.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <endian.h>
#include <linux/usb/ch9.h>
#include <linux/usbdevice_fs.h>
static struct usbdevfs_urb urb;
static struct usbdevfs_disconnectsignal ds;
static volatile sig_atomic_t done = 0;
void urb_handler(int sig, siginfo_t *info , void *ucontext)
{
printf("Got signal %d, signo %d errno %d code %d addr: %p urb: %p\n",
sig, info->si_signo, info->si_errno, info->si_code,
info->si_addr, &urb);
printf("%s\n", (info->si_addr == &urb) ? "Good" : "Bad");
}
void ds_handler(int sig, siginfo_t *info , void *ucontext)
{
printf("Got signal %d, signo %d errno %d code %d addr: %p ds: %p\n",
sig, info->si_signo, info->si_errno, info->si_code,
info->si_addr, &ds);
printf("%s\n", (info->si_addr == &ds) ? "Good" : "Bad");
done = 1;
}
int main(int argc, char **argv)
{
char *devfilename;
int fd;
int rc;
struct sigaction act;
struct usb_ctrlrequest *req;
void *ptr;
char buf[80];
if (argc != 2) {
fprintf(stderr, "Usage: usbsig device-file-name\n");
return 1;
}
devfilename = argv[1];
fd = open(devfilename, O_RDWR);
if (fd == -1) {
perror("Error opening device file");
return 1;
}
act.sa_sigaction = urb_handler;
sigemptyset(&act.sa_mask);
act.sa_flags = SA_SIGINFO;
rc = sigaction(SIGUSR1, &act, NULL);
if (rc == -1) {
perror("Error in sigaction");
return 1;
}
act.sa_sigaction = ds_handler;
sigemptyset(&act.sa_mask);
act.sa_flags = SA_SIGINFO;
rc = sigaction(SIGUSR2, &act, NULL);
if (rc == -1) {
perror("Error in sigaction");
return 1;
}
memset(&urb, 0, sizeof(urb));
urb.type = USBDEVFS_URB_TYPE_CONTROL;
urb.endpoint = USB_DIR_IN | 0;
urb.buffer = buf;
urb.buffer_length = sizeof(buf);
urb.signr = SIGUSR1;
req = (struct usb_ctrlrequest *) buf;
req->bRequestType = USB_DIR_IN | USB_TYPE_STANDARD | USB_RECIP_DEVICE;
req->bRequest = USB_REQ_GET_DESCRIPTOR;
req->wValue = htole16(USB_DT_DEVICE << 8);
req->wIndex = htole16(0);
req->wLength = htole16(sizeof(buf) - sizeof(*req));
rc = ioctl(fd, USBDEVFS_SUBMITURB, &urb);
if (rc == -1) {
perror("Error in SUBMITURB ioctl");
return 1;
}
rc = ioctl(fd, USBDEVFS_REAPURB, &ptr);
if (rc == -1) {
perror("Error in REAPURB ioctl");
return 1;
}
memset(&ds, 0, sizeof(ds));
ds.signr = SIGUSR2;
ds.context = &ds;
rc = ioctl(fd, USBDEVFS_DISCSIGNAL, &ds);
if (rc == -1) {
perror("Error in DISCSIGNAL ioctl");
return 1;
}
printf("Waiting for usb disconnect\n");
while (!done) {
sleep(1);
}
close(fd);
return 0;
}
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: linux-usb@vger.kernel.org
Cc: Alan Stern <stern@rowland.harvard.edu>
Cc: Oliver Neukum <oneukum@suse.com>
Fixes: v2.3.39
Cc: stable@vger.kernel.org
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2019-02-08 09:44:12 +08:00
|
|
|
EXPORT_SYMBOL_GPL(kill_pid_usb_asyncio);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
/*
|
|
|
|
* kill_something_info() interprets pid in interesting ways just like kill(2).
|
|
|
|
*
|
|
|
|
* POSIX specifies that kill(-1,sig) is unspecified, but what we have
|
|
|
|
* is probably wrong. Should make it like BSD or SYSV.
|
|
|
|
*/
|
|
|
|
|
2018-09-25 17:27:20 +08:00
|
|
|
static int kill_something_info(int sig, struct kernel_siginfo *info, pid_t pid)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2007-02-12 16:52:55 +08:00
|
|
|
int ret;
|
2008-02-08 20:19:22 +08:00
|
|
|
|
2020-03-30 10:44:43 +08:00
|
|
|
if (pid > 0)
|
|
|
|
return kill_proc_info(sig, info, pid);
|
2008-02-08 20:19:22 +08:00
|
|
|
|
2017-07-11 06:52:57 +08:00
|
|
|
/* -INT_MIN is undefined. Exclude this case to avoid a UBSAN warning */
|
|
|
|
if (pid == INT_MIN)
|
|
|
|
return -ESRCH;
|
|
|
|
|
2008-02-08 20:19:22 +08:00
|
|
|
read_lock(&tasklist_lock);
|
|
|
|
if (pid != -1) {
|
|
|
|
ret = __kill_pgrp_info(sig, info,
|
|
|
|
pid ? find_vpid(-pid) : task_pgrp(current));
|
|
|
|
} else {
|
2005-04-17 06:20:36 +08:00
|
|
|
int retval = 0, count = 0;
|
|
|
|
struct task_struct * p;
|
|
|
|
|
|
|
|
for_each_process(p) {
|
2008-10-30 05:01:11 +08:00
|
|
|
if (task_pid_vnr(p) > 1 &&
|
|
|
|
!same_thread_group(p, current)) {
|
2018-07-14 07:40:57 +08:00
|
|
|
int err = group_send_sig_info(sig, info, p,
|
|
|
|
PIDTYPE_MAX);
|
2005-04-17 06:20:36 +08:00
|
|
|
++count;
|
|
|
|
if (err != -EPERM)
|
|
|
|
retval = err;
|
|
|
|
}
|
|
|
|
}
|
2007-02-12 16:52:55 +08:00
|
|
|
ret = count ? retval : -ESRCH;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
2008-02-08 20:19:22 +08:00
|
|
|
read_unlock(&tasklist_lock);
|
|
|
|
|
2007-02-12 16:52:55 +08:00
|
|
|
return ret;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* These are for backward compatibility with the rest of the kernel source.
|
|
|
|
*/
|
|
|
|
|
2018-09-25 17:27:20 +08:00
|
|
|
int send_sig_info(int sig, struct kernel_siginfo *info, struct task_struct *p)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
|
|
|
/*
|
|
|
|
* Make sure legacy kernel users don't send in bad values
|
|
|
|
* (normal paths check this in check_kill_permission).
|
|
|
|
*/
|
2005-05-01 23:59:14 +08:00
|
|
|
if (!valid_signal(sig))
|
2005-04-17 06:20:36 +08:00
|
|
|
return -EINVAL;
|
|
|
|
|
2018-07-21 23:45:15 +08:00
|
|
|
return do_send_sig_info(sig, info, p, PIDTYPE_PID);
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
2018-09-14 01:26:35 +08:00
|
|
|
EXPORT_SYMBOL(send_sig_info);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2005-10-31 07:03:44 +08:00
|
|
|
#define __si_special(priv) \
|
|
|
|
((priv) ? SEND_SIG_PRIV : SEND_SIG_NOINFO)
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
int
|
|
|
|
send_sig(int sig, struct task_struct *p, int priv)
|
|
|
|
{
|
2005-10-31 07:03:44 +08:00
|
|
|
return send_sig_info(sig, __si_special(priv), p);
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
2018-09-14 01:26:35 +08:00
|
|
|
EXPORT_SYMBOL(send_sig);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2019-05-23 23:17:27 +08:00
|
|
|
void force_sig(int sig)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2019-05-15 08:17:47 +08:00
|
|
|
struct kernel_siginfo info;
|
|
|
|
|
|
|
|
clear_siginfo(&info);
|
|
|
|
info.si_signo = sig;
|
|
|
|
info.si_errno = 0;
|
|
|
|
info.si_code = SI_KERNEL;
|
|
|
|
info.si_pid = 0;
|
|
|
|
info.si_uid = 0;
|
2019-05-15 23:11:09 +08:00
|
|
|
force_sig_info(&info);
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
2018-09-14 01:26:35 +08:00
|
|
|
EXPORT_SYMBOL(force_sig);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2021-10-21 01:43:59 +08:00
|
|
|
void force_fatal_sig(int sig)
|
|
|
|
{
|
|
|
|
struct kernel_siginfo info;
|
|
|
|
|
|
|
|
clear_siginfo(&info);
|
|
|
|
info.si_signo = sig;
|
|
|
|
info.si_errno = 0;
|
|
|
|
info.si_code = SI_KERNEL;
|
|
|
|
info.si_pid = 0;
|
|
|
|
info.si_uid = 0;
|
2021-11-19 01:11:13 +08:00
|
|
|
force_sig_info_to_task(&info, current, HANDLER_SIG_DFL);
|
2021-10-21 01:43:59 +08:00
|
|
|
}
|
|
|
|
|
2021-11-19 04:23:21 +08:00
|
|
|
void force_exit_sig(int sig)
|
|
|
|
{
|
|
|
|
struct kernel_siginfo info;
|
|
|
|
|
|
|
|
clear_siginfo(&info);
|
|
|
|
info.si_signo = sig;
|
|
|
|
info.si_errno = 0;
|
|
|
|
info.si_code = SI_KERNEL;
|
|
|
|
info.si_pid = 0;
|
|
|
|
info.si_uid = 0;
|
|
|
|
force_sig_info_to_task(&info, current, HANDLER_EXIT);
|
|
|
|
}
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
/*
|
|
|
|
* When things go south during signal handling, we
|
|
|
|
* will force a SIGSEGV. And if the signal that caused
|
|
|
|
* the problem was already a SIGSEGV, we'll want to
|
|
|
|
* make sure we don't even try to deliver the signal..
|
|
|
|
*/
|
2019-05-21 23:03:48 +08:00
|
|
|
void force_sigsegv(int sig)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2021-10-21 01:43:59 +08:00
|
|
|
if (sig == SIGSEGV)
|
|
|
|
force_fatal_sig(SIGSEGV);
|
|
|
|
else
|
|
|
|
force_sig(SIGSEGV);
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
2019-02-07 06:39:13 +08:00
|
|
|
int force_sig_fault_to_task(int sig, int code, void __user *addr
|
2018-01-19 04:54:54 +08:00
|
|
|
___ARCH_SI_IA64(int imm, unsigned int flags, unsigned long isr)
|
|
|
|
, struct task_struct *t)
|
|
|
|
{
|
2018-09-25 17:27:20 +08:00
|
|
|
struct kernel_siginfo info;
|
2018-01-19 04:54:54 +08:00
|
|
|
|
|
|
|
clear_siginfo(&info);
|
|
|
|
info.si_signo = sig;
|
|
|
|
info.si_errno = 0;
|
|
|
|
info.si_code = code;
|
|
|
|
info.si_addr = addr;
|
|
|
|
#ifdef __ia64__
|
|
|
|
info.si_imm = imm;
|
|
|
|
info.si_flags = flags;
|
|
|
|
info.si_isr = isr;
|
|
|
|
#endif
|
2021-11-19 01:11:13 +08:00
|
|
|
return force_sig_info_to_task(&info, t, HANDLER_CURRENT);
|
2018-01-19 04:54:54 +08:00
|
|
|
}
|
|
|
|
|
2019-02-07 06:39:13 +08:00
|
|
|
int force_sig_fault(int sig, int code, void __user *addr
|
2019-05-24 00:04:24 +08:00
|
|
|
___ARCH_SI_IA64(int imm, unsigned int flags, unsigned long isr))
|
2019-02-07 06:39:13 +08:00
|
|
|
{
|
|
|
|
return force_sig_fault_to_task(sig, code, addr
|
2019-05-24 00:04:24 +08:00
|
|
|
___ARCH_SI_IA64(imm, flags, isr), current);
|
2018-01-19 04:54:54 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
int send_sig_fault(int sig, int code, void __user *addr
|
|
|
|
___ARCH_SI_IA64(int imm, unsigned int flags, unsigned long isr)
|
|
|
|
, struct task_struct *t)
|
|
|
|
{
|
2018-09-25 17:27:20 +08:00
|
|
|
struct kernel_siginfo info;
|
2018-01-19 04:54:54 +08:00
|
|
|
|
|
|
|
clear_siginfo(&info);
|
|
|
|
info.si_signo = sig;
|
|
|
|
info.si_errno = 0;
|
|
|
|
info.si_code = code;
|
|
|
|
info.si_addr = addr;
|
|
|
|
#ifdef __ia64__
|
|
|
|
info.si_imm = imm;
|
|
|
|
info.si_flags = flags;
|
|
|
|
info.si_isr = isr;
|
|
|
|
#endif
|
|
|
|
return send_sig_info(info.si_signo, &info, t);
|
|
|
|
}
|
|
|
|
|
2019-02-06 08:14:19 +08:00
|
|
|
int force_sig_mceerr(int code, void __user *addr, short lsb)
|
2018-01-19 08:54:31 +08:00
|
|
|
{
|
2018-09-25 17:27:20 +08:00
|
|
|
struct kernel_siginfo info;
|
2018-01-19 08:54:31 +08:00
|
|
|
|
|
|
|
WARN_ON((code != BUS_MCEERR_AO) && (code != BUS_MCEERR_AR));
|
|
|
|
clear_siginfo(&info);
|
|
|
|
info.si_signo = SIGBUS;
|
|
|
|
info.si_errno = 0;
|
|
|
|
info.si_code = code;
|
|
|
|
info.si_addr = addr;
|
|
|
|
info.si_addr_lsb = lsb;
|
2019-05-15 23:11:09 +08:00
|
|
|
return force_sig_info(&info);
|
2018-01-19 08:54:31 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
int send_sig_mceerr(int code, void __user *addr, short lsb, struct task_struct *t)
|
|
|
|
{
|
2018-09-25 17:27:20 +08:00
|
|
|
struct kernel_siginfo info;
|
2018-01-19 08:54:31 +08:00
|
|
|
|
|
|
|
WARN_ON((code != BUS_MCEERR_AO) && (code != BUS_MCEERR_AR));
|
|
|
|
clear_siginfo(&info);
|
|
|
|
info.si_signo = SIGBUS;
|
|
|
|
info.si_errno = 0;
|
|
|
|
info.si_code = code;
|
|
|
|
info.si_addr = addr;
|
|
|
|
info.si_addr_lsb = lsb;
|
|
|
|
return send_sig_info(info.si_signo, &info, t);
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL(send_sig_mceerr);
|
|
|
|
|
|
|
|
int force_sig_bnderr(void __user *addr, void __user *lower, void __user *upper)
|
|
|
|
{
|
2018-09-25 17:27:20 +08:00
|
|
|
struct kernel_siginfo info;
|
2018-01-19 08:54:31 +08:00
|
|
|
|
|
|
|
clear_siginfo(&info);
|
|
|
|
info.si_signo = SIGSEGV;
|
|
|
|
info.si_errno = 0;
|
|
|
|
info.si_code = SEGV_BNDERR;
|
|
|
|
info.si_addr = addr;
|
|
|
|
info.si_lower = lower;
|
|
|
|
info.si_upper = upper;
|
2019-05-15 23:11:09 +08:00
|
|
|
return force_sig_info(&info);
|
2018-01-19 08:54:31 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
#ifdef SEGV_PKUERR
|
|
|
|
int force_sig_pkuerr(void __user *addr, u32 pkey)
|
|
|
|
{
|
2018-09-25 17:27:20 +08:00
|
|
|
struct kernel_siginfo info;
|
2018-01-19 08:54:31 +08:00
|
|
|
|
|
|
|
clear_siginfo(&info);
|
|
|
|
info.si_signo = SIGSEGV;
|
|
|
|
info.si_errno = 0;
|
|
|
|
info.si_code = SEGV_PKUERR;
|
|
|
|
info.si_addr = addr;
|
|
|
|
info.si_pkey = pkey;
|
2019-05-15 23:11:09 +08:00
|
|
|
return force_sig_info(&info);
|
2018-01-19 08:54:31 +08:00
|
|
|
}
|
|
|
|
#endif
|
2018-01-19 04:54:54 +08:00
|
|
|
|
signal: Deliver SIGTRAP on perf event asynchronously if blocked
With SIGTRAP on perf events, we have encountered termination of
processes due to user space attempting to block delivery of SIGTRAP.
Consider this case:
<set up SIGTRAP on a perf event>
...
sigset_t s;
sigemptyset(&s);
sigaddset(&s, SIGTRAP | <and others>);
sigprocmask(SIG_BLOCK, &s, ...);
...
<perf event triggers>
When the perf event triggers, while SIGTRAP is blocked, force_sig_perf()
will force the signal, but revert back to the default handler, thus
terminating the task.
This makes sense for error conditions, but not so much for explicitly
requested monitoring. However, the expectation is still that signals
generated by perf events are synchronous, which will no longer be the
case if the signal is blocked and delivered later.
To give user space the ability to clearly distinguish synchronous from
asynchronous signals, introduce siginfo_t::si_perf_flags and
TRAP_PERF_FLAG_ASYNC (opted for flags in case more binary information is
required in future).
The resolution to the problem is then to (a) no longer force the signal
(avoiding the terminations), but (b) tell user space via si_perf_flags
if the signal was synchronous or not, so that such signals can be
handled differently (e.g. let user space decide to ignore or consider
the data imprecise).
The alternative of making the kernel ignore SIGTRAP on perf events if
the signal is blocked may work for some usecases, but likely causes
issues in others that then have to revert back to interception of
sigprocmask() (which we want to avoid). [ A concrete example: when using
breakpoint perf events to track data-flow, in a region of code where
signals are blocked, data-flow can no longer be tracked accurately.
When a relevant asynchronous signal is received after unblocking the
signal, the data-flow tracking logic needs to know its state is
imprecise. ]
Fixes: 97ba62b27867 ("perf: Add support for SIGTRAP on perf events")
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Marco Elver <elver@google.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Acked-by: Geert Uytterhoeven <geert@linux-m68k.org>
Tested-by: Dmitry Vyukov <dvyukov@google.com>
Link: https://lore.kernel.org/r/20220404111204.935357-1-elver@google.com
2022-04-04 19:12:04 +08:00
|
|
|
int send_sig_perf(void __user *addr, u32 type, u64 sig_data)
|
2021-05-03 03:27:24 +08:00
|
|
|
{
|
|
|
|
struct kernel_siginfo info;
|
|
|
|
|
|
|
|
clear_siginfo(&info);
|
2021-05-03 06:28:31 +08:00
|
|
|
info.si_signo = SIGTRAP;
|
|
|
|
info.si_errno = 0;
|
|
|
|
info.si_code = TRAP_PERF;
|
|
|
|
info.si_addr = addr;
|
|
|
|
info.si_perf_data = sig_data;
|
|
|
|
info.si_perf_type = type;
|
|
|
|
|
signal: Deliver SIGTRAP on perf event asynchronously if blocked
With SIGTRAP on perf events, we have encountered termination of
processes due to user space attempting to block delivery of SIGTRAP.
Consider this case:
<set up SIGTRAP on a perf event>
...
sigset_t s;
sigemptyset(&s);
sigaddset(&s, SIGTRAP | <and others>);
sigprocmask(SIG_BLOCK, &s, ...);
...
<perf event triggers>
When the perf event triggers, while SIGTRAP is blocked, force_sig_perf()
will force the signal, but revert back to the default handler, thus
terminating the task.
This makes sense for error conditions, but not so much for explicitly
requested monitoring. However, the expectation is still that signals
generated by perf events are synchronous, which will no longer be the
case if the signal is blocked and delivered later.
To give user space the ability to clearly distinguish synchronous from
asynchronous signals, introduce siginfo_t::si_perf_flags and
TRAP_PERF_FLAG_ASYNC (opted for flags in case more binary information is
required in future).
The resolution to the problem is then to (a) no longer force the signal
(avoiding the terminations), but (b) tell user space via si_perf_flags
if the signal was synchronous or not, so that such signals can be
handled differently (e.g. let user space decide to ignore or consider
the data imprecise).
The alternative of making the kernel ignore SIGTRAP on perf events if
the signal is blocked may work for some usecases, but likely causes
issues in others that then have to revert back to interception of
sigprocmask() (which we want to avoid). [ A concrete example: when using
breakpoint perf events to track data-flow, in a region of code where
signals are blocked, data-flow can no longer be tracked accurately.
When a relevant asynchronous signal is received after unblocking the
signal, the data-flow tracking logic needs to know its state is
imprecise. ]
Fixes: 97ba62b27867 ("perf: Add support for SIGTRAP on perf events")
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Marco Elver <elver@google.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Acked-by: Geert Uytterhoeven <geert@linux-m68k.org>
Tested-by: Dmitry Vyukov <dvyukov@google.com>
Link: https://lore.kernel.org/r/20220404111204.935357-1-elver@google.com
2022-04-04 19:12:04 +08:00
|
|
|
/*
|
|
|
|
* Signals generated by perf events should not terminate the whole
|
|
|
|
* process if SIGTRAP is blocked, however, delivering the signal
|
|
|
|
* asynchronously is better than not delivering at all. But tell user
|
|
|
|
* space if the signal was asynchronous, so it can clearly be
|
|
|
|
* distinguished from normal synchronous ones.
|
|
|
|
*/
|
|
|
|
info.si_perf_flags = sigismember(¤t->blocked, info.si_signo) ?
|
|
|
|
TRAP_PERF_FLAG_ASYNC :
|
|
|
|
0;
|
|
|
|
|
|
|
|
return send_sig_info(info.si_signo, &info, current);
|
2021-05-03 03:27:24 +08:00
|
|
|
}
|
|
|
|
|
2021-06-24 05:44:32 +08:00
|
|
|
/**
|
|
|
|
* force_sig_seccomp - signals the task to allow in-process syscall emulation
|
|
|
|
* @syscall: syscall number to send to userland
|
|
|
|
* @reason: filter-supplied reason code to send to userland (via si_errno)
|
2021-12-22 11:10:27 +08:00
|
|
|
* @force_coredump: true to trigger a coredump
|
2021-06-24 05:44:32 +08:00
|
|
|
*
|
|
|
|
* Forces a SIGSYS with a code of SYS_SECCOMP and related sigsys info.
|
|
|
|
*/
|
|
|
|
int force_sig_seccomp(int syscall, int reason, bool force_coredump)
|
|
|
|
{
|
|
|
|
struct kernel_siginfo info;
|
|
|
|
|
|
|
|
clear_siginfo(&info);
|
|
|
|
info.si_signo = SIGSYS;
|
|
|
|
info.si_code = SYS_SECCOMP;
|
|
|
|
info.si_call_addr = (void __user *)KSTK_EIP(current);
|
|
|
|
info.si_errno = reason;
|
|
|
|
info.si_arch = syscall_get_arch(current);
|
|
|
|
info.si_syscall = syscall;
|
2021-11-19 01:11:13 +08:00
|
|
|
return force_sig_info_to_task(&info, current,
|
|
|
|
force_coredump ? HANDLER_EXIT : HANDLER_CURRENT);
|
2021-06-24 05:44:32 +08:00
|
|
|
}
|
|
|
|
|
2018-01-23 04:37:25 +08:00
|
|
|
/* For the crazy architectures that include trap information in
|
|
|
|
* the errno field, instead of an actual errno value.
|
|
|
|
*/
|
|
|
|
int force_sig_ptrace_errno_trap(int errno, void __user *addr)
|
|
|
|
{
|
2018-09-25 17:27:20 +08:00
|
|
|
struct kernel_siginfo info;
|
2018-01-23 04:37:25 +08:00
|
|
|
|
|
|
|
clear_siginfo(&info);
|
|
|
|
info.si_signo = SIGTRAP;
|
|
|
|
info.si_errno = errno;
|
|
|
|
info.si_code = TRAP_HWBKPT;
|
|
|
|
info.si_addr = addr;
|
2019-05-15 23:11:09 +08:00
|
|
|
return force_sig_info(&info);
|
2018-01-23 04:37:25 +08:00
|
|
|
}
|
|
|
|
|
2021-05-29 02:38:19 +08:00
|
|
|
/* For the rare architectures that include trap information using
|
|
|
|
* si_trapno.
|
|
|
|
*/
|
|
|
|
int force_sig_fault_trapno(int sig, int code, void __user *addr, int trapno)
|
|
|
|
{
|
|
|
|
struct kernel_siginfo info;
|
|
|
|
|
|
|
|
clear_siginfo(&info);
|
|
|
|
info.si_signo = sig;
|
|
|
|
info.si_errno = 0;
|
|
|
|
info.si_code = code;
|
|
|
|
info.si_addr = addr;
|
|
|
|
info.si_trapno = trapno;
|
|
|
|
return force_sig_info(&info);
|
|
|
|
}
|
|
|
|
|
2021-05-29 03:15:51 +08:00
|
|
|
/* For the rare architectures that include trap information using
|
|
|
|
* si_trapno.
|
|
|
|
*/
|
|
|
|
int send_sig_fault_trapno(int sig, int code, void __user *addr, int trapno,
|
|
|
|
struct task_struct *t)
|
|
|
|
{
|
|
|
|
struct kernel_siginfo info;
|
|
|
|
|
|
|
|
clear_siginfo(&info);
|
|
|
|
info.si_signo = sig;
|
|
|
|
info.si_errno = 0;
|
|
|
|
info.si_code = code;
|
|
|
|
info.si_addr = addr;
|
|
|
|
info.si_trapno = trapno;
|
|
|
|
return send_sig_info(info.si_signo, &info, t);
|
|
|
|
}
|
|
|
|
|
2006-10-02 17:17:10 +08:00
|
|
|
int kill_pgrp(struct pid *pid, int sig, int priv)
|
|
|
|
{
|
2008-02-08 20:19:22 +08:00
|
|
|
int ret;
|
|
|
|
|
|
|
|
read_lock(&tasklist_lock);
|
|
|
|
ret = __kill_pgrp_info(sig, __si_special(priv), pid);
|
|
|
|
read_unlock(&tasklist_lock);
|
|
|
|
|
|
|
|
return ret;
|
2006-10-02 17:17:10 +08:00
|
|
|
}
|
|
|
|
EXPORT_SYMBOL(kill_pgrp);
|
|
|
|
|
|
|
|
int kill_pid(struct pid *pid, int sig, int priv)
|
|
|
|
{
|
|
|
|
return kill_pid_info(sig, __si_special(priv), pid);
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL(kill_pid);
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
/*
|
|
|
|
* These functions support sending signals using preallocated sigqueue
|
|
|
|
* structures. This is needed "because realtime applications cannot
|
|
|
|
* afford to lose notifications of asynchronous events, like timer
|
2011-04-05 05:59:31 +08:00
|
|
|
* expirations or I/O completions". In the case of POSIX Timers
|
2005-04-17 06:20:36 +08:00
|
|
|
* we allocate the sigqueue structure from the timer_create. If this
|
|
|
|
* allocation fails we are able to report the failure to the application
|
|
|
|
* with an EAGAIN error.
|
|
|
|
*/
|
|
|
|
struct sigqueue *sigqueue_alloc(void)
|
|
|
|
{
|
2021-03-22 17:19:42 +08:00
|
|
|
return __sigqueue_alloc(-1, current, GFP_KERNEL, 0, SIGQUEUE_PREALLOC);
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
void sigqueue_free(struct sigqueue *q)
|
|
|
|
{
|
|
|
|
unsigned long flags;
|
2007-08-31 14:56:35 +08:00
|
|
|
spinlock_t *lock = ¤t->sighand->siglock;
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
BUG_ON(!(q->flags & SIGQUEUE_PREALLOC));
|
|
|
|
/*
|
2008-05-27 00:55:42 +08:00
|
|
|
* We must hold ->siglock while testing q->list
|
|
|
|
* to serialize with collect_signal() or with
|
2008-05-24 04:04:41 +08:00
|
|
|
* __exit_signal()->flush_sigqueue().
|
2005-04-17 06:20:36 +08:00
|
|
|
*/
|
2007-08-31 14:56:35 +08:00
|
|
|
spin_lock_irqsave(lock, flags);
|
2008-05-27 00:55:42 +08:00
|
|
|
q->flags &= ~SIGQUEUE_PREALLOC;
|
|
|
|
/*
|
|
|
|
* If it is queued it will be freed when dequeued,
|
|
|
|
* like the "regular" sigqueue.
|
|
|
|
*/
|
2007-08-31 14:56:35 +08:00
|
|
|
if (!list_empty(&q->list))
|
2008-05-27 00:55:42 +08:00
|
|
|
q = NULL;
|
2007-08-31 14:56:35 +08:00
|
|
|
spin_unlock_irqrestore(lock, flags);
|
|
|
|
|
2008-05-27 00:55:42 +08:00
|
|
|
if (q)
|
|
|
|
__sigqueue_free(q);
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
2018-07-21 03:30:23 +08:00
|
|
|
int send_sigqueue(struct sigqueue *q, struct pid *pid, enum pid_type type)
|
2008-04-30 15:52:41 +08:00
|
|
|
{
|
2008-04-30 15:52:56 +08:00
|
|
|
int sig = q->info.si_signo;
|
2008-04-30 15:52:54 +08:00
|
|
|
struct sigpending *pending;
|
2018-07-21 03:30:23 +08:00
|
|
|
struct task_struct *t;
|
2008-04-30 15:52:56 +08:00
|
|
|
unsigned long flags;
|
2011-11-23 04:37:41 +08:00
|
|
|
int ret, result;
|
2008-04-30 15:52:54 +08:00
|
|
|
|
2008-04-30 15:52:55 +08:00
|
|
|
BUG_ON(!(q->flags & SIGQUEUE_PREALLOC));
|
2008-04-30 15:52:56 +08:00
|
|
|
|
|
|
|
ret = -1;
|
2018-07-21 03:30:23 +08:00
|
|
|
rcu_read_lock();
|
|
|
|
t = pid_task(pid, type);
|
|
|
|
if (!t || !likely(lock_task_sighand(t, &flags)))
|
2008-04-30 15:52:56 +08:00
|
|
|
goto ret;
|
|
|
|
|
2008-04-30 15:52:59 +08:00
|
|
|
ret = 1; /* the signal is ignored */
|
2011-11-23 04:37:41 +08:00
|
|
|
result = TRACE_SIGNAL_IGNORED;
|
2012-03-24 06:02:45 +08:00
|
|
|
if (!prepare_signal(sig, t, false))
|
2008-04-30 15:52:56 +08:00
|
|
|
goto out;
|
|
|
|
|
|
|
|
ret = 0;
|
2008-04-30 15:52:41 +08:00
|
|
|
if (unlikely(!list_empty(&q->list))) {
|
|
|
|
/*
|
|
|
|
* If an SI_TIMER entry is already queue just increment
|
|
|
|
* the overrun count.
|
|
|
|
*/
|
|
|
|
BUG_ON(q->info.si_code != SI_TIMER);
|
|
|
|
q->info.si_overrun++;
|
2011-11-23 04:37:41 +08:00
|
|
|
result = TRACE_SIGNAL_ALREADY_PENDING;
|
2008-04-30 15:52:56 +08:00
|
|
|
goto out;
|
2008-04-30 15:52:41 +08:00
|
|
|
}
|
posix-timers: fix posix_timer_event() vs dequeue_signal() race
The bug was reported and analysed by Mark McLoughlin <markmc@redhat.com>,
the patch is based on his and Roland's suggestions.
posix_timer_event() always rewrites the pre-allocated siginfo before sending
the signal. Most of the written info is the same all the time, but memset(0)
is very wrong. If ->sigq is queued we can race with collect_signal() which
can fail to find this siginfo looking at .si_signo, or copy_siginfo() can
copy the wrong .si_code/si_tid/etc.
In short, sys_timer_settime() can in fact stop the active timer, or the user
can receive the siginfo with the wrong .si_xxx values.
Move "memset(->info, 0)" from posix_timer_event() to alloc_posix_timer(),
change send_sigqueue() to set .si_overrun = 0 when ->sigq is not queued.
It would be nice to move the whole sigq->info initialization from send to
create path, but this is not easy to do without uglifying timer_create()
further.
As Roland rightly pointed out, we need more cleanups/fixes here, see the
"FIXME" comment in the patch. Hopefully this patch makes sense anyway, and
it can mask the most bad implications.
Reported-by: Mark McLoughlin <markmc@redhat.com>
Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
Cc: Mark McLoughlin <markmc@redhat.com>
Cc: Oliver Pinter <oliver.pntr@gmail.com>
Cc: Roland McGrath <roland@redhat.com>
Cc: stable@kernel.org
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
kernel/posix-timers.c | 17 +++++++++++++----
kernel/signal.c | 1 +
2 files changed, 14 insertions(+), 4 deletions(-)
2008-07-24 00:52:05 +08:00
|
|
|
q->info.si_overrun = 0;
|
2008-04-30 15:52:41 +08:00
|
|
|
|
|
|
|
signalfd_notify(t, sig);
|
2018-07-21 03:30:23 +08:00
|
|
|
pending = (type != PIDTYPE_PID) ? &t->signal->shared_pending : &t->pending;
|
2008-04-30 15:52:41 +08:00
|
|
|
list_add_tail(&q->list, &pending->list);
|
|
|
|
sigaddset(&pending->signal, sig);
|
2018-07-14 10:39:13 +08:00
|
|
|
complete_signal(sig, t, type);
|
2011-11-23 04:37:41 +08:00
|
|
|
result = TRACE_SIGNAL_DELIVERED;
|
2008-04-30 15:52:56 +08:00
|
|
|
out:
|
2018-07-21 03:30:23 +08:00
|
|
|
trace_signal_generate(sig, &q->info, t, type != PIDTYPE_PID, result);
|
2008-04-30 15:52:56 +08:00
|
|
|
unlock_task_sighand(t, &flags);
|
|
|
|
ret:
|
2018-07-21 03:30:23 +08:00
|
|
|
rcu_read_unlock();
|
2008-04-30 15:52:56 +08:00
|
|
|
return ret;
|
2008-04-30 15:52:41 +08:00
|
|
|
}
|
|
|
|
|
2019-05-01 00:21:53 +08:00
|
|
|
static void do_notify_pidfd(struct task_struct *task)
|
|
|
|
{
|
|
|
|
struct pid *pid;
|
|
|
|
|
2019-07-25 00:48:16 +08:00
|
|
|
WARN_ON(task->exit_state == 0);
|
2019-05-01 00:21:53 +08:00
|
|
|
pid = task_pid(task);
|
|
|
|
wake_up_all(&pid->wait_pidfd);
|
|
|
|
}
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
/*
|
|
|
|
* Let a parent know about the death of a child.
|
|
|
|
* For a stopped/continued status change, use do_notify_parent_cldstop instead.
|
2008-07-26 10:45:54 +08:00
|
|
|
*
|
2011-06-23 05:08:18 +08:00
|
|
|
* Returns true if our parent ignored us and so we've switched to
|
|
|
|
* self-reaping.
|
2005-04-17 06:20:36 +08:00
|
|
|
*/
|
2011-06-23 05:08:18 +08:00
|
|
|
bool do_notify_parent(struct task_struct *tsk, int sig)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2018-09-25 17:27:20 +08:00
|
|
|
struct kernel_siginfo info;
|
2005-04-17 06:20:36 +08:00
|
|
|
unsigned long flags;
|
|
|
|
struct sighand_struct *psig;
|
2011-06-23 05:08:18 +08:00
|
|
|
bool autoreap = false;
|
2017-01-31 11:09:31 +08:00
|
|
|
u64 utime, stime;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2022-07-07 03:20:59 +08:00
|
|
|
WARN_ON_ONCE(sig == -1);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2022-07-07 03:20:59 +08:00
|
|
|
/* do_notify_parent_cldstop should have been called instead. */
|
|
|
|
WARN_ON_ONCE(task_is_stopped_or_traced(tsk));
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2022-07-07 03:20:59 +08:00
|
|
|
WARN_ON_ONCE(!tsk->ptrace &&
|
2005-04-17 06:20:36 +08:00
|
|
|
(tsk->group_leader != tsk || !thread_group_empty(tsk)));
|
|
|
|
|
2019-05-01 00:21:53 +08:00
|
|
|
/* Wake up all pidfd waiters */
|
|
|
|
do_notify_pidfd(tsk);
|
|
|
|
|
2012-03-20 00:03:41 +08:00
|
|
|
if (sig != SIGCHLD) {
|
|
|
|
/*
|
|
|
|
* This is only possible if parent == real_parent.
|
|
|
|
* Check if it has changed security domain.
|
|
|
|
*/
|
2020-03-31 08:01:04 +08:00
|
|
|
if (tsk->parent_exec_id != READ_ONCE(tsk->parent->self_exec_id))
|
2012-03-20 00:03:41 +08:00
|
|
|
sig = SIGCHLD;
|
|
|
|
}
|
|
|
|
|
2018-01-06 07:27:42 +08:00
|
|
|
clear_siginfo(&info);
|
2005-04-17 06:20:36 +08:00
|
|
|
info.si_signo = sig;
|
|
|
|
info.si_errno = 0;
|
2007-10-19 14:40:14 +08:00
|
|
|
/*
|
2012-06-01 07:26:39 +08:00
|
|
|
* We are under tasklist_lock here so our parent is tied to
|
|
|
|
* us and cannot change.
|
2007-10-19 14:40:14 +08:00
|
|
|
*
|
2012-06-01 07:26:39 +08:00
|
|
|
* task_active_pid_ns will always return the same pid namespace
|
|
|
|
* until a task passes through release_task.
|
2007-10-19 14:40:14 +08:00
|
|
|
*
|
|
|
|
* write_lock() currently calls preempt_disable() which is the
|
|
|
|
* same as rcu_read_lock(), but according to Oleg, this is not
|
|
|
|
* correct to rely on this
|
|
|
|
*/
|
|
|
|
rcu_read_lock();
|
2012-06-01 07:26:39 +08:00
|
|
|
info.si_pid = task_pid_nr_ns(tsk, task_active_pid_ns(tsk->parent));
|
2012-03-14 07:04:35 +08:00
|
|
|
info.si_uid = from_kuid_munged(task_cred_xxx(tsk->parent, user_ns),
|
|
|
|
task_uid(tsk));
|
2007-10-19 14:40:14 +08:00
|
|
|
rcu_read_unlock();
|
|
|
|
|
2017-01-31 11:09:31 +08:00
|
|
|
task_cputime(tsk, &utime, &stime);
|
|
|
|
info.si_utime = nsec_to_clock_t(utime + tsk->signal->utime);
|
|
|
|
info.si_stime = nsec_to_clock_t(stime + tsk->signal->stime);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
info.si_status = tsk->exit_code & 0x7f;
|
|
|
|
if (tsk->exit_code & 0x80)
|
|
|
|
info.si_code = CLD_DUMPED;
|
|
|
|
else if (tsk->exit_code & 0x7f)
|
|
|
|
info.si_code = CLD_KILLED;
|
|
|
|
else {
|
|
|
|
info.si_code = CLD_EXITED;
|
|
|
|
info.si_status = tsk->exit_code >> 8;
|
|
|
|
}
|
|
|
|
|
|
|
|
psig = tsk->parent->sighand;
|
|
|
|
spin_lock_irqsave(&psig->siglock, flags);
|
2011-06-17 22:50:34 +08:00
|
|
|
if (!tsk->ptrace && sig == SIGCHLD &&
|
2005-04-17 06:20:36 +08:00
|
|
|
(psig->action[SIGCHLD-1].sa.sa_handler == SIG_IGN ||
|
|
|
|
(psig->action[SIGCHLD-1].sa.sa_flags & SA_NOCLDWAIT))) {
|
|
|
|
/*
|
|
|
|
* We are exiting and our parent doesn't care. POSIX.1
|
|
|
|
* defines special semantics for setting SIGCHLD to SIG_IGN
|
|
|
|
* or setting the SA_NOCLDWAIT flag: we should be reaped
|
|
|
|
* automatically and not left for our parent's wait4 call.
|
|
|
|
* Rather than having the parent do it as a magic kind of
|
|
|
|
* signal handler, we just set this to tell do_exit that we
|
|
|
|
* can be cleaned up without becoming a zombie. Note that
|
|
|
|
* we still call __wake_up_parent in this case, because a
|
|
|
|
* blocked sys_wait4 might now return -ECHILD.
|
|
|
|
*
|
|
|
|
* Whether we send SIGCHLD or not for SA_NOCLDWAIT
|
|
|
|
* is implementation-defined: we do (if you don't want
|
|
|
|
* it, just use SIG_IGN instead).
|
|
|
|
*/
|
2011-06-23 05:08:18 +08:00
|
|
|
autoreap = true;
|
2005-04-17 06:20:36 +08:00
|
|
|
if (psig->action[SIGCHLD-1].sa.sa_handler == SIG_IGN)
|
2011-06-23 05:08:18 +08:00
|
|
|
sig = 0;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
signal: Avoid corrupting si_pid and si_uid in do_notify_parent
Christof Meerwald <cmeerw@cmeerw.org> writes:
> Hi,
>
> this is probably related to commit
> 7a0cf094944e2540758b7f957eb6846d5126f535 (signal: Correct namespace
> fixups of si_pid and si_uid).
>
> With a 5.6.5 kernel I am seeing SIGCHLD signals that don't include a
> properly set si_pid field - this seems to happen for multi-threaded
> child processes.
>
> A simple test program (based on the sample from the signalfd man page):
>
> #include <sys/signalfd.h>
> #include <signal.h>
> #include <unistd.h>
> #include <spawn.h>
> #include <stdlib.h>
> #include <stdio.h>
>
> #define handle_error(msg) \
> do { perror(msg); exit(EXIT_FAILURE); } while (0)
>
> int main(int argc, char *argv[])
> {
> sigset_t mask;
> int sfd;
> struct signalfd_siginfo fdsi;
> ssize_t s;
>
> sigemptyset(&mask);
> sigaddset(&mask, SIGCHLD);
>
> if (sigprocmask(SIG_BLOCK, &mask, NULL) == -1)
> handle_error("sigprocmask");
>
> pid_t chldpid;
> char *chldargv[] = { "./sfdclient", NULL };
> posix_spawn(&chldpid, "./sfdclient", NULL, NULL, chldargv, NULL);
>
> sfd = signalfd(-1, &mask, 0);
> if (sfd == -1)
> handle_error("signalfd");
>
> for (;;) {
> s = read(sfd, &fdsi, sizeof(struct signalfd_siginfo));
> if (s != sizeof(struct signalfd_siginfo))
> handle_error("read");
>
> if (fdsi.ssi_signo == SIGCHLD) {
> printf("Got SIGCHLD %d %d %d %d\n",
> fdsi.ssi_status, fdsi.ssi_code,
> fdsi.ssi_uid, fdsi.ssi_pid);
> return 0;
> } else {
> printf("Read unexpected signal\n");
> }
> }
> }
>
>
> and a multi-threaded client to test with:
>
> #include <unistd.h>
> #include <pthread.h>
>
> void *f(void *arg)
> {
> sleep(100);
> }
>
> int main()
> {
> pthread_t t[8];
>
> for (int i = 0; i != 8; ++i)
> {
> pthread_create(&t[i], NULL, f, NULL);
> }
> }
>
> I tried to do a bit of debugging and what seems to be happening is
> that
>
> /* From an ancestor pid namespace? */
> if (!task_pid_nr_ns(current, task_active_pid_ns(t))) {
>
> fails inside task_pid_nr_ns because the check for "pid_alive" fails.
>
> This code seems to be called from do_notify_parent and there we
> actually have "tsk != current" (I am assuming both are threads of the
> current process?)
I instrumented the code with a warning and received the following backtrace:
> WARNING: CPU: 0 PID: 777 at kernel/pid.c:501 __task_pid_nr_ns.cold.6+0xc/0x15
> Modules linked in:
> CPU: 0 PID: 777 Comm: sfdclient Not tainted 5.7.0-rc1userns+ #2924
> Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
> RIP: 0010:__task_pid_nr_ns.cold.6+0xc/0x15
> Code: ff 66 90 48 83 ec 08 89 7c 24 04 48 8d 7e 08 48 8d 74 24 04 e8 9a b6 44 00 48 83 c4 08 c3 48 c7 c7 59 9f ac 82 e8 c2 c4 04 00 <0f> 0b e9 3fd
> RSP: 0018:ffffc9000042fbf8 EFLAGS: 00010046
> RAX: 000000000000000c RBX: 0000000000000000 RCX: ffffc9000042faf4
> RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff81193d29
> RBP: ffffc9000042fc18 R08: 0000000000000000 R09: 0000000000000001
> R10: 000000100f938416 R11: 0000000000000309 R12: ffff8880b941c140
> R13: 0000000000000000 R14: 0000000000000000 R15: ffff8880b941c140
> FS: 0000000000000000(0000) GS:ffff8880bca00000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007f2e8c0a32e0 CR3: 0000000002e10000 CR4: 00000000000006f0
> Call Trace:
> send_signal+0x1c8/0x310
> do_notify_parent+0x50f/0x550
> release_task.part.21+0x4fd/0x620
> do_exit+0x6f6/0xaf0
> do_group_exit+0x42/0xb0
> get_signal+0x13b/0xbb0
> do_signal+0x2b/0x670
> ? __audit_syscall_exit+0x24d/0x2b0
> ? rcu_read_lock_sched_held+0x4d/0x60
> ? kfree+0x24c/0x2b0
> do_syscall_64+0x176/0x640
> ? trace_hardirqs_off_thunk+0x1a/0x1c
> entry_SYSCALL_64_after_hwframe+0x49/0xb3
The immediate problem is as Christof noticed that "pid_alive(current) == false".
This happens because do_notify_parent is called from the last thread to exit
in a process after that thread has been reaped.
The bigger issue is that do_notify_parent can be called from any
process that manages to wait on a thread of a multi-threaded process
from wait_task_zombie. So any logic based upon current for
do_notify_parent is just nonsense, as current can be pretty much
anything.
So change do_notify_parent to call __send_signal directly.
Inspecting the code it appears this problem has existed since the pid
namespace support started handling this case in 2.6.30. This fix only
backports to 7a0cf094944e ("signal: Correct namespace fixups of si_pid and si_uid")
where the problem logic was moved out of __send_signal and into send_signal.
Cc: stable@vger.kernel.org
Fixes: 6588c1e3ff01 ("signals: SI_USER: Masquerade si_pid when crossing pid ns boundary")
Ref: 921cf9f63089 ("signals: protect cinit from unblocked SIG_DFL signals")
Link: https://lore.kernel.org/lkml/20200419201336.GI22017@edge.cmeerw.net/
Reported-by: Christof Meerwald <cmeerw@cmeerw.org>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2020-04-21 00:41:50 +08:00
|
|
|
/*
|
|
|
|
* Send with __send_signal as si_pid and si_uid are in the
|
|
|
|
* parent's namespaces.
|
|
|
|
*/
|
2011-06-23 05:08:18 +08:00
|
|
|
if (valid_signal(sig) && sig)
|
2022-04-22 22:48:54 +08:00
|
|
|
__send_signal_locked(sig, &info, tsk->parent, PIDTYPE_TGID, false);
|
2005-04-17 06:20:36 +08:00
|
|
|
__wake_up_parent(tsk, tsk->parent);
|
|
|
|
spin_unlock_irqrestore(&psig->siglock, flags);
|
2008-07-26 10:45:54 +08:00
|
|
|
|
2011-06-23 05:08:18 +08:00
|
|
|
return autoreap;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
2011-03-23 17:37:01 +08:00
|
|
|
/**
|
|
|
|
* do_notify_parent_cldstop - notify parent of stopped/continued state change
|
|
|
|
* @tsk: task reporting the state change
|
|
|
|
* @for_ptracer: the notification is for ptracer
|
|
|
|
* @why: CLD_{CONTINUED|STOPPED|TRAPPED} to report
|
|
|
|
*
|
|
|
|
* Notify @tsk's parent that the stopped/continued state has changed. If
|
|
|
|
* @for_ptracer is %false, @tsk's group leader notifies to its real parent.
|
|
|
|
* If %true, @tsk reports to @tsk->parent which should be the ptracer.
|
|
|
|
*
|
|
|
|
* CONTEXT:
|
|
|
|
* Must be called with tasklist_lock at least read locked.
|
|
|
|
*/
|
|
|
|
static void do_notify_parent_cldstop(struct task_struct *tsk,
|
|
|
|
bool for_ptracer, int why)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2018-09-25 17:27:20 +08:00
|
|
|
struct kernel_siginfo info;
|
2005-04-17 06:20:36 +08:00
|
|
|
unsigned long flags;
|
2005-09-07 06:17:32 +08:00
|
|
|
struct task_struct *parent;
|
2005-04-17 06:20:36 +08:00
|
|
|
struct sighand_struct *sighand;
|
2017-01-31 11:09:31 +08:00
|
|
|
u64 utime, stime;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2011-03-23 17:37:01 +08:00
|
|
|
if (for_ptracer) {
|
2005-09-07 06:17:32 +08:00
|
|
|
parent = tsk->parent;
|
2011-03-23 17:37:01 +08:00
|
|
|
} else {
|
2005-09-07 06:17:32 +08:00
|
|
|
tsk = tsk->group_leader;
|
|
|
|
parent = tsk->real_parent;
|
|
|
|
}
|
|
|
|
|
2018-01-06 07:27:42 +08:00
|
|
|
clear_siginfo(&info);
|
2005-04-17 06:20:36 +08:00
|
|
|
info.si_signo = SIGCHLD;
|
|
|
|
info.si_errno = 0;
|
2007-10-19 14:40:14 +08:00
|
|
|
/*
|
2011-04-05 05:59:31 +08:00
|
|
|
* see comment in do_notify_parent() about the following 4 lines
|
2007-10-19 14:40:14 +08:00
|
|
|
*/
|
|
|
|
rcu_read_lock();
|
2010-03-03 06:51:53 +08:00
|
|
|
info.si_pid = task_pid_nr_ns(tsk, task_active_pid_ns(parent));
|
2012-03-14 07:04:35 +08:00
|
|
|
info.si_uid = from_kuid_munged(task_cred_xxx(parent, user_ns), task_uid(tsk));
|
2007-10-19 14:40:14 +08:00
|
|
|
rcu_read_unlock();
|
|
|
|
|
2017-01-31 11:09:31 +08:00
|
|
|
task_cputime(tsk, &utime, &stime);
|
|
|
|
info.si_utime = nsec_to_clock_t(utime);
|
|
|
|
info.si_stime = nsec_to_clock_t(stime);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
info.si_code = why;
|
|
|
|
switch (why) {
|
|
|
|
case CLD_CONTINUED:
|
|
|
|
info.si_status = SIGCONT;
|
|
|
|
break;
|
|
|
|
case CLD_STOPPED:
|
|
|
|
info.si_status = tsk->signal->group_exit_code & 0x7f;
|
|
|
|
break;
|
|
|
|
case CLD_TRAPPED:
|
|
|
|
info.si_status = tsk->exit_code & 0x7f;
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
BUG();
|
|
|
|
}
|
|
|
|
|
|
|
|
sighand = parent->sighand;
|
|
|
|
spin_lock_irqsave(&sighand->siglock, flags);
|
|
|
|
if (sighand->action[SIGCHLD-1].sa.sa_handler != SIG_IGN &&
|
|
|
|
!(sighand->action[SIGCHLD-1].sa.sa_flags & SA_NOCLDSTOP))
|
2022-04-22 22:28:50 +08:00
|
|
|
send_signal_locked(SIGCHLD, &info, parent, PIDTYPE_TGID);
|
2005-04-17 06:20:36 +08:00
|
|
|
/*
|
|
|
|
* Even if SIGCHLD is not generated, we must wake up wait4 calls.
|
|
|
|
*/
|
|
|
|
__wake_up_parent(tsk, parent);
|
|
|
|
spin_unlock_irqrestore(&sighand->siglock, flags);
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* This must be called with current->sighand->siglock held.
|
|
|
|
*
|
|
|
|
* This should be the path for all ptrace stops.
|
|
|
|
* We always set current->last_siginfo while stopped here.
|
|
|
|
* That makes it a way to test a stopped process for
|
|
|
|
* being ptrace-stopped vs being job-control-stopped.
|
|
|
|
*
|
2022-01-28 02:19:13 +08:00
|
|
|
* Returns the signal the ptracer requested the code resume
|
|
|
|
* with. If the code did not stop because the tracer is gone,
|
|
|
|
* the stop signal remains unchanged unless clear_code.
|
2005-04-17 06:20:36 +08:00
|
|
|
*/
|
2022-05-05 02:39:58 +08:00
|
|
|
static int ptrace_stop(int exit_code, int why, unsigned long message,
|
|
|
|
kernel_siginfo_t *info)
|
2010-10-28 06:34:07 +08:00
|
|
|
__releases(¤t->sighand->siglock)
|
|
|
|
__acquires(¤t->sighand->siglock)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
job control: Notify the real parent of job control events regardless of ptrace
With recent changes, job control and ptrace stopped states are
properly separated and accessible to the real parent and the ptracer
respectively; however, notifications of job control stopped/continued
events to the real parent while ptraced are still missing.
A ptracee participates in group stop in ptrace_stop() but the
completion isn't notified. If participation results in completion of
group stop, notify the real parent of the event. The ptrace and group
stops are separate and can be handled as such.
However, when the real parent and the ptracer are in the same thread
group, only the ptrace stop event is visible through wait(2) and the
duplicate notifications are different from the current behavior and
are confusing. Suppress group stop notification in such cases.
The continued state is shared between the real parent and the ptracer
but is only meaningful to the real parent. Always notify the real
parent and notify the ptracer too for backward compatibility. Similar
to stop notification, if the real parent is the ptracer, suppress a
duplicate notification.
Test case follows.
#include <stdio.h>
#include <unistd.h>
#include <time.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
int main(void)
{
const struct timespec ts100ms = { .tv_nsec = 100000000 };
pid_t tracee, tracer;
siginfo_t si;
int i;
tracee = fork();
if (tracee == 0) {
while (1) {
printf("tracee: SIGSTOP\n");
raise(SIGSTOP);
nanosleep(&ts100ms, NULL);
printf("tracee: SIGCONT\n");
raise(SIGCONT);
nanosleep(&ts100ms, NULL);
}
}
waitid(P_PID, tracee, &si, WSTOPPED | WNOHANG | WNOWAIT);
tracer = fork();
if (tracer == 0) {
nanosleep(&ts100ms, NULL);
ptrace(PTRACE_ATTACH, tracee, NULL, NULL);
for (i = 0; i < 11; i++) {
si.si_pid = 0;
waitid(P_PID, tracee, &si, WSTOPPED);
if (si.si_pid && si.si_code == CLD_TRAPPED)
ptrace(PTRACE_CONT, tracee, NULL,
(void *)(long)si.si_status);
}
printf("tracer: EXITING\n");
return 0;
}
while (1) {
si.si_pid = 0;
waitid(P_PID, tracee, &si, WSTOPPED | WCONTINUED | WEXITED);
if (si.si_pid)
printf("mommy : WAIT status=%02d code=%02d\n",
si.si_status, si.si_code);
}
return 0;
}
Before this patch, while ptraced, the real parent doesn't get
notifications for job control events, so although it can access those
events, the later waitid(2) call never wakes up.
tracee: SIGSTOP
mommy : WAIT status=19 code=05
tracee: SIGCONT
tracee: SIGSTOP
tracee: SIGCONT
tracee: SIGSTOP
tracee: SIGCONT
tracee: SIGSTOP
tracer: EXITING
mommy : WAIT status=19 code=05
^C
After this patch, it works as expected.
tracee: SIGSTOP
mommy : WAIT status=19 code=05
tracee: SIGCONT
mommy : WAIT status=18 code=06
tracee: SIGSTOP
mommy : WAIT status=19 code=05
tracee: SIGCONT
mommy : WAIT status=18 code=06
tracee: SIGSTOP
mommy : WAIT status=19 code=05
tracee: SIGCONT
mommy : WAIT status=18 code=06
tracee: SIGSTOP
tracer: EXITING
mommy : WAIT status=19 code=05
^C
-v2: Oleg pointed out that
* Group stop notification to the real parent should also happen
when ptracer detach races with ptrace_stop().
* real_parent_is_ptracer() should be testing thread group
equality not the task itself as wait(2) and stop/cont
notifications are normally thread-group wide.
Both issues are fixed accordingly.
-v3: real_parent_is_ptracer() updated to test child->real_parent
instead of child->group_leader->real_parent per Oleg's
suggestion.
Signed-off-by: Tejun Heo <tj@kernel.org>
Acked-by: Oleg Nesterov <oleg@redhat.com>
2011-03-23 17:37:01 +08:00
|
|
|
bool gstop_done = false;
|
|
|
|
|
2021-09-03 05:10:11 +08:00
|
|
|
if (arch_ptrace_stop_needed()) {
|
2008-02-06 17:37:37 +08:00
|
|
|
/*
|
|
|
|
* The arch code has something special to do before a
|
|
|
|
* ptrace stop. This is allowed to block, e.g. for faults
|
|
|
|
* on user stack pages. We can't keep the siglock while
|
|
|
|
* calling arch_ptrace_stop, so we must release it now.
|
|
|
|
* To preserve proper semantics, we must do this before
|
|
|
|
* any signal bookkeeping like checking group_stop_count.
|
|
|
|
*/
|
|
|
|
spin_unlock_irq(¤t->sighand->siglock);
|
2021-09-03 05:10:11 +08:00
|
|
|
arch_ptrace_stop();
|
2008-02-06 17:37:37 +08:00
|
|
|
spin_lock_irq(¤t->sighand->siglock);
|
|
|
|
}
|
|
|
|
|
2021-09-02 02:21:34 +08:00
|
|
|
/*
|
2022-04-29 21:43:34 +08:00
|
|
|
* After this point ptrace_signal_wake_up or signal_wake_up
|
|
|
|
* will clear TASK_TRACED if ptrace_unlink happens or a fatal
|
|
|
|
* signal comes in. Handle previous ptrace_unlinks and fatal
|
|
|
|
* signals here to prevent ptrace_stop sleeping in schedule.
|
2021-09-02 02:21:34 +08:00
|
|
|
*/
|
2022-04-29 21:43:34 +08:00
|
|
|
if (!current->ptrace || __fatal_signal_pending(current))
|
2022-05-05 02:39:58 +08:00
|
|
|
return exit_code;
|
|
|
|
|
2018-04-30 20:51:01 +08:00
|
|
|
set_special_state(TASK_TRACED);
|
2022-05-04 04:57:47 +08:00
|
|
|
current->jobctl |= JOBCTL_TRACED;
|
2018-04-30 20:51:01 +08:00
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
/*
|
2011-06-02 17:13:59 +08:00
|
|
|
* We're committing to trapping. TRACED should be visible before
|
|
|
|
* TRAPPING is cleared; otherwise, the tracer might fail do_wait().
|
|
|
|
* Also, transition to TRACED and updates to ->jobctl should be
|
|
|
|
* atomic with respect to siglock and should be done after the arch
|
|
|
|
* hook as siglock is released and regrabbed across it.
|
2018-04-30 20:51:01 +08:00
|
|
|
*
|
|
|
|
* TRACER TRACEE
|
|
|
|
*
|
|
|
|
* ptrace_attach()
|
|
|
|
* [L] wait_on_bit(JOBCTL_TRAPPING) [S] set_special_state(TRACED)
|
|
|
|
* do_wait()
|
|
|
|
* set_current_state() smp_wmb();
|
|
|
|
* ptrace_do_wait()
|
|
|
|
* wait_task_stopped()
|
|
|
|
* task_stopped_code()
|
|
|
|
* [L] task_is_traced() [S] task_clear_jobctl_trapping();
|
2005-04-17 06:20:36 +08:00
|
|
|
*/
|
2018-04-30 20:51:01 +08:00
|
|
|
smp_wmb();
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2022-01-28 02:15:32 +08:00
|
|
|
current->ptrace_message = message;
|
2005-04-17 06:20:36 +08:00
|
|
|
current->last_siginfo = info;
|
|
|
|
current->exit_code = exit_code;
|
|
|
|
|
2011-03-23 17:37:00 +08:00
|
|
|
/*
|
2011-03-23 17:37:00 +08:00
|
|
|
* If @why is CLD_STOPPED, we're trapping to participate in a group
|
|
|
|
* stop. Do the bookkeeping. Note that if SIGCONT was delievered
|
2011-06-14 17:20:14 +08:00
|
|
|
* across siglock relocks since INTERRUPT was scheduled, PENDING
|
|
|
|
* could be clear now. We act as if SIGCONT is received after
|
|
|
|
* TASK_TRACED is entered - ignore it.
|
2011-03-23 17:37:00 +08:00
|
|
|
*/
|
2011-06-02 17:13:59 +08:00
|
|
|
if (why == CLD_STOPPED && (current->jobctl & JOBCTL_STOP_PENDING))
|
job control: Notify the real parent of job control events regardless of ptrace
With recent changes, job control and ptrace stopped states are
properly separated and accessible to the real parent and the ptracer
respectively; however, notifications of job control stopped/continued
events to the real parent while ptraced are still missing.
A ptracee participates in group stop in ptrace_stop() but the
completion isn't notified. If participation results in completion of
group stop, notify the real parent of the event. The ptrace and group
stops are separate and can be handled as such.
However, when the real parent and the ptracer are in the same thread
group, only the ptrace stop event is visible through wait(2) and the
duplicate notifications are different from the current behavior and
are confusing. Suppress group stop notification in such cases.
The continued state is shared between the real parent and the ptracer
but is only meaningful to the real parent. Always notify the real
parent and notify the ptracer too for backward compatibility. Similar
to stop notification, if the real parent is the ptracer, suppress a
duplicate notification.
Test case follows.
#include <stdio.h>
#include <unistd.h>
#include <time.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
int main(void)
{
const struct timespec ts100ms = { .tv_nsec = 100000000 };
pid_t tracee, tracer;
siginfo_t si;
int i;
tracee = fork();
if (tracee == 0) {
while (1) {
printf("tracee: SIGSTOP\n");
raise(SIGSTOP);
nanosleep(&ts100ms, NULL);
printf("tracee: SIGCONT\n");
raise(SIGCONT);
nanosleep(&ts100ms, NULL);
}
}
waitid(P_PID, tracee, &si, WSTOPPED | WNOHANG | WNOWAIT);
tracer = fork();
if (tracer == 0) {
nanosleep(&ts100ms, NULL);
ptrace(PTRACE_ATTACH, tracee, NULL, NULL);
for (i = 0; i < 11; i++) {
si.si_pid = 0;
waitid(P_PID, tracee, &si, WSTOPPED);
if (si.si_pid && si.si_code == CLD_TRAPPED)
ptrace(PTRACE_CONT, tracee, NULL,
(void *)(long)si.si_status);
}
printf("tracer: EXITING\n");
return 0;
}
while (1) {
si.si_pid = 0;
waitid(P_PID, tracee, &si, WSTOPPED | WCONTINUED | WEXITED);
if (si.si_pid)
printf("mommy : WAIT status=%02d code=%02d\n",
si.si_status, si.si_code);
}
return 0;
}
Before this patch, while ptraced, the real parent doesn't get
notifications for job control events, so although it can access those
events, the later waitid(2) call never wakes up.
tracee: SIGSTOP
mommy : WAIT status=19 code=05
tracee: SIGCONT
tracee: SIGSTOP
tracee: SIGCONT
tracee: SIGSTOP
tracee: SIGCONT
tracee: SIGSTOP
tracer: EXITING
mommy : WAIT status=19 code=05
^C
After this patch, it works as expected.
tracee: SIGSTOP
mommy : WAIT status=19 code=05
tracee: SIGCONT
mommy : WAIT status=18 code=06
tracee: SIGSTOP
mommy : WAIT status=19 code=05
tracee: SIGCONT
mommy : WAIT status=18 code=06
tracee: SIGSTOP
mommy : WAIT status=19 code=05
tracee: SIGCONT
mommy : WAIT status=18 code=06
tracee: SIGSTOP
tracer: EXITING
mommy : WAIT status=19 code=05
^C
-v2: Oleg pointed out that
* Group stop notification to the real parent should also happen
when ptracer detach races with ptrace_stop().
* real_parent_is_ptracer() should be testing thread group
equality not the task itself as wait(2) and stop/cont
notifications are normally thread-group wide.
Both issues are fixed accordingly.
-v3: real_parent_is_ptracer() updated to test child->real_parent
instead of child->group_leader->real_parent per Oleg's
suggestion.
Signed-off-by: Tejun Heo <tj@kernel.org>
Acked-by: Oleg Nesterov <oleg@redhat.com>
2011-03-23 17:37:01 +08:00
|
|
|
gstop_done = task_participate_group_stop(current);
|
2011-03-23 17:37:00 +08:00
|
|
|
|
ptrace: implement TRAP_NOTIFY and use it for group stop events
Currently there's no way for ptracer to find out whether group stop
finished other than polling with INTERRUPT - GETSIGINFO - CONT
sequence. This patch implements group stop notification for ptracer
using STOP traps.
When group stop state of a seized tracee changes, JOBCTL_TRAP_NOTIFY
is set, which schedules a STOP trap which is sticky - it isn't cleared
by other traps and at least one STOP trap will happen eventually.
STOP trap is synchronization point for event notification and the
tracer can determine the current group stop state by looking at the
signal number portion of exit code (si_status from waitid(2) or
si_code from PTRACE_GETSIGINFO).
Notifications are generated both on start and end of group stops but,
because group stop participation always happens before STOP trap, this
doesn't cause an extra trap while tracee is participating in group
stop. The symmetry will be useful later.
Note that this notification works iff tracee is not trapped.
Currently there is no way to be notified of group stop state changes
while tracee is trapped. This will be addressed by a later patch.
An example program follows.
#define PTRACE_SEIZE 0x4206
#define PTRACE_INTERRUPT 0x4207
#define PTRACE_SEIZE_DEVEL 0x80000000
static const struct timespec ts1s = { .tv_sec = 1 };
int main(int argc, char **argv)
{
pid_t tracee, tracer;
int i;
tracee = fork();
if (!tracee)
while (1)
pause();
tracer = fork();
if (!tracer) {
siginfo_t si;
ptrace(PTRACE_SEIZE, tracee, NULL,
(void *)(unsigned long)PTRACE_SEIZE_DEVEL);
ptrace(PTRACE_INTERRUPT, tracee, NULL, NULL);
repeat:
waitid(P_PID, tracee, NULL, WSTOPPED);
ptrace(PTRACE_GETSIGINFO, tracee, NULL, &si);
if (!si.si_code) {
printf("tracer: SIG %d\n", si.si_signo);
ptrace(PTRACE_CONT, tracee, NULL,
(void *)(unsigned long)si.si_signo);
goto repeat;
}
printf("tracer: stopped=%d signo=%d\n",
si.si_signo != SIGTRAP, si.si_signo);
ptrace(PTRACE_CONT, tracee, NULL, NULL);
goto repeat;
}
for (i = 0; i < 3; i++) {
nanosleep(&ts1s, NULL);
printf("mother: SIGSTOP\n");
kill(tracee, SIGSTOP);
nanosleep(&ts1s, NULL);
printf("mother: SIGCONT\n");
kill(tracee, SIGCONT);
}
nanosleep(&ts1s, NULL);
kill(tracer, SIGKILL);
kill(tracee, SIGKILL);
return 0;
}
In the above program, tracer keeps tracee running and gets
notification of each group stop state changes.
# ./test-notify
tracer: stopped=0 signo=5
mother: SIGSTOP
tracer: SIG 19
tracer: stopped=1 signo=19
mother: SIGCONT
tracer: stopped=0 signo=5
tracer: SIG 18
mother: SIGSTOP
tracer: SIG 19
tracer: stopped=1 signo=19
mother: SIGCONT
tracer: stopped=0 signo=5
tracer: SIG 18
mother: SIGSTOP
tracer: SIG 19
tracer: stopped=1 signo=19
mother: SIGCONT
tracer: stopped=0 signo=5
tracer: SIG 18
Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: Oleg Nesterov <oleg@redhat.com>
2011-06-14 17:20:17 +08:00
|
|
|
/* any trap clears pending STOP trap, STOP trap clears NOTIFY */
|
2011-06-14 17:20:14 +08:00
|
|
|
task_clear_jobctl_pending(current, JOBCTL_TRAP_STOP);
|
ptrace: implement TRAP_NOTIFY and use it for group stop events
Currently there's no way for ptracer to find out whether group stop
finished other than polling with INTERRUPT - GETSIGINFO - CONT
sequence. This patch implements group stop notification for ptracer
using STOP traps.
When group stop state of a seized tracee changes, JOBCTL_TRAP_NOTIFY
is set, which schedules a STOP trap which is sticky - it isn't cleared
by other traps and at least one STOP trap will happen eventually.
STOP trap is synchronization point for event notification and the
tracer can determine the current group stop state by looking at the
signal number portion of exit code (si_status from waitid(2) or
si_code from PTRACE_GETSIGINFO).
Notifications are generated both on start and end of group stops but,
because group stop participation always happens before STOP trap, this
doesn't cause an extra trap while tracee is participating in group
stop. The symmetry will be useful later.
Note that this notification works iff tracee is not trapped.
Currently there is no way to be notified of group stop state changes
while tracee is trapped. This will be addressed by a later patch.
An example program follows.
#define PTRACE_SEIZE 0x4206
#define PTRACE_INTERRUPT 0x4207
#define PTRACE_SEIZE_DEVEL 0x80000000
static const struct timespec ts1s = { .tv_sec = 1 };
int main(int argc, char **argv)
{
pid_t tracee, tracer;
int i;
tracee = fork();
if (!tracee)
while (1)
pause();
tracer = fork();
if (!tracer) {
siginfo_t si;
ptrace(PTRACE_SEIZE, tracee, NULL,
(void *)(unsigned long)PTRACE_SEIZE_DEVEL);
ptrace(PTRACE_INTERRUPT, tracee, NULL, NULL);
repeat:
waitid(P_PID, tracee, NULL, WSTOPPED);
ptrace(PTRACE_GETSIGINFO, tracee, NULL, &si);
if (!si.si_code) {
printf("tracer: SIG %d\n", si.si_signo);
ptrace(PTRACE_CONT, tracee, NULL,
(void *)(unsigned long)si.si_signo);
goto repeat;
}
printf("tracer: stopped=%d signo=%d\n",
si.si_signo != SIGTRAP, si.si_signo);
ptrace(PTRACE_CONT, tracee, NULL, NULL);
goto repeat;
}
for (i = 0; i < 3; i++) {
nanosleep(&ts1s, NULL);
printf("mother: SIGSTOP\n");
kill(tracee, SIGSTOP);
nanosleep(&ts1s, NULL);
printf("mother: SIGCONT\n");
kill(tracee, SIGCONT);
}
nanosleep(&ts1s, NULL);
kill(tracer, SIGKILL);
kill(tracee, SIGKILL);
return 0;
}
In the above program, tracer keeps tracee running and gets
notification of each group stop state changes.
# ./test-notify
tracer: stopped=0 signo=5
mother: SIGSTOP
tracer: SIG 19
tracer: stopped=1 signo=19
mother: SIGCONT
tracer: stopped=0 signo=5
tracer: SIG 18
mother: SIGSTOP
tracer: SIG 19
tracer: stopped=1 signo=19
mother: SIGCONT
tracer: stopped=0 signo=5
tracer: SIG 18
mother: SIGSTOP
tracer: SIG 19
tracer: stopped=1 signo=19
mother: SIGCONT
tracer: stopped=0 signo=5
tracer: SIG 18
Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: Oleg Nesterov <oleg@redhat.com>
2011-06-14 17:20:17 +08:00
|
|
|
if (info && info->si_code >> 8 == PTRACE_EVENT_STOP)
|
|
|
|
task_clear_jobctl_pending(current, JOBCTL_TRAP_NOTIFY);
|
2011-06-14 17:20:14 +08:00
|
|
|
|
2011-06-02 17:13:59 +08:00
|
|
|
/* entering a trap, clear TRAPPING */
|
2011-06-02 17:13:59 +08:00
|
|
|
task_clear_jobctl_trapping(current);
|
2011-03-23 17:37:00 +08:00
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
spin_unlock_irq(¤t->sighand->siglock);
|
|
|
|
read_lock(&tasklist_lock);
|
2022-05-05 02:39:58 +08:00
|
|
|
/*
|
|
|
|
* Notify parents of the stop.
|
|
|
|
*
|
|
|
|
* While ptraced, there are two parents - the ptracer and
|
|
|
|
* the real_parent of the group_leader. The ptracer should
|
|
|
|
* know about every stop while the real parent is only
|
|
|
|
* interested in the completion of group stop. The states
|
|
|
|
* for the two don't interact with each other. Notify
|
|
|
|
* separately unless they're gonna be duplicates.
|
|
|
|
*/
|
|
|
|
if (current->ptrace)
|
job control: Notify the real parent of job control events regardless of ptrace
With recent changes, job control and ptrace stopped states are
properly separated and accessible to the real parent and the ptracer
respectively; however, notifications of job control stopped/continued
events to the real parent while ptraced are still missing.
A ptracee participates in group stop in ptrace_stop() but the
completion isn't notified. If participation results in completion of
group stop, notify the real parent of the event. The ptrace and group
stops are separate and can be handled as such.
However, when the real parent and the ptracer are in the same thread
group, only the ptrace stop event is visible through wait(2) and the
duplicate notifications are different from the current behavior and
are confusing. Suppress group stop notification in such cases.
The continued state is shared between the real parent and the ptracer
but is only meaningful to the real parent. Always notify the real
parent and notify the ptracer too for backward compatibility. Similar
to stop notification, if the real parent is the ptracer, suppress a
duplicate notification.
Test case follows.
#include <stdio.h>
#include <unistd.h>
#include <time.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
int main(void)
{
const struct timespec ts100ms = { .tv_nsec = 100000000 };
pid_t tracee, tracer;
siginfo_t si;
int i;
tracee = fork();
if (tracee == 0) {
while (1) {
printf("tracee: SIGSTOP\n");
raise(SIGSTOP);
nanosleep(&ts100ms, NULL);
printf("tracee: SIGCONT\n");
raise(SIGCONT);
nanosleep(&ts100ms, NULL);
}
}
waitid(P_PID, tracee, &si, WSTOPPED | WNOHANG | WNOWAIT);
tracer = fork();
if (tracer == 0) {
nanosleep(&ts100ms, NULL);
ptrace(PTRACE_ATTACH, tracee, NULL, NULL);
for (i = 0; i < 11; i++) {
si.si_pid = 0;
waitid(P_PID, tracee, &si, WSTOPPED);
if (si.si_pid && si.si_code == CLD_TRAPPED)
ptrace(PTRACE_CONT, tracee, NULL,
(void *)(long)si.si_status);
}
printf("tracer: EXITING\n");
return 0;
}
while (1) {
si.si_pid = 0;
waitid(P_PID, tracee, &si, WSTOPPED | WCONTINUED | WEXITED);
if (si.si_pid)
printf("mommy : WAIT status=%02d code=%02d\n",
si.si_status, si.si_code);
}
return 0;
}
Before this patch, while ptraced, the real parent doesn't get
notifications for job control events, so although it can access those
events, the later waitid(2) call never wakes up.
tracee: SIGSTOP
mommy : WAIT status=19 code=05
tracee: SIGCONT
tracee: SIGSTOP
tracee: SIGCONT
tracee: SIGSTOP
tracee: SIGCONT
tracee: SIGSTOP
tracer: EXITING
mommy : WAIT status=19 code=05
^C
After this patch, it works as expected.
tracee: SIGSTOP
mommy : WAIT status=19 code=05
tracee: SIGCONT
mommy : WAIT status=18 code=06
tracee: SIGSTOP
mommy : WAIT status=19 code=05
tracee: SIGCONT
mommy : WAIT status=18 code=06
tracee: SIGSTOP
mommy : WAIT status=19 code=05
tracee: SIGCONT
mommy : WAIT status=18 code=06
tracee: SIGSTOP
tracer: EXITING
mommy : WAIT status=19 code=05
^C
-v2: Oleg pointed out that
* Group stop notification to the real parent should also happen
when ptracer detach races with ptrace_stop().
* real_parent_is_ptracer() should be testing thread group
equality not the task itself as wait(2) and stop/cont
notifications are normally thread-group wide.
Both issues are fixed accordingly.
-v3: real_parent_is_ptracer() updated to test child->real_parent
instead of child->group_leader->real_parent per Oleg's
suggestion.
Signed-off-by: Tejun Heo <tj@kernel.org>
Acked-by: Oleg Nesterov <oleg@redhat.com>
2011-03-23 17:37:01 +08:00
|
|
|
do_notify_parent_cldstop(current, true, why);
|
2022-05-05 02:39:58 +08:00
|
|
|
if (gstop_done && (!current->ptrace || ptrace_reparented(current)))
|
|
|
|
do_notify_parent_cldstop(current, false, why);
|
job control: Notify the real parent of job control events regardless of ptrace
With recent changes, job control and ptrace stopped states are
properly separated and accessible to the real parent and the ptracer
respectively; however, notifications of job control stopped/continued
events to the real parent while ptraced are still missing.
A ptracee participates in group stop in ptrace_stop() but the
completion isn't notified. If participation results in completion of
group stop, notify the real parent of the event. The ptrace and group
stops are separate and can be handled as such.
However, when the real parent and the ptracer are in the same thread
group, only the ptrace stop event is visible through wait(2) and the
duplicate notifications are different from the current behavior and
are confusing. Suppress group stop notification in such cases.
The continued state is shared between the real parent and the ptracer
but is only meaningful to the real parent. Always notify the real
parent and notify the ptracer too for backward compatibility. Similar
to stop notification, if the real parent is the ptracer, suppress a
duplicate notification.
Test case follows.
#include <stdio.h>
#include <unistd.h>
#include <time.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
int main(void)
{
const struct timespec ts100ms = { .tv_nsec = 100000000 };
pid_t tracee, tracer;
siginfo_t si;
int i;
tracee = fork();
if (tracee == 0) {
while (1) {
printf("tracee: SIGSTOP\n");
raise(SIGSTOP);
nanosleep(&ts100ms, NULL);
printf("tracee: SIGCONT\n");
raise(SIGCONT);
nanosleep(&ts100ms, NULL);
}
}
waitid(P_PID, tracee, &si, WSTOPPED | WNOHANG | WNOWAIT);
tracer = fork();
if (tracer == 0) {
nanosleep(&ts100ms, NULL);
ptrace(PTRACE_ATTACH, tracee, NULL, NULL);
for (i = 0; i < 11; i++) {
si.si_pid = 0;
waitid(P_PID, tracee, &si, WSTOPPED);
if (si.si_pid && si.si_code == CLD_TRAPPED)
ptrace(PTRACE_CONT, tracee, NULL,
(void *)(long)si.si_status);
}
printf("tracer: EXITING\n");
return 0;
}
while (1) {
si.si_pid = 0;
waitid(P_PID, tracee, &si, WSTOPPED | WCONTINUED | WEXITED);
if (si.si_pid)
printf("mommy : WAIT status=%02d code=%02d\n",
si.si_status, si.si_code);
}
return 0;
}
Before this patch, while ptraced, the real parent doesn't get
notifications for job control events, so although it can access those
events, the later waitid(2) call never wakes up.
tracee: SIGSTOP
mommy : WAIT status=19 code=05
tracee: SIGCONT
tracee: SIGSTOP
tracee: SIGCONT
tracee: SIGSTOP
tracee: SIGCONT
tracee: SIGSTOP
tracer: EXITING
mommy : WAIT status=19 code=05
^C
After this patch, it works as expected.
tracee: SIGSTOP
mommy : WAIT status=19 code=05
tracee: SIGCONT
mommy : WAIT status=18 code=06
tracee: SIGSTOP
mommy : WAIT status=19 code=05
tracee: SIGCONT
mommy : WAIT status=18 code=06
tracee: SIGSTOP
mommy : WAIT status=19 code=05
tracee: SIGCONT
mommy : WAIT status=18 code=06
tracee: SIGSTOP
tracer: EXITING
mommy : WAIT status=19 code=05
^C
-v2: Oleg pointed out that
* Group stop notification to the real parent should also happen
when ptracer detach races with ptrace_stop().
* real_parent_is_ptracer() should be testing thread group
equality not the task itself as wait(2) and stop/cont
notifications are normally thread-group wide.
Both issues are fixed accordingly.
-v3: real_parent_is_ptracer() updated to test child->real_parent
instead of child->group_leader->real_parent per Oleg's
suggestion.
Signed-off-by: Tejun Heo <tj@kernel.org>
Acked-by: Oleg Nesterov <oleg@redhat.com>
2011-03-23 17:37:01 +08:00
|
|
|
|
2022-05-05 02:39:58 +08:00
|
|
|
/*
|
|
|
|
* Don't want to allow preemption here, because
|
|
|
|
* sys_ptrace() needs this task to be inactive.
|
|
|
|
*
|
|
|
|
* XXX: implement read_unlock_no_resched().
|
|
|
|
*/
|
|
|
|
preempt_disable();
|
|
|
|
read_unlock(&tasklist_lock);
|
|
|
|
cgroup_enter_frozen();
|
|
|
|
preempt_enable_no_resched();
|
freezer,sched: Rewrite core freezer logic
Rewrite the core freezer to behave better wrt thawing and be simpler
in general.
By replacing PF_FROZEN with TASK_FROZEN, a special block state, it is
ensured frozen tasks stay frozen until thawed and don't randomly wake
up early, as is currently possible.
As such, it does away with PF_FROZEN and PF_FREEZER_SKIP, freeing up
two PF_flags (yay!).
Specifically; the current scheme works a little like:
freezer_do_not_count();
schedule();
freezer_count();
And either the task is blocked, or it lands in try_to_freezer()
through freezer_count(). Now, when it is blocked, the freezer
considers it frozen and continues.
However, on thawing, once pm_freezing is cleared, freezer_count()
stops working, and any random/spurious wakeup will let a task run
before its time.
That is, thawing tries to thaw things in explicit order; kernel
threads and workqueues before doing bringing SMP back before userspace
etc.. However due to the above mentioned races it is entirely possible
for userspace tasks to thaw (by accident) before SMP is back.
This can be a fatal problem in asymmetric ISA architectures (eg ARMv9)
where the userspace task requires a special CPU to run.
As said; replace this with a special task state TASK_FROZEN and add
the following state transitions:
TASK_FREEZABLE -> TASK_FROZEN
__TASK_STOPPED -> TASK_FROZEN
__TASK_TRACED -> TASK_FROZEN
The new TASK_FREEZABLE can be set on any state part of TASK_NORMAL
(IOW. TASK_INTERRUPTIBLE and TASK_UNINTERRUPTIBLE) -- any such state
is already required to deal with spurious wakeups and the freezer
causes one such when thawing the task (since the original state is
lost).
The special __TASK_{STOPPED,TRACED} states *can* be restored since
their canonical state is in ->jobctl.
With this, frozen tasks need an explicit TASK_FROZEN wakeup and are
free of undue (early / spurious) wakeups.
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Ingo Molnar <mingo@kernel.org>
Acked-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Link: https://lore.kernel.org/r/20220822114649.055452969@infradead.org
2022-08-22 19:18:22 +08:00
|
|
|
schedule();
|
2022-05-05 02:39:58 +08:00
|
|
|
cgroup_leave_frozen(true);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
/*
|
|
|
|
* We are back. Now reacquire the siglock before touching
|
|
|
|
* last_siginfo, so that we are sure to have synchronized with
|
|
|
|
* any signal-sending on another CPU that wants to examine it.
|
|
|
|
*/
|
|
|
|
spin_lock_irq(¤t->sighand->siglock);
|
2022-05-05 02:39:58 +08:00
|
|
|
exit_code = current->exit_code;
|
2005-04-17 06:20:36 +08:00
|
|
|
current->last_siginfo = NULL;
|
2022-01-28 02:15:32 +08:00
|
|
|
current->ptrace_message = 0;
|
2022-01-28 02:19:13 +08:00
|
|
|
current->exit_code = 0;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
ptrace: implement PTRACE_LISTEN
The previous patch implemented async notification for ptrace but it
only worked while trace is running. This patch introduces
PTRACE_LISTEN which is suggested by Oleg Nestrov.
It's allowed iff tracee is in STOP trap and puts tracee into
quasi-running state - tracee never really runs but wait(2) and
ptrace(2) consider it to be running. While ptracer is listening,
tracee is allowed to re-enter STOP to notify an async event.
Listening state is cleared on the first notification. Ptracer can
also clear it by issuing INTERRUPT - tracee will re-trap into STOP
with listening state cleared.
This allows ptracer to monitor group stop state without running tracee
- use INTERRUPT to put tracee into STOP trap, issue LISTEN and then
wait(2) to wait for the next group stop event. When it happens,
PTRACE_GETSIGINFO provides information to determine the current state.
Test program follows.
#define PTRACE_SEIZE 0x4206
#define PTRACE_INTERRUPT 0x4207
#define PTRACE_LISTEN 0x4208
#define PTRACE_SEIZE_DEVEL 0x80000000
static const struct timespec ts1s = { .tv_sec = 1 };
int main(int argc, char **argv)
{
pid_t tracee, tracer;
int i;
tracee = fork();
if (!tracee)
while (1)
pause();
tracer = fork();
if (!tracer) {
siginfo_t si;
ptrace(PTRACE_SEIZE, tracee, NULL,
(void *)(unsigned long)PTRACE_SEIZE_DEVEL);
ptrace(PTRACE_INTERRUPT, tracee, NULL, NULL);
repeat:
waitid(P_PID, tracee, NULL, WSTOPPED);
ptrace(PTRACE_GETSIGINFO, tracee, NULL, &si);
if (!si.si_code) {
printf("tracer: SIG %d\n", si.si_signo);
ptrace(PTRACE_CONT, tracee, NULL,
(void *)(unsigned long)si.si_signo);
goto repeat;
}
printf("tracer: stopped=%d signo=%d\n",
si.si_signo != SIGTRAP, si.si_signo);
if (si.si_signo != SIGTRAP)
ptrace(PTRACE_LISTEN, tracee, NULL, NULL);
else
ptrace(PTRACE_CONT, tracee, NULL, NULL);
goto repeat;
}
for (i = 0; i < 3; i++) {
nanosleep(&ts1s, NULL);
printf("mother: SIGSTOP\n");
kill(tracee, SIGSTOP);
nanosleep(&ts1s, NULL);
printf("mother: SIGCONT\n");
kill(tracee, SIGCONT);
}
nanosleep(&ts1s, NULL);
kill(tracer, SIGKILL);
kill(tracee, SIGKILL);
return 0;
}
This is identical to the program to test TRAP_NOTIFY except that
tracee is PTRACE_LISTEN'd instead of PTRACE_CONT'd when group stopped.
This allows ptracer to monitor when group stop ends without running
tracee.
# ./test-listen
tracer: stopped=0 signo=5
mother: SIGSTOP
tracer: SIG 19
tracer: stopped=1 signo=19
mother: SIGCONT
tracer: stopped=0 signo=5
tracer: SIG 18
mother: SIGSTOP
tracer: SIG 19
tracer: stopped=1 signo=19
mother: SIGCONT
tracer: stopped=0 signo=5
tracer: SIG 18
mother: SIGSTOP
tracer: SIG 19
tracer: stopped=1 signo=19
mother: SIGCONT
tracer: stopped=0 signo=5
tracer: SIG 18
-v2: Moved JOBCTL_LISTENING check in wait_task_stopped() into
task_stopped_code() as suggested by Oleg.
Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: Oleg Nesterov <oleg@redhat.com>
2011-06-14 17:20:18 +08:00
|
|
|
/* LISTENING can be set only during STOP traps, clear it */
|
2022-04-29 21:43:34 +08:00
|
|
|
current->jobctl &= ~(JOBCTL_LISTENING | JOBCTL_PTRACE_FROZEN);
|
ptrace: implement PTRACE_LISTEN
The previous patch implemented async notification for ptrace but it
only worked while trace is running. This patch introduces
PTRACE_LISTEN which is suggested by Oleg Nestrov.
It's allowed iff tracee is in STOP trap and puts tracee into
quasi-running state - tracee never really runs but wait(2) and
ptrace(2) consider it to be running. While ptracer is listening,
tracee is allowed to re-enter STOP to notify an async event.
Listening state is cleared on the first notification. Ptracer can
also clear it by issuing INTERRUPT - tracee will re-trap into STOP
with listening state cleared.
This allows ptracer to monitor group stop state without running tracee
- use INTERRUPT to put tracee into STOP trap, issue LISTEN and then
wait(2) to wait for the next group stop event. When it happens,
PTRACE_GETSIGINFO provides information to determine the current state.
Test program follows.
#define PTRACE_SEIZE 0x4206
#define PTRACE_INTERRUPT 0x4207
#define PTRACE_LISTEN 0x4208
#define PTRACE_SEIZE_DEVEL 0x80000000
static const struct timespec ts1s = { .tv_sec = 1 };
int main(int argc, char **argv)
{
pid_t tracee, tracer;
int i;
tracee = fork();
if (!tracee)
while (1)
pause();
tracer = fork();
if (!tracer) {
siginfo_t si;
ptrace(PTRACE_SEIZE, tracee, NULL,
(void *)(unsigned long)PTRACE_SEIZE_DEVEL);
ptrace(PTRACE_INTERRUPT, tracee, NULL, NULL);
repeat:
waitid(P_PID, tracee, NULL, WSTOPPED);
ptrace(PTRACE_GETSIGINFO, tracee, NULL, &si);
if (!si.si_code) {
printf("tracer: SIG %d\n", si.si_signo);
ptrace(PTRACE_CONT, tracee, NULL,
(void *)(unsigned long)si.si_signo);
goto repeat;
}
printf("tracer: stopped=%d signo=%d\n",
si.si_signo != SIGTRAP, si.si_signo);
if (si.si_signo != SIGTRAP)
ptrace(PTRACE_LISTEN, tracee, NULL, NULL);
else
ptrace(PTRACE_CONT, tracee, NULL, NULL);
goto repeat;
}
for (i = 0; i < 3; i++) {
nanosleep(&ts1s, NULL);
printf("mother: SIGSTOP\n");
kill(tracee, SIGSTOP);
nanosleep(&ts1s, NULL);
printf("mother: SIGCONT\n");
kill(tracee, SIGCONT);
}
nanosleep(&ts1s, NULL);
kill(tracer, SIGKILL);
kill(tracee, SIGKILL);
return 0;
}
This is identical to the program to test TRAP_NOTIFY except that
tracee is PTRACE_LISTEN'd instead of PTRACE_CONT'd when group stopped.
This allows ptracer to monitor when group stop ends without running
tracee.
# ./test-listen
tracer: stopped=0 signo=5
mother: SIGSTOP
tracer: SIG 19
tracer: stopped=1 signo=19
mother: SIGCONT
tracer: stopped=0 signo=5
tracer: SIG 18
mother: SIGSTOP
tracer: SIG 19
tracer: stopped=1 signo=19
mother: SIGCONT
tracer: stopped=0 signo=5
tracer: SIG 18
mother: SIGSTOP
tracer: SIG 19
tracer: stopped=1 signo=19
mother: SIGCONT
tracer: stopped=0 signo=5
tracer: SIG 18
-v2: Moved JOBCTL_LISTENING check in wait_task_stopped() into
task_stopped_code() as suggested by Oleg.
Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: Oleg Nesterov <oleg@redhat.com>
2011-06-14 17:20:18 +08:00
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
/*
|
|
|
|
* Queued signals ignored us while we were stopped for tracing.
|
|
|
|
* So check for any that we should take before resuming user mode.
|
2007-06-06 18:59:00 +08:00
|
|
|
* This sets TIF_SIGPENDING, but never clears it.
|
2005-04-17 06:20:36 +08:00
|
|
|
*/
|
2007-06-06 18:59:00 +08:00
|
|
|
recalc_sigpending_tsk(current);
|
2022-01-28 02:19:13 +08:00
|
|
|
return exit_code;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
2022-01-28 02:19:13 +08:00
|
|
|
static int ptrace_do_notify(int signr, int exit_code, int why, unsigned long message)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2018-09-25 17:27:20 +08:00
|
|
|
kernel_siginfo_t info;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2018-01-06 07:27:42 +08:00
|
|
|
clear_siginfo(&info);
|
ptrace: implement PTRACE_SEIZE
PTRACE_ATTACH implicitly issues SIGSTOP on attach which has side
effects on tracee signal and job control states. This patch
implements a new ptrace request PTRACE_SEIZE which attaches a tracee
without trapping it or affecting its signal and job control states.
The usage is the same with PTRACE_ATTACH but it takes PTRACE_SEIZE_*
flags in @data. Currently, the only defined flag is
PTRACE_SEIZE_DEVEL which is a temporary flag to enable PTRACE_SEIZE.
PTRACE_SEIZE will change ptrace behaviors outside of attach itself.
The changes will be implemented gradually and the DEVEL flag is to
prevent programs which expect full SEIZE behavior from using it before
all the behavior modifications are complete while allowing unit
testing. The flag will be removed once SEIZE behaviors are completely
implemented.
* PTRACE_SEIZE, unlike ATTACH, doesn't force tracee to trap. After
attaching tracee continues to run unless a trap condition occurs.
* PTRACE_SEIZE doesn't affect signal or group stop state.
* If PTRACE_SEIZE'd, group stop uses PTRACE_EVENT_STOP trap which uses
exit_code of (signr | PTRACE_EVENT_STOP << 8) where signr is one of
the stopping signals if group stop is in effect or SIGTRAP
otherwise, and returns usual trap siginfo on PTRACE_GETSIGINFO
instead of NULL.
Seizing sets PT_SEIZED in ->ptrace of the tracee. This flag will be
used to determine whether new SEIZE behaviors should be enabled.
Test program follows.
#define PTRACE_SEIZE 0x4206
#define PTRACE_SEIZE_DEVEL 0x80000000
static const struct timespec ts100ms = { .tv_nsec = 100000000 };
static const struct timespec ts1s = { .tv_sec = 1 };
static const struct timespec ts3s = { .tv_sec = 3 };
int main(int argc, char **argv)
{
pid_t tracee;
tracee = fork();
if (tracee == 0) {
nanosleep(&ts100ms, NULL);
while (1) {
printf("tracee: alive\n");
nanosleep(&ts1s, NULL);
}
}
if (argc > 1)
kill(tracee, SIGSTOP);
nanosleep(&ts100ms, NULL);
ptrace(PTRACE_SEIZE, tracee, NULL,
(void *)(unsigned long)PTRACE_SEIZE_DEVEL);
if (argc > 1) {
waitid(P_PID, tracee, NULL, WSTOPPED);
ptrace(PTRACE_CONT, tracee, NULL, NULL);
}
nanosleep(&ts3s, NULL);
printf("tracer: exiting\n");
return 0;
}
When the above program is called w/o argument, tracee is seized while
running and remains running. When tracer exits, tracee continues to
run and print out messages.
# ./test-seize-simple
tracee: alive
tracee: alive
tracee: alive
tracer: exiting
tracee: alive
tracee: alive
When called with an argument, tracee is seized from stopped state and
continued, and returns to stopped state when tracer exits.
# ./test-seize
tracee: alive
tracee: alive
tracee: alive
tracer: exiting
# ps -el|grep test-seize
1 T 0 4720 1 0 80 0 - 941 signal ttyS0 00:00:00 test-seize
-v2: SEIZE doesn't schedule TRAP_STOP and leaves tracee running as Jan
suggested.
-v3: PTRACE_EVENT_STOP traps now report group stop state by signr. If
group stop is in effect the stop signal number is returned as
part of exit_code; otherwise, SIGTRAP. This was suggested by
Denys and Oleg.
Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: Jan Kratochvil <jan.kratochvil@redhat.com>
Cc: Denys Vlasenko <vda.linux@googlemail.com>
Cc: Oleg Nesterov <oleg@redhat.com>
2011-06-14 17:20:15 +08:00
|
|
|
info.si_signo = signr;
|
2005-04-17 06:20:36 +08:00
|
|
|
info.si_code = exit_code;
|
2007-10-19 14:40:14 +08:00
|
|
|
info.si_pid = task_pid_vnr(current);
|
2012-02-08 23:00:08 +08:00
|
|
|
info.si_uid = from_kuid_munged(current_user_ns(), current_uid());
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
/* Let the debugger run. */
|
2022-05-05 02:39:58 +08:00
|
|
|
return ptrace_stop(exit_code, why, message, &info);
|
ptrace: implement PTRACE_SEIZE
PTRACE_ATTACH implicitly issues SIGSTOP on attach which has side
effects on tracee signal and job control states. This patch
implements a new ptrace request PTRACE_SEIZE which attaches a tracee
without trapping it or affecting its signal and job control states.
The usage is the same with PTRACE_ATTACH but it takes PTRACE_SEIZE_*
flags in @data. Currently, the only defined flag is
PTRACE_SEIZE_DEVEL which is a temporary flag to enable PTRACE_SEIZE.
PTRACE_SEIZE will change ptrace behaviors outside of attach itself.
The changes will be implemented gradually and the DEVEL flag is to
prevent programs which expect full SEIZE behavior from using it before
all the behavior modifications are complete while allowing unit
testing. The flag will be removed once SEIZE behaviors are completely
implemented.
* PTRACE_SEIZE, unlike ATTACH, doesn't force tracee to trap. After
attaching tracee continues to run unless a trap condition occurs.
* PTRACE_SEIZE doesn't affect signal or group stop state.
* If PTRACE_SEIZE'd, group stop uses PTRACE_EVENT_STOP trap which uses
exit_code of (signr | PTRACE_EVENT_STOP << 8) where signr is one of
the stopping signals if group stop is in effect or SIGTRAP
otherwise, and returns usual trap siginfo on PTRACE_GETSIGINFO
instead of NULL.
Seizing sets PT_SEIZED in ->ptrace of the tracee. This flag will be
used to determine whether new SEIZE behaviors should be enabled.
Test program follows.
#define PTRACE_SEIZE 0x4206
#define PTRACE_SEIZE_DEVEL 0x80000000
static const struct timespec ts100ms = { .tv_nsec = 100000000 };
static const struct timespec ts1s = { .tv_sec = 1 };
static const struct timespec ts3s = { .tv_sec = 3 };
int main(int argc, char **argv)
{
pid_t tracee;
tracee = fork();
if (tracee == 0) {
nanosleep(&ts100ms, NULL);
while (1) {
printf("tracee: alive\n");
nanosleep(&ts1s, NULL);
}
}
if (argc > 1)
kill(tracee, SIGSTOP);
nanosleep(&ts100ms, NULL);
ptrace(PTRACE_SEIZE, tracee, NULL,
(void *)(unsigned long)PTRACE_SEIZE_DEVEL);
if (argc > 1) {
waitid(P_PID, tracee, NULL, WSTOPPED);
ptrace(PTRACE_CONT, tracee, NULL, NULL);
}
nanosleep(&ts3s, NULL);
printf("tracer: exiting\n");
return 0;
}
When the above program is called w/o argument, tracee is seized while
running and remains running. When tracer exits, tracee continues to
run and print out messages.
# ./test-seize-simple
tracee: alive
tracee: alive
tracee: alive
tracer: exiting
tracee: alive
tracee: alive
When called with an argument, tracee is seized from stopped state and
continued, and returns to stopped state when tracer exits.
# ./test-seize
tracee: alive
tracee: alive
tracee: alive
tracer: exiting
# ps -el|grep test-seize
1 T 0 4720 1 0 80 0 - 941 signal ttyS0 00:00:00 test-seize
-v2: SEIZE doesn't schedule TRAP_STOP and leaves tracee running as Jan
suggested.
-v3: PTRACE_EVENT_STOP traps now report group stop state by signr. If
group stop is in effect the stop signal number is returned as
part of exit_code; otherwise, SIGTRAP. This was suggested by
Denys and Oleg.
Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: Jan Kratochvil <jan.kratochvil@redhat.com>
Cc: Denys Vlasenko <vda.linux@googlemail.com>
Cc: Oleg Nesterov <oleg@redhat.com>
2011-06-14 17:20:15 +08:00
|
|
|
}
|
|
|
|
|
2022-01-28 02:19:13 +08:00
|
|
|
int ptrace_notify(int exit_code, unsigned long message)
|
ptrace: implement PTRACE_SEIZE
PTRACE_ATTACH implicitly issues SIGSTOP on attach which has side
effects on tracee signal and job control states. This patch
implements a new ptrace request PTRACE_SEIZE which attaches a tracee
without trapping it or affecting its signal and job control states.
The usage is the same with PTRACE_ATTACH but it takes PTRACE_SEIZE_*
flags in @data. Currently, the only defined flag is
PTRACE_SEIZE_DEVEL which is a temporary flag to enable PTRACE_SEIZE.
PTRACE_SEIZE will change ptrace behaviors outside of attach itself.
The changes will be implemented gradually and the DEVEL flag is to
prevent programs which expect full SEIZE behavior from using it before
all the behavior modifications are complete while allowing unit
testing. The flag will be removed once SEIZE behaviors are completely
implemented.
* PTRACE_SEIZE, unlike ATTACH, doesn't force tracee to trap. After
attaching tracee continues to run unless a trap condition occurs.
* PTRACE_SEIZE doesn't affect signal or group stop state.
* If PTRACE_SEIZE'd, group stop uses PTRACE_EVENT_STOP trap which uses
exit_code of (signr | PTRACE_EVENT_STOP << 8) where signr is one of
the stopping signals if group stop is in effect or SIGTRAP
otherwise, and returns usual trap siginfo on PTRACE_GETSIGINFO
instead of NULL.
Seizing sets PT_SEIZED in ->ptrace of the tracee. This flag will be
used to determine whether new SEIZE behaviors should be enabled.
Test program follows.
#define PTRACE_SEIZE 0x4206
#define PTRACE_SEIZE_DEVEL 0x80000000
static const struct timespec ts100ms = { .tv_nsec = 100000000 };
static const struct timespec ts1s = { .tv_sec = 1 };
static const struct timespec ts3s = { .tv_sec = 3 };
int main(int argc, char **argv)
{
pid_t tracee;
tracee = fork();
if (tracee == 0) {
nanosleep(&ts100ms, NULL);
while (1) {
printf("tracee: alive\n");
nanosleep(&ts1s, NULL);
}
}
if (argc > 1)
kill(tracee, SIGSTOP);
nanosleep(&ts100ms, NULL);
ptrace(PTRACE_SEIZE, tracee, NULL,
(void *)(unsigned long)PTRACE_SEIZE_DEVEL);
if (argc > 1) {
waitid(P_PID, tracee, NULL, WSTOPPED);
ptrace(PTRACE_CONT, tracee, NULL, NULL);
}
nanosleep(&ts3s, NULL);
printf("tracer: exiting\n");
return 0;
}
When the above program is called w/o argument, tracee is seized while
running and remains running. When tracer exits, tracee continues to
run and print out messages.
# ./test-seize-simple
tracee: alive
tracee: alive
tracee: alive
tracer: exiting
tracee: alive
tracee: alive
When called with an argument, tracee is seized from stopped state and
continued, and returns to stopped state when tracer exits.
# ./test-seize
tracee: alive
tracee: alive
tracee: alive
tracer: exiting
# ps -el|grep test-seize
1 T 0 4720 1 0 80 0 - 941 signal ttyS0 00:00:00 test-seize
-v2: SEIZE doesn't schedule TRAP_STOP and leaves tracee running as Jan
suggested.
-v3: PTRACE_EVENT_STOP traps now report group stop state by signr. If
group stop is in effect the stop signal number is returned as
part of exit_code; otherwise, SIGTRAP. This was suggested by
Denys and Oleg.
Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: Jan Kratochvil <jan.kratochvil@redhat.com>
Cc: Denys Vlasenko <vda.linux@googlemail.com>
Cc: Oleg Nesterov <oleg@redhat.com>
2011-06-14 17:20:15 +08:00
|
|
|
{
|
2022-01-28 02:19:13 +08:00
|
|
|
int signr;
|
|
|
|
|
ptrace: implement PTRACE_SEIZE
PTRACE_ATTACH implicitly issues SIGSTOP on attach which has side
effects on tracee signal and job control states. This patch
implements a new ptrace request PTRACE_SEIZE which attaches a tracee
without trapping it or affecting its signal and job control states.
The usage is the same with PTRACE_ATTACH but it takes PTRACE_SEIZE_*
flags in @data. Currently, the only defined flag is
PTRACE_SEIZE_DEVEL which is a temporary flag to enable PTRACE_SEIZE.
PTRACE_SEIZE will change ptrace behaviors outside of attach itself.
The changes will be implemented gradually and the DEVEL flag is to
prevent programs which expect full SEIZE behavior from using it before
all the behavior modifications are complete while allowing unit
testing. The flag will be removed once SEIZE behaviors are completely
implemented.
* PTRACE_SEIZE, unlike ATTACH, doesn't force tracee to trap. After
attaching tracee continues to run unless a trap condition occurs.
* PTRACE_SEIZE doesn't affect signal or group stop state.
* If PTRACE_SEIZE'd, group stop uses PTRACE_EVENT_STOP trap which uses
exit_code of (signr | PTRACE_EVENT_STOP << 8) where signr is one of
the stopping signals if group stop is in effect or SIGTRAP
otherwise, and returns usual trap siginfo on PTRACE_GETSIGINFO
instead of NULL.
Seizing sets PT_SEIZED in ->ptrace of the tracee. This flag will be
used to determine whether new SEIZE behaviors should be enabled.
Test program follows.
#define PTRACE_SEIZE 0x4206
#define PTRACE_SEIZE_DEVEL 0x80000000
static const struct timespec ts100ms = { .tv_nsec = 100000000 };
static const struct timespec ts1s = { .tv_sec = 1 };
static const struct timespec ts3s = { .tv_sec = 3 };
int main(int argc, char **argv)
{
pid_t tracee;
tracee = fork();
if (tracee == 0) {
nanosleep(&ts100ms, NULL);
while (1) {
printf("tracee: alive\n");
nanosleep(&ts1s, NULL);
}
}
if (argc > 1)
kill(tracee, SIGSTOP);
nanosleep(&ts100ms, NULL);
ptrace(PTRACE_SEIZE, tracee, NULL,
(void *)(unsigned long)PTRACE_SEIZE_DEVEL);
if (argc > 1) {
waitid(P_PID, tracee, NULL, WSTOPPED);
ptrace(PTRACE_CONT, tracee, NULL, NULL);
}
nanosleep(&ts3s, NULL);
printf("tracer: exiting\n");
return 0;
}
When the above program is called w/o argument, tracee is seized while
running and remains running. When tracer exits, tracee continues to
run and print out messages.
# ./test-seize-simple
tracee: alive
tracee: alive
tracee: alive
tracer: exiting
tracee: alive
tracee: alive
When called with an argument, tracee is seized from stopped state and
continued, and returns to stopped state when tracer exits.
# ./test-seize
tracee: alive
tracee: alive
tracee: alive
tracer: exiting
# ps -el|grep test-seize
1 T 0 4720 1 0 80 0 - 941 signal ttyS0 00:00:00 test-seize
-v2: SEIZE doesn't schedule TRAP_STOP and leaves tracee running as Jan
suggested.
-v3: PTRACE_EVENT_STOP traps now report group stop state by signr. If
group stop is in effect the stop signal number is returned as
part of exit_code; otherwise, SIGTRAP. This was suggested by
Denys and Oleg.
Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: Jan Kratochvil <jan.kratochvil@redhat.com>
Cc: Denys Vlasenko <vda.linux@googlemail.com>
Cc: Oleg Nesterov <oleg@redhat.com>
2011-06-14 17:20:15 +08:00
|
|
|
BUG_ON((exit_code & (0x7f | ~0xffff)) != SIGTRAP);
|
2022-02-09 22:52:41 +08:00
|
|
|
if (unlikely(task_work_pending(current)))
|
2012-08-27 03:12:17 +08:00
|
|
|
task_work_run();
|
ptrace: implement PTRACE_SEIZE
PTRACE_ATTACH implicitly issues SIGSTOP on attach which has side
effects on tracee signal and job control states. This patch
implements a new ptrace request PTRACE_SEIZE which attaches a tracee
without trapping it or affecting its signal and job control states.
The usage is the same with PTRACE_ATTACH but it takes PTRACE_SEIZE_*
flags in @data. Currently, the only defined flag is
PTRACE_SEIZE_DEVEL which is a temporary flag to enable PTRACE_SEIZE.
PTRACE_SEIZE will change ptrace behaviors outside of attach itself.
The changes will be implemented gradually and the DEVEL flag is to
prevent programs which expect full SEIZE behavior from using it before
all the behavior modifications are complete while allowing unit
testing. The flag will be removed once SEIZE behaviors are completely
implemented.
* PTRACE_SEIZE, unlike ATTACH, doesn't force tracee to trap. After
attaching tracee continues to run unless a trap condition occurs.
* PTRACE_SEIZE doesn't affect signal or group stop state.
* If PTRACE_SEIZE'd, group stop uses PTRACE_EVENT_STOP trap which uses
exit_code of (signr | PTRACE_EVENT_STOP << 8) where signr is one of
the stopping signals if group stop is in effect or SIGTRAP
otherwise, and returns usual trap siginfo on PTRACE_GETSIGINFO
instead of NULL.
Seizing sets PT_SEIZED in ->ptrace of the tracee. This flag will be
used to determine whether new SEIZE behaviors should be enabled.
Test program follows.
#define PTRACE_SEIZE 0x4206
#define PTRACE_SEIZE_DEVEL 0x80000000
static const struct timespec ts100ms = { .tv_nsec = 100000000 };
static const struct timespec ts1s = { .tv_sec = 1 };
static const struct timespec ts3s = { .tv_sec = 3 };
int main(int argc, char **argv)
{
pid_t tracee;
tracee = fork();
if (tracee == 0) {
nanosleep(&ts100ms, NULL);
while (1) {
printf("tracee: alive\n");
nanosleep(&ts1s, NULL);
}
}
if (argc > 1)
kill(tracee, SIGSTOP);
nanosleep(&ts100ms, NULL);
ptrace(PTRACE_SEIZE, tracee, NULL,
(void *)(unsigned long)PTRACE_SEIZE_DEVEL);
if (argc > 1) {
waitid(P_PID, tracee, NULL, WSTOPPED);
ptrace(PTRACE_CONT, tracee, NULL, NULL);
}
nanosleep(&ts3s, NULL);
printf("tracer: exiting\n");
return 0;
}
When the above program is called w/o argument, tracee is seized while
running and remains running. When tracer exits, tracee continues to
run and print out messages.
# ./test-seize-simple
tracee: alive
tracee: alive
tracee: alive
tracer: exiting
tracee: alive
tracee: alive
When called with an argument, tracee is seized from stopped state and
continued, and returns to stopped state when tracer exits.
# ./test-seize
tracee: alive
tracee: alive
tracee: alive
tracer: exiting
# ps -el|grep test-seize
1 T 0 4720 1 0 80 0 - 941 signal ttyS0 00:00:00 test-seize
-v2: SEIZE doesn't schedule TRAP_STOP and leaves tracee running as Jan
suggested.
-v3: PTRACE_EVENT_STOP traps now report group stop state by signr. If
group stop is in effect the stop signal number is returned as
part of exit_code; otherwise, SIGTRAP. This was suggested by
Denys and Oleg.
Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: Jan Kratochvil <jan.kratochvil@redhat.com>
Cc: Denys Vlasenko <vda.linux@googlemail.com>
Cc: Oleg Nesterov <oleg@redhat.com>
2011-06-14 17:20:15 +08:00
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
spin_lock_irq(¤t->sighand->siglock);
|
2022-01-28 02:19:13 +08:00
|
|
|
signr = ptrace_do_notify(SIGTRAP, exit_code, CLD_TRAPPED, message);
|
2005-04-17 06:20:36 +08:00
|
|
|
spin_unlock_irq(¤t->sighand->siglock);
|
2022-01-28 02:19:13 +08:00
|
|
|
return signr;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
2011-06-14 17:20:14 +08:00
|
|
|
/**
|
|
|
|
* do_signal_stop - handle group stop for SIGSTOP and other stop signals
|
|
|
|
* @signr: signr causing group stop if initiating
|
|
|
|
*
|
|
|
|
* If %JOBCTL_STOP_PENDING is not set yet, initiate group stop with @signr
|
|
|
|
* and participate in it. If already set, participate in the existing
|
|
|
|
* group stop. If participated in a group stop (and thus slept), %true is
|
|
|
|
* returned with siglock released.
|
|
|
|
*
|
|
|
|
* If ptraced, this function doesn't handle stop itself. Instead,
|
|
|
|
* %JOBCTL_TRAP_STOP is scheduled and %false is returned with siglock
|
|
|
|
* untouched. The caller must ensure that INTERRUPT trap handling takes
|
|
|
|
* places afterwards.
|
|
|
|
*
|
|
|
|
* CONTEXT:
|
|
|
|
* Must be called with @current->sighand->siglock held, which is released
|
|
|
|
* on %true return.
|
|
|
|
*
|
|
|
|
* RETURNS:
|
|
|
|
* %false if group stop is already cancelled or ptrace trap is scheduled.
|
|
|
|
* %true if participated in group stop.
|
2005-04-17 06:20:36 +08:00
|
|
|
*/
|
2011-06-14 17:20:14 +08:00
|
|
|
static bool do_signal_stop(int signr)
|
|
|
|
__releases(¤t->sighand->siglock)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
|
|
|
struct signal_struct *sig = current->signal;
|
|
|
|
|
2011-06-02 17:13:59 +08:00
|
|
|
if (!(current->jobctl & JOBCTL_STOP_PENDING)) {
|
2015-05-01 12:19:57 +08:00
|
|
|
unsigned long gstop = JOBCTL_STOP_PENDING | JOBCTL_STOP_CONSUME;
|
2008-02-05 14:27:24 +08:00
|
|
|
struct task_struct *t;
|
|
|
|
|
2011-06-02 17:13:59 +08:00
|
|
|
/* signr will be recorded in task->jobctl for retries */
|
|
|
|
WARN_ON_ONCE(signr & ~JOBCTL_STOP_SIGMASK);
|
2011-03-23 17:37:00 +08:00
|
|
|
|
2011-06-02 17:13:59 +08:00
|
|
|
if (!likely(current->jobctl & JOBCTL_STOP_DEQUEUED) ||
|
2021-06-24 15:14:30 +08:00
|
|
|
unlikely(sig->flags & SIGNAL_GROUP_EXIT) ||
|
|
|
|
unlikely(sig->group_exec_task))
|
2011-06-14 17:20:14 +08:00
|
|
|
return false;
|
2005-04-17 06:20:36 +08:00
|
|
|
/*
|
job control: Don't set group_stop exit_code if re-entering job control stop
While ptraced, a task may be resumed while the containing process is
still job control stopped. If the task receives another stop signal
in this state, it will still initiate group stop, which generates
group_exit_code, which the real parent would be able to see once the
ptracer detaches.
In this scenario, the real parent may see two consecutive CLD_STOPPED
events from two stop signals without intervening SIGCONT, which
normally is impossible.
Test case follows.
#include <stdio.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
int main(void)
{
pid_t tracee;
siginfo_t si;
tracee = fork();
if (!tracee)
while (1)
pause();
kill(tracee, SIGSTOP);
waitid(P_PID, tracee, &si, WSTOPPED);
if (!fork()) {
ptrace(PTRACE_ATTACH, tracee, NULL, NULL);
waitid(P_PID, tracee, &si, WSTOPPED);
ptrace(PTRACE_CONT, tracee, NULL, (void *)(long)si.si_status);
waitid(P_PID, tracee, &si, WSTOPPED);
ptrace(PTRACE_CONT, tracee, NULL, (void *)(long)si.si_status);
waitid(P_PID, tracee, &si, WSTOPPED);
ptrace(PTRACE_DETACH, tracee, NULL, NULL);
return 0;
}
while (1) {
si.si_pid = 0;
waitid(P_PID, tracee, &si, WSTOPPED | WNOHANG);
if (si.si_pid)
printf("st=%02d c=%02d\n", si.si_status, si.si_code);
}
return 0;
}
Before the patch, the latter waitid() in polling mode reports the
second stopped event generated by the implied SIGSTOP of
PTRACE_ATTACH.
st=19 c=05
^C
After the patch, the second event is not reported.
Signed-off-by: Tejun Heo <tj@kernel.org>
Acked-by: Oleg Nesterov <oleg@redhat.com>
2011-03-23 17:37:01 +08:00
|
|
|
* There is no group stop already in progress. We must
|
|
|
|
* initiate one now.
|
|
|
|
*
|
|
|
|
* While ptraced, a task may be resumed while group stop is
|
|
|
|
* still in effect and then receive a stop signal and
|
|
|
|
* initiate another group stop. This deviates from the
|
|
|
|
* usual behavior as two consecutive stop signals can't
|
2011-04-02 02:12:16 +08:00
|
|
|
* cause two group stops when !ptraced. That is why we
|
|
|
|
* also check !task_is_stopped(t) below.
|
job control: Don't set group_stop exit_code if re-entering job control stop
While ptraced, a task may be resumed while the containing process is
still job control stopped. If the task receives another stop signal
in this state, it will still initiate group stop, which generates
group_exit_code, which the real parent would be able to see once the
ptracer detaches.
In this scenario, the real parent may see two consecutive CLD_STOPPED
events from two stop signals without intervening SIGCONT, which
normally is impossible.
Test case follows.
#include <stdio.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
int main(void)
{
pid_t tracee;
siginfo_t si;
tracee = fork();
if (!tracee)
while (1)
pause();
kill(tracee, SIGSTOP);
waitid(P_PID, tracee, &si, WSTOPPED);
if (!fork()) {
ptrace(PTRACE_ATTACH, tracee, NULL, NULL);
waitid(P_PID, tracee, &si, WSTOPPED);
ptrace(PTRACE_CONT, tracee, NULL, (void *)(long)si.si_status);
waitid(P_PID, tracee, &si, WSTOPPED);
ptrace(PTRACE_CONT, tracee, NULL, (void *)(long)si.si_status);
waitid(P_PID, tracee, &si, WSTOPPED);
ptrace(PTRACE_DETACH, tracee, NULL, NULL);
return 0;
}
while (1) {
si.si_pid = 0;
waitid(P_PID, tracee, &si, WSTOPPED | WNOHANG);
if (si.si_pid)
printf("st=%02d c=%02d\n", si.si_status, si.si_code);
}
return 0;
}
Before the patch, the latter waitid() in polling mode reports the
second stopped event generated by the implied SIGSTOP of
PTRACE_ATTACH.
st=19 c=05
^C
After the patch, the second event is not reported.
Signed-off-by: Tejun Heo <tj@kernel.org>
Acked-by: Oleg Nesterov <oleg@redhat.com>
2011-03-23 17:37:01 +08:00
|
|
|
*
|
|
|
|
* The condition can be distinguished by testing whether
|
|
|
|
* SIGNAL_STOP_STOPPED is already set. Don't generate
|
|
|
|
* group_exit_code in such case.
|
|
|
|
*
|
|
|
|
* This is not necessary for SIGNAL_STOP_CONTINUED because
|
|
|
|
* an intervening stop signal is required to cause two
|
|
|
|
* continued events regardless of ptrace.
|
2005-04-17 06:20:36 +08:00
|
|
|
*/
|
job control: Don't set group_stop exit_code if re-entering job control stop
While ptraced, a task may be resumed while the containing process is
still job control stopped. If the task receives another stop signal
in this state, it will still initiate group stop, which generates
group_exit_code, which the real parent would be able to see once the
ptracer detaches.
In this scenario, the real parent may see two consecutive CLD_STOPPED
events from two stop signals without intervening SIGCONT, which
normally is impossible.
Test case follows.
#include <stdio.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
int main(void)
{
pid_t tracee;
siginfo_t si;
tracee = fork();
if (!tracee)
while (1)
pause();
kill(tracee, SIGSTOP);
waitid(P_PID, tracee, &si, WSTOPPED);
if (!fork()) {
ptrace(PTRACE_ATTACH, tracee, NULL, NULL);
waitid(P_PID, tracee, &si, WSTOPPED);
ptrace(PTRACE_CONT, tracee, NULL, (void *)(long)si.si_status);
waitid(P_PID, tracee, &si, WSTOPPED);
ptrace(PTRACE_CONT, tracee, NULL, (void *)(long)si.si_status);
waitid(P_PID, tracee, &si, WSTOPPED);
ptrace(PTRACE_DETACH, tracee, NULL, NULL);
return 0;
}
while (1) {
si.si_pid = 0;
waitid(P_PID, tracee, &si, WSTOPPED | WNOHANG);
if (si.si_pid)
printf("st=%02d c=%02d\n", si.si_status, si.si_code);
}
return 0;
}
Before the patch, the latter waitid() in polling mode reports the
second stopped event generated by the implied SIGSTOP of
PTRACE_ATTACH.
st=19 c=05
^C
After the patch, the second event is not reported.
Signed-off-by: Tejun Heo <tj@kernel.org>
Acked-by: Oleg Nesterov <oleg@redhat.com>
2011-03-23 17:37:01 +08:00
|
|
|
if (!(sig->flags & SIGNAL_STOP_STOPPED))
|
|
|
|
sig->group_exit_code = signr;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2011-06-02 17:14:00 +08:00
|
|
|
sig->group_stop_count = 0;
|
|
|
|
|
|
|
|
if (task_set_jobctl_pending(current, signr | gstop))
|
|
|
|
sig->group_stop_count++;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2014-01-24 07:55:56 +08:00
|
|
|
t = current;
|
|
|
|
while_each_thread(current, t) {
|
2005-04-17 06:20:36 +08:00
|
|
|
/*
|
2006-03-29 08:11:22 +08:00
|
|
|
* Setting state to TASK_STOPPED for a group
|
|
|
|
* stop is always done with the siglock held,
|
|
|
|
* so this check has no races.
|
2005-04-17 06:20:36 +08:00
|
|
|
*/
|
2011-06-02 17:14:00 +08:00
|
|
|
if (!task_is_stopped(t) &&
|
|
|
|
task_set_jobctl_pending(t, signr | gstop)) {
|
2009-09-24 06:56:53 +08:00
|
|
|
sig->group_stop_count++;
|
ptrace: implement TRAP_NOTIFY and use it for group stop events
Currently there's no way for ptracer to find out whether group stop
finished other than polling with INTERRUPT - GETSIGINFO - CONT
sequence. This patch implements group stop notification for ptracer
using STOP traps.
When group stop state of a seized tracee changes, JOBCTL_TRAP_NOTIFY
is set, which schedules a STOP trap which is sticky - it isn't cleared
by other traps and at least one STOP trap will happen eventually.
STOP trap is synchronization point for event notification and the
tracer can determine the current group stop state by looking at the
signal number portion of exit code (si_status from waitid(2) or
si_code from PTRACE_GETSIGINFO).
Notifications are generated both on start and end of group stops but,
because group stop participation always happens before STOP trap, this
doesn't cause an extra trap while tracee is participating in group
stop. The symmetry will be useful later.
Note that this notification works iff tracee is not trapped.
Currently there is no way to be notified of group stop state changes
while tracee is trapped. This will be addressed by a later patch.
An example program follows.
#define PTRACE_SEIZE 0x4206
#define PTRACE_INTERRUPT 0x4207
#define PTRACE_SEIZE_DEVEL 0x80000000
static const struct timespec ts1s = { .tv_sec = 1 };
int main(int argc, char **argv)
{
pid_t tracee, tracer;
int i;
tracee = fork();
if (!tracee)
while (1)
pause();
tracer = fork();
if (!tracer) {
siginfo_t si;
ptrace(PTRACE_SEIZE, tracee, NULL,
(void *)(unsigned long)PTRACE_SEIZE_DEVEL);
ptrace(PTRACE_INTERRUPT, tracee, NULL, NULL);
repeat:
waitid(P_PID, tracee, NULL, WSTOPPED);
ptrace(PTRACE_GETSIGINFO, tracee, NULL, &si);
if (!si.si_code) {
printf("tracer: SIG %d\n", si.si_signo);
ptrace(PTRACE_CONT, tracee, NULL,
(void *)(unsigned long)si.si_signo);
goto repeat;
}
printf("tracer: stopped=%d signo=%d\n",
si.si_signo != SIGTRAP, si.si_signo);
ptrace(PTRACE_CONT, tracee, NULL, NULL);
goto repeat;
}
for (i = 0; i < 3; i++) {
nanosleep(&ts1s, NULL);
printf("mother: SIGSTOP\n");
kill(tracee, SIGSTOP);
nanosleep(&ts1s, NULL);
printf("mother: SIGCONT\n");
kill(tracee, SIGCONT);
}
nanosleep(&ts1s, NULL);
kill(tracer, SIGKILL);
kill(tracee, SIGKILL);
return 0;
}
In the above program, tracer keeps tracee running and gets
notification of each group stop state changes.
# ./test-notify
tracer: stopped=0 signo=5
mother: SIGSTOP
tracer: SIG 19
tracer: stopped=1 signo=19
mother: SIGCONT
tracer: stopped=0 signo=5
tracer: SIG 18
mother: SIGSTOP
tracer: SIG 19
tracer: stopped=1 signo=19
mother: SIGCONT
tracer: stopped=0 signo=5
tracer: SIG 18
mother: SIGSTOP
tracer: SIG 19
tracer: stopped=1 signo=19
mother: SIGCONT
tracer: stopped=0 signo=5
tracer: SIG 18
Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: Oleg Nesterov <oleg@redhat.com>
2011-06-14 17:20:17 +08:00
|
|
|
if (likely(!(t->ptrace & PT_SEIZED)))
|
|
|
|
signal_wake_up(t, 0);
|
|
|
|
else
|
|
|
|
ptrace_trap_notify(t);
|
2006-03-29 08:11:22 +08:00
|
|
|
}
|
2011-03-23 17:37:00 +08:00
|
|
|
}
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
2011-06-14 17:20:14 +08:00
|
|
|
|
2011-06-17 22:50:34 +08:00
|
|
|
if (likely(!current->ptrace)) {
|
2011-03-23 17:37:00 +08:00
|
|
|
int notify = 0;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2011-03-23 17:37:00 +08:00
|
|
|
/*
|
|
|
|
* If there are no other threads in the group, or if there
|
|
|
|
* is a group stop in progress and we are the last to stop,
|
|
|
|
* report to the parent.
|
|
|
|
*/
|
|
|
|
if (task_participate_group_stop(current))
|
|
|
|
notify = CLD_STOPPED;
|
|
|
|
|
2022-05-04 04:57:47 +08:00
|
|
|
current->jobctl |= JOBCTL_STOPPED;
|
2018-04-30 20:51:01 +08:00
|
|
|
set_special_state(TASK_STOPPED);
|
2011-03-23 17:37:00 +08:00
|
|
|
spin_unlock_irq(¤t->sighand->siglock);
|
|
|
|
|
2011-03-23 17:37:01 +08:00
|
|
|
/*
|
|
|
|
* Notify the parent of the group stop completion. Because
|
|
|
|
* we're not holding either the siglock or tasklist_lock
|
|
|
|
* here, ptracer may attach inbetween; however, this is for
|
|
|
|
* group stop and should always be delivered to the real
|
|
|
|
* parent of the group leader. The new ptracer will get
|
|
|
|
* its notification when this task transitions into
|
|
|
|
* TASK_TRACED.
|
|
|
|
*/
|
2011-03-23 17:37:00 +08:00
|
|
|
if (notify) {
|
|
|
|
read_lock(&tasklist_lock);
|
2011-03-23 17:37:01 +08:00
|
|
|
do_notify_parent_cldstop(current, false, notify);
|
2011-03-23 17:37:00 +08:00
|
|
|
read_unlock(&tasklist_lock);
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Now we don't run again until woken by SIGCONT or SIGKILL */
|
cgroup: cgroup v2 freezer
Cgroup v1 implements the freezer controller, which provides an ability
to stop the workload in a cgroup and temporarily free up some
resources (cpu, io, network bandwidth and, potentially, memory)
for some other tasks. Cgroup v2 lacks this functionality.
This patch implements freezer for cgroup v2.
Cgroup v2 freezer tries to put tasks into a state similar to jobctl
stop. This means that tasks can be killed, ptraced (using
PTRACE_SEIZE*), and interrupted. It is possible to attach to
a frozen task, get some information (e.g. read registers) and detach.
It's also possible to migrate a frozen tasks to another cgroup.
This differs cgroup v2 freezer from cgroup v1 freezer, which mostly
tried to imitate the system-wide freezer. However uninterruptible
sleep is fine when all tasks are going to be frozen (hibernation case),
it's not the acceptable state for some subset of the system.
Cgroup v2 freezer is not supporting freezing kthreads.
If a non-root cgroup contains kthread, the cgroup still can be frozen,
but the kthread will remain running, the cgroup will be shown
as non-frozen, and the notification will not be delivered.
* PTRACE_ATTACH is not working because non-fatal signal delivery
is blocked in frozen state.
There are some interface differences between cgroup v1 and cgroup v2
freezer too, which are required to conform the cgroup v2 interface
design principles:
1) There is no separate controller, which has to be turned on:
the functionality is always available and is represented by
cgroup.freeze and cgroup.events cgroup control files.
2) The desired state is defined by the cgroup.freeze control file.
Any hierarchical configuration is allowed.
3) The interface is asynchronous. The actual state is available
using cgroup.events control file ("frozen" field). There are no
dedicated transitional states.
4) It's allowed to make any changes with the cgroup hierarchy
(create new cgroups, remove old cgroups, move tasks between cgroups)
no matter if some cgroups are frozen.
Signed-off-by: Roman Gushchin <guro@fb.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
No-objection-from-me-by: Oleg Nesterov <oleg@redhat.com>
Cc: kernel-team@fb.com
2019-04-20 01:03:04 +08:00
|
|
|
cgroup_enter_frozen();
|
freezer,sched: Rewrite core freezer logic
Rewrite the core freezer to behave better wrt thawing and be simpler
in general.
By replacing PF_FROZEN with TASK_FROZEN, a special block state, it is
ensured frozen tasks stay frozen until thawed and don't randomly wake
up early, as is currently possible.
As such, it does away with PF_FROZEN and PF_FREEZER_SKIP, freeing up
two PF_flags (yay!).
Specifically; the current scheme works a little like:
freezer_do_not_count();
schedule();
freezer_count();
And either the task is blocked, or it lands in try_to_freezer()
through freezer_count(). Now, when it is blocked, the freezer
considers it frozen and continues.
However, on thawing, once pm_freezing is cleared, freezer_count()
stops working, and any random/spurious wakeup will let a task run
before its time.
That is, thawing tries to thaw things in explicit order; kernel
threads and workqueues before doing bringing SMP back before userspace
etc.. However due to the above mentioned races it is entirely possible
for userspace tasks to thaw (by accident) before SMP is back.
This can be a fatal problem in asymmetric ISA architectures (eg ARMv9)
where the userspace task requires a special CPU to run.
As said; replace this with a special task state TASK_FROZEN and add
the following state transitions:
TASK_FREEZABLE -> TASK_FROZEN
__TASK_STOPPED -> TASK_FROZEN
__TASK_TRACED -> TASK_FROZEN
The new TASK_FREEZABLE can be set on any state part of TASK_NORMAL
(IOW. TASK_INTERRUPTIBLE and TASK_UNINTERRUPTIBLE) -- any such state
is already required to deal with spurious wakeups and the freezer
causes one such when thawing the task (since the original state is
lost).
The special __TASK_{STOPPED,TRACED} states *can* be restored since
their canonical state is in ->jobctl.
With this, frozen tasks need an explicit TASK_FROZEN wakeup and are
free of undue (early / spurious) wakeups.
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Ingo Molnar <mingo@kernel.org>
Acked-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Link: https://lore.kernel.org/r/20220822114649.055452969@infradead.org
2022-08-22 19:18:22 +08:00
|
|
|
schedule();
|
2011-06-14 17:20:14 +08:00
|
|
|
return true;
|
2011-03-23 17:37:00 +08:00
|
|
|
} else {
|
2011-06-14 17:20:14 +08:00
|
|
|
/*
|
|
|
|
* While ptraced, group stop is handled by STOP trap.
|
|
|
|
* Schedule it and let the caller deal with it.
|
|
|
|
*/
|
|
|
|
task_set_jobctl_pending(current, JOBCTL_TRAP_STOP);
|
|
|
|
return false;
|
2009-09-24 06:56:53 +08:00
|
|
|
}
|
2011-06-14 17:20:14 +08:00
|
|
|
}
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2011-06-14 17:20:14 +08:00
|
|
|
/**
|
|
|
|
* do_jobctl_trap - take care of ptrace jobctl traps
|
|
|
|
*
|
ptrace: implement PTRACE_SEIZE
PTRACE_ATTACH implicitly issues SIGSTOP on attach which has side
effects on tracee signal and job control states. This patch
implements a new ptrace request PTRACE_SEIZE which attaches a tracee
without trapping it or affecting its signal and job control states.
The usage is the same with PTRACE_ATTACH but it takes PTRACE_SEIZE_*
flags in @data. Currently, the only defined flag is
PTRACE_SEIZE_DEVEL which is a temporary flag to enable PTRACE_SEIZE.
PTRACE_SEIZE will change ptrace behaviors outside of attach itself.
The changes will be implemented gradually and the DEVEL flag is to
prevent programs which expect full SEIZE behavior from using it before
all the behavior modifications are complete while allowing unit
testing. The flag will be removed once SEIZE behaviors are completely
implemented.
* PTRACE_SEIZE, unlike ATTACH, doesn't force tracee to trap. After
attaching tracee continues to run unless a trap condition occurs.
* PTRACE_SEIZE doesn't affect signal or group stop state.
* If PTRACE_SEIZE'd, group stop uses PTRACE_EVENT_STOP trap which uses
exit_code of (signr | PTRACE_EVENT_STOP << 8) where signr is one of
the stopping signals if group stop is in effect or SIGTRAP
otherwise, and returns usual trap siginfo on PTRACE_GETSIGINFO
instead of NULL.
Seizing sets PT_SEIZED in ->ptrace of the tracee. This flag will be
used to determine whether new SEIZE behaviors should be enabled.
Test program follows.
#define PTRACE_SEIZE 0x4206
#define PTRACE_SEIZE_DEVEL 0x80000000
static const struct timespec ts100ms = { .tv_nsec = 100000000 };
static const struct timespec ts1s = { .tv_sec = 1 };
static const struct timespec ts3s = { .tv_sec = 3 };
int main(int argc, char **argv)
{
pid_t tracee;
tracee = fork();
if (tracee == 0) {
nanosleep(&ts100ms, NULL);
while (1) {
printf("tracee: alive\n");
nanosleep(&ts1s, NULL);
}
}
if (argc > 1)
kill(tracee, SIGSTOP);
nanosleep(&ts100ms, NULL);
ptrace(PTRACE_SEIZE, tracee, NULL,
(void *)(unsigned long)PTRACE_SEIZE_DEVEL);
if (argc > 1) {
waitid(P_PID, tracee, NULL, WSTOPPED);
ptrace(PTRACE_CONT, tracee, NULL, NULL);
}
nanosleep(&ts3s, NULL);
printf("tracer: exiting\n");
return 0;
}
When the above program is called w/o argument, tracee is seized while
running and remains running. When tracer exits, tracee continues to
run and print out messages.
# ./test-seize-simple
tracee: alive
tracee: alive
tracee: alive
tracer: exiting
tracee: alive
tracee: alive
When called with an argument, tracee is seized from stopped state and
continued, and returns to stopped state when tracer exits.
# ./test-seize
tracee: alive
tracee: alive
tracee: alive
tracer: exiting
# ps -el|grep test-seize
1 T 0 4720 1 0 80 0 - 941 signal ttyS0 00:00:00 test-seize
-v2: SEIZE doesn't schedule TRAP_STOP and leaves tracee running as Jan
suggested.
-v3: PTRACE_EVENT_STOP traps now report group stop state by signr. If
group stop is in effect the stop signal number is returned as
part of exit_code; otherwise, SIGTRAP. This was suggested by
Denys and Oleg.
Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: Jan Kratochvil <jan.kratochvil@redhat.com>
Cc: Denys Vlasenko <vda.linux@googlemail.com>
Cc: Oleg Nesterov <oleg@redhat.com>
2011-06-14 17:20:15 +08:00
|
|
|
* When PT_SEIZED, it's used for both group stop and explicit
|
|
|
|
* SEIZE/INTERRUPT traps. Both generate PTRACE_EVENT_STOP trap with
|
|
|
|
* accompanying siginfo. If stopped, lower eight bits of exit_code contain
|
|
|
|
* the stop signal; otherwise, %SIGTRAP.
|
|
|
|
*
|
|
|
|
* When !PT_SEIZED, it's used only for group stop trap with stop signal
|
|
|
|
* number as exit_code and no siginfo.
|
2011-06-14 17:20:14 +08:00
|
|
|
*
|
|
|
|
* CONTEXT:
|
|
|
|
* Must be called with @current->sighand->siglock held, which may be
|
|
|
|
* released and re-acquired before returning with intervening sleep.
|
|
|
|
*/
|
|
|
|
static void do_jobctl_trap(void)
|
|
|
|
{
|
ptrace: implement PTRACE_SEIZE
PTRACE_ATTACH implicitly issues SIGSTOP on attach which has side
effects on tracee signal and job control states. This patch
implements a new ptrace request PTRACE_SEIZE which attaches a tracee
without trapping it or affecting its signal and job control states.
The usage is the same with PTRACE_ATTACH but it takes PTRACE_SEIZE_*
flags in @data. Currently, the only defined flag is
PTRACE_SEIZE_DEVEL which is a temporary flag to enable PTRACE_SEIZE.
PTRACE_SEIZE will change ptrace behaviors outside of attach itself.
The changes will be implemented gradually and the DEVEL flag is to
prevent programs which expect full SEIZE behavior from using it before
all the behavior modifications are complete while allowing unit
testing. The flag will be removed once SEIZE behaviors are completely
implemented.
* PTRACE_SEIZE, unlike ATTACH, doesn't force tracee to trap. After
attaching tracee continues to run unless a trap condition occurs.
* PTRACE_SEIZE doesn't affect signal or group stop state.
* If PTRACE_SEIZE'd, group stop uses PTRACE_EVENT_STOP trap which uses
exit_code of (signr | PTRACE_EVENT_STOP << 8) where signr is one of
the stopping signals if group stop is in effect or SIGTRAP
otherwise, and returns usual trap siginfo on PTRACE_GETSIGINFO
instead of NULL.
Seizing sets PT_SEIZED in ->ptrace of the tracee. This flag will be
used to determine whether new SEIZE behaviors should be enabled.
Test program follows.
#define PTRACE_SEIZE 0x4206
#define PTRACE_SEIZE_DEVEL 0x80000000
static const struct timespec ts100ms = { .tv_nsec = 100000000 };
static const struct timespec ts1s = { .tv_sec = 1 };
static const struct timespec ts3s = { .tv_sec = 3 };
int main(int argc, char **argv)
{
pid_t tracee;
tracee = fork();
if (tracee == 0) {
nanosleep(&ts100ms, NULL);
while (1) {
printf("tracee: alive\n");
nanosleep(&ts1s, NULL);
}
}
if (argc > 1)
kill(tracee, SIGSTOP);
nanosleep(&ts100ms, NULL);
ptrace(PTRACE_SEIZE, tracee, NULL,
(void *)(unsigned long)PTRACE_SEIZE_DEVEL);
if (argc > 1) {
waitid(P_PID, tracee, NULL, WSTOPPED);
ptrace(PTRACE_CONT, tracee, NULL, NULL);
}
nanosleep(&ts3s, NULL);
printf("tracer: exiting\n");
return 0;
}
When the above program is called w/o argument, tracee is seized while
running and remains running. When tracer exits, tracee continues to
run and print out messages.
# ./test-seize-simple
tracee: alive
tracee: alive
tracee: alive
tracer: exiting
tracee: alive
tracee: alive
When called with an argument, tracee is seized from stopped state and
continued, and returns to stopped state when tracer exits.
# ./test-seize
tracee: alive
tracee: alive
tracee: alive
tracer: exiting
# ps -el|grep test-seize
1 T 0 4720 1 0 80 0 - 941 signal ttyS0 00:00:00 test-seize
-v2: SEIZE doesn't schedule TRAP_STOP and leaves tracee running as Jan
suggested.
-v3: PTRACE_EVENT_STOP traps now report group stop state by signr. If
group stop is in effect the stop signal number is returned as
part of exit_code; otherwise, SIGTRAP. This was suggested by
Denys and Oleg.
Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: Jan Kratochvil <jan.kratochvil@redhat.com>
Cc: Denys Vlasenko <vda.linux@googlemail.com>
Cc: Oleg Nesterov <oleg@redhat.com>
2011-06-14 17:20:15 +08:00
|
|
|
struct signal_struct *signal = current->signal;
|
2011-06-14 17:20:14 +08:00
|
|
|
int signr = current->jobctl & JOBCTL_STOP_SIGMASK;
|
2009-09-24 06:56:53 +08:00
|
|
|
|
ptrace: implement PTRACE_SEIZE
PTRACE_ATTACH implicitly issues SIGSTOP on attach which has side
effects on tracee signal and job control states. This patch
implements a new ptrace request PTRACE_SEIZE which attaches a tracee
without trapping it or affecting its signal and job control states.
The usage is the same with PTRACE_ATTACH but it takes PTRACE_SEIZE_*
flags in @data. Currently, the only defined flag is
PTRACE_SEIZE_DEVEL which is a temporary flag to enable PTRACE_SEIZE.
PTRACE_SEIZE will change ptrace behaviors outside of attach itself.
The changes will be implemented gradually and the DEVEL flag is to
prevent programs which expect full SEIZE behavior from using it before
all the behavior modifications are complete while allowing unit
testing. The flag will be removed once SEIZE behaviors are completely
implemented.
* PTRACE_SEIZE, unlike ATTACH, doesn't force tracee to trap. After
attaching tracee continues to run unless a trap condition occurs.
* PTRACE_SEIZE doesn't affect signal or group stop state.
* If PTRACE_SEIZE'd, group stop uses PTRACE_EVENT_STOP trap which uses
exit_code of (signr | PTRACE_EVENT_STOP << 8) where signr is one of
the stopping signals if group stop is in effect or SIGTRAP
otherwise, and returns usual trap siginfo on PTRACE_GETSIGINFO
instead of NULL.
Seizing sets PT_SEIZED in ->ptrace of the tracee. This flag will be
used to determine whether new SEIZE behaviors should be enabled.
Test program follows.
#define PTRACE_SEIZE 0x4206
#define PTRACE_SEIZE_DEVEL 0x80000000
static const struct timespec ts100ms = { .tv_nsec = 100000000 };
static const struct timespec ts1s = { .tv_sec = 1 };
static const struct timespec ts3s = { .tv_sec = 3 };
int main(int argc, char **argv)
{
pid_t tracee;
tracee = fork();
if (tracee == 0) {
nanosleep(&ts100ms, NULL);
while (1) {
printf("tracee: alive\n");
nanosleep(&ts1s, NULL);
}
}
if (argc > 1)
kill(tracee, SIGSTOP);
nanosleep(&ts100ms, NULL);
ptrace(PTRACE_SEIZE, tracee, NULL,
(void *)(unsigned long)PTRACE_SEIZE_DEVEL);
if (argc > 1) {
waitid(P_PID, tracee, NULL, WSTOPPED);
ptrace(PTRACE_CONT, tracee, NULL, NULL);
}
nanosleep(&ts3s, NULL);
printf("tracer: exiting\n");
return 0;
}
When the above program is called w/o argument, tracee is seized while
running and remains running. When tracer exits, tracee continues to
run and print out messages.
# ./test-seize-simple
tracee: alive
tracee: alive
tracee: alive
tracer: exiting
tracee: alive
tracee: alive
When called with an argument, tracee is seized from stopped state and
continued, and returns to stopped state when tracer exits.
# ./test-seize
tracee: alive
tracee: alive
tracee: alive
tracer: exiting
# ps -el|grep test-seize
1 T 0 4720 1 0 80 0 - 941 signal ttyS0 00:00:00 test-seize
-v2: SEIZE doesn't schedule TRAP_STOP and leaves tracee running as Jan
suggested.
-v3: PTRACE_EVENT_STOP traps now report group stop state by signr. If
group stop is in effect the stop signal number is returned as
part of exit_code; otherwise, SIGTRAP. This was suggested by
Denys and Oleg.
Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: Jan Kratochvil <jan.kratochvil@redhat.com>
Cc: Denys Vlasenko <vda.linux@googlemail.com>
Cc: Oleg Nesterov <oleg@redhat.com>
2011-06-14 17:20:15 +08:00
|
|
|
if (current->ptrace & PT_SEIZED) {
|
|
|
|
if (!signal->group_stop_count &&
|
|
|
|
!(signal->flags & SIGNAL_STOP_STOPPED))
|
|
|
|
signr = SIGTRAP;
|
|
|
|
WARN_ON_ONCE(!signr);
|
|
|
|
ptrace_do_notify(signr, signr | (PTRACE_EVENT_STOP << 8),
|
2022-01-28 02:15:32 +08:00
|
|
|
CLD_STOPPED, 0);
|
ptrace: implement PTRACE_SEIZE
PTRACE_ATTACH implicitly issues SIGSTOP on attach which has side
effects on tracee signal and job control states. This patch
implements a new ptrace request PTRACE_SEIZE which attaches a tracee
without trapping it or affecting its signal and job control states.
The usage is the same with PTRACE_ATTACH but it takes PTRACE_SEIZE_*
flags in @data. Currently, the only defined flag is
PTRACE_SEIZE_DEVEL which is a temporary flag to enable PTRACE_SEIZE.
PTRACE_SEIZE will change ptrace behaviors outside of attach itself.
The changes will be implemented gradually and the DEVEL flag is to
prevent programs which expect full SEIZE behavior from using it before
all the behavior modifications are complete while allowing unit
testing. The flag will be removed once SEIZE behaviors are completely
implemented.
* PTRACE_SEIZE, unlike ATTACH, doesn't force tracee to trap. After
attaching tracee continues to run unless a trap condition occurs.
* PTRACE_SEIZE doesn't affect signal or group stop state.
* If PTRACE_SEIZE'd, group stop uses PTRACE_EVENT_STOP trap which uses
exit_code of (signr | PTRACE_EVENT_STOP << 8) where signr is one of
the stopping signals if group stop is in effect or SIGTRAP
otherwise, and returns usual trap siginfo on PTRACE_GETSIGINFO
instead of NULL.
Seizing sets PT_SEIZED in ->ptrace of the tracee. This flag will be
used to determine whether new SEIZE behaviors should be enabled.
Test program follows.
#define PTRACE_SEIZE 0x4206
#define PTRACE_SEIZE_DEVEL 0x80000000
static const struct timespec ts100ms = { .tv_nsec = 100000000 };
static const struct timespec ts1s = { .tv_sec = 1 };
static const struct timespec ts3s = { .tv_sec = 3 };
int main(int argc, char **argv)
{
pid_t tracee;
tracee = fork();
if (tracee == 0) {
nanosleep(&ts100ms, NULL);
while (1) {
printf("tracee: alive\n");
nanosleep(&ts1s, NULL);
}
}
if (argc > 1)
kill(tracee, SIGSTOP);
nanosleep(&ts100ms, NULL);
ptrace(PTRACE_SEIZE, tracee, NULL,
(void *)(unsigned long)PTRACE_SEIZE_DEVEL);
if (argc > 1) {
waitid(P_PID, tracee, NULL, WSTOPPED);
ptrace(PTRACE_CONT, tracee, NULL, NULL);
}
nanosleep(&ts3s, NULL);
printf("tracer: exiting\n");
return 0;
}
When the above program is called w/o argument, tracee is seized while
running and remains running. When tracer exits, tracee continues to
run and print out messages.
# ./test-seize-simple
tracee: alive
tracee: alive
tracee: alive
tracer: exiting
tracee: alive
tracee: alive
When called with an argument, tracee is seized from stopped state and
continued, and returns to stopped state when tracer exits.
# ./test-seize
tracee: alive
tracee: alive
tracee: alive
tracer: exiting
# ps -el|grep test-seize
1 T 0 4720 1 0 80 0 - 941 signal ttyS0 00:00:00 test-seize
-v2: SEIZE doesn't schedule TRAP_STOP and leaves tracee running as Jan
suggested.
-v3: PTRACE_EVENT_STOP traps now report group stop state by signr. If
group stop is in effect the stop signal number is returned as
part of exit_code; otherwise, SIGTRAP. This was suggested by
Denys and Oleg.
Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: Jan Kratochvil <jan.kratochvil@redhat.com>
Cc: Denys Vlasenko <vda.linux@googlemail.com>
Cc: Oleg Nesterov <oleg@redhat.com>
2011-06-14 17:20:15 +08:00
|
|
|
} else {
|
|
|
|
WARN_ON_ONCE(!signr);
|
2022-05-05 02:39:58 +08:00
|
|
|
ptrace_stop(signr, CLD_STOPPED, 0, NULL);
|
2009-09-24 06:56:53 +08:00
|
|
|
}
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
cgroup: cgroup v2 freezer
Cgroup v1 implements the freezer controller, which provides an ability
to stop the workload in a cgroup and temporarily free up some
resources (cpu, io, network bandwidth and, potentially, memory)
for some other tasks. Cgroup v2 lacks this functionality.
This patch implements freezer for cgroup v2.
Cgroup v2 freezer tries to put tasks into a state similar to jobctl
stop. This means that tasks can be killed, ptraced (using
PTRACE_SEIZE*), and interrupted. It is possible to attach to
a frozen task, get some information (e.g. read registers) and detach.
It's also possible to migrate a frozen tasks to another cgroup.
This differs cgroup v2 freezer from cgroup v1 freezer, which mostly
tried to imitate the system-wide freezer. However uninterruptible
sleep is fine when all tasks are going to be frozen (hibernation case),
it's not the acceptable state for some subset of the system.
Cgroup v2 freezer is not supporting freezing kthreads.
If a non-root cgroup contains kthread, the cgroup still can be frozen,
but the kthread will remain running, the cgroup will be shown
as non-frozen, and the notification will not be delivered.
* PTRACE_ATTACH is not working because non-fatal signal delivery
is blocked in frozen state.
There are some interface differences between cgroup v1 and cgroup v2
freezer too, which are required to conform the cgroup v2 interface
design principles:
1) There is no separate controller, which has to be turned on:
the functionality is always available and is represented by
cgroup.freeze and cgroup.events cgroup control files.
2) The desired state is defined by the cgroup.freeze control file.
Any hierarchical configuration is allowed.
3) The interface is asynchronous. The actual state is available
using cgroup.events control file ("frozen" field). There are no
dedicated transitional states.
4) It's allowed to make any changes with the cgroup hierarchy
(create new cgroups, remove old cgroups, move tasks between cgroups)
no matter if some cgroups are frozen.
Signed-off-by: Roman Gushchin <guro@fb.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
No-objection-from-me-by: Oleg Nesterov <oleg@redhat.com>
Cc: kernel-team@fb.com
2019-04-20 01:03:04 +08:00
|
|
|
/**
|
|
|
|
* do_freezer_trap - handle the freezer jobctl trap
|
|
|
|
*
|
|
|
|
* Puts the task into frozen state, if only the task is not about to quit.
|
|
|
|
* In this case it drops JOBCTL_TRAP_FREEZE.
|
|
|
|
*
|
|
|
|
* CONTEXT:
|
|
|
|
* Must be called with @current->sighand->siglock held,
|
|
|
|
* which is always released before returning.
|
|
|
|
*/
|
|
|
|
static void do_freezer_trap(void)
|
|
|
|
__releases(¤t->sighand->siglock)
|
|
|
|
{
|
|
|
|
/*
|
|
|
|
* If there are other trap bits pending except JOBCTL_TRAP_FREEZE,
|
|
|
|
* let's make another loop to give it a chance to be handled.
|
|
|
|
* In any case, we'll return back.
|
|
|
|
*/
|
|
|
|
if ((current->jobctl & (JOBCTL_PENDING_MASK | JOBCTL_TRAP_FREEZE)) !=
|
|
|
|
JOBCTL_TRAP_FREEZE) {
|
|
|
|
spin_unlock_irq(¤t->sighand->siglock);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Now we're sure that there is no pending fatal signal and no
|
|
|
|
* pending traps. Clear TIF_SIGPENDING to not get out of schedule()
|
|
|
|
* immediately (if there is a non-fatal signal pending), and
|
|
|
|
* put the task into sleep.
|
|
|
|
*/
|
freezer,sched: Rewrite core freezer logic
Rewrite the core freezer to behave better wrt thawing and be simpler
in general.
By replacing PF_FROZEN with TASK_FROZEN, a special block state, it is
ensured frozen tasks stay frozen until thawed and don't randomly wake
up early, as is currently possible.
As such, it does away with PF_FROZEN and PF_FREEZER_SKIP, freeing up
two PF_flags (yay!).
Specifically; the current scheme works a little like:
freezer_do_not_count();
schedule();
freezer_count();
And either the task is blocked, or it lands in try_to_freezer()
through freezer_count(). Now, when it is blocked, the freezer
considers it frozen and continues.
However, on thawing, once pm_freezing is cleared, freezer_count()
stops working, and any random/spurious wakeup will let a task run
before its time.
That is, thawing tries to thaw things in explicit order; kernel
threads and workqueues before doing bringing SMP back before userspace
etc.. However due to the above mentioned races it is entirely possible
for userspace tasks to thaw (by accident) before SMP is back.
This can be a fatal problem in asymmetric ISA architectures (eg ARMv9)
where the userspace task requires a special CPU to run.
As said; replace this with a special task state TASK_FROZEN and add
the following state transitions:
TASK_FREEZABLE -> TASK_FROZEN
__TASK_STOPPED -> TASK_FROZEN
__TASK_TRACED -> TASK_FROZEN
The new TASK_FREEZABLE can be set on any state part of TASK_NORMAL
(IOW. TASK_INTERRUPTIBLE and TASK_UNINTERRUPTIBLE) -- any such state
is already required to deal with spurious wakeups and the freezer
causes one such when thawing the task (since the original state is
lost).
The special __TASK_{STOPPED,TRACED} states *can* be restored since
their canonical state is in ->jobctl.
With this, frozen tasks need an explicit TASK_FROZEN wakeup and are
free of undue (early / spurious) wakeups.
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Ingo Molnar <mingo@kernel.org>
Acked-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Link: https://lore.kernel.org/r/20220822114649.055452969@infradead.org
2022-08-22 19:18:22 +08:00
|
|
|
__set_current_state(TASK_INTERRUPTIBLE|TASK_FREEZABLE);
|
cgroup: cgroup v2 freezer
Cgroup v1 implements the freezer controller, which provides an ability
to stop the workload in a cgroup and temporarily free up some
resources (cpu, io, network bandwidth and, potentially, memory)
for some other tasks. Cgroup v2 lacks this functionality.
This patch implements freezer for cgroup v2.
Cgroup v2 freezer tries to put tasks into a state similar to jobctl
stop. This means that tasks can be killed, ptraced (using
PTRACE_SEIZE*), and interrupted. It is possible to attach to
a frozen task, get some information (e.g. read registers) and detach.
It's also possible to migrate a frozen tasks to another cgroup.
This differs cgroup v2 freezer from cgroup v1 freezer, which mostly
tried to imitate the system-wide freezer. However uninterruptible
sleep is fine when all tasks are going to be frozen (hibernation case),
it's not the acceptable state for some subset of the system.
Cgroup v2 freezer is not supporting freezing kthreads.
If a non-root cgroup contains kthread, the cgroup still can be frozen,
but the kthread will remain running, the cgroup will be shown
as non-frozen, and the notification will not be delivered.
* PTRACE_ATTACH is not working because non-fatal signal delivery
is blocked in frozen state.
There are some interface differences between cgroup v1 and cgroup v2
freezer too, which are required to conform the cgroup v2 interface
design principles:
1) There is no separate controller, which has to be turned on:
the functionality is always available and is represented by
cgroup.freeze and cgroup.events cgroup control files.
2) The desired state is defined by the cgroup.freeze control file.
Any hierarchical configuration is allowed.
3) The interface is asynchronous. The actual state is available
using cgroup.events control file ("frozen" field). There are no
dedicated transitional states.
4) It's allowed to make any changes with the cgroup hierarchy
(create new cgroups, remove old cgroups, move tasks between cgroups)
no matter if some cgroups are frozen.
Signed-off-by: Roman Gushchin <guro@fb.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
No-objection-from-me-by: Oleg Nesterov <oleg@redhat.com>
Cc: kernel-team@fb.com
2019-04-20 01:03:04 +08:00
|
|
|
clear_thread_flag(TIF_SIGPENDING);
|
|
|
|
spin_unlock_irq(¤t->sighand->siglock);
|
|
|
|
cgroup_enter_frozen();
|
freezer,sched: Rewrite core freezer logic
Rewrite the core freezer to behave better wrt thawing and be simpler
in general.
By replacing PF_FROZEN with TASK_FROZEN, a special block state, it is
ensured frozen tasks stay frozen until thawed and don't randomly wake
up early, as is currently possible.
As such, it does away with PF_FROZEN and PF_FREEZER_SKIP, freeing up
two PF_flags (yay!).
Specifically; the current scheme works a little like:
freezer_do_not_count();
schedule();
freezer_count();
And either the task is blocked, or it lands in try_to_freezer()
through freezer_count(). Now, when it is blocked, the freezer
considers it frozen and continues.
However, on thawing, once pm_freezing is cleared, freezer_count()
stops working, and any random/spurious wakeup will let a task run
before its time.
That is, thawing tries to thaw things in explicit order; kernel
threads and workqueues before doing bringing SMP back before userspace
etc.. However due to the above mentioned races it is entirely possible
for userspace tasks to thaw (by accident) before SMP is back.
This can be a fatal problem in asymmetric ISA architectures (eg ARMv9)
where the userspace task requires a special CPU to run.
As said; replace this with a special task state TASK_FROZEN and add
the following state transitions:
TASK_FREEZABLE -> TASK_FROZEN
__TASK_STOPPED -> TASK_FROZEN
__TASK_TRACED -> TASK_FROZEN
The new TASK_FREEZABLE can be set on any state part of TASK_NORMAL
(IOW. TASK_INTERRUPTIBLE and TASK_UNINTERRUPTIBLE) -- any such state
is already required to deal with spurious wakeups and the freezer
causes one such when thawing the task (since the original state is
lost).
The special __TASK_{STOPPED,TRACED} states *can* be restored since
their canonical state is in ->jobctl.
With this, frozen tasks need an explicit TASK_FROZEN wakeup and are
free of undue (early / spurious) wakeups.
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Ingo Molnar <mingo@kernel.org>
Acked-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Link: https://lore.kernel.org/r/20220822114649.055452969@infradead.org
2022-08-22 19:18:22 +08:00
|
|
|
schedule();
|
cgroup: cgroup v2 freezer
Cgroup v1 implements the freezer controller, which provides an ability
to stop the workload in a cgroup and temporarily free up some
resources (cpu, io, network bandwidth and, potentially, memory)
for some other tasks. Cgroup v2 lacks this functionality.
This patch implements freezer for cgroup v2.
Cgroup v2 freezer tries to put tasks into a state similar to jobctl
stop. This means that tasks can be killed, ptraced (using
PTRACE_SEIZE*), and interrupted. It is possible to attach to
a frozen task, get some information (e.g. read registers) and detach.
It's also possible to migrate a frozen tasks to another cgroup.
This differs cgroup v2 freezer from cgroup v1 freezer, which mostly
tried to imitate the system-wide freezer. However uninterruptible
sleep is fine when all tasks are going to be frozen (hibernation case),
it's not the acceptable state for some subset of the system.
Cgroup v2 freezer is not supporting freezing kthreads.
If a non-root cgroup contains kthread, the cgroup still can be frozen,
but the kthread will remain running, the cgroup will be shown
as non-frozen, and the notification will not be delivered.
* PTRACE_ATTACH is not working because non-fatal signal delivery
is blocked in frozen state.
There are some interface differences between cgroup v1 and cgroup v2
freezer too, which are required to conform the cgroup v2 interface
design principles:
1) There is no separate controller, which has to be turned on:
the functionality is always available and is represented by
cgroup.freeze and cgroup.events cgroup control files.
2) The desired state is defined by the cgroup.freeze control file.
Any hierarchical configuration is allowed.
3) The interface is asynchronous. The actual state is available
using cgroup.events control file ("frozen" field). There are no
dedicated transitional states.
4) It's allowed to make any changes with the cgroup hierarchy
(create new cgroups, remove old cgroups, move tasks between cgroups)
no matter if some cgroups are frozen.
Signed-off-by: Roman Gushchin <guro@fb.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
No-objection-from-me-by: Oleg Nesterov <oleg@redhat.com>
Cc: kernel-team@fb.com
2019-04-20 01:03:04 +08:00
|
|
|
}
|
|
|
|
|
2021-11-16 03:47:13 +08:00
|
|
|
static int ptrace_signal(int signr, kernel_siginfo_t *info, enum pid_type type)
|
2008-04-18 09:44:38 +08:00
|
|
|
{
|
ptrace: fix ptrace_signal() && STOP_DEQUEUED interaction
Simple test-case,
int main(void)
{
int pid, status;
pid = fork();
if (!pid) {
pause();
assert(0);
return 0x23;
}
assert(ptrace(PTRACE_ATTACH, pid, 0,0) == 0);
assert(wait(&status) == pid);
assert(WIFSTOPPED(status) && WSTOPSIG(status) == SIGSTOP);
kill(pid, SIGCONT); // <--- also clears STOP_DEQUEUD
assert(ptrace(PTRACE_CONT, pid, 0,0) == 0);
assert(wait(&status) == pid);
assert(WIFSTOPPED(status) && WSTOPSIG(status) == SIGCONT);
assert(ptrace(PTRACE_CONT, pid, 0, SIGSTOP) == 0);
assert(wait(&status) == pid);
assert(WIFSTOPPED(status) && WSTOPSIG(status) == SIGSTOP);
kill(pid, SIGKILL);
return 0;
}
Without the patch it hangs. After the patch SIGSTOP "injected" by the
tracer is not ignored and stops the tracee.
Note also that if this test-case uses, say, SIGWINCH instead of SIGCONT,
everything works without the patch. This can't be right, and this is
confusing.
The problem is that SIGSTOP (or any other sig_kernel_stop() signal) has
no effect without JOBCTL_STOP_DEQUEUED. This means it is simply ignored
after PTRACE_CONT unless JOBCTL_STOP_DEQUEUED was set "by accident", say
it wasn't cleared after initial SIGSTOP sent by PTRACE_ATTACH.
At first glance we could change ptrace_signal() to add STOP_DEQUEUED
after return from ptrace_stop(), but this is not right in case when the
tracer does not change the reported SIGSTOP and SIGCONT comes in between.
This is even more wrong with PT_SEIZED, SIGCONT adds JOBCTL_TRAP_NOTIFY
which will be "lost" during the TRAP_STOP | TRAP_NOTIFY report.
So lets add STOP_DEQUEUED _before_ we report the signal. It has no effect
unless sig_kernel_stop() == T after the tracer resumes us, and in the
latter case the pending STOP_DEQUEUED means no SIGCONT in between, we
should stop.
Note also that if SIGCONT was sent, PT_SEIZED tracee will correctly
report PTRACE_EVENT_STOP/SIGTRAP and thus the tracer can notice the fact
SIGSTOP was cancelled.
Also, move the current->ptrace check from ptrace_signal() to its caller,
get_signal_to_deliver(), this looks more natural.
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Acked-by: Tejun Heo <tj@kernel.org>
2011-07-21 23:06:53 +08:00
|
|
|
/*
|
|
|
|
* We do not check sig_kernel_stop(signr) but set this marker
|
|
|
|
* unconditionally because we do not know whether debugger will
|
|
|
|
* change signr. This flag has no meaning unless we are going
|
|
|
|
* to stop after return from ptrace_stop(). In this case it will
|
|
|
|
* be checked in do_signal_stop(), we should only stop if it was
|
|
|
|
* not cleared by SIGCONT while we were sleeping. See also the
|
|
|
|
* comment in dequeue_signal().
|
|
|
|
*/
|
|
|
|
current->jobctl |= JOBCTL_STOP_DEQUEUED;
|
2022-05-05 02:39:58 +08:00
|
|
|
signr = ptrace_stop(signr, CLD_TRAPPED, 0, info);
|
2008-04-18 09:44:38 +08:00
|
|
|
|
|
|
|
/* We're back. Did the debugger cancel the sig? */
|
|
|
|
if (signr == 0)
|
|
|
|
return signr;
|
|
|
|
|
2011-04-05 05:59:31 +08:00
|
|
|
/*
|
|
|
|
* Update the siginfo structure if the signal has
|
|
|
|
* changed. If the debugger wanted something
|
|
|
|
* specific in the siginfo structure then it should
|
|
|
|
* have updated *info via PTRACE_SETSIGINFO.
|
|
|
|
*/
|
2008-04-18 09:44:38 +08:00
|
|
|
if (signr != info->si_signo) {
|
2018-01-06 07:27:42 +08:00
|
|
|
clear_siginfo(info);
|
2008-04-18 09:44:38 +08:00
|
|
|
info->si_signo = signr;
|
|
|
|
info->si_errno = 0;
|
|
|
|
info->si_code = SI_USER;
|
user namespace: make signal.c respect user namespaces
ipc/mqueue.c: for __SI_MESQ, convert the uid being sent to recipient's
user namespace. (new, thanks Oleg)
__send_signal: convert current's uid to the recipient's user namespace
for any siginfo which is not SI_FROMKERNEL (patch from Oleg, thanks
again :)
do_notify_parent and do_notify_parent_cldstop: map task's uid to parent's
user namespace
ptrace_signal maps parent's uid into current's user namespace before
including in signal to current. IIUC Oleg has argued that this shouldn't
matter as the debugger will play with it, but it seems like not converting
the value currently being set is misleading.
Changelog:
Sep 20: Inspired by Oleg's suggestion, define map_cred_ns() helper to
simplify callers and help make clear what we are translating
(which uid into which namespace). Passing the target task would
make callers even easier to read, but we pass in user_ns because
current_user_ns() != task_cred_xxx(current, user_ns).
Sep 20: As recommended by Oleg, also put task_pid_vnr() under rcu_read_lock
in ptrace_signal().
Sep 23: In send_signal(), detect when (user) signal is coming from an
ancestor or unrelated user namespace. Pass that on to __send_signal,
which sets si_uid to 0 or overflowuid if needed.
Oct 12: Base on Oleg's fixup_uid() patch. On top of that, handle all
SI_FROMKERNEL cases at callers, because we can't assume sender is
current in those cases.
Nov 10: (mhelsley) rename fixup_uid to more meaningful usern_fixup_signal_uid
Nov 10: (akpm) make the !CONFIG_USER_NS case clearer
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Matt Helsley <matthltc@us.ibm.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
From: Serge Hallyn <serge.hallyn@canonical.com>
Subject: __send_signal: pass q->info, not info, to userns_fixup_signal_uid (v2)
Eric Biederman pointed out that passing info is a bug and could lead to a
NULL pointer deref to boot.
A collection of signal, securebits, filecaps, cap_bounds, and a few other
ltp tests passed with this kernel.
Changelog:
Nov 18: previous patch missed a leading '&'
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
From: Dan Carpenter <dan.carpenter@oracle.com>
Subject: ipc/mqueue: lock() => unlock() typo
There was a double lock typo introduced in b085f4bd6b21 "user namespace:
make signal.c respect user namespaces"
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Matt Helsley <matthltc@us.ibm.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Acked-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-01-11 07:11:37 +08:00
|
|
|
rcu_read_lock();
|
2008-04-18 09:44:38 +08:00
|
|
|
info->si_pid = task_pid_vnr(current->parent);
|
2012-03-14 07:04:35 +08:00
|
|
|
info->si_uid = from_kuid_munged(current_user_ns(),
|
|
|
|
task_uid(current->parent));
|
user namespace: make signal.c respect user namespaces
ipc/mqueue.c: for __SI_MESQ, convert the uid being sent to recipient's
user namespace. (new, thanks Oleg)
__send_signal: convert current's uid to the recipient's user namespace
for any siginfo which is not SI_FROMKERNEL (patch from Oleg, thanks
again :)
do_notify_parent and do_notify_parent_cldstop: map task's uid to parent's
user namespace
ptrace_signal maps parent's uid into current's user namespace before
including in signal to current. IIUC Oleg has argued that this shouldn't
matter as the debugger will play with it, but it seems like not converting
the value currently being set is misleading.
Changelog:
Sep 20: Inspired by Oleg's suggestion, define map_cred_ns() helper to
simplify callers and help make clear what we are translating
(which uid into which namespace). Passing the target task would
make callers even easier to read, but we pass in user_ns because
current_user_ns() != task_cred_xxx(current, user_ns).
Sep 20: As recommended by Oleg, also put task_pid_vnr() under rcu_read_lock
in ptrace_signal().
Sep 23: In send_signal(), detect when (user) signal is coming from an
ancestor or unrelated user namespace. Pass that on to __send_signal,
which sets si_uid to 0 or overflowuid if needed.
Oct 12: Base on Oleg's fixup_uid() patch. On top of that, handle all
SI_FROMKERNEL cases at callers, because we can't assume sender is
current in those cases.
Nov 10: (mhelsley) rename fixup_uid to more meaningful usern_fixup_signal_uid
Nov 10: (akpm) make the !CONFIG_USER_NS case clearer
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Matt Helsley <matthltc@us.ibm.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
From: Serge Hallyn <serge.hallyn@canonical.com>
Subject: __send_signal: pass q->info, not info, to userns_fixup_signal_uid (v2)
Eric Biederman pointed out that passing info is a bug and could lead to a
NULL pointer deref to boot.
A collection of signal, securebits, filecaps, cap_bounds, and a few other
ltp tests passed with this kernel.
Changelog:
Nov 18: previous patch missed a leading '&'
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
From: Dan Carpenter <dan.carpenter@oracle.com>
Subject: ipc/mqueue: lock() => unlock() typo
There was a double lock typo introduced in b085f4bd6b21 "user namespace:
make signal.c respect user namespaces"
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Matt Helsley <matthltc@us.ibm.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Acked-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-01-11 07:11:37 +08:00
|
|
|
rcu_read_unlock();
|
2008-04-18 09:44:38 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
/* If the (new) signal is now blocked, requeue it. */
|
signal: Requeue ptrace signals
Kyle Huey <me@kylehuey.com> writes:
> rr, a userspace record and replay debugger[0], uses the recorded register
> state at PTRACE_EVENT_EXIT to find the point in time at which to cease
> executing the program during replay.
>
> If a SIGKILL races with processing another signal in get_signal, it is
> possible for the kernel to decline to notify the tracer of the original
> signal. But if the original signal had a handler, the kernel proceeds
> with setting up a signal handler frame as if the tracer had chosen to
> deliver the signal unmodified to the tracee. When the kernel goes to
> execute the signal handler that it has now modified the stack and registers
> for, it will discover the pending SIGKILL, and terminate the tracee
> without executing the handler. When PTRACE_EVENT_EXIT is delivered to
> the tracer, however, the effects of handler setup will be visible to
> the tracer.
>
> Because rr (the tracer) was never notified of the signal, it is not aware
> that a signal handler frame was set up and expects the state of the program
> at PTRACE_EVENT_EXIT to be a state that will be reconstructed naturally
> by allowing the program to execute from the last event. When that fails
> to happen during replay, rr will assert and die.
>
> The following patches add an explicit check for a newly pending SIGKILL
> after the ptracer has been notified and the siglock has been reacquired.
> If this happens, we stop processing the current signal and proceed
> immediately to handling the SIGKILL. This makes the state reported at
> PTRACE_EVENT_EXIT the unmodified state of the program, and also avoids the
> work to set up a signal handler frame that will never be used.
>
> [0] https://rr-project.org/
The problem is that while the traced process makes it into ptrace_stop,
the tracee is killed before the tracer manages to wait for the
tracee and discover which signal was about to be delivered.
More generally the problem is that while siglock was dropped a signal
with process wide effect is short cirucit delivered to the entire
process killing it, but the process continues to try and deliver another
signal.
In general it impossible to avoid all cases where work is performed
after the process has been killed. In particular if the process is
killed after get_signal returns the code will simply not know it has
been killed until after delivering the signal frame to userspace.
On the other hand when the code has already discovered the process
has been killed and taken user space visible action that shows
the kernel knows the process has been killed, it is just silly
to then write the signal frame to the user space stack.
Instead of being silly detect the process has been killed
in ptrace_signal and requeue the signal so the code can pretend
it was simply never dequeued for delivery.
To test the process has been killed I use fatal_signal_pending rather
than signal_group_exit to match the test in signal_pending_state which
is used in schedule which is where ptrace_stop detects the process has
been killed.
Requeuing the signal so the code can pretend it was simply never
dequeued improves the user space visible behavior that has been
present since ebf5ebe31d2c ("[PATCH] signal-fixes-2.5.59-A4").
Kyle Huey verified that this change in behavior and makes rr happy.
Reported-by: Kyle Huey <khuey@kylehuey.com>
Reported-by: Marko Mäkelä <marko.makela@mariadb.com>
History Tree: https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.gi
Reviewed-by: Kees Cook <keescook@chromium.org>
Link: https://lkml.kernel.org/r/87tugcd5p2.fsf_-_@email.froward.int.ebiederm.org
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2021-11-16 03:49:45 +08:00
|
|
|
if (sigismember(¤t->blocked, signr) ||
|
|
|
|
fatal_signal_pending(current)) {
|
2022-04-22 22:48:54 +08:00
|
|
|
send_signal_locked(signr, info, current, type);
|
2008-04-18 09:44:38 +08:00
|
|
|
signr = 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
return signr;
|
|
|
|
}
|
|
|
|
|
2020-11-21 04:33:45 +08:00
|
|
|
static void hide_si_addr_tag_bits(struct ksignal *ksig)
|
|
|
|
{
|
|
|
|
switch (siginfo_layout(ksig->sig, ksig->info.si_code)) {
|
|
|
|
case SIL_FAULT:
|
2021-05-01 06:29:36 +08:00
|
|
|
case SIL_FAULT_TRAPNO:
|
2020-11-21 04:33:45 +08:00
|
|
|
case SIL_FAULT_MCEERR:
|
|
|
|
case SIL_FAULT_BNDERR:
|
|
|
|
case SIL_FAULT_PKUERR:
|
2021-05-01 06:58:56 +08:00
|
|
|
case SIL_FAULT_PERF_EVENT:
|
2020-11-21 04:33:45 +08:00
|
|
|
ksig->info.si_addr = arch_untagged_si_addr(
|
|
|
|
ksig->info.si_addr, ksig->sig, ksig->info.si_code);
|
|
|
|
break;
|
|
|
|
case SIL_KILL:
|
|
|
|
case SIL_TIMER:
|
|
|
|
case SIL_POLL:
|
|
|
|
case SIL_CHLD:
|
|
|
|
case SIL_RT:
|
|
|
|
case SIL_SYS:
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2018-08-22 13:00:54 +08:00
|
|
|
bool get_signal(struct ksignal *ksig)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2008-04-30 15:52:47 +08:00
|
|
|
struct sighand_struct *sighand = current->sighand;
|
|
|
|
struct signal_struct *signal = current->signal;
|
|
|
|
int signr;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2022-02-09 23:51:14 +08:00
|
|
|
clear_notify_signal();
|
2022-02-09 22:52:41 +08:00
|
|
|
if (unlikely(task_work_pending(current)))
|
2021-01-06 02:32:43 +08:00
|
|
|
task_work_run();
|
|
|
|
|
2022-02-09 23:51:14 +08:00
|
|
|
if (!task_sigpending(current))
|
|
|
|
return false;
|
2020-10-27 04:32:28 +08:00
|
|
|
|
uprobes/core: Handle breakpoint and singlestep exceptions
Uprobes uses exception notifiers to get to know if a thread hit
a breakpoint or a singlestep exception.
When a thread hits a uprobe or is singlestepping post a uprobe
hit, the uprobe exception notifier sets its TIF_UPROBE bit,
which will then be checked on its return to userspace path
(do_notify_resume() ->uprobe_notify_resume()), where the
consumers handlers are run (in task context) based on the
defined filters.
Uprobe hits are thread specific and hence we need to maintain
information about if a task hit a uprobe, what uprobe was hit,
the slot where the original instruction was copied for xol so
that it can be singlestepped with appropriate fixups.
In some cases, special care is needed for instructions that are
executed out of line (xol). These are architecture specific
artefacts, such as handling RIP relative instructions on x86_64.
Since the instruction at which the uprobe was inserted is
executed out of line, architecture specific fixups are added so
that the thread continues normal execution in the presence of a
uprobe.
Postpone the signals until we execute the probed insn.
post_xol() path does a recalc_sigpending() before return to
user-mode, this ensures the signal can't be lost.
Uprobes relies on DIE_DEBUG notification to notify if a
singlestep is complete.
Adds x86 specific uprobe exception notifiers and appropriate
hooks needed to determine a uprobe hit and subsequent post
processing.
Add requisite x86 fixups for xol for uprobes. Specific cases
needing fixups include relative jumps (x86_64), calls, etc.
Where possible, we check and skip singlestepping the
breakpointed instructions. For now we skip single byte as well
as few multibyte nop instructions. However this can be extended
to other instructions too.
Credits to Oleg Nesterov for suggestions/patches related to
signal, breakpoint, singlestep handling code.
Signed-off-by: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Ananth N Mavinakayanahalli <ananth@in.ibm.com>
Cc: Jim Keniston <jkenisto@linux.vnet.ibm.com>
Cc: Linux-mm <linux-mm@kvack.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Andi Kleen <andi@firstfloor.org>
Cc: Christoph Hellwig <hch@infradead.org>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Arnaldo Carvalho de Melo <acme@infradead.org>
Cc: Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Link: http://lkml.kernel.org/r/20120313180011.29771.89027.sendpatchset@srdronam.in.ibm.com
[ Performed various cleanliness edits ]
Signed-off-by: Ingo Molnar <mingo@elte.hu>
2012-03-14 02:00:11 +08:00
|
|
|
if (unlikely(uprobe_deny_signal()))
|
2018-08-22 13:00:54 +08:00
|
|
|
return false;
|
uprobes/core: Handle breakpoint and singlestep exceptions
Uprobes uses exception notifiers to get to know if a thread hit
a breakpoint or a singlestep exception.
When a thread hits a uprobe or is singlestepping post a uprobe
hit, the uprobe exception notifier sets its TIF_UPROBE bit,
which will then be checked on its return to userspace path
(do_notify_resume() ->uprobe_notify_resume()), where the
consumers handlers are run (in task context) based on the
defined filters.
Uprobe hits are thread specific and hence we need to maintain
information about if a task hit a uprobe, what uprobe was hit,
the slot where the original instruction was copied for xol so
that it can be singlestepped with appropriate fixups.
In some cases, special care is needed for instructions that are
executed out of line (xol). These are architecture specific
artefacts, such as handling RIP relative instructions on x86_64.
Since the instruction at which the uprobe was inserted is
executed out of line, architecture specific fixups are added so
that the thread continues normal execution in the presence of a
uprobe.
Postpone the signals until we execute the probed insn.
post_xol() path does a recalc_sigpending() before return to
user-mode, this ensures the signal can't be lost.
Uprobes relies on DIE_DEBUG notification to notify if a
singlestep is complete.
Adds x86 specific uprobe exception notifiers and appropriate
hooks needed to determine a uprobe hit and subsequent post
processing.
Add requisite x86 fixups for xol for uprobes. Specific cases
needing fixups include relative jumps (x86_64), calls, etc.
Where possible, we check and skip singlestepping the
breakpointed instructions. For now we skip single byte as well
as few multibyte nop instructions. However this can be extended
to other instructions too.
Credits to Oleg Nesterov for suggestions/patches related to
signal, breakpoint, singlestep handling code.
Signed-off-by: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Ananth N Mavinakayanahalli <ananth@in.ibm.com>
Cc: Jim Keniston <jkenisto@linux.vnet.ibm.com>
Cc: Linux-mm <linux-mm@kvack.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Andi Kleen <andi@firstfloor.org>
Cc: Christoph Hellwig <hch@infradead.org>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Arnaldo Carvalho de Melo <acme@infradead.org>
Cc: Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Link: http://lkml.kernel.org/r/20120313180011.29771.89027.sendpatchset@srdronam.in.ibm.com
[ Performed various cleanliness edits ]
Signed-off-by: Ingo Molnar <mingo@elte.hu>
2012-03-14 02:00:11 +08:00
|
|
|
|
2008-03-04 12:22:05 +08:00
|
|
|
/*
|
2012-10-27 01:46:06 +08:00
|
|
|
* Do this once, we can't return to user-mode if freezing() == T.
|
|
|
|
* do_signal_stop() and ptrace_stop() do freezable_schedule() and
|
|
|
|
* thus do not need another check after return.
|
2008-03-04 12:22:05 +08:00
|
|
|
*/
|
2006-03-23 19:00:05 +08:00
|
|
|
try_to_freeze();
|
|
|
|
|
2012-10-27 01:46:06 +08:00
|
|
|
relock:
|
2008-04-30 15:52:47 +08:00
|
|
|
spin_lock_irq(&sighand->siglock);
|
2020-06-30 23:32:54 +08:00
|
|
|
|
2008-04-30 15:53:00 +08:00
|
|
|
/*
|
|
|
|
* Every stopped thread goes here after wakeup. Check to see if
|
|
|
|
* we should notify the parent, prepare_signal(SIGCONT) encodes
|
|
|
|
* the CLD_ si_code into SIGNAL_CLD_MASK bits.
|
|
|
|
*/
|
2008-04-30 15:52:47 +08:00
|
|
|
if (unlikely(signal->flags & SIGNAL_CLD_MASK)) {
|
2011-03-23 17:36:59 +08:00
|
|
|
int why;
|
|
|
|
|
|
|
|
if (signal->flags & SIGNAL_CLD_CONTINUED)
|
|
|
|
why = CLD_CONTINUED;
|
|
|
|
else
|
|
|
|
why = CLD_STOPPED;
|
|
|
|
|
2008-04-30 15:52:47 +08:00
|
|
|
signal->flags &= ~SIGNAL_CLD_MASK;
|
2008-04-30 15:52:44 +08:00
|
|
|
|
2009-09-24 06:56:53 +08:00
|
|
|
spin_unlock_irq(&sighand->siglock);
|
2008-07-26 10:45:54 +08:00
|
|
|
|
job control: Notify the real parent of job control events regardless of ptrace
With recent changes, job control and ptrace stopped states are
properly separated and accessible to the real parent and the ptracer
respectively; however, notifications of job control stopped/continued
events to the real parent while ptraced are still missing.
A ptracee participates in group stop in ptrace_stop() but the
completion isn't notified. If participation results in completion of
group stop, notify the real parent of the event. The ptrace and group
stops are separate and can be handled as such.
However, when the real parent and the ptracer are in the same thread
group, only the ptrace stop event is visible through wait(2) and the
duplicate notifications are different from the current behavior and
are confusing. Suppress group stop notification in such cases.
The continued state is shared between the real parent and the ptracer
but is only meaningful to the real parent. Always notify the real
parent and notify the ptracer too for backward compatibility. Similar
to stop notification, if the real parent is the ptracer, suppress a
duplicate notification.
Test case follows.
#include <stdio.h>
#include <unistd.h>
#include <time.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
int main(void)
{
const struct timespec ts100ms = { .tv_nsec = 100000000 };
pid_t tracee, tracer;
siginfo_t si;
int i;
tracee = fork();
if (tracee == 0) {
while (1) {
printf("tracee: SIGSTOP\n");
raise(SIGSTOP);
nanosleep(&ts100ms, NULL);
printf("tracee: SIGCONT\n");
raise(SIGCONT);
nanosleep(&ts100ms, NULL);
}
}
waitid(P_PID, tracee, &si, WSTOPPED | WNOHANG | WNOWAIT);
tracer = fork();
if (tracer == 0) {
nanosleep(&ts100ms, NULL);
ptrace(PTRACE_ATTACH, tracee, NULL, NULL);
for (i = 0; i < 11; i++) {
si.si_pid = 0;
waitid(P_PID, tracee, &si, WSTOPPED);
if (si.si_pid && si.si_code == CLD_TRAPPED)
ptrace(PTRACE_CONT, tracee, NULL,
(void *)(long)si.si_status);
}
printf("tracer: EXITING\n");
return 0;
}
while (1) {
si.si_pid = 0;
waitid(P_PID, tracee, &si, WSTOPPED | WCONTINUED | WEXITED);
if (si.si_pid)
printf("mommy : WAIT status=%02d code=%02d\n",
si.si_status, si.si_code);
}
return 0;
}
Before this patch, while ptraced, the real parent doesn't get
notifications for job control events, so although it can access those
events, the later waitid(2) call never wakes up.
tracee: SIGSTOP
mommy : WAIT status=19 code=05
tracee: SIGCONT
tracee: SIGSTOP
tracee: SIGCONT
tracee: SIGSTOP
tracee: SIGCONT
tracee: SIGSTOP
tracer: EXITING
mommy : WAIT status=19 code=05
^C
After this patch, it works as expected.
tracee: SIGSTOP
mommy : WAIT status=19 code=05
tracee: SIGCONT
mommy : WAIT status=18 code=06
tracee: SIGSTOP
mommy : WAIT status=19 code=05
tracee: SIGCONT
mommy : WAIT status=18 code=06
tracee: SIGSTOP
mommy : WAIT status=19 code=05
tracee: SIGCONT
mommy : WAIT status=18 code=06
tracee: SIGSTOP
tracer: EXITING
mommy : WAIT status=19 code=05
^C
-v2: Oleg pointed out that
* Group stop notification to the real parent should also happen
when ptracer detach races with ptrace_stop().
* real_parent_is_ptracer() should be testing thread group
equality not the task itself as wait(2) and stop/cont
notifications are normally thread-group wide.
Both issues are fixed accordingly.
-v3: real_parent_is_ptracer() updated to test child->real_parent
instead of child->group_leader->real_parent per Oleg's
suggestion.
Signed-off-by: Tejun Heo <tj@kernel.org>
Acked-by: Oleg Nesterov <oleg@redhat.com>
2011-03-23 17:37:01 +08:00
|
|
|
/*
|
|
|
|
* Notify the parent that we're continuing. This event is
|
|
|
|
* always per-process and doesn't make whole lot of sense
|
|
|
|
* for ptracers, who shouldn't consume the state via
|
|
|
|
* wait(2) either, but, for backward compatibility, notify
|
|
|
|
* the ptracer of the group leader too unless it's gonna be
|
|
|
|
* a duplicate.
|
|
|
|
*/
|
2011-03-23 17:37:00 +08:00
|
|
|
read_lock(&tasklist_lock);
|
job control: Notify the real parent of job control events regardless of ptrace
With recent changes, job control and ptrace stopped states are
properly separated and accessible to the real parent and the ptracer
respectively; however, notifications of job control stopped/continued
events to the real parent while ptraced are still missing.
A ptracee participates in group stop in ptrace_stop() but the
completion isn't notified. If participation results in completion of
group stop, notify the real parent of the event. The ptrace and group
stops are separate and can be handled as such.
However, when the real parent and the ptracer are in the same thread
group, only the ptrace stop event is visible through wait(2) and the
duplicate notifications are different from the current behavior and
are confusing. Suppress group stop notification in such cases.
The continued state is shared between the real parent and the ptracer
but is only meaningful to the real parent. Always notify the real
parent and notify the ptracer too for backward compatibility. Similar
to stop notification, if the real parent is the ptracer, suppress a
duplicate notification.
Test case follows.
#include <stdio.h>
#include <unistd.h>
#include <time.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
int main(void)
{
const struct timespec ts100ms = { .tv_nsec = 100000000 };
pid_t tracee, tracer;
siginfo_t si;
int i;
tracee = fork();
if (tracee == 0) {
while (1) {
printf("tracee: SIGSTOP\n");
raise(SIGSTOP);
nanosleep(&ts100ms, NULL);
printf("tracee: SIGCONT\n");
raise(SIGCONT);
nanosleep(&ts100ms, NULL);
}
}
waitid(P_PID, tracee, &si, WSTOPPED | WNOHANG | WNOWAIT);
tracer = fork();
if (tracer == 0) {
nanosleep(&ts100ms, NULL);
ptrace(PTRACE_ATTACH, tracee, NULL, NULL);
for (i = 0; i < 11; i++) {
si.si_pid = 0;
waitid(P_PID, tracee, &si, WSTOPPED);
if (si.si_pid && si.si_code == CLD_TRAPPED)
ptrace(PTRACE_CONT, tracee, NULL,
(void *)(long)si.si_status);
}
printf("tracer: EXITING\n");
return 0;
}
while (1) {
si.si_pid = 0;
waitid(P_PID, tracee, &si, WSTOPPED | WCONTINUED | WEXITED);
if (si.si_pid)
printf("mommy : WAIT status=%02d code=%02d\n",
si.si_status, si.si_code);
}
return 0;
}
Before this patch, while ptraced, the real parent doesn't get
notifications for job control events, so although it can access those
events, the later waitid(2) call never wakes up.
tracee: SIGSTOP
mommy : WAIT status=19 code=05
tracee: SIGCONT
tracee: SIGSTOP
tracee: SIGCONT
tracee: SIGSTOP
tracee: SIGCONT
tracee: SIGSTOP
tracer: EXITING
mommy : WAIT status=19 code=05
^C
After this patch, it works as expected.
tracee: SIGSTOP
mommy : WAIT status=19 code=05
tracee: SIGCONT
mommy : WAIT status=18 code=06
tracee: SIGSTOP
mommy : WAIT status=19 code=05
tracee: SIGCONT
mommy : WAIT status=18 code=06
tracee: SIGSTOP
mommy : WAIT status=19 code=05
tracee: SIGCONT
mommy : WAIT status=18 code=06
tracee: SIGSTOP
tracer: EXITING
mommy : WAIT status=19 code=05
^C
-v2: Oleg pointed out that
* Group stop notification to the real parent should also happen
when ptracer detach races with ptrace_stop().
* real_parent_is_ptracer() should be testing thread group
equality not the task itself as wait(2) and stop/cont
notifications are normally thread-group wide.
Both issues are fixed accordingly.
-v3: real_parent_is_ptracer() updated to test child->real_parent
instead of child->group_leader->real_parent per Oleg's
suggestion.
Signed-off-by: Tejun Heo <tj@kernel.org>
Acked-by: Oleg Nesterov <oleg@redhat.com>
2011-03-23 17:37:01 +08:00
|
|
|
do_notify_parent_cldstop(current, false, why);
|
|
|
|
|
2011-06-24 23:34:23 +08:00
|
|
|
if (ptrace_reparented(current->group_leader))
|
|
|
|
do_notify_parent_cldstop(current->group_leader,
|
|
|
|
true, why);
|
2011-03-23 17:37:00 +08:00
|
|
|
read_unlock(&tasklist_lock);
|
job control: Notify the real parent of job control events regardless of ptrace
With recent changes, job control and ptrace stopped states are
properly separated and accessible to the real parent and the ptracer
respectively; however, notifications of job control stopped/continued
events to the real parent while ptraced are still missing.
A ptracee participates in group stop in ptrace_stop() but the
completion isn't notified. If participation results in completion of
group stop, notify the real parent of the event. The ptrace and group
stops are separate and can be handled as such.
However, when the real parent and the ptracer are in the same thread
group, only the ptrace stop event is visible through wait(2) and the
duplicate notifications are different from the current behavior and
are confusing. Suppress group stop notification in such cases.
The continued state is shared between the real parent and the ptracer
but is only meaningful to the real parent. Always notify the real
parent and notify the ptracer too for backward compatibility. Similar
to stop notification, if the real parent is the ptracer, suppress a
duplicate notification.
Test case follows.
#include <stdio.h>
#include <unistd.h>
#include <time.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
int main(void)
{
const struct timespec ts100ms = { .tv_nsec = 100000000 };
pid_t tracee, tracer;
siginfo_t si;
int i;
tracee = fork();
if (tracee == 0) {
while (1) {
printf("tracee: SIGSTOP\n");
raise(SIGSTOP);
nanosleep(&ts100ms, NULL);
printf("tracee: SIGCONT\n");
raise(SIGCONT);
nanosleep(&ts100ms, NULL);
}
}
waitid(P_PID, tracee, &si, WSTOPPED | WNOHANG | WNOWAIT);
tracer = fork();
if (tracer == 0) {
nanosleep(&ts100ms, NULL);
ptrace(PTRACE_ATTACH, tracee, NULL, NULL);
for (i = 0; i < 11; i++) {
si.si_pid = 0;
waitid(P_PID, tracee, &si, WSTOPPED);
if (si.si_pid && si.si_code == CLD_TRAPPED)
ptrace(PTRACE_CONT, tracee, NULL,
(void *)(long)si.si_status);
}
printf("tracer: EXITING\n");
return 0;
}
while (1) {
si.si_pid = 0;
waitid(P_PID, tracee, &si, WSTOPPED | WCONTINUED | WEXITED);
if (si.si_pid)
printf("mommy : WAIT status=%02d code=%02d\n",
si.si_status, si.si_code);
}
return 0;
}
Before this patch, while ptraced, the real parent doesn't get
notifications for job control events, so although it can access those
events, the later waitid(2) call never wakes up.
tracee: SIGSTOP
mommy : WAIT status=19 code=05
tracee: SIGCONT
tracee: SIGSTOP
tracee: SIGCONT
tracee: SIGSTOP
tracee: SIGCONT
tracee: SIGSTOP
tracer: EXITING
mommy : WAIT status=19 code=05
^C
After this patch, it works as expected.
tracee: SIGSTOP
mommy : WAIT status=19 code=05
tracee: SIGCONT
mommy : WAIT status=18 code=06
tracee: SIGSTOP
mommy : WAIT status=19 code=05
tracee: SIGCONT
mommy : WAIT status=18 code=06
tracee: SIGSTOP
mommy : WAIT status=19 code=05
tracee: SIGCONT
mommy : WAIT status=18 code=06
tracee: SIGSTOP
tracer: EXITING
mommy : WAIT status=19 code=05
^C
-v2: Oleg pointed out that
* Group stop notification to the real parent should also happen
when ptracer detach races with ptrace_stop().
* real_parent_is_ptracer() should be testing thread group
equality not the task itself as wait(2) and stop/cont
notifications are normally thread-group wide.
Both issues are fixed accordingly.
-v3: real_parent_is_ptracer() updated to test child->real_parent
instead of child->group_leader->real_parent per Oleg's
suggestion.
Signed-off-by: Tejun Heo <tj@kernel.org>
Acked-by: Oleg Nesterov <oleg@redhat.com>
2011-03-23 17:37:01 +08:00
|
|
|
|
2008-04-30 15:52:44 +08:00
|
|
|
goto relock;
|
|
|
|
}
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
for (;;) {
|
|
|
|
struct k_sigaction *ka;
|
2021-11-16 03:47:13 +08:00
|
|
|
enum pid_type type;
|
2009-12-16 08:47:26 +08:00
|
|
|
|
2021-11-16 01:55:57 +08:00
|
|
|
/* Has this task already been marked for death? */
|
2021-06-24 15:14:30 +08:00
|
|
|
if ((signal->flags & SIGNAL_GROUP_EXIT) ||
|
|
|
|
signal->group_exec_task) {
|
2022-11-28 14:56:06 +08:00
|
|
|
clear_siginfo(&ksig->info);
|
2021-11-16 01:55:57 +08:00
|
|
|
ksig->info.si_signo = signr = SIGKILL;
|
|
|
|
sigdelset(¤t->pending.signal, SIGKILL);
|
|
|
|
trace_signal_deliver(SIGKILL, SEND_SIG_NOINFO,
|
|
|
|
&sighand->action[SIGKILL - 1]);
|
|
|
|
recalc_sigpending();
|
|
|
|
goto fatal;
|
|
|
|
}
|
2009-12-16 08:47:26 +08:00
|
|
|
|
2011-06-02 17:14:00 +08:00
|
|
|
if (unlikely(current->jobctl & JOBCTL_STOP_PENDING) &&
|
|
|
|
do_signal_stop(0))
|
2008-07-26 10:45:53 +08:00
|
|
|
goto relock;
|
2009-12-16 08:47:26 +08:00
|
|
|
|
cgroup: cgroup v2 freezer
Cgroup v1 implements the freezer controller, which provides an ability
to stop the workload in a cgroup and temporarily free up some
resources (cpu, io, network bandwidth and, potentially, memory)
for some other tasks. Cgroup v2 lacks this functionality.
This patch implements freezer for cgroup v2.
Cgroup v2 freezer tries to put tasks into a state similar to jobctl
stop. This means that tasks can be killed, ptraced (using
PTRACE_SEIZE*), and interrupted. It is possible to attach to
a frozen task, get some information (e.g. read registers) and detach.
It's also possible to migrate a frozen tasks to another cgroup.
This differs cgroup v2 freezer from cgroup v1 freezer, which mostly
tried to imitate the system-wide freezer. However uninterruptible
sleep is fine when all tasks are going to be frozen (hibernation case),
it's not the acceptable state for some subset of the system.
Cgroup v2 freezer is not supporting freezing kthreads.
If a non-root cgroup contains kthread, the cgroup still can be frozen,
but the kthread will remain running, the cgroup will be shown
as non-frozen, and the notification will not be delivered.
* PTRACE_ATTACH is not working because non-fatal signal delivery
is blocked in frozen state.
There are some interface differences between cgroup v1 and cgroup v2
freezer too, which are required to conform the cgroup v2 interface
design principles:
1) There is no separate controller, which has to be turned on:
the functionality is always available and is represented by
cgroup.freeze and cgroup.events cgroup control files.
2) The desired state is defined by the cgroup.freeze control file.
Any hierarchical configuration is allowed.
3) The interface is asynchronous. The actual state is available
using cgroup.events control file ("frozen" field). There are no
dedicated transitional states.
4) It's allowed to make any changes with the cgroup hierarchy
(create new cgroups, remove old cgroups, move tasks between cgroups)
no matter if some cgroups are frozen.
Signed-off-by: Roman Gushchin <guro@fb.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
No-objection-from-me-by: Oleg Nesterov <oleg@redhat.com>
Cc: kernel-team@fb.com
2019-04-20 01:03:04 +08:00
|
|
|
if (unlikely(current->jobctl &
|
|
|
|
(JOBCTL_TRAP_MASK | JOBCTL_TRAP_FREEZE))) {
|
|
|
|
if (current->jobctl & JOBCTL_TRAP_MASK) {
|
|
|
|
do_jobctl_trap();
|
|
|
|
spin_unlock_irq(&sighand->siglock);
|
|
|
|
} else if (current->jobctl & JOBCTL_TRAP_FREEZE)
|
|
|
|
do_freezer_trap();
|
|
|
|
|
|
|
|
goto relock;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* If the task is leaving the frozen state, let's update
|
|
|
|
* cgroup counters and reset the frozen bit.
|
|
|
|
*/
|
|
|
|
if (unlikely(cgroup_task_frozen(current))) {
|
2011-06-14 17:20:14 +08:00
|
|
|
spin_unlock_irq(&sighand->siglock);
|
2019-04-27 01:59:44 +08:00
|
|
|
cgroup_leave_frozen(false);
|
2011-06-14 17:20:14 +08:00
|
|
|
goto relock;
|
|
|
|
}
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2019-02-07 07:51:47 +08:00
|
|
|
/*
|
|
|
|
* Signals generated by the execution of an instruction
|
|
|
|
* need to be delivered before any other pending signals
|
|
|
|
* so that the instruction pointer in the signal stack
|
|
|
|
* frame points to the faulting instruction.
|
|
|
|
*/
|
2021-11-16 03:47:13 +08:00
|
|
|
type = PIDTYPE_PID;
|
2019-02-07 07:51:47 +08:00
|
|
|
signr = dequeue_synchronous_signal(&ksig->info);
|
|
|
|
if (!signr)
|
2021-11-16 03:47:13 +08:00
|
|
|
signr = dequeue_signal(current, ¤t->blocked,
|
|
|
|
&ksig->info, &type);
|
2008-07-26 10:45:53 +08:00
|
|
|
|
2011-06-02 17:14:00 +08:00
|
|
|
if (!signr)
|
|
|
|
break; /* will return 0 */
|
2008-07-26 10:45:53 +08:00
|
|
|
|
2021-10-29 22:14:19 +08:00
|
|
|
if (unlikely(current->ptrace) && (signr != SIGKILL) &&
|
|
|
|
!(sighand->action[signr -1].sa.sa_flags & SA_IMMUTABLE)) {
|
2021-11-16 03:47:13 +08:00
|
|
|
signr = ptrace_signal(signr, &ksig->info, type);
|
2011-06-02 17:14:00 +08:00
|
|
|
if (!signr)
|
|
|
|
continue;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
2011-06-02 17:14:00 +08:00
|
|
|
ka = &sighand->action[signr-1];
|
|
|
|
|
2009-11-25 05:56:51 +08:00
|
|
|
/* Trace actually delivered signals. */
|
2013-10-07 21:26:57 +08:00
|
|
|
trace_signal_deliver(signr, &ksig->info, ka);
|
2009-11-25 05:56:51 +08:00
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
if (ka->sa.sa_handler == SIG_IGN) /* Do nothing. */
|
|
|
|
continue;
|
|
|
|
if (ka->sa.sa_handler != SIG_DFL) {
|
|
|
|
/* Run the handler. */
|
2013-10-07 21:26:57 +08:00
|
|
|
ksig->ka = *ka;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
if (ka->sa.sa_flags & SA_ONESHOT)
|
|
|
|
ka->sa.sa_handler = SIG_DFL;
|
|
|
|
|
|
|
|
break; /* will return non-zero "signr" value */
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Now we are doing the default action for this signal.
|
|
|
|
*/
|
|
|
|
if (sig_kernel_ignore(signr)) /* Default is nothing. */
|
|
|
|
continue;
|
|
|
|
|
2006-12-08 18:38:01 +08:00
|
|
|
/*
|
2007-10-19 14:40:13 +08:00
|
|
|
* Global init gets no signals it doesn't want.
|
2009-04-03 07:58:08 +08:00
|
|
|
* Container-init gets no signals it doesn't want from same
|
|
|
|
* container.
|
|
|
|
*
|
|
|
|
* Note that if global/container-init sees a sig_kernel_only()
|
|
|
|
* signal here, the signal must have been generated internally
|
|
|
|
* or must have come from an ancestor namespace. In either
|
|
|
|
* case, the signal cannot be dropped.
|
2006-12-08 18:38:01 +08:00
|
|
|
*/
|
2008-04-30 15:53:03 +08:00
|
|
|
if (unlikely(signal->flags & SIGNAL_UNKILLABLE) &&
|
2009-04-03 07:58:08 +08:00
|
|
|
!sig_kernel_only(signr))
|
2005-04-17 06:20:36 +08:00
|
|
|
continue;
|
|
|
|
|
|
|
|
if (sig_kernel_stop(signr)) {
|
|
|
|
/*
|
|
|
|
* The default action is to stop all threads in
|
|
|
|
* the thread group. The job control signals
|
|
|
|
* do nothing in an orphaned pgrp, but SIGSTOP
|
|
|
|
* always works. Note that siglock needs to be
|
|
|
|
* dropped during the call to is_orphaned_pgrp()
|
|
|
|
* because of lock ordering with tasklist_lock.
|
|
|
|
* This allows an intervening SIGCONT to be posted.
|
|
|
|
* We need to check for that and bail out if necessary.
|
|
|
|
*/
|
|
|
|
if (signr != SIGSTOP) {
|
2008-04-30 15:52:47 +08:00
|
|
|
spin_unlock_irq(&sighand->siglock);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
/* signals can be posted during this window */
|
|
|
|
|
2007-02-12 16:52:58 +08:00
|
|
|
if (is_current_pgrp_orphaned())
|
2005-04-17 06:20:36 +08:00
|
|
|
goto relock;
|
|
|
|
|
2008-04-30 15:52:47 +08:00
|
|
|
spin_lock_irq(&sighand->siglock);
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
2013-10-07 21:26:57 +08:00
|
|
|
if (likely(do_signal_stop(ksig->info.si_signo))) {
|
2005-04-17 06:20:36 +08:00
|
|
|
/* It released the siglock. */
|
|
|
|
goto relock;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* We didn't actually stop, due to a race
|
|
|
|
* with SIGCONT or something like that.
|
|
|
|
*/
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
|
2019-02-07 08:39:40 +08:00
|
|
|
fatal:
|
2008-04-30 15:52:47 +08:00
|
|
|
spin_unlock_irq(&sighand->siglock);
|
2019-05-09 04:34:20 +08:00
|
|
|
if (unlikely(cgroup_task_frozen(current)))
|
|
|
|
cgroup_leave_frozen(true);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Anything else is fatal, maybe with a core dump.
|
|
|
|
*/
|
|
|
|
current->flags |= PF_SIGNALED;
|
2008-04-30 15:52:58 +08:00
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
if (sig_kernel_coredump(signr)) {
|
2008-04-30 15:52:58 +08:00
|
|
|
if (print_fatal_signals)
|
2013-10-07 21:26:57 +08:00
|
|
|
print_fatal_signal(ksig->info.si_signo);
|
2013-03-20 04:50:05 +08:00
|
|
|
proc_coredump_connector(current);
|
2005-04-17 06:20:36 +08:00
|
|
|
/*
|
|
|
|
* If it was able to dump core, this kills all
|
|
|
|
* other threads in the group and synchronizes with
|
|
|
|
* their demise. If we lost the race with another
|
|
|
|
* thread getting here, it set group_exit_code
|
|
|
|
* first and our do_group_exit call below will use
|
|
|
|
* that value and ignore the one we pass it.
|
|
|
|
*/
|
2013-10-07 21:26:57 +08:00
|
|
|
do_coredump(&ksig->info);
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
2021-03-26 22:57:10 +08:00
|
|
|
/*
|
|
|
|
* PF_IO_WORKER threads will catch and exit on fatal signals
|
|
|
|
* themselves. They have cleanup that must be performed, so
|
|
|
|
* we cannot call do_exit() on their behalf.
|
|
|
|
*/
|
|
|
|
if (current->flags & PF_IO_WORKER)
|
|
|
|
goto out;
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
/*
|
|
|
|
* Death signals, no core dump.
|
|
|
|
*/
|
2013-10-07 21:26:57 +08:00
|
|
|
do_group_exit(ksig->info.si_signo);
|
2005-04-17 06:20:36 +08:00
|
|
|
/* NOTREACHED */
|
|
|
|
}
|
2008-04-30 15:52:47 +08:00
|
|
|
spin_unlock_irq(&sighand->siglock);
|
2021-03-26 22:57:10 +08:00
|
|
|
out:
|
2013-10-07 21:26:57 +08:00
|
|
|
ksig->sig = signr;
|
2020-11-21 04:33:45 +08:00
|
|
|
|
|
|
|
if (!(ksig->ka.sa.sa_flags & SA_EXPOSE_TAGBITS))
|
|
|
|
hide_si_addr_tag_bits(ksig);
|
|
|
|
|
2013-10-07 21:26:57 +08:00
|
|
|
return ksig->sig > 0;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
2012-01-11 07:11:17 +08:00
|
|
|
/**
|
2021-12-22 11:10:27 +08:00
|
|
|
* signal_delivered - called after signal delivery to update blocked signals
|
2014-07-13 19:36:04 +08:00
|
|
|
* @ksig: kernel signal struct
|
2012-04-28 14:04:15 +08:00
|
|
|
* @stepping: nonzero if debugger single-step or block-step in use
|
2012-01-11 07:11:17 +08:00
|
|
|
*
|
2014-02-18 21:54:36 +08:00
|
|
|
* This function should be called when a signal has successfully been
|
2014-07-13 19:36:04 +08:00
|
|
|
* delivered. It updates the blocked signals accordingly (@ksig->ka.sa.sa_mask
|
2021-12-22 11:10:27 +08:00
|
|
|
* is always blocked), and the signal itself is blocked unless %SA_NODEFER
|
2014-07-13 19:36:04 +08:00
|
|
|
* is set in @ksig->ka.sa.sa_flags. Tracing is notified.
|
2012-01-11 07:11:17 +08:00
|
|
|
*/
|
2014-07-13 19:36:04 +08:00
|
|
|
static void signal_delivered(struct ksignal *ksig, int stepping)
|
2012-01-11 07:11:17 +08:00
|
|
|
{
|
|
|
|
sigset_t blocked;
|
|
|
|
|
2012-05-22 11:42:15 +08:00
|
|
|
/* A signal was successfully delivered, and the
|
|
|
|
saved sigmask was stored on the signal frame,
|
|
|
|
and will be restored by sigreturn. So we can
|
|
|
|
simply clear the restore sigmask flag. */
|
|
|
|
clear_restore_sigmask();
|
|
|
|
|
2014-07-13 19:36:04 +08:00
|
|
|
sigorsets(&blocked, ¤t->blocked, &ksig->ka.sa.sa_mask);
|
|
|
|
if (!(ksig->ka.sa.sa_flags & SA_NODEFER))
|
|
|
|
sigaddset(&blocked, ksig->sig);
|
2012-01-11 07:11:17 +08:00
|
|
|
set_current_blocked(&blocked);
|
2021-07-01 09:56:43 +08:00
|
|
|
if (current->sas_ss_flags & SS_AUTODISARM)
|
|
|
|
sas_ss_reset(current);
|
2022-01-28 02:04:27 +08:00
|
|
|
if (stepping)
|
2022-01-28 02:15:32 +08:00
|
|
|
ptrace_notify(SIGTRAP, 0);
|
2012-01-11 07:11:17 +08:00
|
|
|
}
|
|
|
|
|
2012-11-08 04:11:25 +08:00
|
|
|
void signal_setup_done(int failed, struct ksignal *ksig, int stepping)
|
|
|
|
{
|
|
|
|
if (failed)
|
2019-05-21 23:03:48 +08:00
|
|
|
force_sigsegv(ksig->sig);
|
2012-11-08 04:11:25 +08:00
|
|
|
else
|
2014-07-13 19:36:04 +08:00
|
|
|
signal_delivered(ksig, stepping);
|
2012-11-08 04:11:25 +08:00
|
|
|
}
|
|
|
|
|
2011-04-28 01:17:37 +08:00
|
|
|
/*
|
|
|
|
* It could be that complete_signal() picked us to notify about the
|
2011-04-28 01:50:21 +08:00
|
|
|
* group-wide signal. Other threads should be notified now to take
|
|
|
|
* the shared signals in @which since we will not.
|
2011-04-28 01:17:37 +08:00
|
|
|
*/
|
2011-04-28 01:18:39 +08:00
|
|
|
static void retarget_shared_pending(struct task_struct *tsk, sigset_t *which)
|
2011-04-28 01:17:37 +08:00
|
|
|
{
|
2011-04-28 01:18:39 +08:00
|
|
|
sigset_t retarget;
|
2011-04-28 01:17:37 +08:00
|
|
|
struct task_struct *t;
|
|
|
|
|
2011-04-28 01:18:39 +08:00
|
|
|
sigandsets(&retarget, &tsk->signal->shared_pending.signal, which);
|
|
|
|
if (sigisemptyset(&retarget))
|
|
|
|
return;
|
|
|
|
|
2011-04-28 01:17:37 +08:00
|
|
|
t = tsk;
|
|
|
|
while_each_thread(tsk, t) {
|
2011-04-28 01:50:21 +08:00
|
|
|
if (t->flags & PF_EXITING)
|
|
|
|
continue;
|
|
|
|
|
|
|
|
if (!has_pending_signals(&retarget, &t->blocked))
|
|
|
|
continue;
|
|
|
|
/* Remove the signals this thread can handle. */
|
|
|
|
sigandsets(&retarget, &retarget, &t->blocked);
|
|
|
|
|
2020-10-27 04:32:27 +08:00
|
|
|
if (!task_sigpending(t))
|
2011-04-28 01:50:21 +08:00
|
|
|
signal_wake_up(t, 0);
|
|
|
|
|
|
|
|
if (sigisemptyset(&retarget))
|
|
|
|
break;
|
2011-04-28 01:17:37 +08:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2008-02-08 20:19:12 +08:00
|
|
|
void exit_signals(struct task_struct *tsk)
|
|
|
|
{
|
|
|
|
int group_stop = 0;
|
2011-04-28 01:18:39 +08:00
|
|
|
sigset_t unblocked;
|
2008-02-08 20:19:12 +08:00
|
|
|
|
2011-12-13 10:12:21 +08:00
|
|
|
/*
|
|
|
|
* @tsk is about to have PF_EXITING set - lock out users which
|
|
|
|
* expect stable threadgroup.
|
|
|
|
*/
|
2017-02-02 18:50:56 +08:00
|
|
|
cgroup_threadgroup_change_begin(tsk);
|
2011-12-13 10:12:21 +08:00
|
|
|
|
2021-06-24 15:14:30 +08:00
|
|
|
if (thread_group_empty(tsk) || (tsk->signal->flags & SIGNAL_GROUP_EXIT)) {
|
2008-02-08 20:19:13 +08:00
|
|
|
tsk->flags |= PF_EXITING;
|
2017-02-02 18:50:56 +08:00
|
|
|
cgroup_threadgroup_change_end(tsk);
|
2008-02-08 20:19:13 +08:00
|
|
|
return;
|
2008-02-08 20:19:12 +08:00
|
|
|
}
|
|
|
|
|
2008-02-08 20:19:13 +08:00
|
|
|
spin_lock_irq(&tsk->sighand->siglock);
|
2008-02-08 20:19:12 +08:00
|
|
|
/*
|
|
|
|
* From now this task is not visible for group-wide signals,
|
|
|
|
* see wants_signal(), do_signal_stop().
|
|
|
|
*/
|
|
|
|
tsk->flags |= PF_EXITING;
|
2011-12-13 10:12:21 +08:00
|
|
|
|
2017-02-02 18:50:56 +08:00
|
|
|
cgroup_threadgroup_change_end(tsk);
|
2011-12-13 10:12:21 +08:00
|
|
|
|
2020-10-27 04:32:27 +08:00
|
|
|
if (!task_sigpending(tsk))
|
2008-02-08 20:19:13 +08:00
|
|
|
goto out;
|
|
|
|
|
2011-04-28 01:18:39 +08:00
|
|
|
unblocked = tsk->blocked;
|
|
|
|
signotset(&unblocked);
|
|
|
|
retarget_shared_pending(tsk, &unblocked);
|
2008-02-08 20:19:13 +08:00
|
|
|
|
2011-06-02 17:13:59 +08:00
|
|
|
if (unlikely(tsk->jobctl & JOBCTL_STOP_PENDING) &&
|
signal: Fix premature completion of group stop when interfered by ptrace
task->signal->group_stop_count is used to track the progress of group
stop. It's initialized to the number of tasks which need to stop for
group stop to finish and each stopping or trapping task decrements.
However, each task doesn't keep track of whether it decremented the
counter or not and if woken up before the group stop is complete and
stops again, it can decrement the counter multiple times.
Please consider the following example code.
static void *worker(void *arg)
{
while (1) ;
return NULL;
}
int main(void)
{
pthread_t thread;
pid_t pid;
int i;
pid = fork();
if (!pid) {
for (i = 0; i < 5; i++)
pthread_create(&thread, NULL, worker, NULL);
while (1) ;
return 0;
}
ptrace(PTRACE_ATTACH, pid, NULL, NULL);
while (1) {
waitid(P_PID, pid, NULL, WSTOPPED);
ptrace(PTRACE_SINGLESTEP, pid, NULL, (void *)(long)SIGSTOP);
}
return 0;
}
The child creates five threads and the parent continuously traps the
first thread and whenever the child gets a signal, SIGSTOP is
delivered. If an external process sends SIGSTOP to the child, all
other threads in the process should reliably stop. However, due to
the above bug, the first thread will often end up consuming
group_stop_count multiple times and SIGSTOP often ends up stopping
none or part of the other four threads.
This patch adds a new field task->group_stop which is protected by
siglock and uses GROUP_STOP_CONSUME flag to track which task is still
to consume group_stop_count to fix this bug.
task_clear_group_stop_pending() and task_participate_group_stop() are
added to help manipulating group stop states. As ptrace_stop() now
also uses task_participate_group_stop(), it will set
SIGNAL_STOP_STOPPED if it completes a group stop.
There still are many issues regarding the interaction between group
stop and ptrace. Patches to address them will follow.
- Oleg spotted duplicate GROUP_STOP_CONSUME. Dropped.
Signed-off-by: Tejun Heo <tj@kernel.org>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Cc: Roland McGrath <roland@redhat.com>
2011-03-23 17:37:00 +08:00
|
|
|
task_participate_group_stop(tsk))
|
2011-03-23 17:37:00 +08:00
|
|
|
group_stop = CLD_STOPPED;
|
2008-02-08 20:19:13 +08:00
|
|
|
out:
|
2008-02-08 20:19:12 +08:00
|
|
|
spin_unlock_irq(&tsk->sighand->siglock);
|
|
|
|
|
2011-03-23 17:37:01 +08:00
|
|
|
/*
|
|
|
|
* If group stop has completed, deliver the notification. This
|
|
|
|
* should always go to the real parent of the group leader.
|
|
|
|
*/
|
2009-09-24 06:56:53 +08:00
|
|
|
if (unlikely(group_stop)) {
|
2008-02-08 20:19:12 +08:00
|
|
|
read_lock(&tasklist_lock);
|
2011-03-23 17:37:01 +08:00
|
|
|
do_notify_parent_cldstop(tsk, false, group_stop);
|
2008-02-08 20:19:12 +08:00
|
|
|
read_unlock(&tasklist_lock);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
/*
|
|
|
|
* System call entry points.
|
|
|
|
*/
|
|
|
|
|
2011-04-05 06:00:26 +08:00
|
|
|
/**
|
|
|
|
* sys_restart_syscall - restart a system call
|
|
|
|
*/
|
2009-01-14 21:14:09 +08:00
|
|
|
SYSCALL_DEFINE0(restart_syscall)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2015-02-13 07:01:14 +08:00
|
|
|
struct restart_block *restart = ¤t->restart_block;
|
2005-04-17 06:20:36 +08:00
|
|
|
return restart->fn(restart);
|
|
|
|
}
|
|
|
|
|
|
|
|
long do_no_restart_syscall(struct restart_block *param)
|
|
|
|
{
|
|
|
|
return -EINTR;
|
|
|
|
}
|
|
|
|
|
2011-04-28 03:56:14 +08:00
|
|
|
static void __set_task_blocked(struct task_struct *tsk, const sigset_t *newset)
|
|
|
|
{
|
2020-10-27 04:32:27 +08:00
|
|
|
if (task_sigpending(tsk) && !thread_group_empty(tsk)) {
|
2011-04-28 03:56:14 +08:00
|
|
|
sigset_t newblocked;
|
|
|
|
/* A set of now blocked but previously unblocked signals. */
|
2011-04-28 04:01:27 +08:00
|
|
|
sigandnsets(&newblocked, newset, ¤t->blocked);
|
2011-04-28 03:56:14 +08:00
|
|
|
retarget_shared_pending(tsk, &newblocked);
|
|
|
|
}
|
|
|
|
tsk->blocked = *newset;
|
|
|
|
recalc_sigpending();
|
|
|
|
}
|
|
|
|
|
signal: sigprocmask() should do retarget_shared_pending()
In short, almost every changing of current->blocked is wrong, or at least
can lead to the unexpected results.
For example. Two threads T1 and T2, T1 sleeps in sigtimedwait/pause/etc.
kill(tgid, SIG) can pick T2 for TIF_SIGPENDING. If T2 calls sigprocmask()
and blocks SIG before it notices the pending signal, nobody else can handle
this pending shared signal.
I am not sure this is bug, but at least this looks strange imho. T1 should
not sleep forever, there is a signal which should wake it up.
This patch moves the code which actually changes ->blocked into the new
helper, set_current_blocked() and changes this code to call
retarget_shared_pending() as exit_signals() does. We should only care about
the signals we just blocked, we use "newset & ~current->blocked" as a mask.
We do not check !sigisemptyset(newblocked), retarget_shared_pending() is
cheap unless mask & shared_pending.
Note: for this particular case we could simply change sigprocmask() to
return -EINTR if signal_pending(), but then we should change other callers
and, more importantly, if we need this fix then set_current_blocked() will
have more callers and some of them can't restart. See the next patch as a
random example.
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Reviewed-by: Matt Fleming <matt.fleming@linux.intel.com>
Acked-by: Tejun Heo <tj@kernel.org>
2011-04-28 02:59:41 +08:00
|
|
|
/**
|
|
|
|
* set_current_blocked - change current->blocked mask
|
|
|
|
* @newset: new mask
|
|
|
|
*
|
|
|
|
* It is wrong to change ->blocked directly, this helper should be used
|
|
|
|
* to ensure the process can't miss a shared signal we are going to block.
|
2005-04-17 06:20:36 +08:00
|
|
|
*/
|
2012-04-28 01:58:59 +08:00
|
|
|
void set_current_blocked(sigset_t *newset)
|
|
|
|
{
|
|
|
|
sigdelsetmask(newset, sigmask(SIGKILL) | sigmask(SIGSTOP));
|
2013-01-06 02:13:29 +08:00
|
|
|
__set_current_blocked(newset);
|
2012-04-28 01:58:59 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
void __set_current_blocked(const sigset_t *newset)
|
signal: sigprocmask() should do retarget_shared_pending()
In short, almost every changing of current->blocked is wrong, or at least
can lead to the unexpected results.
For example. Two threads T1 and T2, T1 sleeps in sigtimedwait/pause/etc.
kill(tgid, SIG) can pick T2 for TIF_SIGPENDING. If T2 calls sigprocmask()
and blocks SIG before it notices the pending signal, nobody else can handle
this pending shared signal.
I am not sure this is bug, but at least this looks strange imho. T1 should
not sleep forever, there is a signal which should wake it up.
This patch moves the code which actually changes ->blocked into the new
helper, set_current_blocked() and changes this code to call
retarget_shared_pending() as exit_signals() does. We should only care about
the signals we just blocked, we use "newset & ~current->blocked" as a mask.
We do not check !sigisemptyset(newblocked), retarget_shared_pending() is
cheap unless mask & shared_pending.
Note: for this particular case we could simply change sigprocmask() to
return -EINTR if signal_pending(), but then we should change other callers
and, more importantly, if we need this fix then set_current_blocked() will
have more callers and some of them can't restart. See the next patch as a
random example.
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Reviewed-by: Matt Fleming <matt.fleming@linux.intel.com>
Acked-by: Tejun Heo <tj@kernel.org>
2011-04-28 02:59:41 +08:00
|
|
|
{
|
|
|
|
struct task_struct *tsk = current;
|
|
|
|
|
2016-12-15 07:04:10 +08:00
|
|
|
/*
|
|
|
|
* In case the signal mask hasn't changed, there is nothing we need
|
|
|
|
* to do. The current->blocked shouldn't be modified by other task.
|
|
|
|
*/
|
|
|
|
if (sigequalsets(&tsk->blocked, newset))
|
|
|
|
return;
|
|
|
|
|
signal: sigprocmask() should do retarget_shared_pending()
In short, almost every changing of current->blocked is wrong, or at least
can lead to the unexpected results.
For example. Two threads T1 and T2, T1 sleeps in sigtimedwait/pause/etc.
kill(tgid, SIG) can pick T2 for TIF_SIGPENDING. If T2 calls sigprocmask()
and blocks SIG before it notices the pending signal, nobody else can handle
this pending shared signal.
I am not sure this is bug, but at least this looks strange imho. T1 should
not sleep forever, there is a signal which should wake it up.
This patch moves the code which actually changes ->blocked into the new
helper, set_current_blocked() and changes this code to call
retarget_shared_pending() as exit_signals() does. We should only care about
the signals we just blocked, we use "newset & ~current->blocked" as a mask.
We do not check !sigisemptyset(newblocked), retarget_shared_pending() is
cheap unless mask & shared_pending.
Note: for this particular case we could simply change sigprocmask() to
return -EINTR if signal_pending(), but then we should change other callers
and, more importantly, if we need this fix then set_current_blocked() will
have more callers and some of them can't restart. See the next patch as a
random example.
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Reviewed-by: Matt Fleming <matt.fleming@linux.intel.com>
Acked-by: Tejun Heo <tj@kernel.org>
2011-04-28 02:59:41 +08:00
|
|
|
spin_lock_irq(&tsk->sighand->siglock);
|
2011-04-28 03:56:14 +08:00
|
|
|
__set_task_blocked(tsk, newset);
|
signal: sigprocmask() should do retarget_shared_pending()
In short, almost every changing of current->blocked is wrong, or at least
can lead to the unexpected results.
For example. Two threads T1 and T2, T1 sleeps in sigtimedwait/pause/etc.
kill(tgid, SIG) can pick T2 for TIF_SIGPENDING. If T2 calls sigprocmask()
and blocks SIG before it notices the pending signal, nobody else can handle
this pending shared signal.
I am not sure this is bug, but at least this looks strange imho. T1 should
not sleep forever, there is a signal which should wake it up.
This patch moves the code which actually changes ->blocked into the new
helper, set_current_blocked() and changes this code to call
retarget_shared_pending() as exit_signals() does. We should only care about
the signals we just blocked, we use "newset & ~current->blocked" as a mask.
We do not check !sigisemptyset(newblocked), retarget_shared_pending() is
cheap unless mask & shared_pending.
Note: for this particular case we could simply change sigprocmask() to
return -EINTR if signal_pending(), but then we should change other callers
and, more importantly, if we need this fix then set_current_blocked() will
have more callers and some of them can't restart. See the next patch as a
random example.
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Reviewed-by: Matt Fleming <matt.fleming@linux.intel.com>
Acked-by: Tejun Heo <tj@kernel.org>
2011-04-28 02:59:41 +08:00
|
|
|
spin_unlock_irq(&tsk->sighand->siglock);
|
|
|
|
}
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
/*
|
|
|
|
* This is also useful for kernel threads that want to temporarily
|
|
|
|
* (or permanently) block certain signals.
|
|
|
|
*
|
|
|
|
* NOTE! Unlike the user-mode sys_sigprocmask(), the kernel
|
|
|
|
* interface happily blocks "unblockable" signals like SIGKILL
|
|
|
|
* and friends.
|
|
|
|
*/
|
|
|
|
int sigprocmask(int how, sigset_t *set, sigset_t *oldset)
|
|
|
|
{
|
2011-04-28 01:54:20 +08:00
|
|
|
struct task_struct *tsk = current;
|
|
|
|
sigset_t newset;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2011-04-28 01:54:20 +08:00
|
|
|
/* Lockless, only current can change ->blocked, never from irq */
|
2006-03-23 19:00:49 +08:00
|
|
|
if (oldset)
|
2011-04-28 01:54:20 +08:00
|
|
|
*oldset = tsk->blocked;
|
2006-03-23 19:00:49 +08:00
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
switch (how) {
|
|
|
|
case SIG_BLOCK:
|
2011-04-28 01:54:20 +08:00
|
|
|
sigorsets(&newset, &tsk->blocked, set);
|
2005-04-17 06:20:36 +08:00
|
|
|
break;
|
|
|
|
case SIG_UNBLOCK:
|
2011-04-28 04:01:27 +08:00
|
|
|
sigandnsets(&newset, &tsk->blocked, set);
|
2005-04-17 06:20:36 +08:00
|
|
|
break;
|
|
|
|
case SIG_SETMASK:
|
2011-04-28 01:54:20 +08:00
|
|
|
newset = *set;
|
2005-04-17 06:20:36 +08:00
|
|
|
break;
|
|
|
|
default:
|
2011-04-28 01:54:20 +08:00
|
|
|
return -EINVAL;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
2006-03-23 19:00:49 +08:00
|
|
|
|
2012-04-28 01:58:59 +08:00
|
|
|
__set_current_blocked(&newset);
|
2011-04-28 01:54:20 +08:00
|
|
|
return 0;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
2018-09-14 01:26:35 +08:00
|
|
|
EXPORT_SYMBOL(sigprocmask);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2018-09-20 12:41:04 +08:00
|
|
|
/*
|
|
|
|
* The api helps set app-provided sigmasks.
|
|
|
|
*
|
|
|
|
* This is useful for syscalls such as ppoll, pselect, io_pgetevents and
|
|
|
|
* epoll_pwait where a new sigmask is passed from userland for the syscalls.
|
2019-07-17 07:29:53 +08:00
|
|
|
*
|
|
|
|
* Note that it does set_restore_sigmask() in advance, so it must be always
|
|
|
|
* paired with restore_saved_sigmask_unless() before return from syscall.
|
2018-09-20 12:41:04 +08:00
|
|
|
*/
|
2019-07-17 07:29:53 +08:00
|
|
|
int set_user_sigmask(const sigset_t __user *umask, size_t sigsetsize)
|
2018-09-20 12:41:04 +08:00
|
|
|
{
|
2019-07-17 07:29:53 +08:00
|
|
|
sigset_t kmask;
|
2018-09-20 12:41:04 +08:00
|
|
|
|
2019-07-17 07:29:53 +08:00
|
|
|
if (!umask)
|
|
|
|
return 0;
|
2018-09-20 12:41:04 +08:00
|
|
|
if (sigsetsize != sizeof(sigset_t))
|
|
|
|
return -EINVAL;
|
2019-07-17 07:29:53 +08:00
|
|
|
if (copy_from_user(&kmask, umask, sizeof(sigset_t)))
|
2018-09-20 12:41:04 +08:00
|
|
|
return -EFAULT;
|
|
|
|
|
2019-07-17 07:29:53 +08:00
|
|
|
set_restore_sigmask();
|
|
|
|
current->saved_sigmask = current->blocked;
|
|
|
|
set_current_blocked(&kmask);
|
2018-09-20 12:41:04 +08:00
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
#ifdef CONFIG_COMPAT
|
2019-07-17 07:29:53 +08:00
|
|
|
int set_compat_user_sigmask(const compat_sigset_t __user *umask,
|
2018-09-20 12:41:04 +08:00
|
|
|
size_t sigsetsize)
|
|
|
|
{
|
2019-07-17 07:29:53 +08:00
|
|
|
sigset_t kmask;
|
2018-09-20 12:41:04 +08:00
|
|
|
|
2019-07-17 07:29:53 +08:00
|
|
|
if (!umask)
|
|
|
|
return 0;
|
2018-09-20 12:41:04 +08:00
|
|
|
if (sigsetsize != sizeof(compat_sigset_t))
|
|
|
|
return -EINVAL;
|
2019-07-17 07:29:53 +08:00
|
|
|
if (get_compat_sigset(&kmask, umask))
|
2018-09-20 12:41:04 +08:00
|
|
|
return -EFAULT;
|
|
|
|
|
2019-07-17 07:29:53 +08:00
|
|
|
set_restore_sigmask();
|
|
|
|
current->saved_sigmask = current->blocked;
|
|
|
|
set_current_blocked(&kmask);
|
2018-09-20 12:41:04 +08:00
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
2011-04-05 06:00:26 +08:00
|
|
|
/**
|
|
|
|
* sys_rt_sigprocmask - change the list of currently blocked signals
|
|
|
|
* @how: whether to add, remove, or set signals
|
2011-06-15 06:50:11 +08:00
|
|
|
* @nset: stores pending signals
|
2011-04-05 06:00:26 +08:00
|
|
|
* @oset: previous value of signal mask if non-null
|
|
|
|
* @sigsetsize: size of sigset_t type
|
|
|
|
*/
|
2011-04-28 03:18:10 +08:00
|
|
|
SYSCALL_DEFINE4(rt_sigprocmask, int, how, sigset_t __user *, nset,
|
2009-01-14 21:14:10 +08:00
|
|
|
sigset_t __user *, oset, size_t, sigsetsize)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
|
|
|
sigset_t old_set, new_set;
|
2011-04-28 03:18:10 +08:00
|
|
|
int error;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
/* XXX: Don't preclude handling different sized sigset_t's. */
|
|
|
|
if (sigsetsize != sizeof(sigset_t))
|
2011-04-28 03:18:10 +08:00
|
|
|
return -EINVAL;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2011-04-28 03:18:10 +08:00
|
|
|
old_set = current->blocked;
|
|
|
|
|
|
|
|
if (nset) {
|
|
|
|
if (copy_from_user(&new_set, nset, sizeof(sigset_t)))
|
|
|
|
return -EFAULT;
|
2005-04-17 06:20:36 +08:00
|
|
|
sigdelsetmask(&new_set, sigmask(SIGKILL)|sigmask(SIGSTOP));
|
|
|
|
|
2011-04-28 03:18:10 +08:00
|
|
|
error = sigprocmask(how, &new_set, NULL);
|
2005-04-17 06:20:36 +08:00
|
|
|
if (error)
|
2011-04-28 03:18:10 +08:00
|
|
|
return error;
|
|
|
|
}
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2011-04-28 03:18:10 +08:00
|
|
|
if (oset) {
|
|
|
|
if (copy_to_user(oset, &old_set, sizeof(sigset_t)))
|
|
|
|
return -EFAULT;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
2011-04-28 03:18:10 +08:00
|
|
|
|
|
|
|
return 0;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
2012-12-26 02:32:58 +08:00
|
|
|
#ifdef CONFIG_COMPAT
|
|
|
|
COMPAT_SYSCALL_DEFINE4(rt_sigprocmask, int, how, compat_sigset_t __user *, nset,
|
|
|
|
compat_sigset_t __user *, oset, compat_size_t, sigsetsize)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2012-12-26 02:32:58 +08:00
|
|
|
sigset_t old_set = current->blocked;
|
|
|
|
|
|
|
|
/* XXX: Don't preclude handling different sized sigset_t's. */
|
|
|
|
if (sigsetsize != sizeof(sigset_t))
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
if (nset) {
|
|
|
|
sigset_t new_set;
|
|
|
|
int error;
|
2017-09-04 09:45:17 +08:00
|
|
|
if (get_compat_sigset(&new_set, nset))
|
2012-12-26 02:32:58 +08:00
|
|
|
return -EFAULT;
|
|
|
|
sigdelsetmask(&new_set, sigmask(SIGKILL)|sigmask(SIGSTOP));
|
|
|
|
|
|
|
|
error = sigprocmask(how, &new_set, NULL);
|
|
|
|
if (error)
|
|
|
|
return error;
|
|
|
|
}
|
2017-08-22 07:16:11 +08:00
|
|
|
return oset ? put_compat_sigset(oset, &old_set, sizeof(*oset)) : 0;
|
2012-12-26 02:32:58 +08:00
|
|
|
}
|
|
|
|
#endif
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2018-08-22 13:00:02 +08:00
|
|
|
static void do_sigpending(sigset_t *set)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
|
|
|
spin_lock_irq(¤t->sighand->siglock);
|
2012-12-26 03:31:38 +08:00
|
|
|
sigorsets(set, ¤t->pending.signal,
|
2005-04-17 06:20:36 +08:00
|
|
|
¤t->signal->shared_pending.signal);
|
|
|
|
spin_unlock_irq(¤t->sighand->siglock);
|
|
|
|
|
|
|
|
/* Outside the lock because only this thread touches it. */
|
2012-12-26 03:31:38 +08:00
|
|
|
sigandsets(set, ¤t->blocked, set);
|
2011-04-05 05:59:31 +08:00
|
|
|
}
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2011-04-05 06:00:26 +08:00
|
|
|
/**
|
|
|
|
* sys_rt_sigpending - examine a pending signal that has been raised
|
|
|
|
* while blocked
|
2013-03-05 06:32:59 +08:00
|
|
|
* @uset: stores pending signals
|
2011-04-05 06:00:26 +08:00
|
|
|
* @sigsetsize: size of sigset_t type or larger
|
|
|
|
*/
|
2012-12-26 03:31:38 +08:00
|
|
|
SYSCALL_DEFINE2(rt_sigpending, sigset_t __user *, uset, size_t, sigsetsize)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2012-12-26 03:31:38 +08:00
|
|
|
sigset_t set;
|
2017-08-22 07:16:43 +08:00
|
|
|
|
|
|
|
if (sigsetsize > sizeof(*uset))
|
|
|
|
return -EINVAL;
|
|
|
|
|
2018-08-22 13:00:02 +08:00
|
|
|
do_sigpending(&set);
|
|
|
|
|
|
|
|
if (copy_to_user(uset, &set, sigsetsize))
|
|
|
|
return -EFAULT;
|
|
|
|
|
|
|
|
return 0;
|
2012-12-26 03:31:38 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
#ifdef CONFIG_COMPAT
|
|
|
|
COMPAT_SYSCALL_DEFINE2(rt_sigpending, compat_sigset_t __user *, uset,
|
|
|
|
compat_size_t, sigsetsize)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2012-12-26 03:31:38 +08:00
|
|
|
sigset_t set;
|
2017-08-22 07:16:43 +08:00
|
|
|
|
|
|
|
if (sigsetsize > sizeof(*uset))
|
|
|
|
return -EINVAL;
|
|
|
|
|
2018-08-22 13:00:02 +08:00
|
|
|
do_sigpending(&set);
|
|
|
|
|
|
|
|
return put_compat_sigset(uset, &set, sigsetsize);
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
2012-12-26 03:31:38 +08:00
|
|
|
#endif
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2018-09-25 18:59:31 +08:00
|
|
|
static const struct {
|
|
|
|
unsigned char limit, layout;
|
|
|
|
} sig_sicodes[] = {
|
|
|
|
[SIGILL] = { NSIGILL, SIL_FAULT },
|
|
|
|
[SIGFPE] = { NSIGFPE, SIL_FAULT },
|
|
|
|
[SIGSEGV] = { NSIGSEGV, SIL_FAULT },
|
|
|
|
[SIGBUS] = { NSIGBUS, SIL_FAULT },
|
|
|
|
[SIGTRAP] = { NSIGTRAP, SIL_FAULT },
|
|
|
|
#if defined(SIGEMT)
|
|
|
|
[SIGEMT] = { NSIGEMT, SIL_FAULT },
|
|
|
|
#endif
|
|
|
|
[SIGCHLD] = { NSIGCHLD, SIL_CHLD },
|
|
|
|
[SIGPOLL] = { NSIGPOLL, SIL_POLL },
|
|
|
|
[SIGSYS] = { NSIGSYS, SIL_SYS },
|
|
|
|
};
|
|
|
|
|
2018-10-11 09:11:25 +08:00
|
|
|
static bool known_siginfo_layout(unsigned sig, int si_code)
|
2018-09-25 18:59:31 +08:00
|
|
|
{
|
|
|
|
if (si_code == SI_KERNEL)
|
|
|
|
return true;
|
|
|
|
else if ((si_code > SI_USER)) {
|
|
|
|
if (sig_specific_sicodes(sig)) {
|
|
|
|
if (si_code <= sig_sicodes[sig].limit)
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
else if (si_code <= NSIGPOLL)
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
else if (si_code >= SI_DETHREAD)
|
|
|
|
return true;
|
|
|
|
else if (si_code == SI_ASYNCNL)
|
|
|
|
return true;
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
2018-10-11 09:29:44 +08:00
|
|
|
enum siginfo_layout siginfo_layout(unsigned sig, int si_code)
|
2017-07-17 11:36:59 +08:00
|
|
|
{
|
|
|
|
enum siginfo_layout layout = SIL_KILL;
|
|
|
|
if ((si_code > SI_USER) && (si_code < SI_KERNEL)) {
|
2018-09-25 18:59:31 +08:00
|
|
|
if ((sig < ARRAY_SIZE(sig_sicodes)) &&
|
|
|
|
(si_code <= sig_sicodes[sig].limit)) {
|
|
|
|
layout = sig_sicodes[sig].layout;
|
2018-04-25 09:59:47 +08:00
|
|
|
/* Handle the exceptions */
|
|
|
|
if ((sig == SIGBUS) &&
|
|
|
|
(si_code >= BUS_MCEERR_AR) && (si_code <= BUS_MCEERR_AO))
|
|
|
|
layout = SIL_FAULT_MCEERR;
|
|
|
|
else if ((sig == SIGSEGV) && (si_code == SEGV_BNDERR))
|
|
|
|
layout = SIL_FAULT_BNDERR;
|
|
|
|
#ifdef SEGV_PKUERR
|
|
|
|
else if ((sig == SIGSEGV) && (si_code == SEGV_PKUERR))
|
|
|
|
layout = SIL_FAULT_PKUERR;
|
|
|
|
#endif
|
2021-04-23 03:18:23 +08:00
|
|
|
else if ((sig == SIGTRAP) && (si_code == TRAP_PERF))
|
2021-05-01 06:58:56 +08:00
|
|
|
layout = SIL_FAULT_PERF_EVENT;
|
2021-05-29 02:38:19 +08:00
|
|
|
else if (IS_ENABLED(CONFIG_SPARC) &&
|
|
|
|
(sig == SIGILL) && (si_code == ILL_ILLTRP))
|
|
|
|
layout = SIL_FAULT_TRAPNO;
|
2021-05-29 03:15:51 +08:00
|
|
|
else if (IS_ENABLED(CONFIG_ALPHA) &&
|
|
|
|
((sig == SIGFPE) ||
|
|
|
|
((sig == SIGTRAP) && (si_code == TRAP_UNK))))
|
2021-05-01 06:29:36 +08:00
|
|
|
layout = SIL_FAULT_TRAPNO;
|
2018-04-25 09:59:47 +08:00
|
|
|
}
|
2017-07-17 11:36:59 +08:00
|
|
|
else if (si_code <= NSIGPOLL)
|
|
|
|
layout = SIL_POLL;
|
|
|
|
} else {
|
|
|
|
if (si_code == SI_TIMER)
|
|
|
|
layout = SIL_TIMER;
|
|
|
|
else if (si_code == SI_SIGIO)
|
|
|
|
layout = SIL_POLL;
|
|
|
|
else if (si_code < 0)
|
|
|
|
layout = SIL_RT;
|
|
|
|
}
|
|
|
|
return layout;
|
|
|
|
}
|
|
|
|
|
2018-09-25 18:59:31 +08:00
|
|
|
static inline char __user *si_expansion(const siginfo_t __user *info)
|
|
|
|
{
|
|
|
|
return ((char __user *)info) + sizeof(struct kernel_siginfo);
|
|
|
|
}
|
|
|
|
|
2018-09-25 17:27:20 +08:00
|
|
|
int copy_siginfo_to_user(siginfo_t __user *to, const kernel_siginfo_t *from)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2018-09-25 18:59:31 +08:00
|
|
|
char __user *expansion = si_expansion(to);
|
2018-09-25 17:27:20 +08:00
|
|
|
if (copy_to_user(to, from , sizeof(struct kernel_siginfo)))
|
2005-04-17 06:20:36 +08:00
|
|
|
return -EFAULT;
|
2018-09-25 18:59:31 +08:00
|
|
|
if (clear_user(expansion, SI_EXPANSION_SIZE))
|
2005-04-17 06:20:36 +08:00
|
|
|
return -EFAULT;
|
2018-04-15 02:03:25 +08:00
|
|
|
return 0;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
signal: In sigqueueinfo prefer sig not si_signo
Andrei Vagin <avagin@gmail.com> reported:
> Accoding to the man page, the user should not set si_signo, it has to be set
> by kernel.
>
> $ man 2 rt_sigqueueinfo
>
> The uinfo argument specifies the data to accompany the signal. This
> argument is a pointer to a structure of type siginfo_t, described in
> sigaction(2) (and defined by including <sigaction.h>). The caller
> should set the following fields in this structure:
>
> si_code
> This must be one of the SI_* codes in the Linux kernel source
> file include/asm-generic/siginfo.h, with the restriction that
> the code must be negative (i.e., cannot be SI_USER, which is
> used by the kernel to indicate a signal sent by kill(2)) and
> cannot (since Linux 2.6.39) be SI_TKILL (which is used by the
> kernel to indicate a signal sent using tgkill(2)).
>
> si_pid This should be set to a process ID, typically the process ID of
> the sender.
>
> si_uid This should be set to a user ID, typically the real user ID of
> the sender.
>
> si_value
> This field contains the user data to accompany the signal. For
> more information, see the description of the last (union sigval)
> argument of sigqueue(3).
>
> Internally, the kernel sets the si_signo field to the value specified
> in sig, so that the receiver of the signal can also obtain the signal
> number via that field.
>
> On Tue, Sep 25, 2018 at 07:19:02PM +0200, Eric W. Biederman wrote:
>>
>> If there is some application that calls sigqueueinfo directly that has
>> a problem with this added sanity check we can revisit this when we see
>> what kind of crazy that application is doing.
>
>
> I already know two "applications" ;)
>
> https://github.com/torvalds/linux/blob/master/tools/testing/selftests/ptrace/peeksiginfo.c
> https://github.com/checkpoint-restore/criu/blob/master/test/zdtm/static/sigpending.c
>
> Disclaimer: I'm the author of both of them.
Looking at the kernel code the historical behavior has alwasy been to prefer
the signal number passed in by the kernel.
So sigh. Implmenet __copy_siginfo_from_user and __copy_siginfo_from_user32 to
take that signal number and prefer it. The user of ptrace will still
use copy_siginfo_from_user and copy_siginfo_from_user32 as they do not and
never have had a signal number there.
Luckily this change has never made it farther than linux-next.
Fixes: e75dc036c445 ("signal: Fail sigqueueinfo if si_signo != sig")
Reported-by: Andrei Vagin <avagin@gmail.com>
Tested-by: Andrei Vagin <avagin@gmail.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2018-10-05 15:02:48 +08:00
|
|
|
static int post_copy_siginfo_from_user(kernel_siginfo_t *info,
|
|
|
|
const siginfo_t __user *from)
|
2018-04-19 06:30:19 +08:00
|
|
|
{
|
signal: In sigqueueinfo prefer sig not si_signo
Andrei Vagin <avagin@gmail.com> reported:
> Accoding to the man page, the user should not set si_signo, it has to be set
> by kernel.
>
> $ man 2 rt_sigqueueinfo
>
> The uinfo argument specifies the data to accompany the signal. This
> argument is a pointer to a structure of type siginfo_t, described in
> sigaction(2) (and defined by including <sigaction.h>). The caller
> should set the following fields in this structure:
>
> si_code
> This must be one of the SI_* codes in the Linux kernel source
> file include/asm-generic/siginfo.h, with the restriction that
> the code must be negative (i.e., cannot be SI_USER, which is
> used by the kernel to indicate a signal sent by kill(2)) and
> cannot (since Linux 2.6.39) be SI_TKILL (which is used by the
> kernel to indicate a signal sent using tgkill(2)).
>
> si_pid This should be set to a process ID, typically the process ID of
> the sender.
>
> si_uid This should be set to a user ID, typically the real user ID of
> the sender.
>
> si_value
> This field contains the user data to accompany the signal. For
> more information, see the description of the last (union sigval)
> argument of sigqueue(3).
>
> Internally, the kernel sets the si_signo field to the value specified
> in sig, so that the receiver of the signal can also obtain the signal
> number via that field.
>
> On Tue, Sep 25, 2018 at 07:19:02PM +0200, Eric W. Biederman wrote:
>>
>> If there is some application that calls sigqueueinfo directly that has
>> a problem with this added sanity check we can revisit this when we see
>> what kind of crazy that application is doing.
>
>
> I already know two "applications" ;)
>
> https://github.com/torvalds/linux/blob/master/tools/testing/selftests/ptrace/peeksiginfo.c
> https://github.com/checkpoint-restore/criu/blob/master/test/zdtm/static/sigpending.c
>
> Disclaimer: I'm the author of both of them.
Looking at the kernel code the historical behavior has alwasy been to prefer
the signal number passed in by the kernel.
So sigh. Implmenet __copy_siginfo_from_user and __copy_siginfo_from_user32 to
take that signal number and prefer it. The user of ptrace will still
use copy_siginfo_from_user and copy_siginfo_from_user32 as they do not and
never have had a signal number there.
Luckily this change has never made it farther than linux-next.
Fixes: e75dc036c445 ("signal: Fail sigqueueinfo if si_signo != sig")
Reported-by: Andrei Vagin <avagin@gmail.com>
Tested-by: Andrei Vagin <avagin@gmail.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2018-10-05 15:02:48 +08:00
|
|
|
if (unlikely(!known_siginfo_layout(info->si_signo, info->si_code))) {
|
2018-09-25 18:59:31 +08:00
|
|
|
char __user *expansion = si_expansion(from);
|
|
|
|
char buf[SI_EXPANSION_SIZE];
|
|
|
|
int i;
|
|
|
|
/*
|
|
|
|
* An unknown si_code might need more than
|
|
|
|
* sizeof(struct kernel_siginfo) bytes. Verify all of the
|
|
|
|
* extra bytes are 0. This guarantees copy_siginfo_to_user
|
|
|
|
* will return this data to userspace exactly.
|
|
|
|
*/
|
|
|
|
if (copy_from_user(&buf, expansion, SI_EXPANSION_SIZE))
|
|
|
|
return -EFAULT;
|
|
|
|
for (i = 0; i < SI_EXPANSION_SIZE; i++) {
|
|
|
|
if (buf[i] != 0)
|
|
|
|
return -E2BIG;
|
|
|
|
}
|
|
|
|
}
|
2018-04-19 06:30:19 +08:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
signal: In sigqueueinfo prefer sig not si_signo
Andrei Vagin <avagin@gmail.com> reported:
> Accoding to the man page, the user should not set si_signo, it has to be set
> by kernel.
>
> $ man 2 rt_sigqueueinfo
>
> The uinfo argument specifies the data to accompany the signal. This
> argument is a pointer to a structure of type siginfo_t, described in
> sigaction(2) (and defined by including <sigaction.h>). The caller
> should set the following fields in this structure:
>
> si_code
> This must be one of the SI_* codes in the Linux kernel source
> file include/asm-generic/siginfo.h, with the restriction that
> the code must be negative (i.e., cannot be SI_USER, which is
> used by the kernel to indicate a signal sent by kill(2)) and
> cannot (since Linux 2.6.39) be SI_TKILL (which is used by the
> kernel to indicate a signal sent using tgkill(2)).
>
> si_pid This should be set to a process ID, typically the process ID of
> the sender.
>
> si_uid This should be set to a user ID, typically the real user ID of
> the sender.
>
> si_value
> This field contains the user data to accompany the signal. For
> more information, see the description of the last (union sigval)
> argument of sigqueue(3).
>
> Internally, the kernel sets the si_signo field to the value specified
> in sig, so that the receiver of the signal can also obtain the signal
> number via that field.
>
> On Tue, Sep 25, 2018 at 07:19:02PM +0200, Eric W. Biederman wrote:
>>
>> If there is some application that calls sigqueueinfo directly that has
>> a problem with this added sanity check we can revisit this when we see
>> what kind of crazy that application is doing.
>
>
> I already know two "applications" ;)
>
> https://github.com/torvalds/linux/blob/master/tools/testing/selftests/ptrace/peeksiginfo.c
> https://github.com/checkpoint-restore/criu/blob/master/test/zdtm/static/sigpending.c
>
> Disclaimer: I'm the author of both of them.
Looking at the kernel code the historical behavior has alwasy been to prefer
the signal number passed in by the kernel.
So sigh. Implmenet __copy_siginfo_from_user and __copy_siginfo_from_user32 to
take that signal number and prefer it. The user of ptrace will still
use copy_siginfo_from_user and copy_siginfo_from_user32 as they do not and
never have had a signal number there.
Luckily this change has never made it farther than linux-next.
Fixes: e75dc036c445 ("signal: Fail sigqueueinfo if si_signo != sig")
Reported-by: Andrei Vagin <avagin@gmail.com>
Tested-by: Andrei Vagin <avagin@gmail.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2018-10-05 15:02:48 +08:00
|
|
|
static int __copy_siginfo_from_user(int signo, kernel_siginfo_t *to,
|
|
|
|
const siginfo_t __user *from)
|
|
|
|
{
|
|
|
|
if (copy_from_user(to, from, sizeof(struct kernel_siginfo)))
|
|
|
|
return -EFAULT;
|
|
|
|
to->si_signo = signo;
|
|
|
|
return post_copy_siginfo_from_user(to, from);
|
|
|
|
}
|
|
|
|
|
|
|
|
int copy_siginfo_from_user(kernel_siginfo_t *to, const siginfo_t __user *from)
|
|
|
|
{
|
|
|
|
if (copy_from_user(to, from, sizeof(struct kernel_siginfo)))
|
|
|
|
return -EFAULT;
|
|
|
|
return post_copy_siginfo_from_user(to, from);
|
|
|
|
}
|
|
|
|
|
2017-08-01 06:15:31 +08:00
|
|
|
#ifdef CONFIG_COMPAT
|
2020-05-05 18:12:53 +08:00
|
|
|
/**
|
|
|
|
* copy_siginfo_to_external32 - copy a kernel siginfo into a compat user siginfo
|
|
|
|
* @to: compat siginfo destination
|
|
|
|
* @from: kernel siginfo source
|
|
|
|
*
|
|
|
|
* Note: This function does not work properly for the SIGCHLD on x32, but
|
|
|
|
* fortunately it doesn't have to. The only valid callers for this function are
|
|
|
|
* copy_siginfo_to_user32, which is overriden for x32 and the coredump code.
|
|
|
|
* The latter does not care because SIGCHLD will never cause a coredump.
|
|
|
|
*/
|
|
|
|
void copy_siginfo_to_external32(struct compat_siginfo *to,
|
|
|
|
const struct kernel_siginfo *from)
|
2018-01-16 08:03:33 +08:00
|
|
|
{
|
2020-05-05 18:12:53 +08:00
|
|
|
memset(to, 0, sizeof(*to));
|
2018-01-16 08:03:33 +08:00
|
|
|
|
2020-05-05 18:12:53 +08:00
|
|
|
to->si_signo = from->si_signo;
|
|
|
|
to->si_errno = from->si_errno;
|
|
|
|
to->si_code = from->si_code;
|
2018-01-16 08:03:33 +08:00
|
|
|
switch(siginfo_layout(from->si_signo, from->si_code)) {
|
|
|
|
case SIL_KILL:
|
2020-05-05 18:12:53 +08:00
|
|
|
to->si_pid = from->si_pid;
|
|
|
|
to->si_uid = from->si_uid;
|
2018-01-16 08:03:33 +08:00
|
|
|
break;
|
|
|
|
case SIL_TIMER:
|
2020-05-05 18:12:53 +08:00
|
|
|
to->si_tid = from->si_tid;
|
|
|
|
to->si_overrun = from->si_overrun;
|
|
|
|
to->si_int = from->si_int;
|
2018-01-16 08:03:33 +08:00
|
|
|
break;
|
|
|
|
case SIL_POLL:
|
2020-05-05 18:12:53 +08:00
|
|
|
to->si_band = from->si_band;
|
|
|
|
to->si_fd = from->si_fd;
|
2018-01-16 08:03:33 +08:00
|
|
|
break;
|
|
|
|
case SIL_FAULT:
|
2020-05-05 18:12:53 +08:00
|
|
|
to->si_addr = ptr_to_compat(from->si_addr);
|
2021-05-01 06:29:36 +08:00
|
|
|
break;
|
|
|
|
case SIL_FAULT_TRAPNO:
|
|
|
|
to->si_addr = ptr_to_compat(from->si_addr);
|
2020-05-05 18:12:53 +08:00
|
|
|
to->si_trapno = from->si_trapno;
|
2018-04-25 09:59:47 +08:00
|
|
|
break;
|
|
|
|
case SIL_FAULT_MCEERR:
|
2020-05-05 18:12:53 +08:00
|
|
|
to->si_addr = ptr_to_compat(from->si_addr);
|
|
|
|
to->si_addr_lsb = from->si_addr_lsb;
|
2018-04-25 09:59:47 +08:00
|
|
|
break;
|
|
|
|
case SIL_FAULT_BNDERR:
|
2020-05-05 18:12:53 +08:00
|
|
|
to->si_addr = ptr_to_compat(from->si_addr);
|
|
|
|
to->si_lower = ptr_to_compat(from->si_lower);
|
|
|
|
to->si_upper = ptr_to_compat(from->si_upper);
|
2018-04-25 09:59:47 +08:00
|
|
|
break;
|
|
|
|
case SIL_FAULT_PKUERR:
|
2020-05-05 18:12:53 +08:00
|
|
|
to->si_addr = ptr_to_compat(from->si_addr);
|
|
|
|
to->si_pkey = from->si_pkey;
|
2018-01-16 08:03:33 +08:00
|
|
|
break;
|
2021-05-01 06:58:56 +08:00
|
|
|
case SIL_FAULT_PERF_EVENT:
|
2021-04-08 18:36:00 +08:00
|
|
|
to->si_addr = ptr_to_compat(from->si_addr);
|
2021-05-03 06:28:31 +08:00
|
|
|
to->si_perf_data = from->si_perf_data;
|
|
|
|
to->si_perf_type = from->si_perf_type;
|
signal: Deliver SIGTRAP on perf event asynchronously if blocked
With SIGTRAP on perf events, we have encountered termination of
processes due to user space attempting to block delivery of SIGTRAP.
Consider this case:
<set up SIGTRAP on a perf event>
...
sigset_t s;
sigemptyset(&s);
sigaddset(&s, SIGTRAP | <and others>);
sigprocmask(SIG_BLOCK, &s, ...);
...
<perf event triggers>
When the perf event triggers, while SIGTRAP is blocked, force_sig_perf()
will force the signal, but revert back to the default handler, thus
terminating the task.
This makes sense for error conditions, but not so much for explicitly
requested monitoring. However, the expectation is still that signals
generated by perf events are synchronous, which will no longer be the
case if the signal is blocked and delivered later.
To give user space the ability to clearly distinguish synchronous from
asynchronous signals, introduce siginfo_t::si_perf_flags and
TRAP_PERF_FLAG_ASYNC (opted for flags in case more binary information is
required in future).
The resolution to the problem is then to (a) no longer force the signal
(avoiding the terminations), but (b) tell user space via si_perf_flags
if the signal was synchronous or not, so that such signals can be
handled differently (e.g. let user space decide to ignore or consider
the data imprecise).
The alternative of making the kernel ignore SIGTRAP on perf events if
the signal is blocked may work for some usecases, but likely causes
issues in others that then have to revert back to interception of
sigprocmask() (which we want to avoid). [ A concrete example: when using
breakpoint perf events to track data-flow, in a region of code where
signals are blocked, data-flow can no longer be tracked accurately.
When a relevant asynchronous signal is received after unblocking the
signal, the data-flow tracking logic needs to know its state is
imprecise. ]
Fixes: 97ba62b27867 ("perf: Add support for SIGTRAP on perf events")
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Marco Elver <elver@google.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Acked-by: Geert Uytterhoeven <geert@linux-m68k.org>
Tested-by: Dmitry Vyukov <dvyukov@google.com>
Link: https://lore.kernel.org/r/20220404111204.935357-1-elver@google.com
2022-04-04 19:12:04 +08:00
|
|
|
to->si_perf_flags = from->si_perf_flags;
|
2021-04-08 18:36:00 +08:00
|
|
|
break;
|
2018-01-16 08:03:33 +08:00
|
|
|
case SIL_CHLD:
|
2020-05-05 18:12:53 +08:00
|
|
|
to->si_pid = from->si_pid;
|
|
|
|
to->si_uid = from->si_uid;
|
|
|
|
to->si_status = from->si_status;
|
|
|
|
to->si_utime = from->si_utime;
|
|
|
|
to->si_stime = from->si_stime;
|
2018-01-16 08:03:33 +08:00
|
|
|
break;
|
|
|
|
case SIL_RT:
|
2020-05-05 18:12:53 +08:00
|
|
|
to->si_pid = from->si_pid;
|
|
|
|
to->si_uid = from->si_uid;
|
|
|
|
to->si_int = from->si_int;
|
2018-01-16 08:03:33 +08:00
|
|
|
break;
|
|
|
|
case SIL_SYS:
|
2020-05-05 18:12:53 +08:00
|
|
|
to->si_call_addr = ptr_to_compat(from->si_call_addr);
|
|
|
|
to->si_syscall = from->si_syscall;
|
|
|
|
to->si_arch = from->si_arch;
|
2018-01-16 08:03:33 +08:00
|
|
|
break;
|
|
|
|
}
|
2020-05-05 18:12:53 +08:00
|
|
|
}
|
2018-01-16 08:03:33 +08:00
|
|
|
|
2020-05-05 18:12:53 +08:00
|
|
|
int __copy_siginfo_to_user32(struct compat_siginfo __user *to,
|
|
|
|
const struct kernel_siginfo *from)
|
|
|
|
{
|
|
|
|
struct compat_siginfo new;
|
|
|
|
|
|
|
|
copy_siginfo_to_external32(&new, from);
|
2018-01-16 08:03:33 +08:00
|
|
|
if (copy_to_user(to, &new, sizeof(struct compat_siginfo)))
|
|
|
|
return -EFAULT;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
signal: In sigqueueinfo prefer sig not si_signo
Andrei Vagin <avagin@gmail.com> reported:
> Accoding to the man page, the user should not set si_signo, it has to be set
> by kernel.
>
> $ man 2 rt_sigqueueinfo
>
> The uinfo argument specifies the data to accompany the signal. This
> argument is a pointer to a structure of type siginfo_t, described in
> sigaction(2) (and defined by including <sigaction.h>). The caller
> should set the following fields in this structure:
>
> si_code
> This must be one of the SI_* codes in the Linux kernel source
> file include/asm-generic/siginfo.h, with the restriction that
> the code must be negative (i.e., cannot be SI_USER, which is
> used by the kernel to indicate a signal sent by kill(2)) and
> cannot (since Linux 2.6.39) be SI_TKILL (which is used by the
> kernel to indicate a signal sent using tgkill(2)).
>
> si_pid This should be set to a process ID, typically the process ID of
> the sender.
>
> si_uid This should be set to a user ID, typically the real user ID of
> the sender.
>
> si_value
> This field contains the user data to accompany the signal. For
> more information, see the description of the last (union sigval)
> argument of sigqueue(3).
>
> Internally, the kernel sets the si_signo field to the value specified
> in sig, so that the receiver of the signal can also obtain the signal
> number via that field.
>
> On Tue, Sep 25, 2018 at 07:19:02PM +0200, Eric W. Biederman wrote:
>>
>> If there is some application that calls sigqueueinfo directly that has
>> a problem with this added sanity check we can revisit this when we see
>> what kind of crazy that application is doing.
>
>
> I already know two "applications" ;)
>
> https://github.com/torvalds/linux/blob/master/tools/testing/selftests/ptrace/peeksiginfo.c
> https://github.com/checkpoint-restore/criu/blob/master/test/zdtm/static/sigpending.c
>
> Disclaimer: I'm the author of both of them.
Looking at the kernel code the historical behavior has alwasy been to prefer
the signal number passed in by the kernel.
So sigh. Implmenet __copy_siginfo_from_user and __copy_siginfo_from_user32 to
take that signal number and prefer it. The user of ptrace will still
use copy_siginfo_from_user and copy_siginfo_from_user32 as they do not and
never have had a signal number there.
Luckily this change has never made it farther than linux-next.
Fixes: e75dc036c445 ("signal: Fail sigqueueinfo if si_signo != sig")
Reported-by: Andrei Vagin <avagin@gmail.com>
Tested-by: Andrei Vagin <avagin@gmail.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2018-10-05 15:02:48 +08:00
|
|
|
static int post_copy_siginfo_from_user32(kernel_siginfo_t *to,
|
|
|
|
const struct compat_siginfo *from)
|
2017-08-01 06:15:31 +08:00
|
|
|
{
|
|
|
|
clear_siginfo(to);
|
signal: In sigqueueinfo prefer sig not si_signo
Andrei Vagin <avagin@gmail.com> reported:
> Accoding to the man page, the user should not set si_signo, it has to be set
> by kernel.
>
> $ man 2 rt_sigqueueinfo
>
> The uinfo argument specifies the data to accompany the signal. This
> argument is a pointer to a structure of type siginfo_t, described in
> sigaction(2) (and defined by including <sigaction.h>). The caller
> should set the following fields in this structure:
>
> si_code
> This must be one of the SI_* codes in the Linux kernel source
> file include/asm-generic/siginfo.h, with the restriction that
> the code must be negative (i.e., cannot be SI_USER, which is
> used by the kernel to indicate a signal sent by kill(2)) and
> cannot (since Linux 2.6.39) be SI_TKILL (which is used by the
> kernel to indicate a signal sent using tgkill(2)).
>
> si_pid This should be set to a process ID, typically the process ID of
> the sender.
>
> si_uid This should be set to a user ID, typically the real user ID of
> the sender.
>
> si_value
> This field contains the user data to accompany the signal. For
> more information, see the description of the last (union sigval)
> argument of sigqueue(3).
>
> Internally, the kernel sets the si_signo field to the value specified
> in sig, so that the receiver of the signal can also obtain the signal
> number via that field.
>
> On Tue, Sep 25, 2018 at 07:19:02PM +0200, Eric W. Biederman wrote:
>>
>> If there is some application that calls sigqueueinfo directly that has
>> a problem with this added sanity check we can revisit this when we see
>> what kind of crazy that application is doing.
>
>
> I already know two "applications" ;)
>
> https://github.com/torvalds/linux/blob/master/tools/testing/selftests/ptrace/peeksiginfo.c
> https://github.com/checkpoint-restore/criu/blob/master/test/zdtm/static/sigpending.c
>
> Disclaimer: I'm the author of both of them.
Looking at the kernel code the historical behavior has alwasy been to prefer
the signal number passed in by the kernel.
So sigh. Implmenet __copy_siginfo_from_user and __copy_siginfo_from_user32 to
take that signal number and prefer it. The user of ptrace will still
use copy_siginfo_from_user and copy_siginfo_from_user32 as they do not and
never have had a signal number there.
Luckily this change has never made it farther than linux-next.
Fixes: e75dc036c445 ("signal: Fail sigqueueinfo if si_signo != sig")
Reported-by: Andrei Vagin <avagin@gmail.com>
Tested-by: Andrei Vagin <avagin@gmail.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2018-10-05 15:02:48 +08:00
|
|
|
to->si_signo = from->si_signo;
|
|
|
|
to->si_errno = from->si_errno;
|
|
|
|
to->si_code = from->si_code;
|
|
|
|
switch(siginfo_layout(from->si_signo, from->si_code)) {
|
2017-08-01 06:15:31 +08:00
|
|
|
case SIL_KILL:
|
signal: In sigqueueinfo prefer sig not si_signo
Andrei Vagin <avagin@gmail.com> reported:
> Accoding to the man page, the user should not set si_signo, it has to be set
> by kernel.
>
> $ man 2 rt_sigqueueinfo
>
> The uinfo argument specifies the data to accompany the signal. This
> argument is a pointer to a structure of type siginfo_t, described in
> sigaction(2) (and defined by including <sigaction.h>). The caller
> should set the following fields in this structure:
>
> si_code
> This must be one of the SI_* codes in the Linux kernel source
> file include/asm-generic/siginfo.h, with the restriction that
> the code must be negative (i.e., cannot be SI_USER, which is
> used by the kernel to indicate a signal sent by kill(2)) and
> cannot (since Linux 2.6.39) be SI_TKILL (which is used by the
> kernel to indicate a signal sent using tgkill(2)).
>
> si_pid This should be set to a process ID, typically the process ID of
> the sender.
>
> si_uid This should be set to a user ID, typically the real user ID of
> the sender.
>
> si_value
> This field contains the user data to accompany the signal. For
> more information, see the description of the last (union sigval)
> argument of sigqueue(3).
>
> Internally, the kernel sets the si_signo field to the value specified
> in sig, so that the receiver of the signal can also obtain the signal
> number via that field.
>
> On Tue, Sep 25, 2018 at 07:19:02PM +0200, Eric W. Biederman wrote:
>>
>> If there is some application that calls sigqueueinfo directly that has
>> a problem with this added sanity check we can revisit this when we see
>> what kind of crazy that application is doing.
>
>
> I already know two "applications" ;)
>
> https://github.com/torvalds/linux/blob/master/tools/testing/selftests/ptrace/peeksiginfo.c
> https://github.com/checkpoint-restore/criu/blob/master/test/zdtm/static/sigpending.c
>
> Disclaimer: I'm the author of both of them.
Looking at the kernel code the historical behavior has alwasy been to prefer
the signal number passed in by the kernel.
So sigh. Implmenet __copy_siginfo_from_user and __copy_siginfo_from_user32 to
take that signal number and prefer it. The user of ptrace will still
use copy_siginfo_from_user and copy_siginfo_from_user32 as they do not and
never have had a signal number there.
Luckily this change has never made it farther than linux-next.
Fixes: e75dc036c445 ("signal: Fail sigqueueinfo if si_signo != sig")
Reported-by: Andrei Vagin <avagin@gmail.com>
Tested-by: Andrei Vagin <avagin@gmail.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2018-10-05 15:02:48 +08:00
|
|
|
to->si_pid = from->si_pid;
|
|
|
|
to->si_uid = from->si_uid;
|
2017-08-01 06:15:31 +08:00
|
|
|
break;
|
|
|
|
case SIL_TIMER:
|
signal: In sigqueueinfo prefer sig not si_signo
Andrei Vagin <avagin@gmail.com> reported:
> Accoding to the man page, the user should not set si_signo, it has to be set
> by kernel.
>
> $ man 2 rt_sigqueueinfo
>
> The uinfo argument specifies the data to accompany the signal. This
> argument is a pointer to a structure of type siginfo_t, described in
> sigaction(2) (and defined by including <sigaction.h>). The caller
> should set the following fields in this structure:
>
> si_code
> This must be one of the SI_* codes in the Linux kernel source
> file include/asm-generic/siginfo.h, with the restriction that
> the code must be negative (i.e., cannot be SI_USER, which is
> used by the kernel to indicate a signal sent by kill(2)) and
> cannot (since Linux 2.6.39) be SI_TKILL (which is used by the
> kernel to indicate a signal sent using tgkill(2)).
>
> si_pid This should be set to a process ID, typically the process ID of
> the sender.
>
> si_uid This should be set to a user ID, typically the real user ID of
> the sender.
>
> si_value
> This field contains the user data to accompany the signal. For
> more information, see the description of the last (union sigval)
> argument of sigqueue(3).
>
> Internally, the kernel sets the si_signo field to the value specified
> in sig, so that the receiver of the signal can also obtain the signal
> number via that field.
>
> On Tue, Sep 25, 2018 at 07:19:02PM +0200, Eric W. Biederman wrote:
>>
>> If there is some application that calls sigqueueinfo directly that has
>> a problem with this added sanity check we can revisit this when we see
>> what kind of crazy that application is doing.
>
>
> I already know two "applications" ;)
>
> https://github.com/torvalds/linux/blob/master/tools/testing/selftests/ptrace/peeksiginfo.c
> https://github.com/checkpoint-restore/criu/blob/master/test/zdtm/static/sigpending.c
>
> Disclaimer: I'm the author of both of them.
Looking at the kernel code the historical behavior has alwasy been to prefer
the signal number passed in by the kernel.
So sigh. Implmenet __copy_siginfo_from_user and __copy_siginfo_from_user32 to
take that signal number and prefer it. The user of ptrace will still
use copy_siginfo_from_user and copy_siginfo_from_user32 as they do not and
never have had a signal number there.
Luckily this change has never made it farther than linux-next.
Fixes: e75dc036c445 ("signal: Fail sigqueueinfo if si_signo != sig")
Reported-by: Andrei Vagin <avagin@gmail.com>
Tested-by: Andrei Vagin <avagin@gmail.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2018-10-05 15:02:48 +08:00
|
|
|
to->si_tid = from->si_tid;
|
|
|
|
to->si_overrun = from->si_overrun;
|
|
|
|
to->si_int = from->si_int;
|
2017-08-01 06:15:31 +08:00
|
|
|
break;
|
|
|
|
case SIL_POLL:
|
signal: In sigqueueinfo prefer sig not si_signo
Andrei Vagin <avagin@gmail.com> reported:
> Accoding to the man page, the user should not set si_signo, it has to be set
> by kernel.
>
> $ man 2 rt_sigqueueinfo
>
> The uinfo argument specifies the data to accompany the signal. This
> argument is a pointer to a structure of type siginfo_t, described in
> sigaction(2) (and defined by including <sigaction.h>). The caller
> should set the following fields in this structure:
>
> si_code
> This must be one of the SI_* codes in the Linux kernel source
> file include/asm-generic/siginfo.h, with the restriction that
> the code must be negative (i.e., cannot be SI_USER, which is
> used by the kernel to indicate a signal sent by kill(2)) and
> cannot (since Linux 2.6.39) be SI_TKILL (which is used by the
> kernel to indicate a signal sent using tgkill(2)).
>
> si_pid This should be set to a process ID, typically the process ID of
> the sender.
>
> si_uid This should be set to a user ID, typically the real user ID of
> the sender.
>
> si_value
> This field contains the user data to accompany the signal. For
> more information, see the description of the last (union sigval)
> argument of sigqueue(3).
>
> Internally, the kernel sets the si_signo field to the value specified
> in sig, so that the receiver of the signal can also obtain the signal
> number via that field.
>
> On Tue, Sep 25, 2018 at 07:19:02PM +0200, Eric W. Biederman wrote:
>>
>> If there is some application that calls sigqueueinfo directly that has
>> a problem with this added sanity check we can revisit this when we see
>> what kind of crazy that application is doing.
>
>
> I already know two "applications" ;)
>
> https://github.com/torvalds/linux/blob/master/tools/testing/selftests/ptrace/peeksiginfo.c
> https://github.com/checkpoint-restore/criu/blob/master/test/zdtm/static/sigpending.c
>
> Disclaimer: I'm the author of both of them.
Looking at the kernel code the historical behavior has alwasy been to prefer
the signal number passed in by the kernel.
So sigh. Implmenet __copy_siginfo_from_user and __copy_siginfo_from_user32 to
take that signal number and prefer it. The user of ptrace will still
use copy_siginfo_from_user and copy_siginfo_from_user32 as they do not and
never have had a signal number there.
Luckily this change has never made it farther than linux-next.
Fixes: e75dc036c445 ("signal: Fail sigqueueinfo if si_signo != sig")
Reported-by: Andrei Vagin <avagin@gmail.com>
Tested-by: Andrei Vagin <avagin@gmail.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2018-10-05 15:02:48 +08:00
|
|
|
to->si_band = from->si_band;
|
|
|
|
to->si_fd = from->si_fd;
|
2017-08-01 06:15:31 +08:00
|
|
|
break;
|
|
|
|
case SIL_FAULT:
|
signal: In sigqueueinfo prefer sig not si_signo
Andrei Vagin <avagin@gmail.com> reported:
> Accoding to the man page, the user should not set si_signo, it has to be set
> by kernel.
>
> $ man 2 rt_sigqueueinfo
>
> The uinfo argument specifies the data to accompany the signal. This
> argument is a pointer to a structure of type siginfo_t, described in
> sigaction(2) (and defined by including <sigaction.h>). The caller
> should set the following fields in this structure:
>
> si_code
> This must be one of the SI_* codes in the Linux kernel source
> file include/asm-generic/siginfo.h, with the restriction that
> the code must be negative (i.e., cannot be SI_USER, which is
> used by the kernel to indicate a signal sent by kill(2)) and
> cannot (since Linux 2.6.39) be SI_TKILL (which is used by the
> kernel to indicate a signal sent using tgkill(2)).
>
> si_pid This should be set to a process ID, typically the process ID of
> the sender.
>
> si_uid This should be set to a user ID, typically the real user ID of
> the sender.
>
> si_value
> This field contains the user data to accompany the signal. For
> more information, see the description of the last (union sigval)
> argument of sigqueue(3).
>
> Internally, the kernel sets the si_signo field to the value specified
> in sig, so that the receiver of the signal can also obtain the signal
> number via that field.
>
> On Tue, Sep 25, 2018 at 07:19:02PM +0200, Eric W. Biederman wrote:
>>
>> If there is some application that calls sigqueueinfo directly that has
>> a problem with this added sanity check we can revisit this when we see
>> what kind of crazy that application is doing.
>
>
> I already know two "applications" ;)
>
> https://github.com/torvalds/linux/blob/master/tools/testing/selftests/ptrace/peeksiginfo.c
> https://github.com/checkpoint-restore/criu/blob/master/test/zdtm/static/sigpending.c
>
> Disclaimer: I'm the author of both of them.
Looking at the kernel code the historical behavior has alwasy been to prefer
the signal number passed in by the kernel.
So sigh. Implmenet __copy_siginfo_from_user and __copy_siginfo_from_user32 to
take that signal number and prefer it. The user of ptrace will still
use copy_siginfo_from_user and copy_siginfo_from_user32 as they do not and
never have had a signal number there.
Luckily this change has never made it farther than linux-next.
Fixes: e75dc036c445 ("signal: Fail sigqueueinfo if si_signo != sig")
Reported-by: Andrei Vagin <avagin@gmail.com>
Tested-by: Andrei Vagin <avagin@gmail.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2018-10-05 15:02:48 +08:00
|
|
|
to->si_addr = compat_ptr(from->si_addr);
|
2021-05-01 06:29:36 +08:00
|
|
|
break;
|
|
|
|
case SIL_FAULT_TRAPNO:
|
|
|
|
to->si_addr = compat_ptr(from->si_addr);
|
signal: In sigqueueinfo prefer sig not si_signo
Andrei Vagin <avagin@gmail.com> reported:
> Accoding to the man page, the user should not set si_signo, it has to be set
> by kernel.
>
> $ man 2 rt_sigqueueinfo
>
> The uinfo argument specifies the data to accompany the signal. This
> argument is a pointer to a structure of type siginfo_t, described in
> sigaction(2) (and defined by including <sigaction.h>). The caller
> should set the following fields in this structure:
>
> si_code
> This must be one of the SI_* codes in the Linux kernel source
> file include/asm-generic/siginfo.h, with the restriction that
> the code must be negative (i.e., cannot be SI_USER, which is
> used by the kernel to indicate a signal sent by kill(2)) and
> cannot (since Linux 2.6.39) be SI_TKILL (which is used by the
> kernel to indicate a signal sent using tgkill(2)).
>
> si_pid This should be set to a process ID, typically the process ID of
> the sender.
>
> si_uid This should be set to a user ID, typically the real user ID of
> the sender.
>
> si_value
> This field contains the user data to accompany the signal. For
> more information, see the description of the last (union sigval)
> argument of sigqueue(3).
>
> Internally, the kernel sets the si_signo field to the value specified
> in sig, so that the receiver of the signal can also obtain the signal
> number via that field.
>
> On Tue, Sep 25, 2018 at 07:19:02PM +0200, Eric W. Biederman wrote:
>>
>> If there is some application that calls sigqueueinfo directly that has
>> a problem with this added sanity check we can revisit this when we see
>> what kind of crazy that application is doing.
>
>
> I already know two "applications" ;)
>
> https://github.com/torvalds/linux/blob/master/tools/testing/selftests/ptrace/peeksiginfo.c
> https://github.com/checkpoint-restore/criu/blob/master/test/zdtm/static/sigpending.c
>
> Disclaimer: I'm the author of both of them.
Looking at the kernel code the historical behavior has alwasy been to prefer
the signal number passed in by the kernel.
So sigh. Implmenet __copy_siginfo_from_user and __copy_siginfo_from_user32 to
take that signal number and prefer it. The user of ptrace will still
use copy_siginfo_from_user and copy_siginfo_from_user32 as they do not and
never have had a signal number there.
Luckily this change has never made it farther than linux-next.
Fixes: e75dc036c445 ("signal: Fail sigqueueinfo if si_signo != sig")
Reported-by: Andrei Vagin <avagin@gmail.com>
Tested-by: Andrei Vagin <avagin@gmail.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2018-10-05 15:02:48 +08:00
|
|
|
to->si_trapno = from->si_trapno;
|
2018-04-25 09:59:47 +08:00
|
|
|
break;
|
|
|
|
case SIL_FAULT_MCEERR:
|
signal: In sigqueueinfo prefer sig not si_signo
Andrei Vagin <avagin@gmail.com> reported:
> Accoding to the man page, the user should not set si_signo, it has to be set
> by kernel.
>
> $ man 2 rt_sigqueueinfo
>
> The uinfo argument specifies the data to accompany the signal. This
> argument is a pointer to a structure of type siginfo_t, described in
> sigaction(2) (and defined by including <sigaction.h>). The caller
> should set the following fields in this structure:
>
> si_code
> This must be one of the SI_* codes in the Linux kernel source
> file include/asm-generic/siginfo.h, with the restriction that
> the code must be negative (i.e., cannot be SI_USER, which is
> used by the kernel to indicate a signal sent by kill(2)) and
> cannot (since Linux 2.6.39) be SI_TKILL (which is used by the
> kernel to indicate a signal sent using tgkill(2)).
>
> si_pid This should be set to a process ID, typically the process ID of
> the sender.
>
> si_uid This should be set to a user ID, typically the real user ID of
> the sender.
>
> si_value
> This field contains the user data to accompany the signal. For
> more information, see the description of the last (union sigval)
> argument of sigqueue(3).
>
> Internally, the kernel sets the si_signo field to the value specified
> in sig, so that the receiver of the signal can also obtain the signal
> number via that field.
>
> On Tue, Sep 25, 2018 at 07:19:02PM +0200, Eric W. Biederman wrote:
>>
>> If there is some application that calls sigqueueinfo directly that has
>> a problem with this added sanity check we can revisit this when we see
>> what kind of crazy that application is doing.
>
>
> I already know two "applications" ;)
>
> https://github.com/torvalds/linux/blob/master/tools/testing/selftests/ptrace/peeksiginfo.c
> https://github.com/checkpoint-restore/criu/blob/master/test/zdtm/static/sigpending.c
>
> Disclaimer: I'm the author of both of them.
Looking at the kernel code the historical behavior has alwasy been to prefer
the signal number passed in by the kernel.
So sigh. Implmenet __copy_siginfo_from_user and __copy_siginfo_from_user32 to
take that signal number and prefer it. The user of ptrace will still
use copy_siginfo_from_user and copy_siginfo_from_user32 as they do not and
never have had a signal number there.
Luckily this change has never made it farther than linux-next.
Fixes: e75dc036c445 ("signal: Fail sigqueueinfo if si_signo != sig")
Reported-by: Andrei Vagin <avagin@gmail.com>
Tested-by: Andrei Vagin <avagin@gmail.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2018-10-05 15:02:48 +08:00
|
|
|
to->si_addr = compat_ptr(from->si_addr);
|
|
|
|
to->si_addr_lsb = from->si_addr_lsb;
|
2018-04-25 09:59:47 +08:00
|
|
|
break;
|
|
|
|
case SIL_FAULT_BNDERR:
|
signal: In sigqueueinfo prefer sig not si_signo
Andrei Vagin <avagin@gmail.com> reported:
> Accoding to the man page, the user should not set si_signo, it has to be set
> by kernel.
>
> $ man 2 rt_sigqueueinfo
>
> The uinfo argument specifies the data to accompany the signal. This
> argument is a pointer to a structure of type siginfo_t, described in
> sigaction(2) (and defined by including <sigaction.h>). The caller
> should set the following fields in this structure:
>
> si_code
> This must be one of the SI_* codes in the Linux kernel source
> file include/asm-generic/siginfo.h, with the restriction that
> the code must be negative (i.e., cannot be SI_USER, which is
> used by the kernel to indicate a signal sent by kill(2)) and
> cannot (since Linux 2.6.39) be SI_TKILL (which is used by the
> kernel to indicate a signal sent using tgkill(2)).
>
> si_pid This should be set to a process ID, typically the process ID of
> the sender.
>
> si_uid This should be set to a user ID, typically the real user ID of
> the sender.
>
> si_value
> This field contains the user data to accompany the signal. For
> more information, see the description of the last (union sigval)
> argument of sigqueue(3).
>
> Internally, the kernel sets the si_signo field to the value specified
> in sig, so that the receiver of the signal can also obtain the signal
> number via that field.
>
> On Tue, Sep 25, 2018 at 07:19:02PM +0200, Eric W. Biederman wrote:
>>
>> If there is some application that calls sigqueueinfo directly that has
>> a problem with this added sanity check we can revisit this when we see
>> what kind of crazy that application is doing.
>
>
> I already know two "applications" ;)
>
> https://github.com/torvalds/linux/blob/master/tools/testing/selftests/ptrace/peeksiginfo.c
> https://github.com/checkpoint-restore/criu/blob/master/test/zdtm/static/sigpending.c
>
> Disclaimer: I'm the author of both of them.
Looking at the kernel code the historical behavior has alwasy been to prefer
the signal number passed in by the kernel.
So sigh. Implmenet __copy_siginfo_from_user and __copy_siginfo_from_user32 to
take that signal number and prefer it. The user of ptrace will still
use copy_siginfo_from_user and copy_siginfo_from_user32 as they do not and
never have had a signal number there.
Luckily this change has never made it farther than linux-next.
Fixes: e75dc036c445 ("signal: Fail sigqueueinfo if si_signo != sig")
Reported-by: Andrei Vagin <avagin@gmail.com>
Tested-by: Andrei Vagin <avagin@gmail.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2018-10-05 15:02:48 +08:00
|
|
|
to->si_addr = compat_ptr(from->si_addr);
|
|
|
|
to->si_lower = compat_ptr(from->si_lower);
|
|
|
|
to->si_upper = compat_ptr(from->si_upper);
|
2018-04-25 09:59:47 +08:00
|
|
|
break;
|
|
|
|
case SIL_FAULT_PKUERR:
|
signal: In sigqueueinfo prefer sig not si_signo
Andrei Vagin <avagin@gmail.com> reported:
> Accoding to the man page, the user should not set si_signo, it has to be set
> by kernel.
>
> $ man 2 rt_sigqueueinfo
>
> The uinfo argument specifies the data to accompany the signal. This
> argument is a pointer to a structure of type siginfo_t, described in
> sigaction(2) (and defined by including <sigaction.h>). The caller
> should set the following fields in this structure:
>
> si_code
> This must be one of the SI_* codes in the Linux kernel source
> file include/asm-generic/siginfo.h, with the restriction that
> the code must be negative (i.e., cannot be SI_USER, which is
> used by the kernel to indicate a signal sent by kill(2)) and
> cannot (since Linux 2.6.39) be SI_TKILL (which is used by the
> kernel to indicate a signal sent using tgkill(2)).
>
> si_pid This should be set to a process ID, typically the process ID of
> the sender.
>
> si_uid This should be set to a user ID, typically the real user ID of
> the sender.
>
> si_value
> This field contains the user data to accompany the signal. For
> more information, see the description of the last (union sigval)
> argument of sigqueue(3).
>
> Internally, the kernel sets the si_signo field to the value specified
> in sig, so that the receiver of the signal can also obtain the signal
> number via that field.
>
> On Tue, Sep 25, 2018 at 07:19:02PM +0200, Eric W. Biederman wrote:
>>
>> If there is some application that calls sigqueueinfo directly that has
>> a problem with this added sanity check we can revisit this when we see
>> what kind of crazy that application is doing.
>
>
> I already know two "applications" ;)
>
> https://github.com/torvalds/linux/blob/master/tools/testing/selftests/ptrace/peeksiginfo.c
> https://github.com/checkpoint-restore/criu/blob/master/test/zdtm/static/sigpending.c
>
> Disclaimer: I'm the author of both of them.
Looking at the kernel code the historical behavior has alwasy been to prefer
the signal number passed in by the kernel.
So sigh. Implmenet __copy_siginfo_from_user and __copy_siginfo_from_user32 to
take that signal number and prefer it. The user of ptrace will still
use copy_siginfo_from_user and copy_siginfo_from_user32 as they do not and
never have had a signal number there.
Luckily this change has never made it farther than linux-next.
Fixes: e75dc036c445 ("signal: Fail sigqueueinfo if si_signo != sig")
Reported-by: Andrei Vagin <avagin@gmail.com>
Tested-by: Andrei Vagin <avagin@gmail.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2018-10-05 15:02:48 +08:00
|
|
|
to->si_addr = compat_ptr(from->si_addr);
|
|
|
|
to->si_pkey = from->si_pkey;
|
2017-08-01 06:15:31 +08:00
|
|
|
break;
|
2021-05-01 06:58:56 +08:00
|
|
|
case SIL_FAULT_PERF_EVENT:
|
2021-04-08 18:36:00 +08:00
|
|
|
to->si_addr = compat_ptr(from->si_addr);
|
2021-05-03 06:28:31 +08:00
|
|
|
to->si_perf_data = from->si_perf_data;
|
|
|
|
to->si_perf_type = from->si_perf_type;
|
signal: Deliver SIGTRAP on perf event asynchronously if blocked
With SIGTRAP on perf events, we have encountered termination of
processes due to user space attempting to block delivery of SIGTRAP.
Consider this case:
<set up SIGTRAP on a perf event>
...
sigset_t s;
sigemptyset(&s);
sigaddset(&s, SIGTRAP | <and others>);
sigprocmask(SIG_BLOCK, &s, ...);
...
<perf event triggers>
When the perf event triggers, while SIGTRAP is blocked, force_sig_perf()
will force the signal, but revert back to the default handler, thus
terminating the task.
This makes sense for error conditions, but not so much for explicitly
requested monitoring. However, the expectation is still that signals
generated by perf events are synchronous, which will no longer be the
case if the signal is blocked and delivered later.
To give user space the ability to clearly distinguish synchronous from
asynchronous signals, introduce siginfo_t::si_perf_flags and
TRAP_PERF_FLAG_ASYNC (opted for flags in case more binary information is
required in future).
The resolution to the problem is then to (a) no longer force the signal
(avoiding the terminations), but (b) tell user space via si_perf_flags
if the signal was synchronous or not, so that such signals can be
handled differently (e.g. let user space decide to ignore or consider
the data imprecise).
The alternative of making the kernel ignore SIGTRAP on perf events if
the signal is blocked may work for some usecases, but likely causes
issues in others that then have to revert back to interception of
sigprocmask() (which we want to avoid). [ A concrete example: when using
breakpoint perf events to track data-flow, in a region of code where
signals are blocked, data-flow can no longer be tracked accurately.
When a relevant asynchronous signal is received after unblocking the
signal, the data-flow tracking logic needs to know its state is
imprecise. ]
Fixes: 97ba62b27867 ("perf: Add support for SIGTRAP on perf events")
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Marco Elver <elver@google.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Acked-by: Geert Uytterhoeven <geert@linux-m68k.org>
Tested-by: Dmitry Vyukov <dvyukov@google.com>
Link: https://lore.kernel.org/r/20220404111204.935357-1-elver@google.com
2022-04-04 19:12:04 +08:00
|
|
|
to->si_perf_flags = from->si_perf_flags;
|
2021-04-08 18:36:00 +08:00
|
|
|
break;
|
2017-08-01 06:15:31 +08:00
|
|
|
case SIL_CHLD:
|
signal: In sigqueueinfo prefer sig not si_signo
Andrei Vagin <avagin@gmail.com> reported:
> Accoding to the man page, the user should not set si_signo, it has to be set
> by kernel.
>
> $ man 2 rt_sigqueueinfo
>
> The uinfo argument specifies the data to accompany the signal. This
> argument is a pointer to a structure of type siginfo_t, described in
> sigaction(2) (and defined by including <sigaction.h>). The caller
> should set the following fields in this structure:
>
> si_code
> This must be one of the SI_* codes in the Linux kernel source
> file include/asm-generic/siginfo.h, with the restriction that
> the code must be negative (i.e., cannot be SI_USER, which is
> used by the kernel to indicate a signal sent by kill(2)) and
> cannot (since Linux 2.6.39) be SI_TKILL (which is used by the
> kernel to indicate a signal sent using tgkill(2)).
>
> si_pid This should be set to a process ID, typically the process ID of
> the sender.
>
> si_uid This should be set to a user ID, typically the real user ID of
> the sender.
>
> si_value
> This field contains the user data to accompany the signal. For
> more information, see the description of the last (union sigval)
> argument of sigqueue(3).
>
> Internally, the kernel sets the si_signo field to the value specified
> in sig, so that the receiver of the signal can also obtain the signal
> number via that field.
>
> On Tue, Sep 25, 2018 at 07:19:02PM +0200, Eric W. Biederman wrote:
>>
>> If there is some application that calls sigqueueinfo directly that has
>> a problem with this added sanity check we can revisit this when we see
>> what kind of crazy that application is doing.
>
>
> I already know two "applications" ;)
>
> https://github.com/torvalds/linux/blob/master/tools/testing/selftests/ptrace/peeksiginfo.c
> https://github.com/checkpoint-restore/criu/blob/master/test/zdtm/static/sigpending.c
>
> Disclaimer: I'm the author of both of them.
Looking at the kernel code the historical behavior has alwasy been to prefer
the signal number passed in by the kernel.
So sigh. Implmenet __copy_siginfo_from_user and __copy_siginfo_from_user32 to
take that signal number and prefer it. The user of ptrace will still
use copy_siginfo_from_user and copy_siginfo_from_user32 as they do not and
never have had a signal number there.
Luckily this change has never made it farther than linux-next.
Fixes: e75dc036c445 ("signal: Fail sigqueueinfo if si_signo != sig")
Reported-by: Andrei Vagin <avagin@gmail.com>
Tested-by: Andrei Vagin <avagin@gmail.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2018-10-05 15:02:48 +08:00
|
|
|
to->si_pid = from->si_pid;
|
|
|
|
to->si_uid = from->si_uid;
|
|
|
|
to->si_status = from->si_status;
|
2017-08-01 06:15:31 +08:00
|
|
|
#ifdef CONFIG_X86_X32_ABI
|
|
|
|
if (in_x32_syscall()) {
|
signal: In sigqueueinfo prefer sig not si_signo
Andrei Vagin <avagin@gmail.com> reported:
> Accoding to the man page, the user should not set si_signo, it has to be set
> by kernel.
>
> $ man 2 rt_sigqueueinfo
>
> The uinfo argument specifies the data to accompany the signal. This
> argument is a pointer to a structure of type siginfo_t, described in
> sigaction(2) (and defined by including <sigaction.h>). The caller
> should set the following fields in this structure:
>
> si_code
> This must be one of the SI_* codes in the Linux kernel source
> file include/asm-generic/siginfo.h, with the restriction that
> the code must be negative (i.e., cannot be SI_USER, which is
> used by the kernel to indicate a signal sent by kill(2)) and
> cannot (since Linux 2.6.39) be SI_TKILL (which is used by the
> kernel to indicate a signal sent using tgkill(2)).
>
> si_pid This should be set to a process ID, typically the process ID of
> the sender.
>
> si_uid This should be set to a user ID, typically the real user ID of
> the sender.
>
> si_value
> This field contains the user data to accompany the signal. For
> more information, see the description of the last (union sigval)
> argument of sigqueue(3).
>
> Internally, the kernel sets the si_signo field to the value specified
> in sig, so that the receiver of the signal can also obtain the signal
> number via that field.
>
> On Tue, Sep 25, 2018 at 07:19:02PM +0200, Eric W. Biederman wrote:
>>
>> If there is some application that calls sigqueueinfo directly that has
>> a problem with this added sanity check we can revisit this when we see
>> what kind of crazy that application is doing.
>
>
> I already know two "applications" ;)
>
> https://github.com/torvalds/linux/blob/master/tools/testing/selftests/ptrace/peeksiginfo.c
> https://github.com/checkpoint-restore/criu/blob/master/test/zdtm/static/sigpending.c
>
> Disclaimer: I'm the author of both of them.
Looking at the kernel code the historical behavior has alwasy been to prefer
the signal number passed in by the kernel.
So sigh. Implmenet __copy_siginfo_from_user and __copy_siginfo_from_user32 to
take that signal number and prefer it. The user of ptrace will still
use copy_siginfo_from_user and copy_siginfo_from_user32 as they do not and
never have had a signal number there.
Luckily this change has never made it farther than linux-next.
Fixes: e75dc036c445 ("signal: Fail sigqueueinfo if si_signo != sig")
Reported-by: Andrei Vagin <avagin@gmail.com>
Tested-by: Andrei Vagin <avagin@gmail.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2018-10-05 15:02:48 +08:00
|
|
|
to->si_utime = from->_sifields._sigchld_x32._utime;
|
|
|
|
to->si_stime = from->_sifields._sigchld_x32._stime;
|
2017-08-01 06:15:31 +08:00
|
|
|
} else
|
|
|
|
#endif
|
|
|
|
{
|
signal: In sigqueueinfo prefer sig not si_signo
Andrei Vagin <avagin@gmail.com> reported:
> Accoding to the man page, the user should not set si_signo, it has to be set
> by kernel.
>
> $ man 2 rt_sigqueueinfo
>
> The uinfo argument specifies the data to accompany the signal. This
> argument is a pointer to a structure of type siginfo_t, described in
> sigaction(2) (and defined by including <sigaction.h>). The caller
> should set the following fields in this structure:
>
> si_code
> This must be one of the SI_* codes in the Linux kernel source
> file include/asm-generic/siginfo.h, with the restriction that
> the code must be negative (i.e., cannot be SI_USER, which is
> used by the kernel to indicate a signal sent by kill(2)) and
> cannot (since Linux 2.6.39) be SI_TKILL (which is used by the
> kernel to indicate a signal sent using tgkill(2)).
>
> si_pid This should be set to a process ID, typically the process ID of
> the sender.
>
> si_uid This should be set to a user ID, typically the real user ID of
> the sender.
>
> si_value
> This field contains the user data to accompany the signal. For
> more information, see the description of the last (union sigval)
> argument of sigqueue(3).
>
> Internally, the kernel sets the si_signo field to the value specified
> in sig, so that the receiver of the signal can also obtain the signal
> number via that field.
>
> On Tue, Sep 25, 2018 at 07:19:02PM +0200, Eric W. Biederman wrote:
>>
>> If there is some application that calls sigqueueinfo directly that has
>> a problem with this added sanity check we can revisit this when we see
>> what kind of crazy that application is doing.
>
>
> I already know two "applications" ;)
>
> https://github.com/torvalds/linux/blob/master/tools/testing/selftests/ptrace/peeksiginfo.c
> https://github.com/checkpoint-restore/criu/blob/master/test/zdtm/static/sigpending.c
>
> Disclaimer: I'm the author of both of them.
Looking at the kernel code the historical behavior has alwasy been to prefer
the signal number passed in by the kernel.
So sigh. Implmenet __copy_siginfo_from_user and __copy_siginfo_from_user32 to
take that signal number and prefer it. The user of ptrace will still
use copy_siginfo_from_user and copy_siginfo_from_user32 as they do not and
never have had a signal number there.
Luckily this change has never made it farther than linux-next.
Fixes: e75dc036c445 ("signal: Fail sigqueueinfo if si_signo != sig")
Reported-by: Andrei Vagin <avagin@gmail.com>
Tested-by: Andrei Vagin <avagin@gmail.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2018-10-05 15:02:48 +08:00
|
|
|
to->si_utime = from->si_utime;
|
|
|
|
to->si_stime = from->si_stime;
|
2017-08-01 06:15:31 +08:00
|
|
|
}
|
|
|
|
break;
|
|
|
|
case SIL_RT:
|
signal: In sigqueueinfo prefer sig not si_signo
Andrei Vagin <avagin@gmail.com> reported:
> Accoding to the man page, the user should not set si_signo, it has to be set
> by kernel.
>
> $ man 2 rt_sigqueueinfo
>
> The uinfo argument specifies the data to accompany the signal. This
> argument is a pointer to a structure of type siginfo_t, described in
> sigaction(2) (and defined by including <sigaction.h>). The caller
> should set the following fields in this structure:
>
> si_code
> This must be one of the SI_* codes in the Linux kernel source
> file include/asm-generic/siginfo.h, with the restriction that
> the code must be negative (i.e., cannot be SI_USER, which is
> used by the kernel to indicate a signal sent by kill(2)) and
> cannot (since Linux 2.6.39) be SI_TKILL (which is used by the
> kernel to indicate a signal sent using tgkill(2)).
>
> si_pid This should be set to a process ID, typically the process ID of
> the sender.
>
> si_uid This should be set to a user ID, typically the real user ID of
> the sender.
>
> si_value
> This field contains the user data to accompany the signal. For
> more information, see the description of the last (union sigval)
> argument of sigqueue(3).
>
> Internally, the kernel sets the si_signo field to the value specified
> in sig, so that the receiver of the signal can also obtain the signal
> number via that field.
>
> On Tue, Sep 25, 2018 at 07:19:02PM +0200, Eric W. Biederman wrote:
>>
>> If there is some application that calls sigqueueinfo directly that has
>> a problem with this added sanity check we can revisit this when we see
>> what kind of crazy that application is doing.
>
>
> I already know two "applications" ;)
>
> https://github.com/torvalds/linux/blob/master/tools/testing/selftests/ptrace/peeksiginfo.c
> https://github.com/checkpoint-restore/criu/blob/master/test/zdtm/static/sigpending.c
>
> Disclaimer: I'm the author of both of them.
Looking at the kernel code the historical behavior has alwasy been to prefer
the signal number passed in by the kernel.
So sigh. Implmenet __copy_siginfo_from_user and __copy_siginfo_from_user32 to
take that signal number and prefer it. The user of ptrace will still
use copy_siginfo_from_user and copy_siginfo_from_user32 as they do not and
never have had a signal number there.
Luckily this change has never made it farther than linux-next.
Fixes: e75dc036c445 ("signal: Fail sigqueueinfo if si_signo != sig")
Reported-by: Andrei Vagin <avagin@gmail.com>
Tested-by: Andrei Vagin <avagin@gmail.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2018-10-05 15:02:48 +08:00
|
|
|
to->si_pid = from->si_pid;
|
|
|
|
to->si_uid = from->si_uid;
|
|
|
|
to->si_int = from->si_int;
|
2017-08-01 06:15:31 +08:00
|
|
|
break;
|
|
|
|
case SIL_SYS:
|
signal: In sigqueueinfo prefer sig not si_signo
Andrei Vagin <avagin@gmail.com> reported:
> Accoding to the man page, the user should not set si_signo, it has to be set
> by kernel.
>
> $ man 2 rt_sigqueueinfo
>
> The uinfo argument specifies the data to accompany the signal. This
> argument is a pointer to a structure of type siginfo_t, described in
> sigaction(2) (and defined by including <sigaction.h>). The caller
> should set the following fields in this structure:
>
> si_code
> This must be one of the SI_* codes in the Linux kernel source
> file include/asm-generic/siginfo.h, with the restriction that
> the code must be negative (i.e., cannot be SI_USER, which is
> used by the kernel to indicate a signal sent by kill(2)) and
> cannot (since Linux 2.6.39) be SI_TKILL (which is used by the
> kernel to indicate a signal sent using tgkill(2)).
>
> si_pid This should be set to a process ID, typically the process ID of
> the sender.
>
> si_uid This should be set to a user ID, typically the real user ID of
> the sender.
>
> si_value
> This field contains the user data to accompany the signal. For
> more information, see the description of the last (union sigval)
> argument of sigqueue(3).
>
> Internally, the kernel sets the si_signo field to the value specified
> in sig, so that the receiver of the signal can also obtain the signal
> number via that field.
>
> On Tue, Sep 25, 2018 at 07:19:02PM +0200, Eric W. Biederman wrote:
>>
>> If there is some application that calls sigqueueinfo directly that has
>> a problem with this added sanity check we can revisit this when we see
>> what kind of crazy that application is doing.
>
>
> I already know two "applications" ;)
>
> https://github.com/torvalds/linux/blob/master/tools/testing/selftests/ptrace/peeksiginfo.c
> https://github.com/checkpoint-restore/criu/blob/master/test/zdtm/static/sigpending.c
>
> Disclaimer: I'm the author of both of them.
Looking at the kernel code the historical behavior has alwasy been to prefer
the signal number passed in by the kernel.
So sigh. Implmenet __copy_siginfo_from_user and __copy_siginfo_from_user32 to
take that signal number and prefer it. The user of ptrace will still
use copy_siginfo_from_user and copy_siginfo_from_user32 as they do not and
never have had a signal number there.
Luckily this change has never made it farther than linux-next.
Fixes: e75dc036c445 ("signal: Fail sigqueueinfo if si_signo != sig")
Reported-by: Andrei Vagin <avagin@gmail.com>
Tested-by: Andrei Vagin <avagin@gmail.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2018-10-05 15:02:48 +08:00
|
|
|
to->si_call_addr = compat_ptr(from->si_call_addr);
|
|
|
|
to->si_syscall = from->si_syscall;
|
|
|
|
to->si_arch = from->si_arch;
|
2017-08-01 06:15:31 +08:00
|
|
|
break;
|
|
|
|
}
|
|
|
|
return 0;
|
|
|
|
}
|
signal: In sigqueueinfo prefer sig not si_signo
Andrei Vagin <avagin@gmail.com> reported:
> Accoding to the man page, the user should not set si_signo, it has to be set
> by kernel.
>
> $ man 2 rt_sigqueueinfo
>
> The uinfo argument specifies the data to accompany the signal. This
> argument is a pointer to a structure of type siginfo_t, described in
> sigaction(2) (and defined by including <sigaction.h>). The caller
> should set the following fields in this structure:
>
> si_code
> This must be one of the SI_* codes in the Linux kernel source
> file include/asm-generic/siginfo.h, with the restriction that
> the code must be negative (i.e., cannot be SI_USER, which is
> used by the kernel to indicate a signal sent by kill(2)) and
> cannot (since Linux 2.6.39) be SI_TKILL (which is used by the
> kernel to indicate a signal sent using tgkill(2)).
>
> si_pid This should be set to a process ID, typically the process ID of
> the sender.
>
> si_uid This should be set to a user ID, typically the real user ID of
> the sender.
>
> si_value
> This field contains the user data to accompany the signal. For
> more information, see the description of the last (union sigval)
> argument of sigqueue(3).
>
> Internally, the kernel sets the si_signo field to the value specified
> in sig, so that the receiver of the signal can also obtain the signal
> number via that field.
>
> On Tue, Sep 25, 2018 at 07:19:02PM +0200, Eric W. Biederman wrote:
>>
>> If there is some application that calls sigqueueinfo directly that has
>> a problem with this added sanity check we can revisit this when we see
>> what kind of crazy that application is doing.
>
>
> I already know two "applications" ;)
>
> https://github.com/torvalds/linux/blob/master/tools/testing/selftests/ptrace/peeksiginfo.c
> https://github.com/checkpoint-restore/criu/blob/master/test/zdtm/static/sigpending.c
>
> Disclaimer: I'm the author of both of them.
Looking at the kernel code the historical behavior has alwasy been to prefer
the signal number passed in by the kernel.
So sigh. Implmenet __copy_siginfo_from_user and __copy_siginfo_from_user32 to
take that signal number and prefer it. The user of ptrace will still
use copy_siginfo_from_user and copy_siginfo_from_user32 as they do not and
never have had a signal number there.
Luckily this change has never made it farther than linux-next.
Fixes: e75dc036c445 ("signal: Fail sigqueueinfo if si_signo != sig")
Reported-by: Andrei Vagin <avagin@gmail.com>
Tested-by: Andrei Vagin <avagin@gmail.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2018-10-05 15:02:48 +08:00
|
|
|
|
|
|
|
static int __copy_siginfo_from_user32(int signo, struct kernel_siginfo *to,
|
|
|
|
const struct compat_siginfo __user *ufrom)
|
|
|
|
{
|
|
|
|
struct compat_siginfo from;
|
|
|
|
|
|
|
|
if (copy_from_user(&from, ufrom, sizeof(struct compat_siginfo)))
|
|
|
|
return -EFAULT;
|
|
|
|
|
|
|
|
from.si_signo = signo;
|
|
|
|
return post_copy_siginfo_from_user32(to, &from);
|
|
|
|
}
|
|
|
|
|
|
|
|
int copy_siginfo_from_user32(struct kernel_siginfo *to,
|
|
|
|
const struct compat_siginfo __user *ufrom)
|
|
|
|
{
|
|
|
|
struct compat_siginfo from;
|
|
|
|
|
|
|
|
if (copy_from_user(&from, ufrom, sizeof(struct compat_siginfo)))
|
|
|
|
return -EFAULT;
|
|
|
|
|
|
|
|
return post_copy_siginfo_from_user32(to, &from);
|
|
|
|
}
|
2017-08-01 06:15:31 +08:00
|
|
|
#endif /* CONFIG_COMPAT */
|
|
|
|
|
2011-04-28 03:44:14 +08:00
|
|
|
/**
|
|
|
|
* do_sigtimedwait - wait for queued signals specified in @which
|
|
|
|
* @which: queued signals to wait for
|
|
|
|
* @info: if non-null, the signal's siginfo is returned here
|
|
|
|
* @ts: upper bound on process time suspension
|
|
|
|
*/
|
2018-09-25 17:27:20 +08:00
|
|
|
static int do_sigtimedwait(const sigset_t *which, kernel_siginfo_t *info,
|
2018-04-18 21:56:13 +08:00
|
|
|
const struct timespec64 *ts)
|
2011-04-28 03:44:14 +08:00
|
|
|
{
|
2016-12-25 18:38:40 +08:00
|
|
|
ktime_t *to = NULL, timeout = KTIME_MAX;
|
2011-04-28 03:44:14 +08:00
|
|
|
struct task_struct *tsk = current;
|
|
|
|
sigset_t mask = *which;
|
2021-11-16 03:47:13 +08:00
|
|
|
enum pid_type type;
|
2016-07-04 17:50:25 +08:00
|
|
|
int sig, ret = 0;
|
2011-04-28 03:44:14 +08:00
|
|
|
|
|
|
|
if (ts) {
|
2018-04-18 21:56:13 +08:00
|
|
|
if (!timespec64_valid(ts))
|
2011-04-28 03:44:14 +08:00
|
|
|
return -EINVAL;
|
2018-04-18 21:56:13 +08:00
|
|
|
timeout = timespec64_to_ktime(*ts);
|
2016-07-04 17:50:25 +08:00
|
|
|
to = &timeout;
|
2011-04-28 03:44:14 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Invert the set of allowed signals to get those we want to block.
|
|
|
|
*/
|
|
|
|
sigdelsetmask(&mask, sigmask(SIGKILL) | sigmask(SIGSTOP));
|
|
|
|
signotset(&mask);
|
|
|
|
|
|
|
|
spin_lock_irq(&tsk->sighand->siglock);
|
2021-11-16 03:47:13 +08:00
|
|
|
sig = dequeue_signal(tsk, &mask, info, &type);
|
2016-12-25 18:38:40 +08:00
|
|
|
if (!sig && timeout) {
|
2011-04-28 03:44:14 +08:00
|
|
|
/*
|
|
|
|
* None ready, temporarily unblock those we're interested
|
|
|
|
* while we are sleeping in so that we'll be awakened when
|
2011-04-28 03:56:14 +08:00
|
|
|
* they arrive. Unblocking is always fine, we can avoid
|
|
|
|
* set_current_blocked().
|
2011-04-28 03:44:14 +08:00
|
|
|
*/
|
|
|
|
tsk->real_blocked = tsk->blocked;
|
|
|
|
sigandsets(&tsk->blocked, &tsk->blocked, &mask);
|
|
|
|
recalc_sigpending();
|
|
|
|
spin_unlock_irq(&tsk->sighand->siglock);
|
|
|
|
|
freezer,sched: Rewrite core freezer logic
Rewrite the core freezer to behave better wrt thawing and be simpler
in general.
By replacing PF_FROZEN with TASK_FROZEN, a special block state, it is
ensured frozen tasks stay frozen until thawed and don't randomly wake
up early, as is currently possible.
As such, it does away with PF_FROZEN and PF_FREEZER_SKIP, freeing up
two PF_flags (yay!).
Specifically; the current scheme works a little like:
freezer_do_not_count();
schedule();
freezer_count();
And either the task is blocked, or it lands in try_to_freezer()
through freezer_count(). Now, when it is blocked, the freezer
considers it frozen and continues.
However, on thawing, once pm_freezing is cleared, freezer_count()
stops working, and any random/spurious wakeup will let a task run
before its time.
That is, thawing tries to thaw things in explicit order; kernel
threads and workqueues before doing bringing SMP back before userspace
etc.. However due to the above mentioned races it is entirely possible
for userspace tasks to thaw (by accident) before SMP is back.
This can be a fatal problem in asymmetric ISA architectures (eg ARMv9)
where the userspace task requires a special CPU to run.
As said; replace this with a special task state TASK_FROZEN and add
the following state transitions:
TASK_FREEZABLE -> TASK_FROZEN
__TASK_STOPPED -> TASK_FROZEN
__TASK_TRACED -> TASK_FROZEN
The new TASK_FREEZABLE can be set on any state part of TASK_NORMAL
(IOW. TASK_INTERRUPTIBLE and TASK_UNINTERRUPTIBLE) -- any such state
is already required to deal with spurious wakeups and the freezer
causes one such when thawing the task (since the original state is
lost).
The special __TASK_{STOPPED,TRACED} states *can* be restored since
their canonical state is in ->jobctl.
With this, frozen tasks need an explicit TASK_FROZEN wakeup and are
free of undue (early / spurious) wakeups.
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Ingo Molnar <mingo@kernel.org>
Acked-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Link: https://lore.kernel.org/r/20220822114649.055452969@infradead.org
2022-08-22 19:18:22 +08:00
|
|
|
__set_current_state(TASK_INTERRUPTIBLE|TASK_FREEZABLE);
|
|
|
|
ret = schedule_hrtimeout_range(to, tsk->timer_slack_ns,
|
|
|
|
HRTIMER_MODE_REL);
|
2011-04-28 03:44:14 +08:00
|
|
|
spin_lock_irq(&tsk->sighand->siglock);
|
2011-04-28 03:56:14 +08:00
|
|
|
__set_task_blocked(tsk, &tsk->real_blocked);
|
2014-06-07 05:36:46 +08:00
|
|
|
sigemptyset(&tsk->real_blocked);
|
2021-11-16 03:47:13 +08:00
|
|
|
sig = dequeue_signal(tsk, &mask, info, &type);
|
2011-04-28 03:44:14 +08:00
|
|
|
}
|
|
|
|
spin_unlock_irq(&tsk->sighand->siglock);
|
|
|
|
|
|
|
|
if (sig)
|
|
|
|
return sig;
|
2016-07-04 17:50:25 +08:00
|
|
|
return ret ? -EINTR : -EAGAIN;
|
2011-04-28 03:44:14 +08:00
|
|
|
}
|
|
|
|
|
2011-04-05 06:00:26 +08:00
|
|
|
/**
|
|
|
|
* sys_rt_sigtimedwait - synchronously wait for queued signals specified
|
|
|
|
* in @uthese
|
|
|
|
* @uthese: queued signals to wait for
|
|
|
|
* @uinfo: if non-null, the signal's siginfo is returned here
|
|
|
|
* @uts: upper bound on process time suspension
|
|
|
|
* @sigsetsize: size of sigset_t type
|
|
|
|
*/
|
2009-01-14 21:14:10 +08:00
|
|
|
SYSCALL_DEFINE4(rt_sigtimedwait, const sigset_t __user *, uthese,
|
2018-04-18 21:56:13 +08:00
|
|
|
siginfo_t __user *, uinfo,
|
|
|
|
const struct __kernel_timespec __user *, uts,
|
2009-01-14 21:14:10 +08:00
|
|
|
size_t, sigsetsize)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
|
|
|
sigset_t these;
|
2018-04-18 21:56:13 +08:00
|
|
|
struct timespec64 ts;
|
2018-09-25 17:27:20 +08:00
|
|
|
kernel_siginfo_t info;
|
2011-04-28 03:44:14 +08:00
|
|
|
int ret;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
/* XXX: Don't preclude handling different sized sigset_t's. */
|
|
|
|
if (sigsetsize != sizeof(sigset_t))
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
if (copy_from_user(&these, uthese, sizeof(these)))
|
|
|
|
return -EFAULT;
|
2011-04-05 05:59:31 +08:00
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
if (uts) {
|
2018-04-18 21:56:13 +08:00
|
|
|
if (get_timespec64(&ts, uts))
|
2005-04-17 06:20:36 +08:00
|
|
|
return -EFAULT;
|
|
|
|
}
|
|
|
|
|
2011-04-28 03:44:14 +08:00
|
|
|
ret = do_sigtimedwait(&these, &info, uts ? &ts : NULL);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2011-04-28 03:44:14 +08:00
|
|
|
if (ret > 0 && uinfo) {
|
|
|
|
if (copy_siginfo_to_user(uinfo, &info))
|
|
|
|
ret = -EFAULT;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
2018-04-18 22:15:37 +08:00
|
|
|
#ifdef CONFIG_COMPAT_32BIT_TIME
|
|
|
|
SYSCALL_DEFINE4(rt_sigtimedwait_time32, const sigset_t __user *, uthese,
|
|
|
|
siginfo_t __user *, uinfo,
|
|
|
|
const struct old_timespec32 __user *, uts,
|
|
|
|
size_t, sigsetsize)
|
|
|
|
{
|
|
|
|
sigset_t these;
|
|
|
|
struct timespec64 ts;
|
|
|
|
kernel_siginfo_t info;
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
if (sigsetsize != sizeof(sigset_t))
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
if (copy_from_user(&these, uthese, sizeof(these)))
|
|
|
|
return -EFAULT;
|
|
|
|
|
|
|
|
if (uts) {
|
|
|
|
if (get_old_timespec32(&ts, uts))
|
|
|
|
return -EFAULT;
|
|
|
|
}
|
|
|
|
|
|
|
|
ret = do_sigtimedwait(&these, &info, uts ? &ts : NULL);
|
|
|
|
|
|
|
|
if (ret > 0 && uinfo) {
|
|
|
|
if (copy_siginfo_to_user(uinfo, &info))
|
|
|
|
ret = -EFAULT;
|
|
|
|
}
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
2017-05-31 16:46:17 +08:00
|
|
|
#ifdef CONFIG_COMPAT
|
2018-04-18 22:18:35 +08:00
|
|
|
COMPAT_SYSCALL_DEFINE4(rt_sigtimedwait_time64, compat_sigset_t __user *, uthese,
|
|
|
|
struct compat_siginfo __user *, uinfo,
|
|
|
|
struct __kernel_timespec __user *, uts, compat_size_t, sigsetsize)
|
|
|
|
{
|
|
|
|
sigset_t s;
|
|
|
|
struct timespec64 t;
|
|
|
|
kernel_siginfo_t info;
|
|
|
|
long ret;
|
|
|
|
|
|
|
|
if (sigsetsize != sizeof(sigset_t))
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
if (get_compat_sigset(&s, uthese))
|
|
|
|
return -EFAULT;
|
|
|
|
|
|
|
|
if (uts) {
|
|
|
|
if (get_timespec64(&t, uts))
|
|
|
|
return -EFAULT;
|
|
|
|
}
|
|
|
|
|
|
|
|
ret = do_sigtimedwait(&s, &info, uts ? &t : NULL);
|
|
|
|
|
|
|
|
if (ret > 0 && uinfo) {
|
|
|
|
if (copy_siginfo_to_user32(uinfo, &info))
|
|
|
|
ret = -EFAULT;
|
|
|
|
}
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
#ifdef CONFIG_COMPAT_32BIT_TIME
|
2019-01-07 07:33:08 +08:00
|
|
|
COMPAT_SYSCALL_DEFINE4(rt_sigtimedwait_time32, compat_sigset_t __user *, uthese,
|
2017-05-31 16:46:17 +08:00
|
|
|
struct compat_siginfo __user *, uinfo,
|
y2038: globally rename compat_time to old_time32
Christoph Hellwig suggested a slightly different path for handling
backwards compatibility with the 32-bit time_t based system calls:
Rather than simply reusing the compat_sys_* entry points on 32-bit
architectures unchanged, we get rid of those entry points and the
compat_time types by renaming them to something that makes more sense
on 32-bit architectures (which don't have a compat mode otherwise),
and then share the entry points under the new name with the 64-bit
architectures that use them for implementing the compatibility.
The following types and interfaces are renamed here, and moved
from linux/compat_time.h to linux/time32.h:
old new
--- ---
compat_time_t old_time32_t
struct compat_timeval struct old_timeval32
struct compat_timespec struct old_timespec32
struct compat_itimerspec struct old_itimerspec32
ns_to_compat_timeval() ns_to_old_timeval32()
get_compat_itimerspec64() get_old_itimerspec32()
put_compat_itimerspec64() put_old_itimerspec32()
compat_get_timespec64() get_old_timespec32()
compat_put_timespec64() put_old_timespec32()
As we already have aliases in place, this patch addresses only the
instances that are relevant to the system call interface in particular,
not those that occur in device drivers and other modules. Those
will get handled separately, while providing the 64-bit version
of the respective interfaces.
I'm not renaming the timex, rusage and itimerval structures, as we are
still debating what the new interface will look like, and whether we
will need a replacement at all.
This also doesn't change the names of the syscall entry points, which can
be done more easily when we actually switch over the 32-bit architectures
to use them, at that point we need to change COMPAT_SYSCALL_DEFINEx to
SYSCALL_DEFINEx with a new name, e.g. with a _time32 suffix.
Suggested-by: Christoph Hellwig <hch@infradead.org>
Link: https://lore.kernel.org/lkml/20180705222110.GA5698@infradead.org/
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
2018-07-13 18:52:28 +08:00
|
|
|
struct old_timespec32 __user *, uts, compat_size_t, sigsetsize)
|
2017-05-31 16:46:17 +08:00
|
|
|
{
|
|
|
|
sigset_t s;
|
2018-04-18 21:56:13 +08:00
|
|
|
struct timespec64 t;
|
2018-09-25 17:27:20 +08:00
|
|
|
kernel_siginfo_t info;
|
2017-05-31 16:46:17 +08:00
|
|
|
long ret;
|
|
|
|
|
|
|
|
if (sigsetsize != sizeof(sigset_t))
|
|
|
|
return -EINVAL;
|
|
|
|
|
2017-09-04 09:45:17 +08:00
|
|
|
if (get_compat_sigset(&s, uthese))
|
2017-05-31 16:46:17 +08:00
|
|
|
return -EFAULT;
|
|
|
|
|
|
|
|
if (uts) {
|
2018-04-18 21:56:13 +08:00
|
|
|
if (get_old_timespec32(&t, uts))
|
2017-05-31 16:46:17 +08:00
|
|
|
return -EFAULT;
|
|
|
|
}
|
|
|
|
|
|
|
|
ret = do_sigtimedwait(&s, &info, uts ? &t : NULL);
|
|
|
|
|
|
|
|
if (ret > 0 && uinfo) {
|
|
|
|
if (copy_siginfo_to_user32(uinfo, &info))
|
|
|
|
ret = -EFAULT;
|
|
|
|
}
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
#endif
|
2018-04-18 22:18:35 +08:00
|
|
|
#endif
|
2017-05-31 16:46:17 +08:00
|
|
|
|
signal: add pidfd_send_signal() syscall
The kill() syscall operates on process identifiers (pid). After a process
has exited its pid can be reused by another process. If a caller sends a
signal to a reused pid it will end up signaling the wrong process. This
issue has often surfaced and there has been a push to address this problem [1].
This patch uses file descriptors (fd) from proc/<pid> as stable handles on
struct pid. Even if a pid is recycled the handle will not change. The fd
can be used to send signals to the process it refers to.
Thus, the new syscall pidfd_send_signal() is introduced to solve this
problem. Instead of pids it operates on process fds (pidfd).
/* prototype and argument /*
long pidfd_send_signal(int pidfd, int sig, siginfo_t *info, unsigned int flags);
/* syscall number 424 */
The syscall number was chosen to be 424 to align with Arnd's rework in his
y2038 to minimize merge conflicts (cf. [25]).
In addition to the pidfd and signal argument it takes an additional
siginfo_t and flags argument. If the siginfo_t argument is NULL then
pidfd_send_signal() is equivalent to kill(<positive-pid>, <signal>). If it
is not NULL pidfd_send_signal() is equivalent to rt_sigqueueinfo().
The flags argument is added to allow for future extensions of this syscall.
It currently needs to be passed as 0. Failing to do so will cause EINVAL.
/* pidfd_send_signal() replaces multiple pid-based syscalls */
The pidfd_send_signal() syscall currently takes on the job of
rt_sigqueueinfo(2) and parts of the functionality of kill(2), Namely, when a
positive pid is passed to kill(2). It will however be possible to also
replace tgkill(2) and rt_tgsigqueueinfo(2) if this syscall is extended.
/* sending signals to threads (tid) and process groups (pgid) */
Specifically, the pidfd_send_signal() syscall does currently not operate on
process groups or threads. This is left for future extensions.
In order to extend the syscall to allow sending signal to threads and
process groups appropriately named flags (e.g. PIDFD_TYPE_PGID, and
PIDFD_TYPE_TID) should be added. This implies that the flags argument will
determine what is signaled and not the file descriptor itself. Put in other
words, grouping in this api is a property of the flags argument not a
property of the file descriptor (cf. [13]). Clarification for this has been
requested by Eric (cf. [19]).
When appropriate extensions through the flags argument are added then
pidfd_send_signal() can additionally replace the part of kill(2) which
operates on process groups as well as the tgkill(2) and
rt_tgsigqueueinfo(2) syscalls.
How such an extension could be implemented has been very roughly sketched
in [14], [15], and [16]. However, this should not be taken as a commitment
to a particular implementation. There might be better ways to do it.
Right now this is intentionally left out to keep this patchset as simple as
possible (cf. [4]).
/* naming */
The syscall had various names throughout iterations of this patchset:
- procfd_signal()
- procfd_send_signal()
- taskfd_send_signal()
In the last round of reviews it was pointed out that given that if the
flags argument decides the scope of the signal instead of different types
of fds it might make sense to either settle for "procfd_" or "pidfd_" as
prefix. The community was willing to accept either (cf. [17] and [18]).
Given that one developer expressed strong preference for the "pidfd_"
prefix (cf. [13]) and with other developers less opinionated about the name
we should settle for "pidfd_" to avoid further bikeshedding.
The "_send_signal" suffix was chosen to reflect the fact that the syscall
takes on the job of multiple syscalls. It is therefore intentional that the
name is not reminiscent of neither kill(2) nor rt_sigqueueinfo(2). Not the
fomer because it might imply that pidfd_send_signal() is a replacement for
kill(2), and not the latter because it is a hassle to remember the correct
spelling - especially for non-native speakers - and because it is not
descriptive enough of what the syscall actually does. The name
"pidfd_send_signal" makes it very clear that its job is to send signals.
/* zombies */
Zombies can be signaled just as any other process. No special error will be
reported since a zombie state is an unreliable state (cf. [3]). However,
this can be added as an extension through the @flags argument if the need
ever arises.
/* cross-namespace signals */
The patch currently enforces that the signaler and signalee either are in
the same pid namespace or that the signaler's pid namespace is an ancestor
of the signalee's pid namespace. This is done for the sake of simplicity
and because it is unclear to what values certain members of struct
siginfo_t would need to be set to (cf. [5], [6]).
/* compat syscalls */
It became clear that we would like to avoid adding compat syscalls
(cf. [7]). The compat syscall handling is now done in kernel/signal.c
itself by adding __copy_siginfo_from_user_generic() which lets us avoid
compat syscalls (cf. [8]). It should be noted that the addition of
__copy_siginfo_from_user_any() is caused by a bug in the original
implementation of rt_sigqueueinfo(2) (cf. 12).
With upcoming rework for syscall handling things might improve
significantly (cf. [11]) and __copy_siginfo_from_user_any() will not gain
any additional callers.
/* testing */
This patch was tested on x64 and x86.
/* userspace usage */
An asciinema recording for the basic functionality can be found under [9].
With this patch a process can be killed via:
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>
static inline int do_pidfd_send_signal(int pidfd, int sig, siginfo_t *info,
unsigned int flags)
{
#ifdef __NR_pidfd_send_signal
return syscall(__NR_pidfd_send_signal, pidfd, sig, info, flags);
#else
return -ENOSYS;
#endif
}
int main(int argc, char *argv[])
{
int fd, ret, saved_errno, sig;
if (argc < 3)
exit(EXIT_FAILURE);
fd = open(argv[1], O_DIRECTORY | O_CLOEXEC);
if (fd < 0) {
printf("%s - Failed to open \"%s\"\n", strerror(errno), argv[1]);
exit(EXIT_FAILURE);
}
sig = atoi(argv[2]);
printf("Sending signal %d to process %s\n", sig, argv[1]);
ret = do_pidfd_send_signal(fd, sig, NULL, 0);
saved_errno = errno;
close(fd);
errno = saved_errno;
if (ret < 0) {
printf("%s - Failed to send signal %d to process %s\n",
strerror(errno), sig, argv[1]);
exit(EXIT_FAILURE);
}
exit(EXIT_SUCCESS);
}
/* Q&A
* Given that it seems the same questions get asked again by people who are
* late to the party it makes sense to add a Q&A section to the commit
* message so it's hopefully easier to avoid duplicate threads.
*
* For the sake of progress please consider these arguments settled unless
* there is a new point that desperately needs to be addressed. Please make
* sure to check the links to the threads in this commit message whether
* this has not already been covered.
*/
Q-01: (Florian Weimer [20], Andrew Morton [21])
What happens when the target process has exited?
A-01: Sending the signal will fail with ESRCH (cf. [22]).
Q-02: (Andrew Morton [21])
Is the task_struct pinned by the fd?
A-02: No. A reference to struct pid is kept. struct pid - as far as I
understand - was created exactly for the reason to not require to
pin struct task_struct (cf. [22]).
Q-03: (Andrew Morton [21])
Does the entire procfs directory remain visible? Just one entry
within it?
A-03: The same thing that happens right now when you hold a file descriptor
to /proc/<pid> open (cf. [22]).
Q-04: (Andrew Morton [21])
Does the pid remain reserved?
A-04: No. This patchset guarantees a stable handle not that pids are not
recycled (cf. [22]).
Q-05: (Andrew Morton [21])
Do attempts to signal that fd return errors?
A-05: See {Q,A}-01.
Q-06: (Andrew Morton [22])
Is there a cleaner way of obtaining the fd? Another syscall perhaps.
A-06: Userspace can already trivially retrieve file descriptors from procfs
so this is something that we will need to support anyway. Hence,
there's no immediate need to add another syscalls just to make
pidfd_send_signal() not dependent on the presence of procfs. However,
adding a syscalls to get such file descriptors is planned for a
future patchset (cf. [22]).
Q-07: (Andrew Morton [21] and others)
This fd-for-a-process sounds like a handy thing and people may well
think up other uses for it in the future, probably unrelated to
signals. Are the code and the interface designed to permit such
future applications?
A-07: Yes (cf. [22]).
Q-08: (Andrew Morton [21] and others)
Now I think about it, why a new syscall? This thing is looking
rather like an ioctl?
A-08: This has been extensively discussed. It was agreed that a syscall is
preferred for a variety or reasons. Here are just a few taken from
prior threads. Syscalls are safer than ioctl()s especially when
signaling to fds. Processes are a core kernel concept so a syscall
seems more appropriate. The layout of the syscall with its four
arguments would require the addition of a custom struct for the
ioctl() thereby causing at least the same amount or even more
complexity for userspace than a simple syscall. The new syscall will
replace multiple other pid-based syscalls (see description above).
The file-descriptors-for-processes concept introduced with this
syscall will be extended with other syscalls in the future. See also
[22], [23] and various other threads already linked in here.
Q-09: (Florian Weimer [24])
What happens if you use the new interface with an O_PATH descriptor?
A-09:
pidfds opened as O_PATH fds cannot be used to send signals to a
process (cf. [2]). Signaling processes through pidfds is the
equivalent of writing to a file. Thus, this is not an operation that
operates "purely at the file descriptor level" as required by the
open(2) manpage. See also [4].
/* References */
[1]: https://lore.kernel.org/lkml/20181029221037.87724-1-dancol@google.com/
[2]: https://lore.kernel.org/lkml/874lbtjvtd.fsf@oldenburg2.str.redhat.com/
[3]: https://lore.kernel.org/lkml/20181204132604.aspfupwjgjx6fhva@brauner.io/
[4]: https://lore.kernel.org/lkml/20181203180224.fkvw4kajtbvru2ku@brauner.io/
[5]: https://lore.kernel.org/lkml/20181121213946.GA10795@mail.hallyn.com/
[6]: https://lore.kernel.org/lkml/20181120103111.etlqp7zop34v6nv4@brauner.io/
[7]: https://lore.kernel.org/lkml/36323361-90BD-41AF-AB5B-EE0D7BA02C21@amacapital.net/
[8]: https://lore.kernel.org/lkml/87tvjxp8pc.fsf@xmission.com/
[9]: https://asciinema.org/a/IQjuCHew6bnq1cr78yuMv16cy
[11]: https://lore.kernel.org/lkml/F53D6D38-3521-4C20-9034-5AF447DF62FF@amacapital.net/
[12]: https://lore.kernel.org/lkml/87zhtjn8ck.fsf@xmission.com/
[13]: https://lore.kernel.org/lkml/871s6u9z6u.fsf@xmission.com/
[14]: https://lore.kernel.org/lkml/20181206231742.xxi4ghn24z4h2qki@brauner.io/
[15]: https://lore.kernel.org/lkml/20181207003124.GA11160@mail.hallyn.com/
[16]: https://lore.kernel.org/lkml/20181207015423.4miorx43l3qhppfz@brauner.io/
[17]: https://lore.kernel.org/lkml/CAGXu5jL8PciZAXvOvCeCU3wKUEB_dU-O3q0tDw4uB_ojMvDEew@mail.gmail.com/
[18]: https://lore.kernel.org/lkml/20181206222746.GB9224@mail.hallyn.com/
[19]: https://lore.kernel.org/lkml/20181208054059.19813-1-christian@brauner.io/
[20]: https://lore.kernel.org/lkml/8736rebl9s.fsf@oldenburg.str.redhat.com/
[21]: https://lore.kernel.org/lkml/20181228152012.dbf0508c2508138efc5f2bbe@linux-foundation.org/
[22]: https://lore.kernel.org/lkml/20181228233725.722tdfgijxcssg76@brauner.io/
[23]: https://lwn.net/Articles/773459/
[24]: https://lore.kernel.org/lkml/8736rebl9s.fsf@oldenburg.str.redhat.com/
[25]: https://lore.kernel.org/lkml/CAK8P3a0ej9NcJM8wXNPbcGUyOUZYX+VLoDFdbenW3s3114oQZw@mail.gmail.com/
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Jann Horn <jannh@google.com>
Cc: Andy Lutomirsky <luto@kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Florian Weimer <fweimer@redhat.com>
Signed-off-by: Christian Brauner <christian@brauner.io>
Reviewed-by: Tycho Andersen <tycho@tycho.ws>
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: David Howells <dhowells@redhat.com>
Acked-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Serge Hallyn <serge@hallyn.com>
Acked-by: Aleksa Sarai <cyphar@cyphar.com>
2018-11-19 07:51:56 +08:00
|
|
|
static inline void prepare_kill_siginfo(int sig, struct kernel_siginfo *info)
|
|
|
|
{
|
|
|
|
clear_siginfo(info);
|
|
|
|
info->si_signo = sig;
|
|
|
|
info->si_errno = 0;
|
|
|
|
info->si_code = SI_USER;
|
|
|
|
info->si_pid = task_tgid_vnr(current);
|
|
|
|
info->si_uid = from_kuid_munged(current_user_ns(), current_uid());
|
|
|
|
}
|
|
|
|
|
2011-04-05 06:00:26 +08:00
|
|
|
/**
|
|
|
|
* sys_kill - send a signal to a process
|
|
|
|
* @pid: the PID of the process
|
|
|
|
* @sig: signal to be sent
|
|
|
|
*/
|
2009-01-14 21:14:10 +08:00
|
|
|
SYSCALL_DEFINE2(kill, pid_t, pid, int, sig)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2018-09-25 17:27:20 +08:00
|
|
|
struct kernel_siginfo info;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
signal: add pidfd_send_signal() syscall
The kill() syscall operates on process identifiers (pid). After a process
has exited its pid can be reused by another process. If a caller sends a
signal to a reused pid it will end up signaling the wrong process. This
issue has often surfaced and there has been a push to address this problem [1].
This patch uses file descriptors (fd) from proc/<pid> as stable handles on
struct pid. Even if a pid is recycled the handle will not change. The fd
can be used to send signals to the process it refers to.
Thus, the new syscall pidfd_send_signal() is introduced to solve this
problem. Instead of pids it operates on process fds (pidfd).
/* prototype and argument /*
long pidfd_send_signal(int pidfd, int sig, siginfo_t *info, unsigned int flags);
/* syscall number 424 */
The syscall number was chosen to be 424 to align with Arnd's rework in his
y2038 to minimize merge conflicts (cf. [25]).
In addition to the pidfd and signal argument it takes an additional
siginfo_t and flags argument. If the siginfo_t argument is NULL then
pidfd_send_signal() is equivalent to kill(<positive-pid>, <signal>). If it
is not NULL pidfd_send_signal() is equivalent to rt_sigqueueinfo().
The flags argument is added to allow for future extensions of this syscall.
It currently needs to be passed as 0. Failing to do so will cause EINVAL.
/* pidfd_send_signal() replaces multiple pid-based syscalls */
The pidfd_send_signal() syscall currently takes on the job of
rt_sigqueueinfo(2) and parts of the functionality of kill(2), Namely, when a
positive pid is passed to kill(2). It will however be possible to also
replace tgkill(2) and rt_tgsigqueueinfo(2) if this syscall is extended.
/* sending signals to threads (tid) and process groups (pgid) */
Specifically, the pidfd_send_signal() syscall does currently not operate on
process groups or threads. This is left for future extensions.
In order to extend the syscall to allow sending signal to threads and
process groups appropriately named flags (e.g. PIDFD_TYPE_PGID, and
PIDFD_TYPE_TID) should be added. This implies that the flags argument will
determine what is signaled and not the file descriptor itself. Put in other
words, grouping in this api is a property of the flags argument not a
property of the file descriptor (cf. [13]). Clarification for this has been
requested by Eric (cf. [19]).
When appropriate extensions through the flags argument are added then
pidfd_send_signal() can additionally replace the part of kill(2) which
operates on process groups as well as the tgkill(2) and
rt_tgsigqueueinfo(2) syscalls.
How such an extension could be implemented has been very roughly sketched
in [14], [15], and [16]. However, this should not be taken as a commitment
to a particular implementation. There might be better ways to do it.
Right now this is intentionally left out to keep this patchset as simple as
possible (cf. [4]).
/* naming */
The syscall had various names throughout iterations of this patchset:
- procfd_signal()
- procfd_send_signal()
- taskfd_send_signal()
In the last round of reviews it was pointed out that given that if the
flags argument decides the scope of the signal instead of different types
of fds it might make sense to either settle for "procfd_" or "pidfd_" as
prefix. The community was willing to accept either (cf. [17] and [18]).
Given that one developer expressed strong preference for the "pidfd_"
prefix (cf. [13]) and with other developers less opinionated about the name
we should settle for "pidfd_" to avoid further bikeshedding.
The "_send_signal" suffix was chosen to reflect the fact that the syscall
takes on the job of multiple syscalls. It is therefore intentional that the
name is not reminiscent of neither kill(2) nor rt_sigqueueinfo(2). Not the
fomer because it might imply that pidfd_send_signal() is a replacement for
kill(2), and not the latter because it is a hassle to remember the correct
spelling - especially for non-native speakers - and because it is not
descriptive enough of what the syscall actually does. The name
"pidfd_send_signal" makes it very clear that its job is to send signals.
/* zombies */
Zombies can be signaled just as any other process. No special error will be
reported since a zombie state is an unreliable state (cf. [3]). However,
this can be added as an extension through the @flags argument if the need
ever arises.
/* cross-namespace signals */
The patch currently enforces that the signaler and signalee either are in
the same pid namespace or that the signaler's pid namespace is an ancestor
of the signalee's pid namespace. This is done for the sake of simplicity
and because it is unclear to what values certain members of struct
siginfo_t would need to be set to (cf. [5], [6]).
/* compat syscalls */
It became clear that we would like to avoid adding compat syscalls
(cf. [7]). The compat syscall handling is now done in kernel/signal.c
itself by adding __copy_siginfo_from_user_generic() which lets us avoid
compat syscalls (cf. [8]). It should be noted that the addition of
__copy_siginfo_from_user_any() is caused by a bug in the original
implementation of rt_sigqueueinfo(2) (cf. 12).
With upcoming rework for syscall handling things might improve
significantly (cf. [11]) and __copy_siginfo_from_user_any() will not gain
any additional callers.
/* testing */
This patch was tested on x64 and x86.
/* userspace usage */
An asciinema recording for the basic functionality can be found under [9].
With this patch a process can be killed via:
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>
static inline int do_pidfd_send_signal(int pidfd, int sig, siginfo_t *info,
unsigned int flags)
{
#ifdef __NR_pidfd_send_signal
return syscall(__NR_pidfd_send_signal, pidfd, sig, info, flags);
#else
return -ENOSYS;
#endif
}
int main(int argc, char *argv[])
{
int fd, ret, saved_errno, sig;
if (argc < 3)
exit(EXIT_FAILURE);
fd = open(argv[1], O_DIRECTORY | O_CLOEXEC);
if (fd < 0) {
printf("%s - Failed to open \"%s\"\n", strerror(errno), argv[1]);
exit(EXIT_FAILURE);
}
sig = atoi(argv[2]);
printf("Sending signal %d to process %s\n", sig, argv[1]);
ret = do_pidfd_send_signal(fd, sig, NULL, 0);
saved_errno = errno;
close(fd);
errno = saved_errno;
if (ret < 0) {
printf("%s - Failed to send signal %d to process %s\n",
strerror(errno), sig, argv[1]);
exit(EXIT_FAILURE);
}
exit(EXIT_SUCCESS);
}
/* Q&A
* Given that it seems the same questions get asked again by people who are
* late to the party it makes sense to add a Q&A section to the commit
* message so it's hopefully easier to avoid duplicate threads.
*
* For the sake of progress please consider these arguments settled unless
* there is a new point that desperately needs to be addressed. Please make
* sure to check the links to the threads in this commit message whether
* this has not already been covered.
*/
Q-01: (Florian Weimer [20], Andrew Morton [21])
What happens when the target process has exited?
A-01: Sending the signal will fail with ESRCH (cf. [22]).
Q-02: (Andrew Morton [21])
Is the task_struct pinned by the fd?
A-02: No. A reference to struct pid is kept. struct pid - as far as I
understand - was created exactly for the reason to not require to
pin struct task_struct (cf. [22]).
Q-03: (Andrew Morton [21])
Does the entire procfs directory remain visible? Just one entry
within it?
A-03: The same thing that happens right now when you hold a file descriptor
to /proc/<pid> open (cf. [22]).
Q-04: (Andrew Morton [21])
Does the pid remain reserved?
A-04: No. This patchset guarantees a stable handle not that pids are not
recycled (cf. [22]).
Q-05: (Andrew Morton [21])
Do attempts to signal that fd return errors?
A-05: See {Q,A}-01.
Q-06: (Andrew Morton [22])
Is there a cleaner way of obtaining the fd? Another syscall perhaps.
A-06: Userspace can already trivially retrieve file descriptors from procfs
so this is something that we will need to support anyway. Hence,
there's no immediate need to add another syscalls just to make
pidfd_send_signal() not dependent on the presence of procfs. However,
adding a syscalls to get such file descriptors is planned for a
future patchset (cf. [22]).
Q-07: (Andrew Morton [21] and others)
This fd-for-a-process sounds like a handy thing and people may well
think up other uses for it in the future, probably unrelated to
signals. Are the code and the interface designed to permit such
future applications?
A-07: Yes (cf. [22]).
Q-08: (Andrew Morton [21] and others)
Now I think about it, why a new syscall? This thing is looking
rather like an ioctl?
A-08: This has been extensively discussed. It was agreed that a syscall is
preferred for a variety or reasons. Here are just a few taken from
prior threads. Syscalls are safer than ioctl()s especially when
signaling to fds. Processes are a core kernel concept so a syscall
seems more appropriate. The layout of the syscall with its four
arguments would require the addition of a custom struct for the
ioctl() thereby causing at least the same amount or even more
complexity for userspace than a simple syscall. The new syscall will
replace multiple other pid-based syscalls (see description above).
The file-descriptors-for-processes concept introduced with this
syscall will be extended with other syscalls in the future. See also
[22], [23] and various other threads already linked in here.
Q-09: (Florian Weimer [24])
What happens if you use the new interface with an O_PATH descriptor?
A-09:
pidfds opened as O_PATH fds cannot be used to send signals to a
process (cf. [2]). Signaling processes through pidfds is the
equivalent of writing to a file. Thus, this is not an operation that
operates "purely at the file descriptor level" as required by the
open(2) manpage. See also [4].
/* References */
[1]: https://lore.kernel.org/lkml/20181029221037.87724-1-dancol@google.com/
[2]: https://lore.kernel.org/lkml/874lbtjvtd.fsf@oldenburg2.str.redhat.com/
[3]: https://lore.kernel.org/lkml/20181204132604.aspfupwjgjx6fhva@brauner.io/
[4]: https://lore.kernel.org/lkml/20181203180224.fkvw4kajtbvru2ku@brauner.io/
[5]: https://lore.kernel.org/lkml/20181121213946.GA10795@mail.hallyn.com/
[6]: https://lore.kernel.org/lkml/20181120103111.etlqp7zop34v6nv4@brauner.io/
[7]: https://lore.kernel.org/lkml/36323361-90BD-41AF-AB5B-EE0D7BA02C21@amacapital.net/
[8]: https://lore.kernel.org/lkml/87tvjxp8pc.fsf@xmission.com/
[9]: https://asciinema.org/a/IQjuCHew6bnq1cr78yuMv16cy
[11]: https://lore.kernel.org/lkml/F53D6D38-3521-4C20-9034-5AF447DF62FF@amacapital.net/
[12]: https://lore.kernel.org/lkml/87zhtjn8ck.fsf@xmission.com/
[13]: https://lore.kernel.org/lkml/871s6u9z6u.fsf@xmission.com/
[14]: https://lore.kernel.org/lkml/20181206231742.xxi4ghn24z4h2qki@brauner.io/
[15]: https://lore.kernel.org/lkml/20181207003124.GA11160@mail.hallyn.com/
[16]: https://lore.kernel.org/lkml/20181207015423.4miorx43l3qhppfz@brauner.io/
[17]: https://lore.kernel.org/lkml/CAGXu5jL8PciZAXvOvCeCU3wKUEB_dU-O3q0tDw4uB_ojMvDEew@mail.gmail.com/
[18]: https://lore.kernel.org/lkml/20181206222746.GB9224@mail.hallyn.com/
[19]: https://lore.kernel.org/lkml/20181208054059.19813-1-christian@brauner.io/
[20]: https://lore.kernel.org/lkml/8736rebl9s.fsf@oldenburg.str.redhat.com/
[21]: https://lore.kernel.org/lkml/20181228152012.dbf0508c2508138efc5f2bbe@linux-foundation.org/
[22]: https://lore.kernel.org/lkml/20181228233725.722tdfgijxcssg76@brauner.io/
[23]: https://lwn.net/Articles/773459/
[24]: https://lore.kernel.org/lkml/8736rebl9s.fsf@oldenburg.str.redhat.com/
[25]: https://lore.kernel.org/lkml/CAK8P3a0ej9NcJM8wXNPbcGUyOUZYX+VLoDFdbenW3s3114oQZw@mail.gmail.com/
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Jann Horn <jannh@google.com>
Cc: Andy Lutomirsky <luto@kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Florian Weimer <fweimer@redhat.com>
Signed-off-by: Christian Brauner <christian@brauner.io>
Reviewed-by: Tycho Andersen <tycho@tycho.ws>
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: David Howells <dhowells@redhat.com>
Acked-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Serge Hallyn <serge@hallyn.com>
Acked-by: Aleksa Sarai <cyphar@cyphar.com>
2018-11-19 07:51:56 +08:00
|
|
|
prepare_kill_siginfo(sig, &info);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
return kill_something_info(sig, &info, pid);
|
|
|
|
}
|
|
|
|
|
signal: add pidfd_send_signal() syscall
The kill() syscall operates on process identifiers (pid). After a process
has exited its pid can be reused by another process. If a caller sends a
signal to a reused pid it will end up signaling the wrong process. This
issue has often surfaced and there has been a push to address this problem [1].
This patch uses file descriptors (fd) from proc/<pid> as stable handles on
struct pid. Even if a pid is recycled the handle will not change. The fd
can be used to send signals to the process it refers to.
Thus, the new syscall pidfd_send_signal() is introduced to solve this
problem. Instead of pids it operates on process fds (pidfd).
/* prototype and argument /*
long pidfd_send_signal(int pidfd, int sig, siginfo_t *info, unsigned int flags);
/* syscall number 424 */
The syscall number was chosen to be 424 to align with Arnd's rework in his
y2038 to minimize merge conflicts (cf. [25]).
In addition to the pidfd and signal argument it takes an additional
siginfo_t and flags argument. If the siginfo_t argument is NULL then
pidfd_send_signal() is equivalent to kill(<positive-pid>, <signal>). If it
is not NULL pidfd_send_signal() is equivalent to rt_sigqueueinfo().
The flags argument is added to allow for future extensions of this syscall.
It currently needs to be passed as 0. Failing to do so will cause EINVAL.
/* pidfd_send_signal() replaces multiple pid-based syscalls */
The pidfd_send_signal() syscall currently takes on the job of
rt_sigqueueinfo(2) and parts of the functionality of kill(2), Namely, when a
positive pid is passed to kill(2). It will however be possible to also
replace tgkill(2) and rt_tgsigqueueinfo(2) if this syscall is extended.
/* sending signals to threads (tid) and process groups (pgid) */
Specifically, the pidfd_send_signal() syscall does currently not operate on
process groups or threads. This is left for future extensions.
In order to extend the syscall to allow sending signal to threads and
process groups appropriately named flags (e.g. PIDFD_TYPE_PGID, and
PIDFD_TYPE_TID) should be added. This implies that the flags argument will
determine what is signaled and not the file descriptor itself. Put in other
words, grouping in this api is a property of the flags argument not a
property of the file descriptor (cf. [13]). Clarification for this has been
requested by Eric (cf. [19]).
When appropriate extensions through the flags argument are added then
pidfd_send_signal() can additionally replace the part of kill(2) which
operates on process groups as well as the tgkill(2) and
rt_tgsigqueueinfo(2) syscalls.
How such an extension could be implemented has been very roughly sketched
in [14], [15], and [16]. However, this should not be taken as a commitment
to a particular implementation. There might be better ways to do it.
Right now this is intentionally left out to keep this patchset as simple as
possible (cf. [4]).
/* naming */
The syscall had various names throughout iterations of this patchset:
- procfd_signal()
- procfd_send_signal()
- taskfd_send_signal()
In the last round of reviews it was pointed out that given that if the
flags argument decides the scope of the signal instead of different types
of fds it might make sense to either settle for "procfd_" or "pidfd_" as
prefix. The community was willing to accept either (cf. [17] and [18]).
Given that one developer expressed strong preference for the "pidfd_"
prefix (cf. [13]) and with other developers less opinionated about the name
we should settle for "pidfd_" to avoid further bikeshedding.
The "_send_signal" suffix was chosen to reflect the fact that the syscall
takes on the job of multiple syscalls. It is therefore intentional that the
name is not reminiscent of neither kill(2) nor rt_sigqueueinfo(2). Not the
fomer because it might imply that pidfd_send_signal() is a replacement for
kill(2), and not the latter because it is a hassle to remember the correct
spelling - especially for non-native speakers - and because it is not
descriptive enough of what the syscall actually does. The name
"pidfd_send_signal" makes it very clear that its job is to send signals.
/* zombies */
Zombies can be signaled just as any other process. No special error will be
reported since a zombie state is an unreliable state (cf. [3]). However,
this can be added as an extension through the @flags argument if the need
ever arises.
/* cross-namespace signals */
The patch currently enforces that the signaler and signalee either are in
the same pid namespace or that the signaler's pid namespace is an ancestor
of the signalee's pid namespace. This is done for the sake of simplicity
and because it is unclear to what values certain members of struct
siginfo_t would need to be set to (cf. [5], [6]).
/* compat syscalls */
It became clear that we would like to avoid adding compat syscalls
(cf. [7]). The compat syscall handling is now done in kernel/signal.c
itself by adding __copy_siginfo_from_user_generic() which lets us avoid
compat syscalls (cf. [8]). It should be noted that the addition of
__copy_siginfo_from_user_any() is caused by a bug in the original
implementation of rt_sigqueueinfo(2) (cf. 12).
With upcoming rework for syscall handling things might improve
significantly (cf. [11]) and __copy_siginfo_from_user_any() will not gain
any additional callers.
/* testing */
This patch was tested on x64 and x86.
/* userspace usage */
An asciinema recording for the basic functionality can be found under [9].
With this patch a process can be killed via:
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>
static inline int do_pidfd_send_signal(int pidfd, int sig, siginfo_t *info,
unsigned int flags)
{
#ifdef __NR_pidfd_send_signal
return syscall(__NR_pidfd_send_signal, pidfd, sig, info, flags);
#else
return -ENOSYS;
#endif
}
int main(int argc, char *argv[])
{
int fd, ret, saved_errno, sig;
if (argc < 3)
exit(EXIT_FAILURE);
fd = open(argv[1], O_DIRECTORY | O_CLOEXEC);
if (fd < 0) {
printf("%s - Failed to open \"%s\"\n", strerror(errno), argv[1]);
exit(EXIT_FAILURE);
}
sig = atoi(argv[2]);
printf("Sending signal %d to process %s\n", sig, argv[1]);
ret = do_pidfd_send_signal(fd, sig, NULL, 0);
saved_errno = errno;
close(fd);
errno = saved_errno;
if (ret < 0) {
printf("%s - Failed to send signal %d to process %s\n",
strerror(errno), sig, argv[1]);
exit(EXIT_FAILURE);
}
exit(EXIT_SUCCESS);
}
/* Q&A
* Given that it seems the same questions get asked again by people who are
* late to the party it makes sense to add a Q&A section to the commit
* message so it's hopefully easier to avoid duplicate threads.
*
* For the sake of progress please consider these arguments settled unless
* there is a new point that desperately needs to be addressed. Please make
* sure to check the links to the threads in this commit message whether
* this has not already been covered.
*/
Q-01: (Florian Weimer [20], Andrew Morton [21])
What happens when the target process has exited?
A-01: Sending the signal will fail with ESRCH (cf. [22]).
Q-02: (Andrew Morton [21])
Is the task_struct pinned by the fd?
A-02: No. A reference to struct pid is kept. struct pid - as far as I
understand - was created exactly for the reason to not require to
pin struct task_struct (cf. [22]).
Q-03: (Andrew Morton [21])
Does the entire procfs directory remain visible? Just one entry
within it?
A-03: The same thing that happens right now when you hold a file descriptor
to /proc/<pid> open (cf. [22]).
Q-04: (Andrew Morton [21])
Does the pid remain reserved?
A-04: No. This patchset guarantees a stable handle not that pids are not
recycled (cf. [22]).
Q-05: (Andrew Morton [21])
Do attempts to signal that fd return errors?
A-05: See {Q,A}-01.
Q-06: (Andrew Morton [22])
Is there a cleaner way of obtaining the fd? Another syscall perhaps.
A-06: Userspace can already trivially retrieve file descriptors from procfs
so this is something that we will need to support anyway. Hence,
there's no immediate need to add another syscalls just to make
pidfd_send_signal() not dependent on the presence of procfs. However,
adding a syscalls to get such file descriptors is planned for a
future patchset (cf. [22]).
Q-07: (Andrew Morton [21] and others)
This fd-for-a-process sounds like a handy thing and people may well
think up other uses for it in the future, probably unrelated to
signals. Are the code and the interface designed to permit such
future applications?
A-07: Yes (cf. [22]).
Q-08: (Andrew Morton [21] and others)
Now I think about it, why a new syscall? This thing is looking
rather like an ioctl?
A-08: This has been extensively discussed. It was agreed that a syscall is
preferred for a variety or reasons. Here are just a few taken from
prior threads. Syscalls are safer than ioctl()s especially when
signaling to fds. Processes are a core kernel concept so a syscall
seems more appropriate. The layout of the syscall with its four
arguments would require the addition of a custom struct for the
ioctl() thereby causing at least the same amount or even more
complexity for userspace than a simple syscall. The new syscall will
replace multiple other pid-based syscalls (see description above).
The file-descriptors-for-processes concept introduced with this
syscall will be extended with other syscalls in the future. See also
[22], [23] and various other threads already linked in here.
Q-09: (Florian Weimer [24])
What happens if you use the new interface with an O_PATH descriptor?
A-09:
pidfds opened as O_PATH fds cannot be used to send signals to a
process (cf. [2]). Signaling processes through pidfds is the
equivalent of writing to a file. Thus, this is not an operation that
operates "purely at the file descriptor level" as required by the
open(2) manpage. See also [4].
/* References */
[1]: https://lore.kernel.org/lkml/20181029221037.87724-1-dancol@google.com/
[2]: https://lore.kernel.org/lkml/874lbtjvtd.fsf@oldenburg2.str.redhat.com/
[3]: https://lore.kernel.org/lkml/20181204132604.aspfupwjgjx6fhva@brauner.io/
[4]: https://lore.kernel.org/lkml/20181203180224.fkvw4kajtbvru2ku@brauner.io/
[5]: https://lore.kernel.org/lkml/20181121213946.GA10795@mail.hallyn.com/
[6]: https://lore.kernel.org/lkml/20181120103111.etlqp7zop34v6nv4@brauner.io/
[7]: https://lore.kernel.org/lkml/36323361-90BD-41AF-AB5B-EE0D7BA02C21@amacapital.net/
[8]: https://lore.kernel.org/lkml/87tvjxp8pc.fsf@xmission.com/
[9]: https://asciinema.org/a/IQjuCHew6bnq1cr78yuMv16cy
[11]: https://lore.kernel.org/lkml/F53D6D38-3521-4C20-9034-5AF447DF62FF@amacapital.net/
[12]: https://lore.kernel.org/lkml/87zhtjn8ck.fsf@xmission.com/
[13]: https://lore.kernel.org/lkml/871s6u9z6u.fsf@xmission.com/
[14]: https://lore.kernel.org/lkml/20181206231742.xxi4ghn24z4h2qki@brauner.io/
[15]: https://lore.kernel.org/lkml/20181207003124.GA11160@mail.hallyn.com/
[16]: https://lore.kernel.org/lkml/20181207015423.4miorx43l3qhppfz@brauner.io/
[17]: https://lore.kernel.org/lkml/CAGXu5jL8PciZAXvOvCeCU3wKUEB_dU-O3q0tDw4uB_ojMvDEew@mail.gmail.com/
[18]: https://lore.kernel.org/lkml/20181206222746.GB9224@mail.hallyn.com/
[19]: https://lore.kernel.org/lkml/20181208054059.19813-1-christian@brauner.io/
[20]: https://lore.kernel.org/lkml/8736rebl9s.fsf@oldenburg.str.redhat.com/
[21]: https://lore.kernel.org/lkml/20181228152012.dbf0508c2508138efc5f2bbe@linux-foundation.org/
[22]: https://lore.kernel.org/lkml/20181228233725.722tdfgijxcssg76@brauner.io/
[23]: https://lwn.net/Articles/773459/
[24]: https://lore.kernel.org/lkml/8736rebl9s.fsf@oldenburg.str.redhat.com/
[25]: https://lore.kernel.org/lkml/CAK8P3a0ej9NcJM8wXNPbcGUyOUZYX+VLoDFdbenW3s3114oQZw@mail.gmail.com/
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Jann Horn <jannh@google.com>
Cc: Andy Lutomirsky <luto@kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Florian Weimer <fweimer@redhat.com>
Signed-off-by: Christian Brauner <christian@brauner.io>
Reviewed-by: Tycho Andersen <tycho@tycho.ws>
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: David Howells <dhowells@redhat.com>
Acked-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Serge Hallyn <serge@hallyn.com>
Acked-by: Aleksa Sarai <cyphar@cyphar.com>
2018-11-19 07:51:56 +08:00
|
|
|
/*
|
|
|
|
* Verify that the signaler and signalee either are in the same pid namespace
|
|
|
|
* or that the signaler's pid namespace is an ancestor of the signalee's pid
|
|
|
|
* namespace.
|
|
|
|
*/
|
|
|
|
static bool access_pidfd_pidns(struct pid *pid)
|
|
|
|
{
|
|
|
|
struct pid_namespace *active = task_active_pid_ns(current);
|
|
|
|
struct pid_namespace *p = ns_of_pid(pid);
|
|
|
|
|
|
|
|
for (;;) {
|
|
|
|
if (!p)
|
|
|
|
return false;
|
|
|
|
if (p == active)
|
|
|
|
break;
|
|
|
|
p = p->parent;
|
|
|
|
}
|
|
|
|
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
2020-12-07 08:02:52 +08:00
|
|
|
static int copy_siginfo_from_user_any(kernel_siginfo_t *kinfo,
|
|
|
|
siginfo_t __user *info)
|
signal: add pidfd_send_signal() syscall
The kill() syscall operates on process identifiers (pid). After a process
has exited its pid can be reused by another process. If a caller sends a
signal to a reused pid it will end up signaling the wrong process. This
issue has often surfaced and there has been a push to address this problem [1].
This patch uses file descriptors (fd) from proc/<pid> as stable handles on
struct pid. Even if a pid is recycled the handle will not change. The fd
can be used to send signals to the process it refers to.
Thus, the new syscall pidfd_send_signal() is introduced to solve this
problem. Instead of pids it operates on process fds (pidfd).
/* prototype and argument /*
long pidfd_send_signal(int pidfd, int sig, siginfo_t *info, unsigned int flags);
/* syscall number 424 */
The syscall number was chosen to be 424 to align with Arnd's rework in his
y2038 to minimize merge conflicts (cf. [25]).
In addition to the pidfd and signal argument it takes an additional
siginfo_t and flags argument. If the siginfo_t argument is NULL then
pidfd_send_signal() is equivalent to kill(<positive-pid>, <signal>). If it
is not NULL pidfd_send_signal() is equivalent to rt_sigqueueinfo().
The flags argument is added to allow for future extensions of this syscall.
It currently needs to be passed as 0. Failing to do so will cause EINVAL.
/* pidfd_send_signal() replaces multiple pid-based syscalls */
The pidfd_send_signal() syscall currently takes on the job of
rt_sigqueueinfo(2) and parts of the functionality of kill(2), Namely, when a
positive pid is passed to kill(2). It will however be possible to also
replace tgkill(2) and rt_tgsigqueueinfo(2) if this syscall is extended.
/* sending signals to threads (tid) and process groups (pgid) */
Specifically, the pidfd_send_signal() syscall does currently not operate on
process groups or threads. This is left for future extensions.
In order to extend the syscall to allow sending signal to threads and
process groups appropriately named flags (e.g. PIDFD_TYPE_PGID, and
PIDFD_TYPE_TID) should be added. This implies that the flags argument will
determine what is signaled and not the file descriptor itself. Put in other
words, grouping in this api is a property of the flags argument not a
property of the file descriptor (cf. [13]). Clarification for this has been
requested by Eric (cf. [19]).
When appropriate extensions through the flags argument are added then
pidfd_send_signal() can additionally replace the part of kill(2) which
operates on process groups as well as the tgkill(2) and
rt_tgsigqueueinfo(2) syscalls.
How such an extension could be implemented has been very roughly sketched
in [14], [15], and [16]. However, this should not be taken as a commitment
to a particular implementation. There might be better ways to do it.
Right now this is intentionally left out to keep this patchset as simple as
possible (cf. [4]).
/* naming */
The syscall had various names throughout iterations of this patchset:
- procfd_signal()
- procfd_send_signal()
- taskfd_send_signal()
In the last round of reviews it was pointed out that given that if the
flags argument decides the scope of the signal instead of different types
of fds it might make sense to either settle for "procfd_" or "pidfd_" as
prefix. The community was willing to accept either (cf. [17] and [18]).
Given that one developer expressed strong preference for the "pidfd_"
prefix (cf. [13]) and with other developers less opinionated about the name
we should settle for "pidfd_" to avoid further bikeshedding.
The "_send_signal" suffix was chosen to reflect the fact that the syscall
takes on the job of multiple syscalls. It is therefore intentional that the
name is not reminiscent of neither kill(2) nor rt_sigqueueinfo(2). Not the
fomer because it might imply that pidfd_send_signal() is a replacement for
kill(2), and not the latter because it is a hassle to remember the correct
spelling - especially for non-native speakers - and because it is not
descriptive enough of what the syscall actually does. The name
"pidfd_send_signal" makes it very clear that its job is to send signals.
/* zombies */
Zombies can be signaled just as any other process. No special error will be
reported since a zombie state is an unreliable state (cf. [3]). However,
this can be added as an extension through the @flags argument if the need
ever arises.
/* cross-namespace signals */
The patch currently enforces that the signaler and signalee either are in
the same pid namespace or that the signaler's pid namespace is an ancestor
of the signalee's pid namespace. This is done for the sake of simplicity
and because it is unclear to what values certain members of struct
siginfo_t would need to be set to (cf. [5], [6]).
/* compat syscalls */
It became clear that we would like to avoid adding compat syscalls
(cf. [7]). The compat syscall handling is now done in kernel/signal.c
itself by adding __copy_siginfo_from_user_generic() which lets us avoid
compat syscalls (cf. [8]). It should be noted that the addition of
__copy_siginfo_from_user_any() is caused by a bug in the original
implementation of rt_sigqueueinfo(2) (cf. 12).
With upcoming rework for syscall handling things might improve
significantly (cf. [11]) and __copy_siginfo_from_user_any() will not gain
any additional callers.
/* testing */
This patch was tested on x64 and x86.
/* userspace usage */
An asciinema recording for the basic functionality can be found under [9].
With this patch a process can be killed via:
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>
static inline int do_pidfd_send_signal(int pidfd, int sig, siginfo_t *info,
unsigned int flags)
{
#ifdef __NR_pidfd_send_signal
return syscall(__NR_pidfd_send_signal, pidfd, sig, info, flags);
#else
return -ENOSYS;
#endif
}
int main(int argc, char *argv[])
{
int fd, ret, saved_errno, sig;
if (argc < 3)
exit(EXIT_FAILURE);
fd = open(argv[1], O_DIRECTORY | O_CLOEXEC);
if (fd < 0) {
printf("%s - Failed to open \"%s\"\n", strerror(errno), argv[1]);
exit(EXIT_FAILURE);
}
sig = atoi(argv[2]);
printf("Sending signal %d to process %s\n", sig, argv[1]);
ret = do_pidfd_send_signal(fd, sig, NULL, 0);
saved_errno = errno;
close(fd);
errno = saved_errno;
if (ret < 0) {
printf("%s - Failed to send signal %d to process %s\n",
strerror(errno), sig, argv[1]);
exit(EXIT_FAILURE);
}
exit(EXIT_SUCCESS);
}
/* Q&A
* Given that it seems the same questions get asked again by people who are
* late to the party it makes sense to add a Q&A section to the commit
* message so it's hopefully easier to avoid duplicate threads.
*
* For the sake of progress please consider these arguments settled unless
* there is a new point that desperately needs to be addressed. Please make
* sure to check the links to the threads in this commit message whether
* this has not already been covered.
*/
Q-01: (Florian Weimer [20], Andrew Morton [21])
What happens when the target process has exited?
A-01: Sending the signal will fail with ESRCH (cf. [22]).
Q-02: (Andrew Morton [21])
Is the task_struct pinned by the fd?
A-02: No. A reference to struct pid is kept. struct pid - as far as I
understand - was created exactly for the reason to not require to
pin struct task_struct (cf. [22]).
Q-03: (Andrew Morton [21])
Does the entire procfs directory remain visible? Just one entry
within it?
A-03: The same thing that happens right now when you hold a file descriptor
to /proc/<pid> open (cf. [22]).
Q-04: (Andrew Morton [21])
Does the pid remain reserved?
A-04: No. This patchset guarantees a stable handle not that pids are not
recycled (cf. [22]).
Q-05: (Andrew Morton [21])
Do attempts to signal that fd return errors?
A-05: See {Q,A}-01.
Q-06: (Andrew Morton [22])
Is there a cleaner way of obtaining the fd? Another syscall perhaps.
A-06: Userspace can already trivially retrieve file descriptors from procfs
so this is something that we will need to support anyway. Hence,
there's no immediate need to add another syscalls just to make
pidfd_send_signal() not dependent on the presence of procfs. However,
adding a syscalls to get such file descriptors is planned for a
future patchset (cf. [22]).
Q-07: (Andrew Morton [21] and others)
This fd-for-a-process sounds like a handy thing and people may well
think up other uses for it in the future, probably unrelated to
signals. Are the code and the interface designed to permit such
future applications?
A-07: Yes (cf. [22]).
Q-08: (Andrew Morton [21] and others)
Now I think about it, why a new syscall? This thing is looking
rather like an ioctl?
A-08: This has been extensively discussed. It was agreed that a syscall is
preferred for a variety or reasons. Here are just a few taken from
prior threads. Syscalls are safer than ioctl()s especially when
signaling to fds. Processes are a core kernel concept so a syscall
seems more appropriate. The layout of the syscall with its four
arguments would require the addition of a custom struct for the
ioctl() thereby causing at least the same amount or even more
complexity for userspace than a simple syscall. The new syscall will
replace multiple other pid-based syscalls (see description above).
The file-descriptors-for-processes concept introduced with this
syscall will be extended with other syscalls in the future. See also
[22], [23] and various other threads already linked in here.
Q-09: (Florian Weimer [24])
What happens if you use the new interface with an O_PATH descriptor?
A-09:
pidfds opened as O_PATH fds cannot be used to send signals to a
process (cf. [2]). Signaling processes through pidfds is the
equivalent of writing to a file. Thus, this is not an operation that
operates "purely at the file descriptor level" as required by the
open(2) manpage. See also [4].
/* References */
[1]: https://lore.kernel.org/lkml/20181029221037.87724-1-dancol@google.com/
[2]: https://lore.kernel.org/lkml/874lbtjvtd.fsf@oldenburg2.str.redhat.com/
[3]: https://lore.kernel.org/lkml/20181204132604.aspfupwjgjx6fhva@brauner.io/
[4]: https://lore.kernel.org/lkml/20181203180224.fkvw4kajtbvru2ku@brauner.io/
[5]: https://lore.kernel.org/lkml/20181121213946.GA10795@mail.hallyn.com/
[6]: https://lore.kernel.org/lkml/20181120103111.etlqp7zop34v6nv4@brauner.io/
[7]: https://lore.kernel.org/lkml/36323361-90BD-41AF-AB5B-EE0D7BA02C21@amacapital.net/
[8]: https://lore.kernel.org/lkml/87tvjxp8pc.fsf@xmission.com/
[9]: https://asciinema.org/a/IQjuCHew6bnq1cr78yuMv16cy
[11]: https://lore.kernel.org/lkml/F53D6D38-3521-4C20-9034-5AF447DF62FF@amacapital.net/
[12]: https://lore.kernel.org/lkml/87zhtjn8ck.fsf@xmission.com/
[13]: https://lore.kernel.org/lkml/871s6u9z6u.fsf@xmission.com/
[14]: https://lore.kernel.org/lkml/20181206231742.xxi4ghn24z4h2qki@brauner.io/
[15]: https://lore.kernel.org/lkml/20181207003124.GA11160@mail.hallyn.com/
[16]: https://lore.kernel.org/lkml/20181207015423.4miorx43l3qhppfz@brauner.io/
[17]: https://lore.kernel.org/lkml/CAGXu5jL8PciZAXvOvCeCU3wKUEB_dU-O3q0tDw4uB_ojMvDEew@mail.gmail.com/
[18]: https://lore.kernel.org/lkml/20181206222746.GB9224@mail.hallyn.com/
[19]: https://lore.kernel.org/lkml/20181208054059.19813-1-christian@brauner.io/
[20]: https://lore.kernel.org/lkml/8736rebl9s.fsf@oldenburg.str.redhat.com/
[21]: https://lore.kernel.org/lkml/20181228152012.dbf0508c2508138efc5f2bbe@linux-foundation.org/
[22]: https://lore.kernel.org/lkml/20181228233725.722tdfgijxcssg76@brauner.io/
[23]: https://lwn.net/Articles/773459/
[24]: https://lore.kernel.org/lkml/8736rebl9s.fsf@oldenburg.str.redhat.com/
[25]: https://lore.kernel.org/lkml/CAK8P3a0ej9NcJM8wXNPbcGUyOUZYX+VLoDFdbenW3s3114oQZw@mail.gmail.com/
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Jann Horn <jannh@google.com>
Cc: Andy Lutomirsky <luto@kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Florian Weimer <fweimer@redhat.com>
Signed-off-by: Christian Brauner <christian@brauner.io>
Reviewed-by: Tycho Andersen <tycho@tycho.ws>
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: David Howells <dhowells@redhat.com>
Acked-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Serge Hallyn <serge@hallyn.com>
Acked-by: Aleksa Sarai <cyphar@cyphar.com>
2018-11-19 07:51:56 +08:00
|
|
|
{
|
|
|
|
#ifdef CONFIG_COMPAT
|
|
|
|
/*
|
|
|
|
* Avoid hooking up compat syscalls and instead handle necessary
|
|
|
|
* conversions here. Note, this is a stop-gap measure and should not be
|
|
|
|
* considered a generic solution.
|
|
|
|
*/
|
|
|
|
if (in_compat_syscall())
|
|
|
|
return copy_siginfo_from_user32(
|
|
|
|
kinfo, (struct compat_siginfo __user *)info);
|
|
|
|
#endif
|
|
|
|
return copy_siginfo_from_user(kinfo, info);
|
|
|
|
}
|
|
|
|
|
2019-04-18 04:50:25 +08:00
|
|
|
static struct pid *pidfd_to_pid(const struct file *file)
|
|
|
|
{
|
2019-07-28 06:22:29 +08:00
|
|
|
struct pid *pid;
|
|
|
|
|
|
|
|
pid = pidfd_pid(file);
|
|
|
|
if (!IS_ERR(pid))
|
|
|
|
return pid;
|
2019-04-18 04:50:25 +08:00
|
|
|
|
|
|
|
return tgid_pidfd_to_pid(file);
|
|
|
|
}
|
|
|
|
|
signal: add pidfd_send_signal() syscall
The kill() syscall operates on process identifiers (pid). After a process
has exited its pid can be reused by another process. If a caller sends a
signal to a reused pid it will end up signaling the wrong process. This
issue has often surfaced and there has been a push to address this problem [1].
This patch uses file descriptors (fd) from proc/<pid> as stable handles on
struct pid. Even if a pid is recycled the handle will not change. The fd
can be used to send signals to the process it refers to.
Thus, the new syscall pidfd_send_signal() is introduced to solve this
problem. Instead of pids it operates on process fds (pidfd).
/* prototype and argument /*
long pidfd_send_signal(int pidfd, int sig, siginfo_t *info, unsigned int flags);
/* syscall number 424 */
The syscall number was chosen to be 424 to align with Arnd's rework in his
y2038 to minimize merge conflicts (cf. [25]).
In addition to the pidfd and signal argument it takes an additional
siginfo_t and flags argument. If the siginfo_t argument is NULL then
pidfd_send_signal() is equivalent to kill(<positive-pid>, <signal>). If it
is not NULL pidfd_send_signal() is equivalent to rt_sigqueueinfo().
The flags argument is added to allow for future extensions of this syscall.
It currently needs to be passed as 0. Failing to do so will cause EINVAL.
/* pidfd_send_signal() replaces multiple pid-based syscalls */
The pidfd_send_signal() syscall currently takes on the job of
rt_sigqueueinfo(2) and parts of the functionality of kill(2), Namely, when a
positive pid is passed to kill(2). It will however be possible to also
replace tgkill(2) and rt_tgsigqueueinfo(2) if this syscall is extended.
/* sending signals to threads (tid) and process groups (pgid) */
Specifically, the pidfd_send_signal() syscall does currently not operate on
process groups or threads. This is left for future extensions.
In order to extend the syscall to allow sending signal to threads and
process groups appropriately named flags (e.g. PIDFD_TYPE_PGID, and
PIDFD_TYPE_TID) should be added. This implies that the flags argument will
determine what is signaled and not the file descriptor itself. Put in other
words, grouping in this api is a property of the flags argument not a
property of the file descriptor (cf. [13]). Clarification for this has been
requested by Eric (cf. [19]).
When appropriate extensions through the flags argument are added then
pidfd_send_signal() can additionally replace the part of kill(2) which
operates on process groups as well as the tgkill(2) and
rt_tgsigqueueinfo(2) syscalls.
How such an extension could be implemented has been very roughly sketched
in [14], [15], and [16]. However, this should not be taken as a commitment
to a particular implementation. There might be better ways to do it.
Right now this is intentionally left out to keep this patchset as simple as
possible (cf. [4]).
/* naming */
The syscall had various names throughout iterations of this patchset:
- procfd_signal()
- procfd_send_signal()
- taskfd_send_signal()
In the last round of reviews it was pointed out that given that if the
flags argument decides the scope of the signal instead of different types
of fds it might make sense to either settle for "procfd_" or "pidfd_" as
prefix. The community was willing to accept either (cf. [17] and [18]).
Given that one developer expressed strong preference for the "pidfd_"
prefix (cf. [13]) and with other developers less opinionated about the name
we should settle for "pidfd_" to avoid further bikeshedding.
The "_send_signal" suffix was chosen to reflect the fact that the syscall
takes on the job of multiple syscalls. It is therefore intentional that the
name is not reminiscent of neither kill(2) nor rt_sigqueueinfo(2). Not the
fomer because it might imply that pidfd_send_signal() is a replacement for
kill(2), and not the latter because it is a hassle to remember the correct
spelling - especially for non-native speakers - and because it is not
descriptive enough of what the syscall actually does. The name
"pidfd_send_signal" makes it very clear that its job is to send signals.
/* zombies */
Zombies can be signaled just as any other process. No special error will be
reported since a zombie state is an unreliable state (cf. [3]). However,
this can be added as an extension through the @flags argument if the need
ever arises.
/* cross-namespace signals */
The patch currently enforces that the signaler and signalee either are in
the same pid namespace or that the signaler's pid namespace is an ancestor
of the signalee's pid namespace. This is done for the sake of simplicity
and because it is unclear to what values certain members of struct
siginfo_t would need to be set to (cf. [5], [6]).
/* compat syscalls */
It became clear that we would like to avoid adding compat syscalls
(cf. [7]). The compat syscall handling is now done in kernel/signal.c
itself by adding __copy_siginfo_from_user_generic() which lets us avoid
compat syscalls (cf. [8]). It should be noted that the addition of
__copy_siginfo_from_user_any() is caused by a bug in the original
implementation of rt_sigqueueinfo(2) (cf. 12).
With upcoming rework for syscall handling things might improve
significantly (cf. [11]) and __copy_siginfo_from_user_any() will not gain
any additional callers.
/* testing */
This patch was tested on x64 and x86.
/* userspace usage */
An asciinema recording for the basic functionality can be found under [9].
With this patch a process can be killed via:
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>
static inline int do_pidfd_send_signal(int pidfd, int sig, siginfo_t *info,
unsigned int flags)
{
#ifdef __NR_pidfd_send_signal
return syscall(__NR_pidfd_send_signal, pidfd, sig, info, flags);
#else
return -ENOSYS;
#endif
}
int main(int argc, char *argv[])
{
int fd, ret, saved_errno, sig;
if (argc < 3)
exit(EXIT_FAILURE);
fd = open(argv[1], O_DIRECTORY | O_CLOEXEC);
if (fd < 0) {
printf("%s - Failed to open \"%s\"\n", strerror(errno), argv[1]);
exit(EXIT_FAILURE);
}
sig = atoi(argv[2]);
printf("Sending signal %d to process %s\n", sig, argv[1]);
ret = do_pidfd_send_signal(fd, sig, NULL, 0);
saved_errno = errno;
close(fd);
errno = saved_errno;
if (ret < 0) {
printf("%s - Failed to send signal %d to process %s\n",
strerror(errno), sig, argv[1]);
exit(EXIT_FAILURE);
}
exit(EXIT_SUCCESS);
}
/* Q&A
* Given that it seems the same questions get asked again by people who are
* late to the party it makes sense to add a Q&A section to the commit
* message so it's hopefully easier to avoid duplicate threads.
*
* For the sake of progress please consider these arguments settled unless
* there is a new point that desperately needs to be addressed. Please make
* sure to check the links to the threads in this commit message whether
* this has not already been covered.
*/
Q-01: (Florian Weimer [20], Andrew Morton [21])
What happens when the target process has exited?
A-01: Sending the signal will fail with ESRCH (cf. [22]).
Q-02: (Andrew Morton [21])
Is the task_struct pinned by the fd?
A-02: No. A reference to struct pid is kept. struct pid - as far as I
understand - was created exactly for the reason to not require to
pin struct task_struct (cf. [22]).
Q-03: (Andrew Morton [21])
Does the entire procfs directory remain visible? Just one entry
within it?
A-03: The same thing that happens right now when you hold a file descriptor
to /proc/<pid> open (cf. [22]).
Q-04: (Andrew Morton [21])
Does the pid remain reserved?
A-04: No. This patchset guarantees a stable handle not that pids are not
recycled (cf. [22]).
Q-05: (Andrew Morton [21])
Do attempts to signal that fd return errors?
A-05: See {Q,A}-01.
Q-06: (Andrew Morton [22])
Is there a cleaner way of obtaining the fd? Another syscall perhaps.
A-06: Userspace can already trivially retrieve file descriptors from procfs
so this is something that we will need to support anyway. Hence,
there's no immediate need to add another syscalls just to make
pidfd_send_signal() not dependent on the presence of procfs. However,
adding a syscalls to get such file descriptors is planned for a
future patchset (cf. [22]).
Q-07: (Andrew Morton [21] and others)
This fd-for-a-process sounds like a handy thing and people may well
think up other uses for it in the future, probably unrelated to
signals. Are the code and the interface designed to permit such
future applications?
A-07: Yes (cf. [22]).
Q-08: (Andrew Morton [21] and others)
Now I think about it, why a new syscall? This thing is looking
rather like an ioctl?
A-08: This has been extensively discussed. It was agreed that a syscall is
preferred for a variety or reasons. Here are just a few taken from
prior threads. Syscalls are safer than ioctl()s especially when
signaling to fds. Processes are a core kernel concept so a syscall
seems more appropriate. The layout of the syscall with its four
arguments would require the addition of a custom struct for the
ioctl() thereby causing at least the same amount or even more
complexity for userspace than a simple syscall. The new syscall will
replace multiple other pid-based syscalls (see description above).
The file-descriptors-for-processes concept introduced with this
syscall will be extended with other syscalls in the future. See also
[22], [23] and various other threads already linked in here.
Q-09: (Florian Weimer [24])
What happens if you use the new interface with an O_PATH descriptor?
A-09:
pidfds opened as O_PATH fds cannot be used to send signals to a
process (cf. [2]). Signaling processes through pidfds is the
equivalent of writing to a file. Thus, this is not an operation that
operates "purely at the file descriptor level" as required by the
open(2) manpage. See also [4].
/* References */
[1]: https://lore.kernel.org/lkml/20181029221037.87724-1-dancol@google.com/
[2]: https://lore.kernel.org/lkml/874lbtjvtd.fsf@oldenburg2.str.redhat.com/
[3]: https://lore.kernel.org/lkml/20181204132604.aspfupwjgjx6fhva@brauner.io/
[4]: https://lore.kernel.org/lkml/20181203180224.fkvw4kajtbvru2ku@brauner.io/
[5]: https://lore.kernel.org/lkml/20181121213946.GA10795@mail.hallyn.com/
[6]: https://lore.kernel.org/lkml/20181120103111.etlqp7zop34v6nv4@brauner.io/
[7]: https://lore.kernel.org/lkml/36323361-90BD-41AF-AB5B-EE0D7BA02C21@amacapital.net/
[8]: https://lore.kernel.org/lkml/87tvjxp8pc.fsf@xmission.com/
[9]: https://asciinema.org/a/IQjuCHew6bnq1cr78yuMv16cy
[11]: https://lore.kernel.org/lkml/F53D6D38-3521-4C20-9034-5AF447DF62FF@amacapital.net/
[12]: https://lore.kernel.org/lkml/87zhtjn8ck.fsf@xmission.com/
[13]: https://lore.kernel.org/lkml/871s6u9z6u.fsf@xmission.com/
[14]: https://lore.kernel.org/lkml/20181206231742.xxi4ghn24z4h2qki@brauner.io/
[15]: https://lore.kernel.org/lkml/20181207003124.GA11160@mail.hallyn.com/
[16]: https://lore.kernel.org/lkml/20181207015423.4miorx43l3qhppfz@brauner.io/
[17]: https://lore.kernel.org/lkml/CAGXu5jL8PciZAXvOvCeCU3wKUEB_dU-O3q0tDw4uB_ojMvDEew@mail.gmail.com/
[18]: https://lore.kernel.org/lkml/20181206222746.GB9224@mail.hallyn.com/
[19]: https://lore.kernel.org/lkml/20181208054059.19813-1-christian@brauner.io/
[20]: https://lore.kernel.org/lkml/8736rebl9s.fsf@oldenburg.str.redhat.com/
[21]: https://lore.kernel.org/lkml/20181228152012.dbf0508c2508138efc5f2bbe@linux-foundation.org/
[22]: https://lore.kernel.org/lkml/20181228233725.722tdfgijxcssg76@brauner.io/
[23]: https://lwn.net/Articles/773459/
[24]: https://lore.kernel.org/lkml/8736rebl9s.fsf@oldenburg.str.redhat.com/
[25]: https://lore.kernel.org/lkml/CAK8P3a0ej9NcJM8wXNPbcGUyOUZYX+VLoDFdbenW3s3114oQZw@mail.gmail.com/
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Jann Horn <jannh@google.com>
Cc: Andy Lutomirsky <luto@kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Florian Weimer <fweimer@redhat.com>
Signed-off-by: Christian Brauner <christian@brauner.io>
Reviewed-by: Tycho Andersen <tycho@tycho.ws>
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: David Howells <dhowells@redhat.com>
Acked-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Serge Hallyn <serge@hallyn.com>
Acked-by: Aleksa Sarai <cyphar@cyphar.com>
2018-11-19 07:51:56 +08:00
|
|
|
/**
|
2019-06-04 21:18:43 +08:00
|
|
|
* sys_pidfd_send_signal - Signal a process through a pidfd
|
|
|
|
* @pidfd: file descriptor of the process
|
|
|
|
* @sig: signal to send
|
|
|
|
* @info: signal info
|
|
|
|
* @flags: future flags
|
signal: add pidfd_send_signal() syscall
The kill() syscall operates on process identifiers (pid). After a process
has exited its pid can be reused by another process. If a caller sends a
signal to a reused pid it will end up signaling the wrong process. This
issue has often surfaced and there has been a push to address this problem [1].
This patch uses file descriptors (fd) from proc/<pid> as stable handles on
struct pid. Even if a pid is recycled the handle will not change. The fd
can be used to send signals to the process it refers to.
Thus, the new syscall pidfd_send_signal() is introduced to solve this
problem. Instead of pids it operates on process fds (pidfd).
/* prototype and argument /*
long pidfd_send_signal(int pidfd, int sig, siginfo_t *info, unsigned int flags);
/* syscall number 424 */
The syscall number was chosen to be 424 to align with Arnd's rework in his
y2038 to minimize merge conflicts (cf. [25]).
In addition to the pidfd and signal argument it takes an additional
siginfo_t and flags argument. If the siginfo_t argument is NULL then
pidfd_send_signal() is equivalent to kill(<positive-pid>, <signal>). If it
is not NULL pidfd_send_signal() is equivalent to rt_sigqueueinfo().
The flags argument is added to allow for future extensions of this syscall.
It currently needs to be passed as 0. Failing to do so will cause EINVAL.
/* pidfd_send_signal() replaces multiple pid-based syscalls */
The pidfd_send_signal() syscall currently takes on the job of
rt_sigqueueinfo(2) and parts of the functionality of kill(2), Namely, when a
positive pid is passed to kill(2). It will however be possible to also
replace tgkill(2) and rt_tgsigqueueinfo(2) if this syscall is extended.
/* sending signals to threads (tid) and process groups (pgid) */
Specifically, the pidfd_send_signal() syscall does currently not operate on
process groups or threads. This is left for future extensions.
In order to extend the syscall to allow sending signal to threads and
process groups appropriately named flags (e.g. PIDFD_TYPE_PGID, and
PIDFD_TYPE_TID) should be added. This implies that the flags argument will
determine what is signaled and not the file descriptor itself. Put in other
words, grouping in this api is a property of the flags argument not a
property of the file descriptor (cf. [13]). Clarification for this has been
requested by Eric (cf. [19]).
When appropriate extensions through the flags argument are added then
pidfd_send_signal() can additionally replace the part of kill(2) which
operates on process groups as well as the tgkill(2) and
rt_tgsigqueueinfo(2) syscalls.
How such an extension could be implemented has been very roughly sketched
in [14], [15], and [16]. However, this should not be taken as a commitment
to a particular implementation. There might be better ways to do it.
Right now this is intentionally left out to keep this patchset as simple as
possible (cf. [4]).
/* naming */
The syscall had various names throughout iterations of this patchset:
- procfd_signal()
- procfd_send_signal()
- taskfd_send_signal()
In the last round of reviews it was pointed out that given that if the
flags argument decides the scope of the signal instead of different types
of fds it might make sense to either settle for "procfd_" or "pidfd_" as
prefix. The community was willing to accept either (cf. [17] and [18]).
Given that one developer expressed strong preference for the "pidfd_"
prefix (cf. [13]) and with other developers less opinionated about the name
we should settle for "pidfd_" to avoid further bikeshedding.
The "_send_signal" suffix was chosen to reflect the fact that the syscall
takes on the job of multiple syscalls. It is therefore intentional that the
name is not reminiscent of neither kill(2) nor rt_sigqueueinfo(2). Not the
fomer because it might imply that pidfd_send_signal() is a replacement for
kill(2), and not the latter because it is a hassle to remember the correct
spelling - especially for non-native speakers - and because it is not
descriptive enough of what the syscall actually does. The name
"pidfd_send_signal" makes it very clear that its job is to send signals.
/* zombies */
Zombies can be signaled just as any other process. No special error will be
reported since a zombie state is an unreliable state (cf. [3]). However,
this can be added as an extension through the @flags argument if the need
ever arises.
/* cross-namespace signals */
The patch currently enforces that the signaler and signalee either are in
the same pid namespace or that the signaler's pid namespace is an ancestor
of the signalee's pid namespace. This is done for the sake of simplicity
and because it is unclear to what values certain members of struct
siginfo_t would need to be set to (cf. [5], [6]).
/* compat syscalls */
It became clear that we would like to avoid adding compat syscalls
(cf. [7]). The compat syscall handling is now done in kernel/signal.c
itself by adding __copy_siginfo_from_user_generic() which lets us avoid
compat syscalls (cf. [8]). It should be noted that the addition of
__copy_siginfo_from_user_any() is caused by a bug in the original
implementation of rt_sigqueueinfo(2) (cf. 12).
With upcoming rework for syscall handling things might improve
significantly (cf. [11]) and __copy_siginfo_from_user_any() will not gain
any additional callers.
/* testing */
This patch was tested on x64 and x86.
/* userspace usage */
An asciinema recording for the basic functionality can be found under [9].
With this patch a process can be killed via:
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>
static inline int do_pidfd_send_signal(int pidfd, int sig, siginfo_t *info,
unsigned int flags)
{
#ifdef __NR_pidfd_send_signal
return syscall(__NR_pidfd_send_signal, pidfd, sig, info, flags);
#else
return -ENOSYS;
#endif
}
int main(int argc, char *argv[])
{
int fd, ret, saved_errno, sig;
if (argc < 3)
exit(EXIT_FAILURE);
fd = open(argv[1], O_DIRECTORY | O_CLOEXEC);
if (fd < 0) {
printf("%s - Failed to open \"%s\"\n", strerror(errno), argv[1]);
exit(EXIT_FAILURE);
}
sig = atoi(argv[2]);
printf("Sending signal %d to process %s\n", sig, argv[1]);
ret = do_pidfd_send_signal(fd, sig, NULL, 0);
saved_errno = errno;
close(fd);
errno = saved_errno;
if (ret < 0) {
printf("%s - Failed to send signal %d to process %s\n",
strerror(errno), sig, argv[1]);
exit(EXIT_FAILURE);
}
exit(EXIT_SUCCESS);
}
/* Q&A
* Given that it seems the same questions get asked again by people who are
* late to the party it makes sense to add a Q&A section to the commit
* message so it's hopefully easier to avoid duplicate threads.
*
* For the sake of progress please consider these arguments settled unless
* there is a new point that desperately needs to be addressed. Please make
* sure to check the links to the threads in this commit message whether
* this has not already been covered.
*/
Q-01: (Florian Weimer [20], Andrew Morton [21])
What happens when the target process has exited?
A-01: Sending the signal will fail with ESRCH (cf. [22]).
Q-02: (Andrew Morton [21])
Is the task_struct pinned by the fd?
A-02: No. A reference to struct pid is kept. struct pid - as far as I
understand - was created exactly for the reason to not require to
pin struct task_struct (cf. [22]).
Q-03: (Andrew Morton [21])
Does the entire procfs directory remain visible? Just one entry
within it?
A-03: The same thing that happens right now when you hold a file descriptor
to /proc/<pid> open (cf. [22]).
Q-04: (Andrew Morton [21])
Does the pid remain reserved?
A-04: No. This patchset guarantees a stable handle not that pids are not
recycled (cf. [22]).
Q-05: (Andrew Morton [21])
Do attempts to signal that fd return errors?
A-05: See {Q,A}-01.
Q-06: (Andrew Morton [22])
Is there a cleaner way of obtaining the fd? Another syscall perhaps.
A-06: Userspace can already trivially retrieve file descriptors from procfs
so this is something that we will need to support anyway. Hence,
there's no immediate need to add another syscalls just to make
pidfd_send_signal() not dependent on the presence of procfs. However,
adding a syscalls to get such file descriptors is planned for a
future patchset (cf. [22]).
Q-07: (Andrew Morton [21] and others)
This fd-for-a-process sounds like a handy thing and people may well
think up other uses for it in the future, probably unrelated to
signals. Are the code and the interface designed to permit such
future applications?
A-07: Yes (cf. [22]).
Q-08: (Andrew Morton [21] and others)
Now I think about it, why a new syscall? This thing is looking
rather like an ioctl?
A-08: This has been extensively discussed. It was agreed that a syscall is
preferred for a variety or reasons. Here are just a few taken from
prior threads. Syscalls are safer than ioctl()s especially when
signaling to fds. Processes are a core kernel concept so a syscall
seems more appropriate. The layout of the syscall with its four
arguments would require the addition of a custom struct for the
ioctl() thereby causing at least the same amount or even more
complexity for userspace than a simple syscall. The new syscall will
replace multiple other pid-based syscalls (see description above).
The file-descriptors-for-processes concept introduced with this
syscall will be extended with other syscalls in the future. See also
[22], [23] and various other threads already linked in here.
Q-09: (Florian Weimer [24])
What happens if you use the new interface with an O_PATH descriptor?
A-09:
pidfds opened as O_PATH fds cannot be used to send signals to a
process (cf. [2]). Signaling processes through pidfds is the
equivalent of writing to a file. Thus, this is not an operation that
operates "purely at the file descriptor level" as required by the
open(2) manpage. See also [4].
/* References */
[1]: https://lore.kernel.org/lkml/20181029221037.87724-1-dancol@google.com/
[2]: https://lore.kernel.org/lkml/874lbtjvtd.fsf@oldenburg2.str.redhat.com/
[3]: https://lore.kernel.org/lkml/20181204132604.aspfupwjgjx6fhva@brauner.io/
[4]: https://lore.kernel.org/lkml/20181203180224.fkvw4kajtbvru2ku@brauner.io/
[5]: https://lore.kernel.org/lkml/20181121213946.GA10795@mail.hallyn.com/
[6]: https://lore.kernel.org/lkml/20181120103111.etlqp7zop34v6nv4@brauner.io/
[7]: https://lore.kernel.org/lkml/36323361-90BD-41AF-AB5B-EE0D7BA02C21@amacapital.net/
[8]: https://lore.kernel.org/lkml/87tvjxp8pc.fsf@xmission.com/
[9]: https://asciinema.org/a/IQjuCHew6bnq1cr78yuMv16cy
[11]: https://lore.kernel.org/lkml/F53D6D38-3521-4C20-9034-5AF447DF62FF@amacapital.net/
[12]: https://lore.kernel.org/lkml/87zhtjn8ck.fsf@xmission.com/
[13]: https://lore.kernel.org/lkml/871s6u9z6u.fsf@xmission.com/
[14]: https://lore.kernel.org/lkml/20181206231742.xxi4ghn24z4h2qki@brauner.io/
[15]: https://lore.kernel.org/lkml/20181207003124.GA11160@mail.hallyn.com/
[16]: https://lore.kernel.org/lkml/20181207015423.4miorx43l3qhppfz@brauner.io/
[17]: https://lore.kernel.org/lkml/CAGXu5jL8PciZAXvOvCeCU3wKUEB_dU-O3q0tDw4uB_ojMvDEew@mail.gmail.com/
[18]: https://lore.kernel.org/lkml/20181206222746.GB9224@mail.hallyn.com/
[19]: https://lore.kernel.org/lkml/20181208054059.19813-1-christian@brauner.io/
[20]: https://lore.kernel.org/lkml/8736rebl9s.fsf@oldenburg.str.redhat.com/
[21]: https://lore.kernel.org/lkml/20181228152012.dbf0508c2508138efc5f2bbe@linux-foundation.org/
[22]: https://lore.kernel.org/lkml/20181228233725.722tdfgijxcssg76@brauner.io/
[23]: https://lwn.net/Articles/773459/
[24]: https://lore.kernel.org/lkml/8736rebl9s.fsf@oldenburg.str.redhat.com/
[25]: https://lore.kernel.org/lkml/CAK8P3a0ej9NcJM8wXNPbcGUyOUZYX+VLoDFdbenW3s3114oQZw@mail.gmail.com/
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Jann Horn <jannh@google.com>
Cc: Andy Lutomirsky <luto@kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Florian Weimer <fweimer@redhat.com>
Signed-off-by: Christian Brauner <christian@brauner.io>
Reviewed-by: Tycho Andersen <tycho@tycho.ws>
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: David Howells <dhowells@redhat.com>
Acked-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Serge Hallyn <serge@hallyn.com>
Acked-by: Aleksa Sarai <cyphar@cyphar.com>
2018-11-19 07:51:56 +08:00
|
|
|
*
|
|
|
|
* The syscall currently only signals via PIDTYPE_PID which covers
|
|
|
|
* kill(<positive-pid>, <signal>. It does not signal threads or process
|
|
|
|
* groups.
|
|
|
|
* In order to extend the syscall to threads and process groups the @flags
|
|
|
|
* argument should be used. In essence, the @flags argument will determine
|
|
|
|
* what is signaled and not the file descriptor itself. Put in other words,
|
|
|
|
* grouping is a property of the flags argument not a property of the file
|
|
|
|
* descriptor.
|
|
|
|
*
|
|
|
|
* Return: 0 on success, negative errno on failure
|
|
|
|
*/
|
|
|
|
SYSCALL_DEFINE4(pidfd_send_signal, int, pidfd, int, sig,
|
|
|
|
siginfo_t __user *, info, unsigned int, flags)
|
|
|
|
{
|
|
|
|
int ret;
|
|
|
|
struct fd f;
|
|
|
|
struct pid *pid;
|
|
|
|
kernel_siginfo_t kinfo;
|
|
|
|
|
|
|
|
/* Enforce flags be set to 0 until we add an extension. */
|
|
|
|
if (flags)
|
|
|
|
return -EINVAL;
|
|
|
|
|
2019-04-18 18:18:39 +08:00
|
|
|
f = fdget(pidfd);
|
signal: add pidfd_send_signal() syscall
The kill() syscall operates on process identifiers (pid). After a process
has exited its pid can be reused by another process. If a caller sends a
signal to a reused pid it will end up signaling the wrong process. This
issue has often surfaced and there has been a push to address this problem [1].
This patch uses file descriptors (fd) from proc/<pid> as stable handles on
struct pid. Even if a pid is recycled the handle will not change. The fd
can be used to send signals to the process it refers to.
Thus, the new syscall pidfd_send_signal() is introduced to solve this
problem. Instead of pids it operates on process fds (pidfd).
/* prototype and argument /*
long pidfd_send_signal(int pidfd, int sig, siginfo_t *info, unsigned int flags);
/* syscall number 424 */
The syscall number was chosen to be 424 to align with Arnd's rework in his
y2038 to minimize merge conflicts (cf. [25]).
In addition to the pidfd and signal argument it takes an additional
siginfo_t and flags argument. If the siginfo_t argument is NULL then
pidfd_send_signal() is equivalent to kill(<positive-pid>, <signal>). If it
is not NULL pidfd_send_signal() is equivalent to rt_sigqueueinfo().
The flags argument is added to allow for future extensions of this syscall.
It currently needs to be passed as 0. Failing to do so will cause EINVAL.
/* pidfd_send_signal() replaces multiple pid-based syscalls */
The pidfd_send_signal() syscall currently takes on the job of
rt_sigqueueinfo(2) and parts of the functionality of kill(2), Namely, when a
positive pid is passed to kill(2). It will however be possible to also
replace tgkill(2) and rt_tgsigqueueinfo(2) if this syscall is extended.
/* sending signals to threads (tid) and process groups (pgid) */
Specifically, the pidfd_send_signal() syscall does currently not operate on
process groups or threads. This is left for future extensions.
In order to extend the syscall to allow sending signal to threads and
process groups appropriately named flags (e.g. PIDFD_TYPE_PGID, and
PIDFD_TYPE_TID) should be added. This implies that the flags argument will
determine what is signaled and not the file descriptor itself. Put in other
words, grouping in this api is a property of the flags argument not a
property of the file descriptor (cf. [13]). Clarification for this has been
requested by Eric (cf. [19]).
When appropriate extensions through the flags argument are added then
pidfd_send_signal() can additionally replace the part of kill(2) which
operates on process groups as well as the tgkill(2) and
rt_tgsigqueueinfo(2) syscalls.
How such an extension could be implemented has been very roughly sketched
in [14], [15], and [16]. However, this should not be taken as a commitment
to a particular implementation. There might be better ways to do it.
Right now this is intentionally left out to keep this patchset as simple as
possible (cf. [4]).
/* naming */
The syscall had various names throughout iterations of this patchset:
- procfd_signal()
- procfd_send_signal()
- taskfd_send_signal()
In the last round of reviews it was pointed out that given that if the
flags argument decides the scope of the signal instead of different types
of fds it might make sense to either settle for "procfd_" or "pidfd_" as
prefix. The community was willing to accept either (cf. [17] and [18]).
Given that one developer expressed strong preference for the "pidfd_"
prefix (cf. [13]) and with other developers less opinionated about the name
we should settle for "pidfd_" to avoid further bikeshedding.
The "_send_signal" suffix was chosen to reflect the fact that the syscall
takes on the job of multiple syscalls. It is therefore intentional that the
name is not reminiscent of neither kill(2) nor rt_sigqueueinfo(2). Not the
fomer because it might imply that pidfd_send_signal() is a replacement for
kill(2), and not the latter because it is a hassle to remember the correct
spelling - especially for non-native speakers - and because it is not
descriptive enough of what the syscall actually does. The name
"pidfd_send_signal" makes it very clear that its job is to send signals.
/* zombies */
Zombies can be signaled just as any other process. No special error will be
reported since a zombie state is an unreliable state (cf. [3]). However,
this can be added as an extension through the @flags argument if the need
ever arises.
/* cross-namespace signals */
The patch currently enforces that the signaler and signalee either are in
the same pid namespace or that the signaler's pid namespace is an ancestor
of the signalee's pid namespace. This is done for the sake of simplicity
and because it is unclear to what values certain members of struct
siginfo_t would need to be set to (cf. [5], [6]).
/* compat syscalls */
It became clear that we would like to avoid adding compat syscalls
(cf. [7]). The compat syscall handling is now done in kernel/signal.c
itself by adding __copy_siginfo_from_user_generic() which lets us avoid
compat syscalls (cf. [8]). It should be noted that the addition of
__copy_siginfo_from_user_any() is caused by a bug in the original
implementation of rt_sigqueueinfo(2) (cf. 12).
With upcoming rework for syscall handling things might improve
significantly (cf. [11]) and __copy_siginfo_from_user_any() will not gain
any additional callers.
/* testing */
This patch was tested on x64 and x86.
/* userspace usage */
An asciinema recording for the basic functionality can be found under [9].
With this patch a process can be killed via:
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>
static inline int do_pidfd_send_signal(int pidfd, int sig, siginfo_t *info,
unsigned int flags)
{
#ifdef __NR_pidfd_send_signal
return syscall(__NR_pidfd_send_signal, pidfd, sig, info, flags);
#else
return -ENOSYS;
#endif
}
int main(int argc, char *argv[])
{
int fd, ret, saved_errno, sig;
if (argc < 3)
exit(EXIT_FAILURE);
fd = open(argv[1], O_DIRECTORY | O_CLOEXEC);
if (fd < 0) {
printf("%s - Failed to open \"%s\"\n", strerror(errno), argv[1]);
exit(EXIT_FAILURE);
}
sig = atoi(argv[2]);
printf("Sending signal %d to process %s\n", sig, argv[1]);
ret = do_pidfd_send_signal(fd, sig, NULL, 0);
saved_errno = errno;
close(fd);
errno = saved_errno;
if (ret < 0) {
printf("%s - Failed to send signal %d to process %s\n",
strerror(errno), sig, argv[1]);
exit(EXIT_FAILURE);
}
exit(EXIT_SUCCESS);
}
/* Q&A
* Given that it seems the same questions get asked again by people who are
* late to the party it makes sense to add a Q&A section to the commit
* message so it's hopefully easier to avoid duplicate threads.
*
* For the sake of progress please consider these arguments settled unless
* there is a new point that desperately needs to be addressed. Please make
* sure to check the links to the threads in this commit message whether
* this has not already been covered.
*/
Q-01: (Florian Weimer [20], Andrew Morton [21])
What happens when the target process has exited?
A-01: Sending the signal will fail with ESRCH (cf. [22]).
Q-02: (Andrew Morton [21])
Is the task_struct pinned by the fd?
A-02: No. A reference to struct pid is kept. struct pid - as far as I
understand - was created exactly for the reason to not require to
pin struct task_struct (cf. [22]).
Q-03: (Andrew Morton [21])
Does the entire procfs directory remain visible? Just one entry
within it?
A-03: The same thing that happens right now when you hold a file descriptor
to /proc/<pid> open (cf. [22]).
Q-04: (Andrew Morton [21])
Does the pid remain reserved?
A-04: No. This patchset guarantees a stable handle not that pids are not
recycled (cf. [22]).
Q-05: (Andrew Morton [21])
Do attempts to signal that fd return errors?
A-05: See {Q,A}-01.
Q-06: (Andrew Morton [22])
Is there a cleaner way of obtaining the fd? Another syscall perhaps.
A-06: Userspace can already trivially retrieve file descriptors from procfs
so this is something that we will need to support anyway. Hence,
there's no immediate need to add another syscalls just to make
pidfd_send_signal() not dependent on the presence of procfs. However,
adding a syscalls to get such file descriptors is planned for a
future patchset (cf. [22]).
Q-07: (Andrew Morton [21] and others)
This fd-for-a-process sounds like a handy thing and people may well
think up other uses for it in the future, probably unrelated to
signals. Are the code and the interface designed to permit such
future applications?
A-07: Yes (cf. [22]).
Q-08: (Andrew Morton [21] and others)
Now I think about it, why a new syscall? This thing is looking
rather like an ioctl?
A-08: This has been extensively discussed. It was agreed that a syscall is
preferred for a variety or reasons. Here are just a few taken from
prior threads. Syscalls are safer than ioctl()s especially when
signaling to fds. Processes are a core kernel concept so a syscall
seems more appropriate. The layout of the syscall with its four
arguments would require the addition of a custom struct for the
ioctl() thereby causing at least the same amount or even more
complexity for userspace than a simple syscall. The new syscall will
replace multiple other pid-based syscalls (see description above).
The file-descriptors-for-processes concept introduced with this
syscall will be extended with other syscalls in the future. See also
[22], [23] and various other threads already linked in here.
Q-09: (Florian Weimer [24])
What happens if you use the new interface with an O_PATH descriptor?
A-09:
pidfds opened as O_PATH fds cannot be used to send signals to a
process (cf. [2]). Signaling processes through pidfds is the
equivalent of writing to a file. Thus, this is not an operation that
operates "purely at the file descriptor level" as required by the
open(2) manpage. See also [4].
/* References */
[1]: https://lore.kernel.org/lkml/20181029221037.87724-1-dancol@google.com/
[2]: https://lore.kernel.org/lkml/874lbtjvtd.fsf@oldenburg2.str.redhat.com/
[3]: https://lore.kernel.org/lkml/20181204132604.aspfupwjgjx6fhva@brauner.io/
[4]: https://lore.kernel.org/lkml/20181203180224.fkvw4kajtbvru2ku@brauner.io/
[5]: https://lore.kernel.org/lkml/20181121213946.GA10795@mail.hallyn.com/
[6]: https://lore.kernel.org/lkml/20181120103111.etlqp7zop34v6nv4@brauner.io/
[7]: https://lore.kernel.org/lkml/36323361-90BD-41AF-AB5B-EE0D7BA02C21@amacapital.net/
[8]: https://lore.kernel.org/lkml/87tvjxp8pc.fsf@xmission.com/
[9]: https://asciinema.org/a/IQjuCHew6bnq1cr78yuMv16cy
[11]: https://lore.kernel.org/lkml/F53D6D38-3521-4C20-9034-5AF447DF62FF@amacapital.net/
[12]: https://lore.kernel.org/lkml/87zhtjn8ck.fsf@xmission.com/
[13]: https://lore.kernel.org/lkml/871s6u9z6u.fsf@xmission.com/
[14]: https://lore.kernel.org/lkml/20181206231742.xxi4ghn24z4h2qki@brauner.io/
[15]: https://lore.kernel.org/lkml/20181207003124.GA11160@mail.hallyn.com/
[16]: https://lore.kernel.org/lkml/20181207015423.4miorx43l3qhppfz@brauner.io/
[17]: https://lore.kernel.org/lkml/CAGXu5jL8PciZAXvOvCeCU3wKUEB_dU-O3q0tDw4uB_ojMvDEew@mail.gmail.com/
[18]: https://lore.kernel.org/lkml/20181206222746.GB9224@mail.hallyn.com/
[19]: https://lore.kernel.org/lkml/20181208054059.19813-1-christian@brauner.io/
[20]: https://lore.kernel.org/lkml/8736rebl9s.fsf@oldenburg.str.redhat.com/
[21]: https://lore.kernel.org/lkml/20181228152012.dbf0508c2508138efc5f2bbe@linux-foundation.org/
[22]: https://lore.kernel.org/lkml/20181228233725.722tdfgijxcssg76@brauner.io/
[23]: https://lwn.net/Articles/773459/
[24]: https://lore.kernel.org/lkml/8736rebl9s.fsf@oldenburg.str.redhat.com/
[25]: https://lore.kernel.org/lkml/CAK8P3a0ej9NcJM8wXNPbcGUyOUZYX+VLoDFdbenW3s3114oQZw@mail.gmail.com/
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Jann Horn <jannh@google.com>
Cc: Andy Lutomirsky <luto@kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Florian Weimer <fweimer@redhat.com>
Signed-off-by: Christian Brauner <christian@brauner.io>
Reviewed-by: Tycho Andersen <tycho@tycho.ws>
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: David Howells <dhowells@redhat.com>
Acked-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Serge Hallyn <serge@hallyn.com>
Acked-by: Aleksa Sarai <cyphar@cyphar.com>
2018-11-19 07:51:56 +08:00
|
|
|
if (!f.file)
|
|
|
|
return -EBADF;
|
|
|
|
|
|
|
|
/* Is this a pidfd? */
|
2019-04-18 04:50:25 +08:00
|
|
|
pid = pidfd_to_pid(f.file);
|
signal: add pidfd_send_signal() syscall
The kill() syscall operates on process identifiers (pid). After a process
has exited its pid can be reused by another process. If a caller sends a
signal to a reused pid it will end up signaling the wrong process. This
issue has often surfaced and there has been a push to address this problem [1].
This patch uses file descriptors (fd) from proc/<pid> as stable handles on
struct pid. Even if a pid is recycled the handle will not change. The fd
can be used to send signals to the process it refers to.
Thus, the new syscall pidfd_send_signal() is introduced to solve this
problem. Instead of pids it operates on process fds (pidfd).
/* prototype and argument /*
long pidfd_send_signal(int pidfd, int sig, siginfo_t *info, unsigned int flags);
/* syscall number 424 */
The syscall number was chosen to be 424 to align with Arnd's rework in his
y2038 to minimize merge conflicts (cf. [25]).
In addition to the pidfd and signal argument it takes an additional
siginfo_t and flags argument. If the siginfo_t argument is NULL then
pidfd_send_signal() is equivalent to kill(<positive-pid>, <signal>). If it
is not NULL pidfd_send_signal() is equivalent to rt_sigqueueinfo().
The flags argument is added to allow for future extensions of this syscall.
It currently needs to be passed as 0. Failing to do so will cause EINVAL.
/* pidfd_send_signal() replaces multiple pid-based syscalls */
The pidfd_send_signal() syscall currently takes on the job of
rt_sigqueueinfo(2) and parts of the functionality of kill(2), Namely, when a
positive pid is passed to kill(2). It will however be possible to also
replace tgkill(2) and rt_tgsigqueueinfo(2) if this syscall is extended.
/* sending signals to threads (tid) and process groups (pgid) */
Specifically, the pidfd_send_signal() syscall does currently not operate on
process groups or threads. This is left for future extensions.
In order to extend the syscall to allow sending signal to threads and
process groups appropriately named flags (e.g. PIDFD_TYPE_PGID, and
PIDFD_TYPE_TID) should be added. This implies that the flags argument will
determine what is signaled and not the file descriptor itself. Put in other
words, grouping in this api is a property of the flags argument not a
property of the file descriptor (cf. [13]). Clarification for this has been
requested by Eric (cf. [19]).
When appropriate extensions through the flags argument are added then
pidfd_send_signal() can additionally replace the part of kill(2) which
operates on process groups as well as the tgkill(2) and
rt_tgsigqueueinfo(2) syscalls.
How such an extension could be implemented has been very roughly sketched
in [14], [15], and [16]. However, this should not be taken as a commitment
to a particular implementation. There might be better ways to do it.
Right now this is intentionally left out to keep this patchset as simple as
possible (cf. [4]).
/* naming */
The syscall had various names throughout iterations of this patchset:
- procfd_signal()
- procfd_send_signal()
- taskfd_send_signal()
In the last round of reviews it was pointed out that given that if the
flags argument decides the scope of the signal instead of different types
of fds it might make sense to either settle for "procfd_" or "pidfd_" as
prefix. The community was willing to accept either (cf. [17] and [18]).
Given that one developer expressed strong preference for the "pidfd_"
prefix (cf. [13]) and with other developers less opinionated about the name
we should settle for "pidfd_" to avoid further bikeshedding.
The "_send_signal" suffix was chosen to reflect the fact that the syscall
takes on the job of multiple syscalls. It is therefore intentional that the
name is not reminiscent of neither kill(2) nor rt_sigqueueinfo(2). Not the
fomer because it might imply that pidfd_send_signal() is a replacement for
kill(2), and not the latter because it is a hassle to remember the correct
spelling - especially for non-native speakers - and because it is not
descriptive enough of what the syscall actually does. The name
"pidfd_send_signal" makes it very clear that its job is to send signals.
/* zombies */
Zombies can be signaled just as any other process. No special error will be
reported since a zombie state is an unreliable state (cf. [3]). However,
this can be added as an extension through the @flags argument if the need
ever arises.
/* cross-namespace signals */
The patch currently enforces that the signaler and signalee either are in
the same pid namespace or that the signaler's pid namespace is an ancestor
of the signalee's pid namespace. This is done for the sake of simplicity
and because it is unclear to what values certain members of struct
siginfo_t would need to be set to (cf. [5], [6]).
/* compat syscalls */
It became clear that we would like to avoid adding compat syscalls
(cf. [7]). The compat syscall handling is now done in kernel/signal.c
itself by adding __copy_siginfo_from_user_generic() which lets us avoid
compat syscalls (cf. [8]). It should be noted that the addition of
__copy_siginfo_from_user_any() is caused by a bug in the original
implementation of rt_sigqueueinfo(2) (cf. 12).
With upcoming rework for syscall handling things might improve
significantly (cf. [11]) and __copy_siginfo_from_user_any() will not gain
any additional callers.
/* testing */
This patch was tested on x64 and x86.
/* userspace usage */
An asciinema recording for the basic functionality can be found under [9].
With this patch a process can be killed via:
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>
static inline int do_pidfd_send_signal(int pidfd, int sig, siginfo_t *info,
unsigned int flags)
{
#ifdef __NR_pidfd_send_signal
return syscall(__NR_pidfd_send_signal, pidfd, sig, info, flags);
#else
return -ENOSYS;
#endif
}
int main(int argc, char *argv[])
{
int fd, ret, saved_errno, sig;
if (argc < 3)
exit(EXIT_FAILURE);
fd = open(argv[1], O_DIRECTORY | O_CLOEXEC);
if (fd < 0) {
printf("%s - Failed to open \"%s\"\n", strerror(errno), argv[1]);
exit(EXIT_FAILURE);
}
sig = atoi(argv[2]);
printf("Sending signal %d to process %s\n", sig, argv[1]);
ret = do_pidfd_send_signal(fd, sig, NULL, 0);
saved_errno = errno;
close(fd);
errno = saved_errno;
if (ret < 0) {
printf("%s - Failed to send signal %d to process %s\n",
strerror(errno), sig, argv[1]);
exit(EXIT_FAILURE);
}
exit(EXIT_SUCCESS);
}
/* Q&A
* Given that it seems the same questions get asked again by people who are
* late to the party it makes sense to add a Q&A section to the commit
* message so it's hopefully easier to avoid duplicate threads.
*
* For the sake of progress please consider these arguments settled unless
* there is a new point that desperately needs to be addressed. Please make
* sure to check the links to the threads in this commit message whether
* this has not already been covered.
*/
Q-01: (Florian Weimer [20], Andrew Morton [21])
What happens when the target process has exited?
A-01: Sending the signal will fail with ESRCH (cf. [22]).
Q-02: (Andrew Morton [21])
Is the task_struct pinned by the fd?
A-02: No. A reference to struct pid is kept. struct pid - as far as I
understand - was created exactly for the reason to not require to
pin struct task_struct (cf. [22]).
Q-03: (Andrew Morton [21])
Does the entire procfs directory remain visible? Just one entry
within it?
A-03: The same thing that happens right now when you hold a file descriptor
to /proc/<pid> open (cf. [22]).
Q-04: (Andrew Morton [21])
Does the pid remain reserved?
A-04: No. This patchset guarantees a stable handle not that pids are not
recycled (cf. [22]).
Q-05: (Andrew Morton [21])
Do attempts to signal that fd return errors?
A-05: See {Q,A}-01.
Q-06: (Andrew Morton [22])
Is there a cleaner way of obtaining the fd? Another syscall perhaps.
A-06: Userspace can already trivially retrieve file descriptors from procfs
so this is something that we will need to support anyway. Hence,
there's no immediate need to add another syscalls just to make
pidfd_send_signal() not dependent on the presence of procfs. However,
adding a syscalls to get such file descriptors is planned for a
future patchset (cf. [22]).
Q-07: (Andrew Morton [21] and others)
This fd-for-a-process sounds like a handy thing and people may well
think up other uses for it in the future, probably unrelated to
signals. Are the code and the interface designed to permit such
future applications?
A-07: Yes (cf. [22]).
Q-08: (Andrew Morton [21] and others)
Now I think about it, why a new syscall? This thing is looking
rather like an ioctl?
A-08: This has been extensively discussed. It was agreed that a syscall is
preferred for a variety or reasons. Here are just a few taken from
prior threads. Syscalls are safer than ioctl()s especially when
signaling to fds. Processes are a core kernel concept so a syscall
seems more appropriate. The layout of the syscall with its four
arguments would require the addition of a custom struct for the
ioctl() thereby causing at least the same amount or even more
complexity for userspace than a simple syscall. The new syscall will
replace multiple other pid-based syscalls (see description above).
The file-descriptors-for-processes concept introduced with this
syscall will be extended with other syscalls in the future. See also
[22], [23] and various other threads already linked in here.
Q-09: (Florian Weimer [24])
What happens if you use the new interface with an O_PATH descriptor?
A-09:
pidfds opened as O_PATH fds cannot be used to send signals to a
process (cf. [2]). Signaling processes through pidfds is the
equivalent of writing to a file. Thus, this is not an operation that
operates "purely at the file descriptor level" as required by the
open(2) manpage. See also [4].
/* References */
[1]: https://lore.kernel.org/lkml/20181029221037.87724-1-dancol@google.com/
[2]: https://lore.kernel.org/lkml/874lbtjvtd.fsf@oldenburg2.str.redhat.com/
[3]: https://lore.kernel.org/lkml/20181204132604.aspfupwjgjx6fhva@brauner.io/
[4]: https://lore.kernel.org/lkml/20181203180224.fkvw4kajtbvru2ku@brauner.io/
[5]: https://lore.kernel.org/lkml/20181121213946.GA10795@mail.hallyn.com/
[6]: https://lore.kernel.org/lkml/20181120103111.etlqp7zop34v6nv4@brauner.io/
[7]: https://lore.kernel.org/lkml/36323361-90BD-41AF-AB5B-EE0D7BA02C21@amacapital.net/
[8]: https://lore.kernel.org/lkml/87tvjxp8pc.fsf@xmission.com/
[9]: https://asciinema.org/a/IQjuCHew6bnq1cr78yuMv16cy
[11]: https://lore.kernel.org/lkml/F53D6D38-3521-4C20-9034-5AF447DF62FF@amacapital.net/
[12]: https://lore.kernel.org/lkml/87zhtjn8ck.fsf@xmission.com/
[13]: https://lore.kernel.org/lkml/871s6u9z6u.fsf@xmission.com/
[14]: https://lore.kernel.org/lkml/20181206231742.xxi4ghn24z4h2qki@brauner.io/
[15]: https://lore.kernel.org/lkml/20181207003124.GA11160@mail.hallyn.com/
[16]: https://lore.kernel.org/lkml/20181207015423.4miorx43l3qhppfz@brauner.io/
[17]: https://lore.kernel.org/lkml/CAGXu5jL8PciZAXvOvCeCU3wKUEB_dU-O3q0tDw4uB_ojMvDEew@mail.gmail.com/
[18]: https://lore.kernel.org/lkml/20181206222746.GB9224@mail.hallyn.com/
[19]: https://lore.kernel.org/lkml/20181208054059.19813-1-christian@brauner.io/
[20]: https://lore.kernel.org/lkml/8736rebl9s.fsf@oldenburg.str.redhat.com/
[21]: https://lore.kernel.org/lkml/20181228152012.dbf0508c2508138efc5f2bbe@linux-foundation.org/
[22]: https://lore.kernel.org/lkml/20181228233725.722tdfgijxcssg76@brauner.io/
[23]: https://lwn.net/Articles/773459/
[24]: https://lore.kernel.org/lkml/8736rebl9s.fsf@oldenburg.str.redhat.com/
[25]: https://lore.kernel.org/lkml/CAK8P3a0ej9NcJM8wXNPbcGUyOUZYX+VLoDFdbenW3s3114oQZw@mail.gmail.com/
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Jann Horn <jannh@google.com>
Cc: Andy Lutomirsky <luto@kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Florian Weimer <fweimer@redhat.com>
Signed-off-by: Christian Brauner <christian@brauner.io>
Reviewed-by: Tycho Andersen <tycho@tycho.ws>
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: David Howells <dhowells@redhat.com>
Acked-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Serge Hallyn <serge@hallyn.com>
Acked-by: Aleksa Sarai <cyphar@cyphar.com>
2018-11-19 07:51:56 +08:00
|
|
|
if (IS_ERR(pid)) {
|
|
|
|
ret = PTR_ERR(pid);
|
|
|
|
goto err;
|
|
|
|
}
|
|
|
|
|
|
|
|
ret = -EINVAL;
|
|
|
|
if (!access_pidfd_pidns(pid))
|
|
|
|
goto err;
|
|
|
|
|
|
|
|
if (info) {
|
|
|
|
ret = copy_siginfo_from_user_any(&kinfo, info);
|
|
|
|
if (unlikely(ret))
|
|
|
|
goto err;
|
|
|
|
|
|
|
|
ret = -EINVAL;
|
|
|
|
if (unlikely(sig != kinfo.si_signo))
|
|
|
|
goto err;
|
|
|
|
|
2019-03-30 10:12:32 +08:00
|
|
|
/* Only allow sending arbitrary signals to yourself. */
|
|
|
|
ret = -EPERM;
|
signal: add pidfd_send_signal() syscall
The kill() syscall operates on process identifiers (pid). After a process
has exited its pid can be reused by another process. If a caller sends a
signal to a reused pid it will end up signaling the wrong process. This
issue has often surfaced and there has been a push to address this problem [1].
This patch uses file descriptors (fd) from proc/<pid> as stable handles on
struct pid. Even if a pid is recycled the handle will not change. The fd
can be used to send signals to the process it refers to.
Thus, the new syscall pidfd_send_signal() is introduced to solve this
problem. Instead of pids it operates on process fds (pidfd).
/* prototype and argument /*
long pidfd_send_signal(int pidfd, int sig, siginfo_t *info, unsigned int flags);
/* syscall number 424 */
The syscall number was chosen to be 424 to align with Arnd's rework in his
y2038 to minimize merge conflicts (cf. [25]).
In addition to the pidfd and signal argument it takes an additional
siginfo_t and flags argument. If the siginfo_t argument is NULL then
pidfd_send_signal() is equivalent to kill(<positive-pid>, <signal>). If it
is not NULL pidfd_send_signal() is equivalent to rt_sigqueueinfo().
The flags argument is added to allow for future extensions of this syscall.
It currently needs to be passed as 0. Failing to do so will cause EINVAL.
/* pidfd_send_signal() replaces multiple pid-based syscalls */
The pidfd_send_signal() syscall currently takes on the job of
rt_sigqueueinfo(2) and parts of the functionality of kill(2), Namely, when a
positive pid is passed to kill(2). It will however be possible to also
replace tgkill(2) and rt_tgsigqueueinfo(2) if this syscall is extended.
/* sending signals to threads (tid) and process groups (pgid) */
Specifically, the pidfd_send_signal() syscall does currently not operate on
process groups or threads. This is left for future extensions.
In order to extend the syscall to allow sending signal to threads and
process groups appropriately named flags (e.g. PIDFD_TYPE_PGID, and
PIDFD_TYPE_TID) should be added. This implies that the flags argument will
determine what is signaled and not the file descriptor itself. Put in other
words, grouping in this api is a property of the flags argument not a
property of the file descriptor (cf. [13]). Clarification for this has been
requested by Eric (cf. [19]).
When appropriate extensions through the flags argument are added then
pidfd_send_signal() can additionally replace the part of kill(2) which
operates on process groups as well as the tgkill(2) and
rt_tgsigqueueinfo(2) syscalls.
How such an extension could be implemented has been very roughly sketched
in [14], [15], and [16]. However, this should not be taken as a commitment
to a particular implementation. There might be better ways to do it.
Right now this is intentionally left out to keep this patchset as simple as
possible (cf. [4]).
/* naming */
The syscall had various names throughout iterations of this patchset:
- procfd_signal()
- procfd_send_signal()
- taskfd_send_signal()
In the last round of reviews it was pointed out that given that if the
flags argument decides the scope of the signal instead of different types
of fds it might make sense to either settle for "procfd_" or "pidfd_" as
prefix. The community was willing to accept either (cf. [17] and [18]).
Given that one developer expressed strong preference for the "pidfd_"
prefix (cf. [13]) and with other developers less opinionated about the name
we should settle for "pidfd_" to avoid further bikeshedding.
The "_send_signal" suffix was chosen to reflect the fact that the syscall
takes on the job of multiple syscalls. It is therefore intentional that the
name is not reminiscent of neither kill(2) nor rt_sigqueueinfo(2). Not the
fomer because it might imply that pidfd_send_signal() is a replacement for
kill(2), and not the latter because it is a hassle to remember the correct
spelling - especially for non-native speakers - and because it is not
descriptive enough of what the syscall actually does. The name
"pidfd_send_signal" makes it very clear that its job is to send signals.
/* zombies */
Zombies can be signaled just as any other process. No special error will be
reported since a zombie state is an unreliable state (cf. [3]). However,
this can be added as an extension through the @flags argument if the need
ever arises.
/* cross-namespace signals */
The patch currently enforces that the signaler and signalee either are in
the same pid namespace or that the signaler's pid namespace is an ancestor
of the signalee's pid namespace. This is done for the sake of simplicity
and because it is unclear to what values certain members of struct
siginfo_t would need to be set to (cf. [5], [6]).
/* compat syscalls */
It became clear that we would like to avoid adding compat syscalls
(cf. [7]). The compat syscall handling is now done in kernel/signal.c
itself by adding __copy_siginfo_from_user_generic() which lets us avoid
compat syscalls (cf. [8]). It should be noted that the addition of
__copy_siginfo_from_user_any() is caused by a bug in the original
implementation of rt_sigqueueinfo(2) (cf. 12).
With upcoming rework for syscall handling things might improve
significantly (cf. [11]) and __copy_siginfo_from_user_any() will not gain
any additional callers.
/* testing */
This patch was tested on x64 and x86.
/* userspace usage */
An asciinema recording for the basic functionality can be found under [9].
With this patch a process can be killed via:
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>
static inline int do_pidfd_send_signal(int pidfd, int sig, siginfo_t *info,
unsigned int flags)
{
#ifdef __NR_pidfd_send_signal
return syscall(__NR_pidfd_send_signal, pidfd, sig, info, flags);
#else
return -ENOSYS;
#endif
}
int main(int argc, char *argv[])
{
int fd, ret, saved_errno, sig;
if (argc < 3)
exit(EXIT_FAILURE);
fd = open(argv[1], O_DIRECTORY | O_CLOEXEC);
if (fd < 0) {
printf("%s - Failed to open \"%s\"\n", strerror(errno), argv[1]);
exit(EXIT_FAILURE);
}
sig = atoi(argv[2]);
printf("Sending signal %d to process %s\n", sig, argv[1]);
ret = do_pidfd_send_signal(fd, sig, NULL, 0);
saved_errno = errno;
close(fd);
errno = saved_errno;
if (ret < 0) {
printf("%s - Failed to send signal %d to process %s\n",
strerror(errno), sig, argv[1]);
exit(EXIT_FAILURE);
}
exit(EXIT_SUCCESS);
}
/* Q&A
* Given that it seems the same questions get asked again by people who are
* late to the party it makes sense to add a Q&A section to the commit
* message so it's hopefully easier to avoid duplicate threads.
*
* For the sake of progress please consider these arguments settled unless
* there is a new point that desperately needs to be addressed. Please make
* sure to check the links to the threads in this commit message whether
* this has not already been covered.
*/
Q-01: (Florian Weimer [20], Andrew Morton [21])
What happens when the target process has exited?
A-01: Sending the signal will fail with ESRCH (cf. [22]).
Q-02: (Andrew Morton [21])
Is the task_struct pinned by the fd?
A-02: No. A reference to struct pid is kept. struct pid - as far as I
understand - was created exactly for the reason to not require to
pin struct task_struct (cf. [22]).
Q-03: (Andrew Morton [21])
Does the entire procfs directory remain visible? Just one entry
within it?
A-03: The same thing that happens right now when you hold a file descriptor
to /proc/<pid> open (cf. [22]).
Q-04: (Andrew Morton [21])
Does the pid remain reserved?
A-04: No. This patchset guarantees a stable handle not that pids are not
recycled (cf. [22]).
Q-05: (Andrew Morton [21])
Do attempts to signal that fd return errors?
A-05: See {Q,A}-01.
Q-06: (Andrew Morton [22])
Is there a cleaner way of obtaining the fd? Another syscall perhaps.
A-06: Userspace can already trivially retrieve file descriptors from procfs
so this is something that we will need to support anyway. Hence,
there's no immediate need to add another syscalls just to make
pidfd_send_signal() not dependent on the presence of procfs. However,
adding a syscalls to get such file descriptors is planned for a
future patchset (cf. [22]).
Q-07: (Andrew Morton [21] and others)
This fd-for-a-process sounds like a handy thing and people may well
think up other uses for it in the future, probably unrelated to
signals. Are the code and the interface designed to permit such
future applications?
A-07: Yes (cf. [22]).
Q-08: (Andrew Morton [21] and others)
Now I think about it, why a new syscall? This thing is looking
rather like an ioctl?
A-08: This has been extensively discussed. It was agreed that a syscall is
preferred for a variety or reasons. Here are just a few taken from
prior threads. Syscalls are safer than ioctl()s especially when
signaling to fds. Processes are a core kernel concept so a syscall
seems more appropriate. The layout of the syscall with its four
arguments would require the addition of a custom struct for the
ioctl() thereby causing at least the same amount or even more
complexity for userspace than a simple syscall. The new syscall will
replace multiple other pid-based syscalls (see description above).
The file-descriptors-for-processes concept introduced with this
syscall will be extended with other syscalls in the future. See also
[22], [23] and various other threads already linked in here.
Q-09: (Florian Weimer [24])
What happens if you use the new interface with an O_PATH descriptor?
A-09:
pidfds opened as O_PATH fds cannot be used to send signals to a
process (cf. [2]). Signaling processes through pidfds is the
equivalent of writing to a file. Thus, this is not an operation that
operates "purely at the file descriptor level" as required by the
open(2) manpage. See also [4].
/* References */
[1]: https://lore.kernel.org/lkml/20181029221037.87724-1-dancol@google.com/
[2]: https://lore.kernel.org/lkml/874lbtjvtd.fsf@oldenburg2.str.redhat.com/
[3]: https://lore.kernel.org/lkml/20181204132604.aspfupwjgjx6fhva@brauner.io/
[4]: https://lore.kernel.org/lkml/20181203180224.fkvw4kajtbvru2ku@brauner.io/
[5]: https://lore.kernel.org/lkml/20181121213946.GA10795@mail.hallyn.com/
[6]: https://lore.kernel.org/lkml/20181120103111.etlqp7zop34v6nv4@brauner.io/
[7]: https://lore.kernel.org/lkml/36323361-90BD-41AF-AB5B-EE0D7BA02C21@amacapital.net/
[8]: https://lore.kernel.org/lkml/87tvjxp8pc.fsf@xmission.com/
[9]: https://asciinema.org/a/IQjuCHew6bnq1cr78yuMv16cy
[11]: https://lore.kernel.org/lkml/F53D6D38-3521-4C20-9034-5AF447DF62FF@amacapital.net/
[12]: https://lore.kernel.org/lkml/87zhtjn8ck.fsf@xmission.com/
[13]: https://lore.kernel.org/lkml/871s6u9z6u.fsf@xmission.com/
[14]: https://lore.kernel.org/lkml/20181206231742.xxi4ghn24z4h2qki@brauner.io/
[15]: https://lore.kernel.org/lkml/20181207003124.GA11160@mail.hallyn.com/
[16]: https://lore.kernel.org/lkml/20181207015423.4miorx43l3qhppfz@brauner.io/
[17]: https://lore.kernel.org/lkml/CAGXu5jL8PciZAXvOvCeCU3wKUEB_dU-O3q0tDw4uB_ojMvDEew@mail.gmail.com/
[18]: https://lore.kernel.org/lkml/20181206222746.GB9224@mail.hallyn.com/
[19]: https://lore.kernel.org/lkml/20181208054059.19813-1-christian@brauner.io/
[20]: https://lore.kernel.org/lkml/8736rebl9s.fsf@oldenburg.str.redhat.com/
[21]: https://lore.kernel.org/lkml/20181228152012.dbf0508c2508138efc5f2bbe@linux-foundation.org/
[22]: https://lore.kernel.org/lkml/20181228233725.722tdfgijxcssg76@brauner.io/
[23]: https://lwn.net/Articles/773459/
[24]: https://lore.kernel.org/lkml/8736rebl9s.fsf@oldenburg.str.redhat.com/
[25]: https://lore.kernel.org/lkml/CAK8P3a0ej9NcJM8wXNPbcGUyOUZYX+VLoDFdbenW3s3114oQZw@mail.gmail.com/
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Jann Horn <jannh@google.com>
Cc: Andy Lutomirsky <luto@kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Florian Weimer <fweimer@redhat.com>
Signed-off-by: Christian Brauner <christian@brauner.io>
Reviewed-by: Tycho Andersen <tycho@tycho.ws>
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: David Howells <dhowells@redhat.com>
Acked-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Serge Hallyn <serge@hallyn.com>
Acked-by: Aleksa Sarai <cyphar@cyphar.com>
2018-11-19 07:51:56 +08:00
|
|
|
if ((task_pid(current) != pid) &&
|
2019-03-30 10:12:32 +08:00
|
|
|
(kinfo.si_code >= 0 || kinfo.si_code == SI_TKILL))
|
|
|
|
goto err;
|
signal: add pidfd_send_signal() syscall
The kill() syscall operates on process identifiers (pid). After a process
has exited its pid can be reused by another process. If a caller sends a
signal to a reused pid it will end up signaling the wrong process. This
issue has often surfaced and there has been a push to address this problem [1].
This patch uses file descriptors (fd) from proc/<pid> as stable handles on
struct pid. Even if a pid is recycled the handle will not change. The fd
can be used to send signals to the process it refers to.
Thus, the new syscall pidfd_send_signal() is introduced to solve this
problem. Instead of pids it operates on process fds (pidfd).
/* prototype and argument /*
long pidfd_send_signal(int pidfd, int sig, siginfo_t *info, unsigned int flags);
/* syscall number 424 */
The syscall number was chosen to be 424 to align with Arnd's rework in his
y2038 to minimize merge conflicts (cf. [25]).
In addition to the pidfd and signal argument it takes an additional
siginfo_t and flags argument. If the siginfo_t argument is NULL then
pidfd_send_signal() is equivalent to kill(<positive-pid>, <signal>). If it
is not NULL pidfd_send_signal() is equivalent to rt_sigqueueinfo().
The flags argument is added to allow for future extensions of this syscall.
It currently needs to be passed as 0. Failing to do so will cause EINVAL.
/* pidfd_send_signal() replaces multiple pid-based syscalls */
The pidfd_send_signal() syscall currently takes on the job of
rt_sigqueueinfo(2) and parts of the functionality of kill(2), Namely, when a
positive pid is passed to kill(2). It will however be possible to also
replace tgkill(2) and rt_tgsigqueueinfo(2) if this syscall is extended.
/* sending signals to threads (tid) and process groups (pgid) */
Specifically, the pidfd_send_signal() syscall does currently not operate on
process groups or threads. This is left for future extensions.
In order to extend the syscall to allow sending signal to threads and
process groups appropriately named flags (e.g. PIDFD_TYPE_PGID, and
PIDFD_TYPE_TID) should be added. This implies that the flags argument will
determine what is signaled and not the file descriptor itself. Put in other
words, grouping in this api is a property of the flags argument not a
property of the file descriptor (cf. [13]). Clarification for this has been
requested by Eric (cf. [19]).
When appropriate extensions through the flags argument are added then
pidfd_send_signal() can additionally replace the part of kill(2) which
operates on process groups as well as the tgkill(2) and
rt_tgsigqueueinfo(2) syscalls.
How such an extension could be implemented has been very roughly sketched
in [14], [15], and [16]. However, this should not be taken as a commitment
to a particular implementation. There might be better ways to do it.
Right now this is intentionally left out to keep this patchset as simple as
possible (cf. [4]).
/* naming */
The syscall had various names throughout iterations of this patchset:
- procfd_signal()
- procfd_send_signal()
- taskfd_send_signal()
In the last round of reviews it was pointed out that given that if the
flags argument decides the scope of the signal instead of different types
of fds it might make sense to either settle for "procfd_" or "pidfd_" as
prefix. The community was willing to accept either (cf. [17] and [18]).
Given that one developer expressed strong preference for the "pidfd_"
prefix (cf. [13]) and with other developers less opinionated about the name
we should settle for "pidfd_" to avoid further bikeshedding.
The "_send_signal" suffix was chosen to reflect the fact that the syscall
takes on the job of multiple syscalls. It is therefore intentional that the
name is not reminiscent of neither kill(2) nor rt_sigqueueinfo(2). Not the
fomer because it might imply that pidfd_send_signal() is a replacement for
kill(2), and not the latter because it is a hassle to remember the correct
spelling - especially for non-native speakers - and because it is not
descriptive enough of what the syscall actually does. The name
"pidfd_send_signal" makes it very clear that its job is to send signals.
/* zombies */
Zombies can be signaled just as any other process. No special error will be
reported since a zombie state is an unreliable state (cf. [3]). However,
this can be added as an extension through the @flags argument if the need
ever arises.
/* cross-namespace signals */
The patch currently enforces that the signaler and signalee either are in
the same pid namespace or that the signaler's pid namespace is an ancestor
of the signalee's pid namespace. This is done for the sake of simplicity
and because it is unclear to what values certain members of struct
siginfo_t would need to be set to (cf. [5], [6]).
/* compat syscalls */
It became clear that we would like to avoid adding compat syscalls
(cf. [7]). The compat syscall handling is now done in kernel/signal.c
itself by adding __copy_siginfo_from_user_generic() which lets us avoid
compat syscalls (cf. [8]). It should be noted that the addition of
__copy_siginfo_from_user_any() is caused by a bug in the original
implementation of rt_sigqueueinfo(2) (cf. 12).
With upcoming rework for syscall handling things might improve
significantly (cf. [11]) and __copy_siginfo_from_user_any() will not gain
any additional callers.
/* testing */
This patch was tested on x64 and x86.
/* userspace usage */
An asciinema recording for the basic functionality can be found under [9].
With this patch a process can be killed via:
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>
static inline int do_pidfd_send_signal(int pidfd, int sig, siginfo_t *info,
unsigned int flags)
{
#ifdef __NR_pidfd_send_signal
return syscall(__NR_pidfd_send_signal, pidfd, sig, info, flags);
#else
return -ENOSYS;
#endif
}
int main(int argc, char *argv[])
{
int fd, ret, saved_errno, sig;
if (argc < 3)
exit(EXIT_FAILURE);
fd = open(argv[1], O_DIRECTORY | O_CLOEXEC);
if (fd < 0) {
printf("%s - Failed to open \"%s\"\n", strerror(errno), argv[1]);
exit(EXIT_FAILURE);
}
sig = atoi(argv[2]);
printf("Sending signal %d to process %s\n", sig, argv[1]);
ret = do_pidfd_send_signal(fd, sig, NULL, 0);
saved_errno = errno;
close(fd);
errno = saved_errno;
if (ret < 0) {
printf("%s - Failed to send signal %d to process %s\n",
strerror(errno), sig, argv[1]);
exit(EXIT_FAILURE);
}
exit(EXIT_SUCCESS);
}
/* Q&A
* Given that it seems the same questions get asked again by people who are
* late to the party it makes sense to add a Q&A section to the commit
* message so it's hopefully easier to avoid duplicate threads.
*
* For the sake of progress please consider these arguments settled unless
* there is a new point that desperately needs to be addressed. Please make
* sure to check the links to the threads in this commit message whether
* this has not already been covered.
*/
Q-01: (Florian Weimer [20], Andrew Morton [21])
What happens when the target process has exited?
A-01: Sending the signal will fail with ESRCH (cf. [22]).
Q-02: (Andrew Morton [21])
Is the task_struct pinned by the fd?
A-02: No. A reference to struct pid is kept. struct pid - as far as I
understand - was created exactly for the reason to not require to
pin struct task_struct (cf. [22]).
Q-03: (Andrew Morton [21])
Does the entire procfs directory remain visible? Just one entry
within it?
A-03: The same thing that happens right now when you hold a file descriptor
to /proc/<pid> open (cf. [22]).
Q-04: (Andrew Morton [21])
Does the pid remain reserved?
A-04: No. This patchset guarantees a stable handle not that pids are not
recycled (cf. [22]).
Q-05: (Andrew Morton [21])
Do attempts to signal that fd return errors?
A-05: See {Q,A}-01.
Q-06: (Andrew Morton [22])
Is there a cleaner way of obtaining the fd? Another syscall perhaps.
A-06: Userspace can already trivially retrieve file descriptors from procfs
so this is something that we will need to support anyway. Hence,
there's no immediate need to add another syscalls just to make
pidfd_send_signal() not dependent on the presence of procfs. However,
adding a syscalls to get such file descriptors is planned for a
future patchset (cf. [22]).
Q-07: (Andrew Morton [21] and others)
This fd-for-a-process sounds like a handy thing and people may well
think up other uses for it in the future, probably unrelated to
signals. Are the code and the interface designed to permit such
future applications?
A-07: Yes (cf. [22]).
Q-08: (Andrew Morton [21] and others)
Now I think about it, why a new syscall? This thing is looking
rather like an ioctl?
A-08: This has been extensively discussed. It was agreed that a syscall is
preferred for a variety or reasons. Here are just a few taken from
prior threads. Syscalls are safer than ioctl()s especially when
signaling to fds. Processes are a core kernel concept so a syscall
seems more appropriate. The layout of the syscall with its four
arguments would require the addition of a custom struct for the
ioctl() thereby causing at least the same amount or even more
complexity for userspace than a simple syscall. The new syscall will
replace multiple other pid-based syscalls (see description above).
The file-descriptors-for-processes concept introduced with this
syscall will be extended with other syscalls in the future. See also
[22], [23] and various other threads already linked in here.
Q-09: (Florian Weimer [24])
What happens if you use the new interface with an O_PATH descriptor?
A-09:
pidfds opened as O_PATH fds cannot be used to send signals to a
process (cf. [2]). Signaling processes through pidfds is the
equivalent of writing to a file. Thus, this is not an operation that
operates "purely at the file descriptor level" as required by the
open(2) manpage. See also [4].
/* References */
[1]: https://lore.kernel.org/lkml/20181029221037.87724-1-dancol@google.com/
[2]: https://lore.kernel.org/lkml/874lbtjvtd.fsf@oldenburg2.str.redhat.com/
[3]: https://lore.kernel.org/lkml/20181204132604.aspfupwjgjx6fhva@brauner.io/
[4]: https://lore.kernel.org/lkml/20181203180224.fkvw4kajtbvru2ku@brauner.io/
[5]: https://lore.kernel.org/lkml/20181121213946.GA10795@mail.hallyn.com/
[6]: https://lore.kernel.org/lkml/20181120103111.etlqp7zop34v6nv4@brauner.io/
[7]: https://lore.kernel.org/lkml/36323361-90BD-41AF-AB5B-EE0D7BA02C21@amacapital.net/
[8]: https://lore.kernel.org/lkml/87tvjxp8pc.fsf@xmission.com/
[9]: https://asciinema.org/a/IQjuCHew6bnq1cr78yuMv16cy
[11]: https://lore.kernel.org/lkml/F53D6D38-3521-4C20-9034-5AF447DF62FF@amacapital.net/
[12]: https://lore.kernel.org/lkml/87zhtjn8ck.fsf@xmission.com/
[13]: https://lore.kernel.org/lkml/871s6u9z6u.fsf@xmission.com/
[14]: https://lore.kernel.org/lkml/20181206231742.xxi4ghn24z4h2qki@brauner.io/
[15]: https://lore.kernel.org/lkml/20181207003124.GA11160@mail.hallyn.com/
[16]: https://lore.kernel.org/lkml/20181207015423.4miorx43l3qhppfz@brauner.io/
[17]: https://lore.kernel.org/lkml/CAGXu5jL8PciZAXvOvCeCU3wKUEB_dU-O3q0tDw4uB_ojMvDEew@mail.gmail.com/
[18]: https://lore.kernel.org/lkml/20181206222746.GB9224@mail.hallyn.com/
[19]: https://lore.kernel.org/lkml/20181208054059.19813-1-christian@brauner.io/
[20]: https://lore.kernel.org/lkml/8736rebl9s.fsf@oldenburg.str.redhat.com/
[21]: https://lore.kernel.org/lkml/20181228152012.dbf0508c2508138efc5f2bbe@linux-foundation.org/
[22]: https://lore.kernel.org/lkml/20181228233725.722tdfgijxcssg76@brauner.io/
[23]: https://lwn.net/Articles/773459/
[24]: https://lore.kernel.org/lkml/8736rebl9s.fsf@oldenburg.str.redhat.com/
[25]: https://lore.kernel.org/lkml/CAK8P3a0ej9NcJM8wXNPbcGUyOUZYX+VLoDFdbenW3s3114oQZw@mail.gmail.com/
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Jann Horn <jannh@google.com>
Cc: Andy Lutomirsky <luto@kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Florian Weimer <fweimer@redhat.com>
Signed-off-by: Christian Brauner <christian@brauner.io>
Reviewed-by: Tycho Andersen <tycho@tycho.ws>
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: David Howells <dhowells@redhat.com>
Acked-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Serge Hallyn <serge@hallyn.com>
Acked-by: Aleksa Sarai <cyphar@cyphar.com>
2018-11-19 07:51:56 +08:00
|
|
|
} else {
|
|
|
|
prepare_kill_siginfo(sig, &kinfo);
|
|
|
|
}
|
|
|
|
|
|
|
|
ret = kill_pid_info(sig, &kinfo, pid);
|
|
|
|
|
|
|
|
err:
|
|
|
|
fdput(f);
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
2009-04-05 05:01:01 +08:00
|
|
|
static int
|
2018-09-25 17:27:20 +08:00
|
|
|
do_send_specific(pid_t tgid, pid_t pid, int sig, struct kernel_siginfo *info)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
|
|
|
struct task_struct *p;
|
2009-04-05 05:01:01 +08:00
|
|
|
int error = -ESRCH;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2008-04-30 15:52:51 +08:00
|
|
|
rcu_read_lock();
|
2007-10-19 14:40:16 +08:00
|
|
|
p = find_task_by_vpid(pid);
|
2007-10-19 14:40:14 +08:00
|
|
|
if (p && (tgid <= 0 || task_tgid_vnr(p) == tgid)) {
|
2009-04-05 05:01:01 +08:00
|
|
|
error = check_kill_permission(sig, info, p);
|
2005-04-17 06:20:36 +08:00
|
|
|
/*
|
|
|
|
* The null signal is a permissions and process existence
|
|
|
|
* probe. No signal is actually delivered.
|
|
|
|
*/
|
2009-09-24 06:57:00 +08:00
|
|
|
if (!error && sig) {
|
2018-07-21 23:45:15 +08:00
|
|
|
error = do_send_sig_info(sig, info, p, PIDTYPE_PID);
|
2009-09-24 06:57:00 +08:00
|
|
|
/*
|
|
|
|
* If lock_task_sighand() failed we pretend the task
|
|
|
|
* dies after receiving the signal. The window is tiny,
|
|
|
|
* and the signal is private anyway.
|
|
|
|
*/
|
|
|
|
if (unlikely(error == -ESRCH))
|
|
|
|
error = 0;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
}
|
2008-04-30 15:52:51 +08:00
|
|
|
rcu_read_unlock();
|
2005-10-31 07:02:18 +08:00
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
return error;
|
|
|
|
}
|
|
|
|
|
2009-04-05 05:01:01 +08:00
|
|
|
static int do_tkill(pid_t tgid, pid_t pid, int sig)
|
|
|
|
{
|
2018-09-25 17:27:20 +08:00
|
|
|
struct kernel_siginfo info;
|
2009-04-05 05:01:01 +08:00
|
|
|
|
2018-01-23 04:58:57 +08:00
|
|
|
clear_siginfo(&info);
|
2009-04-05 05:01:01 +08:00
|
|
|
info.si_signo = sig;
|
|
|
|
info.si_errno = 0;
|
|
|
|
info.si_code = SI_TKILL;
|
|
|
|
info.si_pid = task_tgid_vnr(current);
|
2012-02-08 23:00:08 +08:00
|
|
|
info.si_uid = from_kuid_munged(current_user_ns(), current_uid());
|
2009-04-05 05:01:01 +08:00
|
|
|
|
|
|
|
return do_send_specific(tgid, pid, sig, &info);
|
|
|
|
}
|
|
|
|
|
2005-10-31 07:02:18 +08:00
|
|
|
/**
|
|
|
|
* sys_tgkill - send signal to one specific thread
|
|
|
|
* @tgid: the thread group ID of the thread
|
|
|
|
* @pid: the PID of the thread
|
|
|
|
* @sig: signal to be sent
|
|
|
|
*
|
2007-02-10 17:45:59 +08:00
|
|
|
* This syscall also checks the @tgid and returns -ESRCH even if the PID
|
2005-10-31 07:02:18 +08:00
|
|
|
* exists but it's not belonging to the target process anymore. This
|
|
|
|
* method solves the problem of threads exiting and PIDs getting reused.
|
|
|
|
*/
|
2009-01-14 21:14:11 +08:00
|
|
|
SYSCALL_DEFINE3(tgkill, pid_t, tgid, pid_t, pid, int, sig)
|
2005-10-31 07:02:18 +08:00
|
|
|
{
|
|
|
|
/* This is only valid for single tasks */
|
|
|
|
if (pid <= 0 || tgid <= 0)
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
return do_tkill(tgid, pid, sig);
|
|
|
|
}
|
|
|
|
|
2011-04-05 06:00:26 +08:00
|
|
|
/**
|
|
|
|
* sys_tkill - send signal to one specific task
|
|
|
|
* @pid: the PID of the task
|
|
|
|
* @sig: signal to be sent
|
|
|
|
*
|
2005-04-17 06:20:36 +08:00
|
|
|
* Send a signal to only one task, even if it's a CLONE_THREAD task.
|
|
|
|
*/
|
2009-01-14 21:14:11 +08:00
|
|
|
SYSCALL_DEFINE2(tkill, pid_t, pid, int, sig)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
|
|
|
/* This is only valid for single tasks */
|
|
|
|
if (pid <= 0)
|
|
|
|
return -EINVAL;
|
|
|
|
|
2005-10-31 07:02:18 +08:00
|
|
|
return do_tkill(0, pid, sig);
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
2018-09-25 17:27:20 +08:00
|
|
|
static int do_rt_sigqueueinfo(pid_t pid, int sig, kernel_siginfo_t *info)
|
2012-12-26 04:19:12 +08:00
|
|
|
{
|
|
|
|
/* Not even root can pretend to send signals from the kernel.
|
|
|
|
* Nor can they impersonate a kill()/tgkill(), which adds source info.
|
|
|
|
*/
|
2013-02-28 09:03:12 +08:00
|
|
|
if ((info->si_code >= 0 || info->si_code == SI_TKILL) &&
|
2015-04-17 03:47:35 +08:00
|
|
|
(task_pid_vnr(current) != pid))
|
2012-12-26 04:19:12 +08:00
|
|
|
return -EPERM;
|
2015-04-17 03:47:35 +08:00
|
|
|
|
2012-12-26 04:19:12 +08:00
|
|
|
/* POSIX.1b doesn't mention process groups. */
|
|
|
|
return kill_proc_info(sig, info, pid);
|
|
|
|
}
|
|
|
|
|
2011-04-05 06:00:26 +08:00
|
|
|
/**
|
|
|
|
* sys_rt_sigqueueinfo - send signal information to a signal
|
|
|
|
* @pid: the PID of the thread
|
|
|
|
* @sig: signal to be sent
|
|
|
|
* @uinfo: signal info to be sent
|
|
|
|
*/
|
2009-01-14 21:14:11 +08:00
|
|
|
SYSCALL_DEFINE3(rt_sigqueueinfo, pid_t, pid, int, sig,
|
|
|
|
siginfo_t __user *, uinfo)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2018-09-25 17:27:20 +08:00
|
|
|
kernel_siginfo_t info;
|
signal: In sigqueueinfo prefer sig not si_signo
Andrei Vagin <avagin@gmail.com> reported:
> Accoding to the man page, the user should not set si_signo, it has to be set
> by kernel.
>
> $ man 2 rt_sigqueueinfo
>
> The uinfo argument specifies the data to accompany the signal. This
> argument is a pointer to a structure of type siginfo_t, described in
> sigaction(2) (and defined by including <sigaction.h>). The caller
> should set the following fields in this structure:
>
> si_code
> This must be one of the SI_* codes in the Linux kernel source
> file include/asm-generic/siginfo.h, with the restriction that
> the code must be negative (i.e., cannot be SI_USER, which is
> used by the kernel to indicate a signal sent by kill(2)) and
> cannot (since Linux 2.6.39) be SI_TKILL (which is used by the
> kernel to indicate a signal sent using tgkill(2)).
>
> si_pid This should be set to a process ID, typically the process ID of
> the sender.
>
> si_uid This should be set to a user ID, typically the real user ID of
> the sender.
>
> si_value
> This field contains the user data to accompany the signal. For
> more information, see the description of the last (union sigval)
> argument of sigqueue(3).
>
> Internally, the kernel sets the si_signo field to the value specified
> in sig, so that the receiver of the signal can also obtain the signal
> number via that field.
>
> On Tue, Sep 25, 2018 at 07:19:02PM +0200, Eric W. Biederman wrote:
>>
>> If there is some application that calls sigqueueinfo directly that has
>> a problem with this added sanity check we can revisit this when we see
>> what kind of crazy that application is doing.
>
>
> I already know two "applications" ;)
>
> https://github.com/torvalds/linux/blob/master/tools/testing/selftests/ptrace/peeksiginfo.c
> https://github.com/checkpoint-restore/criu/blob/master/test/zdtm/static/sigpending.c
>
> Disclaimer: I'm the author of both of them.
Looking at the kernel code the historical behavior has alwasy been to prefer
the signal number passed in by the kernel.
So sigh. Implmenet __copy_siginfo_from_user and __copy_siginfo_from_user32 to
take that signal number and prefer it. The user of ptrace will still
use copy_siginfo_from_user and copy_siginfo_from_user32 as they do not and
never have had a signal number there.
Luckily this change has never made it farther than linux-next.
Fixes: e75dc036c445 ("signal: Fail sigqueueinfo if si_signo != sig")
Reported-by: Andrei Vagin <avagin@gmail.com>
Tested-by: Andrei Vagin <avagin@gmail.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2018-10-05 15:02:48 +08:00
|
|
|
int ret = __copy_siginfo_from_user(sig, &info, uinfo);
|
2018-04-19 06:30:19 +08:00
|
|
|
if (unlikely(ret))
|
|
|
|
return ret;
|
2012-12-26 04:19:12 +08:00
|
|
|
return do_rt_sigqueueinfo(pid, sig, &info);
|
|
|
|
}
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2012-12-26 04:19:12 +08:00
|
|
|
#ifdef CONFIG_COMPAT
|
|
|
|
COMPAT_SYSCALL_DEFINE3(rt_sigqueueinfo,
|
|
|
|
compat_pid_t, pid,
|
|
|
|
int, sig,
|
|
|
|
struct compat_siginfo __user *, uinfo)
|
|
|
|
{
|
2018-09-25 17:27:20 +08:00
|
|
|
kernel_siginfo_t info;
|
signal: In sigqueueinfo prefer sig not si_signo
Andrei Vagin <avagin@gmail.com> reported:
> Accoding to the man page, the user should not set si_signo, it has to be set
> by kernel.
>
> $ man 2 rt_sigqueueinfo
>
> The uinfo argument specifies the data to accompany the signal. This
> argument is a pointer to a structure of type siginfo_t, described in
> sigaction(2) (and defined by including <sigaction.h>). The caller
> should set the following fields in this structure:
>
> si_code
> This must be one of the SI_* codes in the Linux kernel source
> file include/asm-generic/siginfo.h, with the restriction that
> the code must be negative (i.e., cannot be SI_USER, which is
> used by the kernel to indicate a signal sent by kill(2)) and
> cannot (since Linux 2.6.39) be SI_TKILL (which is used by the
> kernel to indicate a signal sent using tgkill(2)).
>
> si_pid This should be set to a process ID, typically the process ID of
> the sender.
>
> si_uid This should be set to a user ID, typically the real user ID of
> the sender.
>
> si_value
> This field contains the user data to accompany the signal. For
> more information, see the description of the last (union sigval)
> argument of sigqueue(3).
>
> Internally, the kernel sets the si_signo field to the value specified
> in sig, so that the receiver of the signal can also obtain the signal
> number via that field.
>
> On Tue, Sep 25, 2018 at 07:19:02PM +0200, Eric W. Biederman wrote:
>>
>> If there is some application that calls sigqueueinfo directly that has
>> a problem with this added sanity check we can revisit this when we see
>> what kind of crazy that application is doing.
>
>
> I already know two "applications" ;)
>
> https://github.com/torvalds/linux/blob/master/tools/testing/selftests/ptrace/peeksiginfo.c
> https://github.com/checkpoint-restore/criu/blob/master/test/zdtm/static/sigpending.c
>
> Disclaimer: I'm the author of both of them.
Looking at the kernel code the historical behavior has alwasy been to prefer
the signal number passed in by the kernel.
So sigh. Implmenet __copy_siginfo_from_user and __copy_siginfo_from_user32 to
take that signal number and prefer it. The user of ptrace will still
use copy_siginfo_from_user and copy_siginfo_from_user32 as they do not and
never have had a signal number there.
Luckily this change has never made it farther than linux-next.
Fixes: e75dc036c445 ("signal: Fail sigqueueinfo if si_signo != sig")
Reported-by: Andrei Vagin <avagin@gmail.com>
Tested-by: Andrei Vagin <avagin@gmail.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2018-10-05 15:02:48 +08:00
|
|
|
int ret = __copy_siginfo_from_user32(sig, &info, uinfo);
|
2012-12-26 04:19:12 +08:00
|
|
|
if (unlikely(ret))
|
|
|
|
return ret;
|
|
|
|
return do_rt_sigqueueinfo(pid, sig, &info);
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
2012-12-26 04:19:12 +08:00
|
|
|
#endif
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2018-09-25 17:27:20 +08:00
|
|
|
static int do_rt_tgsigqueueinfo(pid_t tgid, pid_t pid, int sig, kernel_siginfo_t *info)
|
2009-04-05 05:01:06 +08:00
|
|
|
{
|
|
|
|
/* This is only valid for single tasks */
|
|
|
|
if (pid <= 0 || tgid <= 0)
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
/* Not even root can pretend to send signals from the kernel.
|
2011-03-19 06:05:21 +08:00
|
|
|
* Nor can they impersonate a kill()/tgkill(), which adds source info.
|
|
|
|
*/
|
2015-04-17 03:47:35 +08:00
|
|
|
if ((info->si_code >= 0 || info->si_code == SI_TKILL) &&
|
|
|
|
(task_pid_vnr(current) != pid))
|
2009-04-05 05:01:06 +08:00
|
|
|
return -EPERM;
|
2015-04-17 03:47:35 +08:00
|
|
|
|
2009-04-05 05:01:06 +08:00
|
|
|
return do_send_specific(tgid, pid, sig, info);
|
|
|
|
}
|
|
|
|
|
|
|
|
SYSCALL_DEFINE4(rt_tgsigqueueinfo, pid_t, tgid, pid_t, pid, int, sig,
|
|
|
|
siginfo_t __user *, uinfo)
|
|
|
|
{
|
2018-09-25 17:27:20 +08:00
|
|
|
kernel_siginfo_t info;
|
signal: In sigqueueinfo prefer sig not si_signo
Andrei Vagin <avagin@gmail.com> reported:
> Accoding to the man page, the user should not set si_signo, it has to be set
> by kernel.
>
> $ man 2 rt_sigqueueinfo
>
> The uinfo argument specifies the data to accompany the signal. This
> argument is a pointer to a structure of type siginfo_t, described in
> sigaction(2) (and defined by including <sigaction.h>). The caller
> should set the following fields in this structure:
>
> si_code
> This must be one of the SI_* codes in the Linux kernel source
> file include/asm-generic/siginfo.h, with the restriction that
> the code must be negative (i.e., cannot be SI_USER, which is
> used by the kernel to indicate a signal sent by kill(2)) and
> cannot (since Linux 2.6.39) be SI_TKILL (which is used by the
> kernel to indicate a signal sent using tgkill(2)).
>
> si_pid This should be set to a process ID, typically the process ID of
> the sender.
>
> si_uid This should be set to a user ID, typically the real user ID of
> the sender.
>
> si_value
> This field contains the user data to accompany the signal. For
> more information, see the description of the last (union sigval)
> argument of sigqueue(3).
>
> Internally, the kernel sets the si_signo field to the value specified
> in sig, so that the receiver of the signal can also obtain the signal
> number via that field.
>
> On Tue, Sep 25, 2018 at 07:19:02PM +0200, Eric W. Biederman wrote:
>>
>> If there is some application that calls sigqueueinfo directly that has
>> a problem with this added sanity check we can revisit this when we see
>> what kind of crazy that application is doing.
>
>
> I already know two "applications" ;)
>
> https://github.com/torvalds/linux/blob/master/tools/testing/selftests/ptrace/peeksiginfo.c
> https://github.com/checkpoint-restore/criu/blob/master/test/zdtm/static/sigpending.c
>
> Disclaimer: I'm the author of both of them.
Looking at the kernel code the historical behavior has alwasy been to prefer
the signal number passed in by the kernel.
So sigh. Implmenet __copy_siginfo_from_user and __copy_siginfo_from_user32 to
take that signal number and prefer it. The user of ptrace will still
use copy_siginfo_from_user and copy_siginfo_from_user32 as they do not and
never have had a signal number there.
Luckily this change has never made it farther than linux-next.
Fixes: e75dc036c445 ("signal: Fail sigqueueinfo if si_signo != sig")
Reported-by: Andrei Vagin <avagin@gmail.com>
Tested-by: Andrei Vagin <avagin@gmail.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2018-10-05 15:02:48 +08:00
|
|
|
int ret = __copy_siginfo_from_user(sig, &info, uinfo);
|
2018-04-19 06:30:19 +08:00
|
|
|
if (unlikely(ret))
|
|
|
|
return ret;
|
2009-04-05 05:01:06 +08:00
|
|
|
return do_rt_tgsigqueueinfo(tgid, pid, sig, &info);
|
|
|
|
}
|
|
|
|
|
2012-12-25 12:12:04 +08:00
|
|
|
#ifdef CONFIG_COMPAT
|
|
|
|
COMPAT_SYSCALL_DEFINE4(rt_tgsigqueueinfo,
|
|
|
|
compat_pid_t, tgid,
|
|
|
|
compat_pid_t, pid,
|
|
|
|
int, sig,
|
|
|
|
struct compat_siginfo __user *, uinfo)
|
|
|
|
{
|
2018-09-25 17:27:20 +08:00
|
|
|
kernel_siginfo_t info;
|
signal: In sigqueueinfo prefer sig not si_signo
Andrei Vagin <avagin@gmail.com> reported:
> Accoding to the man page, the user should not set si_signo, it has to be set
> by kernel.
>
> $ man 2 rt_sigqueueinfo
>
> The uinfo argument specifies the data to accompany the signal. This
> argument is a pointer to a structure of type siginfo_t, described in
> sigaction(2) (and defined by including <sigaction.h>). The caller
> should set the following fields in this structure:
>
> si_code
> This must be one of the SI_* codes in the Linux kernel source
> file include/asm-generic/siginfo.h, with the restriction that
> the code must be negative (i.e., cannot be SI_USER, which is
> used by the kernel to indicate a signal sent by kill(2)) and
> cannot (since Linux 2.6.39) be SI_TKILL (which is used by the
> kernel to indicate a signal sent using tgkill(2)).
>
> si_pid This should be set to a process ID, typically the process ID of
> the sender.
>
> si_uid This should be set to a user ID, typically the real user ID of
> the sender.
>
> si_value
> This field contains the user data to accompany the signal. For
> more information, see the description of the last (union sigval)
> argument of sigqueue(3).
>
> Internally, the kernel sets the si_signo field to the value specified
> in sig, so that the receiver of the signal can also obtain the signal
> number via that field.
>
> On Tue, Sep 25, 2018 at 07:19:02PM +0200, Eric W. Biederman wrote:
>>
>> If there is some application that calls sigqueueinfo directly that has
>> a problem with this added sanity check we can revisit this when we see
>> what kind of crazy that application is doing.
>
>
> I already know two "applications" ;)
>
> https://github.com/torvalds/linux/blob/master/tools/testing/selftests/ptrace/peeksiginfo.c
> https://github.com/checkpoint-restore/criu/blob/master/test/zdtm/static/sigpending.c
>
> Disclaimer: I'm the author of both of them.
Looking at the kernel code the historical behavior has alwasy been to prefer
the signal number passed in by the kernel.
So sigh. Implmenet __copy_siginfo_from_user and __copy_siginfo_from_user32 to
take that signal number and prefer it. The user of ptrace will still
use copy_siginfo_from_user and copy_siginfo_from_user32 as they do not and
never have had a signal number there.
Luckily this change has never made it farther than linux-next.
Fixes: e75dc036c445 ("signal: Fail sigqueueinfo if si_signo != sig")
Reported-by: Andrei Vagin <avagin@gmail.com>
Tested-by: Andrei Vagin <avagin@gmail.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2018-10-05 15:02:48 +08:00
|
|
|
int ret = __copy_siginfo_from_user32(sig, &info, uinfo);
|
2018-04-19 06:30:19 +08:00
|
|
|
if (unlikely(ret))
|
|
|
|
return ret;
|
2012-12-25 12:12:04 +08:00
|
|
|
return do_rt_tgsigqueueinfo(tgid, pid, sig, &info);
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
2014-06-07 05:36:53 +08:00
|
|
|
/*
|
2014-06-07 05:37:00 +08:00
|
|
|
* For kthreads only, must not be used if cloned with CLONE_SIGHAND
|
2014-06-07 05:36:53 +08:00
|
|
|
*/
|
2014-06-07 05:37:00 +08:00
|
|
|
void kernel_sigaction(int sig, __sighandler_t action)
|
2014-06-07 05:36:53 +08:00
|
|
|
{
|
2014-06-07 05:36:57 +08:00
|
|
|
spin_lock_irq(¤t->sighand->siglock);
|
2014-06-07 05:37:00 +08:00
|
|
|
current->sighand->action[sig - 1].sa.sa_handler = action;
|
|
|
|
if (action == SIG_IGN) {
|
|
|
|
sigset_t mask;
|
2014-06-07 05:36:53 +08:00
|
|
|
|
2014-06-07 05:37:00 +08:00
|
|
|
sigemptyset(&mask);
|
|
|
|
sigaddset(&mask, sig);
|
2014-06-07 05:36:58 +08:00
|
|
|
|
2014-06-07 05:37:00 +08:00
|
|
|
flush_sigqueue_mask(&mask, ¤t->signal->shared_pending);
|
|
|
|
flush_sigqueue_mask(&mask, ¤t->pending);
|
|
|
|
recalc_sigpending();
|
|
|
|
}
|
2014-06-07 05:36:53 +08:00
|
|
|
spin_unlock_irq(¤t->sighand->siglock);
|
|
|
|
}
|
2014-06-07 05:37:00 +08:00
|
|
|
EXPORT_SYMBOL(kernel_sigaction);
|
2014-06-07 05:36:53 +08:00
|
|
|
|
2016-09-05 21:33:08 +08:00
|
|
|
void __weak sigaction_compat_abi(struct k_sigaction *act,
|
|
|
|
struct k_sigaction *oact)
|
|
|
|
{
|
|
|
|
}
|
|
|
|
|
2006-03-29 08:11:24 +08:00
|
|
|
int do_sigaction(int sig, struct k_sigaction *act, struct k_sigaction *oact)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2014-06-07 05:36:51 +08:00
|
|
|
struct task_struct *p = current, *t;
|
2005-04-17 06:20:36 +08:00
|
|
|
struct k_sigaction *k;
|
2006-01-08 17:02:48 +08:00
|
|
|
sigset_t mask;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2005-05-01 23:59:14 +08:00
|
|
|
if (!valid_signal(sig) || sig < 1 || (act && sig_kernel_only(sig)))
|
2005-04-17 06:20:36 +08:00
|
|
|
return -EINVAL;
|
|
|
|
|
2014-06-07 05:36:51 +08:00
|
|
|
k = &p->sighand->action[sig-1];
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2014-06-07 05:36:51 +08:00
|
|
|
spin_lock_irq(&p->sighand->siglock);
|
2021-10-29 22:14:19 +08:00
|
|
|
if (k->sa.sa_flags & SA_IMMUTABLE) {
|
|
|
|
spin_unlock_irq(&p->sighand->siglock);
|
|
|
|
return -EINVAL;
|
|
|
|
}
|
2005-04-17 06:20:36 +08:00
|
|
|
if (oact)
|
|
|
|
*oact = *k;
|
|
|
|
|
2020-11-17 11:17:25 +08:00
|
|
|
/*
|
|
|
|
* Make sure that we never accidentally claim to support SA_UNSUPPORTED,
|
|
|
|
* e.g. by having an architecture use the bit in their uapi.
|
|
|
|
*/
|
|
|
|
BUILD_BUG_ON(UAPI_SA_FLAGS & SA_UNSUPPORTED);
|
|
|
|
|
signal: clear non-uapi flag bits when passing/returning sa_flags
Previously we were not clearing non-uapi flag bits in
sigaction.sa_flags when storing the userspace-provided sa_flags or
when returning them via oldact. Start doing so.
This allows userspace to detect missing support for flag bits and
allows the kernel to use non-uapi bits internally, as we are already
doing in arch/x86 for two flag bits. Now that this change is in
place, we no longer need the code in arch/x86 that was hiding these
bits from userspace, so remove it.
This is technically a userspace-visible behavior change for sigaction, as
the unknown bits returned via oldact.sa_flags are no longer set. However,
we are free to define the behavior for unknown bits exactly because
their behavior is currently undefined, so for now we can define the
meaning of each of them to be "clear the bit in oldact.sa_flags unless
the bit becomes known in the future". Furthermore, this behavior is
consistent with OpenBSD [1], illumos [2] and XNU [3] (FreeBSD [4] and
NetBSD [5] fail the syscall if unknown bits are set). So there is some
precedent for this behavior in other kernels, and in particular in XNU,
which is probably the most popular kernel among those that I looked at,
which means that this change is less likely to be a compatibility issue.
Link: [1] https://github.com/openbsd/src/blob/f634a6a4b5bf832e9c1de77f7894ae2625e74484/sys/kern/kern_sig.c#L278
Link: [2] https://github.com/illumos/illumos-gate/blob/76f19f5fdc974fe5be5c82a556e43a4df93f1de1/usr/src/uts/common/syscall/sigaction.c#L86
Link: [3] https://github.com/apple/darwin-xnu/blob/a449c6a3b8014d9406c2ddbdc81795da24aa7443/bsd/kern/kern_sig.c#L480
Link: [4] https://github.com/freebsd/freebsd/blob/eded70c37057857c6e23fae51f86b8f8f43cd2d0/sys/kern/kern_sig.c#L699
Link: [5] https://github.com/NetBSD/src/blob/3365779becdcedfca206091a645a0e8e22b2946e/sys/kern/sys_sig.c#L473
Signed-off-by: Peter Collingbourne <pcc@google.com>
Reviewed-by: Dave Martin <Dave.Martin@arm.com>
Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
Link: https://linux-review.googlesource.com/id/I35aab6f5be932505d90f3b3450c083b4db1eca86
Link: https://lkml.kernel.org/r/878dbcb5f47bc9b11881c81f745c0bef5c23f97f.1605235762.git.pcc@google.com
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
2020-11-13 10:53:34 +08:00
|
|
|
/*
|
|
|
|
* Clear unknown flag bits in order to allow userspace to detect missing
|
|
|
|
* support for flag bits and to allow the kernel to use non-uapi bits
|
|
|
|
* internally.
|
|
|
|
*/
|
|
|
|
if (act)
|
|
|
|
act->sa.sa_flags &= UAPI_SA_FLAGS;
|
|
|
|
if (oact)
|
|
|
|
oact->sa.sa_flags &= UAPI_SA_FLAGS;
|
|
|
|
|
2016-09-05 21:33:08 +08:00
|
|
|
sigaction_compat_abi(act, oact);
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
if (act) {
|
2006-02-10 03:41:50 +08:00
|
|
|
sigdelsetmask(&act->sa.sa_mask,
|
|
|
|
sigmask(SIGKILL) | sigmask(SIGSTOP));
|
2006-03-29 08:11:24 +08:00
|
|
|
*k = *act;
|
2005-04-17 06:20:36 +08:00
|
|
|
/*
|
|
|
|
* POSIX 3.3.1.3:
|
|
|
|
* "Setting a signal action to SIG_IGN for a signal that is
|
|
|
|
* pending shall cause the pending signal to be discarded,
|
|
|
|
* whether or not it is blocked."
|
|
|
|
*
|
|
|
|
* "Setting a signal action to SIG_DFL for a signal that is
|
|
|
|
* pending and whose default action is to ignore the signal
|
|
|
|
* (for example, SIGCHLD), shall cause the pending signal to
|
|
|
|
* be discarded, whether or not it is blocked"
|
|
|
|
*/
|
2014-06-07 05:36:51 +08:00
|
|
|
if (sig_handler_ignored(sig_handler(p, sig), sig)) {
|
2006-01-08 17:02:48 +08:00
|
|
|
sigemptyset(&mask);
|
|
|
|
sigaddset(&mask, sig);
|
2014-06-07 05:36:51 +08:00
|
|
|
flush_sigqueue_mask(&mask, &p->signal->shared_pending);
|
|
|
|
for_each_thread(p, t)
|
2014-06-07 05:36:50 +08:00
|
|
|
flush_sigqueue_mask(&mask, &t->pending);
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2014-06-07 05:36:51 +08:00
|
|
|
spin_unlock_irq(&p->sighand->siglock);
|
2005-04-17 06:20:36 +08:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2021-10-22 06:55:05 +08:00
|
|
|
#ifdef CONFIG_DYNAMIC_SIGFRAME
|
|
|
|
static inline void sigaltstack_lock(void)
|
|
|
|
__acquires(¤t->sighand->siglock)
|
|
|
|
{
|
|
|
|
spin_lock_irq(¤t->sighand->siglock);
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline void sigaltstack_unlock(void)
|
|
|
|
__releases(¤t->sighand->siglock)
|
|
|
|
{
|
|
|
|
spin_unlock_irq(¤t->sighand->siglock);
|
|
|
|
}
|
|
|
|
#else
|
|
|
|
static inline void sigaltstack_lock(void) { }
|
|
|
|
static inline void sigaltstack_unlock(void) { }
|
|
|
|
#endif
|
|
|
|
|
2014-06-07 05:36:50 +08:00
|
|
|
static int
|
2018-09-05 22:34:42 +08:00
|
|
|
do_sigaltstack (const stack_t *ss, stack_t *oss, unsigned long sp,
|
|
|
|
size_t min_ss_size)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2017-05-27 12:29:34 +08:00
|
|
|
struct task_struct *t = current;
|
2021-10-22 06:55:05 +08:00
|
|
|
int ret = 0;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2017-05-27 12:29:34 +08:00
|
|
|
if (oss) {
|
|
|
|
memset(oss, 0, sizeof(stack_t));
|
|
|
|
oss->ss_sp = (void __user *) t->sas_ss_sp;
|
|
|
|
oss->ss_size = t->sas_ss_size;
|
|
|
|
oss->ss_flags = sas_ss_flags(sp) |
|
|
|
|
(current->sas_ss_flags & SS_FLAG_BITS);
|
|
|
|
}
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2017-05-27 12:29:34 +08:00
|
|
|
if (ss) {
|
|
|
|
void __user *ss_sp = ss->ss_sp;
|
|
|
|
size_t ss_size = ss->ss_size;
|
|
|
|
unsigned ss_flags = ss->ss_flags;
|
2016-04-15 04:20:03 +08:00
|
|
|
int ss_mode;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2017-05-27 12:29:34 +08:00
|
|
|
if (unlikely(on_sig_stack(sp)))
|
|
|
|
return -EPERM;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2016-04-15 04:20:03 +08:00
|
|
|
ss_mode = ss_flags & ~SS_FLAG_BITS;
|
2017-05-27 12:29:34 +08:00
|
|
|
if (unlikely(ss_mode != SS_DISABLE && ss_mode != SS_ONSTACK &&
|
|
|
|
ss_mode != 0))
|
|
|
|
return -EINVAL;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2021-12-11 06:55:03 +08:00
|
|
|
/*
|
|
|
|
* Return before taking any locks if no actual
|
|
|
|
* sigaltstack changes were requested.
|
|
|
|
*/
|
|
|
|
if (t->sas_ss_sp == (unsigned long)ss_sp &&
|
|
|
|
t->sas_ss_size == ss_size &&
|
|
|
|
t->sas_ss_flags == ss_flags)
|
|
|
|
return 0;
|
|
|
|
|
2021-10-22 06:55:05 +08:00
|
|
|
sigaltstack_lock();
|
2016-04-15 04:20:03 +08:00
|
|
|
if (ss_mode == SS_DISABLE) {
|
2005-04-17 06:20:36 +08:00
|
|
|
ss_size = 0;
|
|
|
|
ss_sp = NULL;
|
|
|
|
} else {
|
2018-09-05 22:34:42 +08:00
|
|
|
if (unlikely(ss_size < min_ss_size))
|
2021-10-22 06:55:05 +08:00
|
|
|
ret = -ENOMEM;
|
|
|
|
if (!sigaltstack_size_valid(ss_size))
|
|
|
|
ret = -ENOMEM;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
2021-10-22 06:55:05 +08:00
|
|
|
if (!ret) {
|
|
|
|
t->sas_ss_sp = (unsigned long) ss_sp;
|
|
|
|
t->sas_ss_size = ss_size;
|
|
|
|
t->sas_ss_flags = ss_flags;
|
|
|
|
}
|
|
|
|
sigaltstack_unlock();
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
2021-10-22 06:55:05 +08:00
|
|
|
return ret;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
2017-05-27 12:29:34 +08:00
|
|
|
|
2012-12-15 03:09:47 +08:00
|
|
|
SYSCALL_DEFINE2(sigaltstack,const stack_t __user *,uss, stack_t __user *,uoss)
|
|
|
|
{
|
2017-05-27 12:29:34 +08:00
|
|
|
stack_t new, old;
|
|
|
|
int err;
|
|
|
|
if (uss && copy_from_user(&new, uss, sizeof(stack_t)))
|
|
|
|
return -EFAULT;
|
|
|
|
err = do_sigaltstack(uss ? &new : NULL, uoss ? &old : NULL,
|
2018-09-05 22:34:42 +08:00
|
|
|
current_user_stack_pointer(),
|
|
|
|
MINSIGSTKSZ);
|
2017-05-27 12:29:34 +08:00
|
|
|
if (!err && uoss && copy_to_user(uoss, &old, sizeof(stack_t)))
|
|
|
|
err = -EFAULT;
|
|
|
|
return err;
|
2012-12-15 03:09:47 +08:00
|
|
|
}
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2012-11-19 04:29:16 +08:00
|
|
|
int restore_altstack(const stack_t __user *uss)
|
|
|
|
{
|
2017-05-27 12:29:34 +08:00
|
|
|
stack_t new;
|
|
|
|
if (copy_from_user(&new, uss, sizeof(stack_t)))
|
|
|
|
return -EFAULT;
|
2018-09-05 22:34:42 +08:00
|
|
|
(void)do_sigaltstack(&new, NULL, current_user_stack_pointer(),
|
|
|
|
MINSIGSTKSZ);
|
2012-11-19 04:29:16 +08:00
|
|
|
/* squash all but EFAULT for now */
|
2017-05-27 12:29:34 +08:00
|
|
|
return 0;
|
2012-11-19 04:29:16 +08:00
|
|
|
}
|
|
|
|
|
2012-11-21 03:24:26 +08:00
|
|
|
int __save_altstack(stack_t __user *uss, unsigned long sp)
|
|
|
|
{
|
|
|
|
struct task_struct *t = current;
|
2016-04-15 04:20:04 +08:00
|
|
|
int err = __put_user((void __user *)t->sas_ss_sp, &uss->ss_sp) |
|
|
|
|
__put_user(t->sas_ss_flags, &uss->ss_flags) |
|
2012-11-21 03:24:26 +08:00
|
|
|
__put_user(t->sas_ss_size, &uss->ss_size);
|
2021-07-01 09:56:43 +08:00
|
|
|
return err;
|
2012-11-21 03:24:26 +08:00
|
|
|
}
|
|
|
|
|
2012-12-15 03:47:53 +08:00
|
|
|
#ifdef CONFIG_COMPAT
|
2018-03-18 00:11:51 +08:00
|
|
|
static int do_compat_sigaltstack(const compat_stack_t __user *uss_ptr,
|
|
|
|
compat_stack_t __user *uoss_ptr)
|
2012-12-15 03:47:53 +08:00
|
|
|
{
|
|
|
|
stack_t uss, uoss;
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
if (uss_ptr) {
|
|
|
|
compat_stack_t uss32;
|
|
|
|
if (copy_from_user(&uss32, uss_ptr, sizeof(compat_stack_t)))
|
|
|
|
return -EFAULT;
|
|
|
|
uss.ss_sp = compat_ptr(uss32.ss_sp);
|
|
|
|
uss.ss_flags = uss32.ss_flags;
|
|
|
|
uss.ss_size = uss32.ss_size;
|
|
|
|
}
|
2017-05-27 12:29:34 +08:00
|
|
|
ret = do_sigaltstack(uss_ptr ? &uss : NULL, &uoss,
|
2018-09-05 22:34:42 +08:00
|
|
|
compat_user_stack_pointer(),
|
|
|
|
COMPAT_MINSIGSTKSZ);
|
2012-12-15 03:47:53 +08:00
|
|
|
if (ret >= 0 && uoss_ptr) {
|
2017-05-27 12:29:34 +08:00
|
|
|
compat_stack_t old;
|
|
|
|
memset(&old, 0, sizeof(old));
|
|
|
|
old.ss_sp = ptr_to_compat(uoss.ss_sp);
|
|
|
|
old.ss_flags = uoss.ss_flags;
|
|
|
|
old.ss_size = uoss.ss_size;
|
|
|
|
if (copy_to_user(uoss_ptr, &old, sizeof(compat_stack_t)))
|
2012-12-15 03:47:53 +08:00
|
|
|
ret = -EFAULT;
|
|
|
|
}
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
2018-03-18 00:11:51 +08:00
|
|
|
COMPAT_SYSCALL_DEFINE2(sigaltstack,
|
|
|
|
const compat_stack_t __user *, uss_ptr,
|
|
|
|
compat_stack_t __user *, uoss_ptr)
|
|
|
|
{
|
|
|
|
return do_compat_sigaltstack(uss_ptr, uoss_ptr);
|
|
|
|
}
|
|
|
|
|
2012-12-15 03:47:53 +08:00
|
|
|
int compat_restore_altstack(const compat_stack_t __user *uss)
|
|
|
|
{
|
2018-03-18 00:11:51 +08:00
|
|
|
int err = do_compat_sigaltstack(uss, NULL);
|
2012-12-15 03:47:53 +08:00
|
|
|
/* squash all but -EFAULT for now */
|
|
|
|
return err == -EFAULT ? err : 0;
|
|
|
|
}
|
2012-11-21 03:24:26 +08:00
|
|
|
|
|
|
|
int __compat_save_altstack(compat_stack_t __user *uss, unsigned long sp)
|
|
|
|
{
|
2017-02-28 06:27:25 +08:00
|
|
|
int err;
|
2012-11-21 03:24:26 +08:00
|
|
|
struct task_struct *t = current;
|
2017-02-28 06:27:25 +08:00
|
|
|
err = __put_user(ptr_to_compat((void __user *)t->sas_ss_sp),
|
|
|
|
&uss->ss_sp) |
|
|
|
|
__put_user(t->sas_ss_flags, &uss->ss_flags) |
|
2012-11-21 03:24:26 +08:00
|
|
|
__put_user(t->sas_ss_size, &uss->ss_size);
|
2021-07-01 09:56:43 +08:00
|
|
|
return err;
|
2012-11-21 03:24:26 +08:00
|
|
|
}
|
2012-12-15 03:47:53 +08:00
|
|
|
#endif
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
#ifdef __ARCH_WANT_SYS_SIGPENDING
|
|
|
|
|
2011-04-05 06:00:26 +08:00
|
|
|
/**
|
|
|
|
* sys_sigpending - examine pending signals
|
2018-03-11 18:34:37 +08:00
|
|
|
* @uset: where mask of pending signal is returned
|
2011-04-05 06:00:26 +08:00
|
|
|
*/
|
2018-03-11 18:34:37 +08:00
|
|
|
SYSCALL_DEFINE1(sigpending, old_sigset_t __user *, uset)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2018-03-11 18:34:37 +08:00
|
|
|
sigset_t set;
|
|
|
|
|
|
|
|
if (sizeof(old_sigset_t) > sizeof(*uset))
|
|
|
|
return -EINVAL;
|
|
|
|
|
2018-08-22 13:00:02 +08:00
|
|
|
do_sigpending(&set);
|
|
|
|
|
|
|
|
if (copy_to_user(uset, &set, sizeof(old_sigset_t)))
|
|
|
|
return -EFAULT;
|
|
|
|
|
|
|
|
return 0;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
2017-05-31 16:42:07 +08:00
|
|
|
#ifdef CONFIG_COMPAT
|
|
|
|
COMPAT_SYSCALL_DEFINE1(sigpending, compat_old_sigset_t __user *, set32)
|
|
|
|
{
|
|
|
|
sigset_t set;
|
2018-08-22 13:00:02 +08:00
|
|
|
|
|
|
|
do_sigpending(&set);
|
|
|
|
|
|
|
|
return put_user(set.sig[0], set32);
|
2017-05-31 16:42:07 +08:00
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
#endif
|
|
|
|
|
|
|
|
#ifdef __ARCH_WANT_SYS_SIGPROCMASK
|
2011-04-05 06:00:26 +08:00
|
|
|
/**
|
|
|
|
* sys_sigprocmask - examine and change blocked signals
|
|
|
|
* @how: whether to add, remove, or set signals
|
2011-04-28 17:36:20 +08:00
|
|
|
* @nset: signals to add or remove (if non-null)
|
2011-04-05 06:00:26 +08:00
|
|
|
* @oset: previous value of signal mask if non-null
|
|
|
|
*
|
2011-04-05 05:59:31 +08:00
|
|
|
* Some platforms have their own version with special arguments;
|
|
|
|
* others support only sys_rt_sigprocmask.
|
|
|
|
*/
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2011-04-28 17:36:20 +08:00
|
|
|
SYSCALL_DEFINE3(sigprocmask, int, how, old_sigset_t __user *, nset,
|
2009-01-14 21:14:06 +08:00
|
|
|
old_sigset_t __user *, oset)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
|
|
|
old_sigset_t old_set, new_set;
|
2011-05-09 19:48:56 +08:00
|
|
|
sigset_t new_blocked;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2011-04-28 17:36:20 +08:00
|
|
|
old_set = current->blocked.sig[0];
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2011-04-28 17:36:20 +08:00
|
|
|
if (nset) {
|
|
|
|
if (copy_from_user(&new_set, nset, sizeof(*nset)))
|
|
|
|
return -EFAULT;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2011-05-09 19:48:56 +08:00
|
|
|
new_blocked = current->blocked;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
switch (how) {
|
|
|
|
case SIG_BLOCK:
|
2011-05-09 19:48:56 +08:00
|
|
|
sigaddsetmask(&new_blocked, new_set);
|
2005-04-17 06:20:36 +08:00
|
|
|
break;
|
|
|
|
case SIG_UNBLOCK:
|
2011-05-09 19:48:56 +08:00
|
|
|
sigdelsetmask(&new_blocked, new_set);
|
2005-04-17 06:20:36 +08:00
|
|
|
break;
|
|
|
|
case SIG_SETMASK:
|
2011-05-09 19:48:56 +08:00
|
|
|
new_blocked.sig[0] = new_set;
|
2005-04-17 06:20:36 +08:00
|
|
|
break;
|
2011-05-09 19:48:56 +08:00
|
|
|
default:
|
|
|
|
return -EINVAL;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
2013-01-06 02:13:29 +08:00
|
|
|
set_current_blocked(&new_blocked);
|
2011-04-28 17:36:20 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
if (oset) {
|
2005-04-17 06:20:36 +08:00
|
|
|
if (copy_to_user(oset, &old_set, sizeof(*oset)))
|
2011-04-28 17:36:20 +08:00
|
|
|
return -EFAULT;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
2011-04-28 17:36:20 +08:00
|
|
|
|
|
|
|
return 0;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
#endif /* __ARCH_WANT_SYS_SIGPROCMASK */
|
|
|
|
|
2012-11-26 12:12:10 +08:00
|
|
|
#ifndef CONFIG_ODD_RT_SIGACTION
|
2011-04-05 06:00:26 +08:00
|
|
|
/**
|
|
|
|
* sys_rt_sigaction - alter an action taken by a process
|
|
|
|
* @sig: signal to be sent
|
2011-04-09 01:53:46 +08:00
|
|
|
* @act: new sigaction
|
|
|
|
* @oact: used to save the previous sigaction
|
2011-04-05 06:00:26 +08:00
|
|
|
* @sigsetsize: size of sigset_t type
|
|
|
|
*/
|
2009-01-14 21:14:34 +08:00
|
|
|
SYSCALL_DEFINE4(rt_sigaction, int, sig,
|
|
|
|
const struct sigaction __user *, act,
|
|
|
|
struct sigaction __user *, oact,
|
|
|
|
size_t, sigsetsize)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
|
|
|
struct k_sigaction new_sa, old_sa;
|
2018-08-22 13:00:07 +08:00
|
|
|
int ret;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
/* XXX: Don't preclude handling different sized sigset_t's. */
|
|
|
|
if (sigsetsize != sizeof(sigset_t))
|
2018-08-22 13:00:07 +08:00
|
|
|
return -EINVAL;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2018-08-22 13:00:07 +08:00
|
|
|
if (act && copy_from_user(&new_sa.sa, act, sizeof(new_sa.sa)))
|
|
|
|
return -EFAULT;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
ret = do_sigaction(sig, act ? &new_sa : NULL, oact ? &old_sa : NULL);
|
2018-08-22 13:00:07 +08:00
|
|
|
if (ret)
|
|
|
|
return ret;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2018-08-22 13:00:07 +08:00
|
|
|
if (oact && copy_to_user(oact, &old_sa.sa, sizeof(old_sa.sa)))
|
|
|
|
return -EFAULT;
|
|
|
|
|
|
|
|
return 0;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
2012-12-26 07:38:15 +08:00
|
|
|
#ifdef CONFIG_COMPAT
|
|
|
|
COMPAT_SYSCALL_DEFINE4(rt_sigaction, int, sig,
|
|
|
|
const struct compat_sigaction __user *, act,
|
|
|
|
struct compat_sigaction __user *, oact,
|
|
|
|
compat_size_t, sigsetsize)
|
|
|
|
{
|
|
|
|
struct k_sigaction new_ka, old_ka;
|
|
|
|
#ifdef __ARCH_HAS_SA_RESTORER
|
|
|
|
compat_uptr_t restorer;
|
|
|
|
#endif
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
/* XXX: Don't preclude handling different sized sigset_t's. */
|
|
|
|
if (sigsetsize != sizeof(compat_sigset_t))
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
if (act) {
|
|
|
|
compat_uptr_t handler;
|
|
|
|
ret = get_user(handler, &act->sa_handler);
|
|
|
|
new_ka.sa.sa_handler = compat_ptr(handler);
|
|
|
|
#ifdef __ARCH_HAS_SA_RESTORER
|
|
|
|
ret |= get_user(restorer, &act->sa_restorer);
|
|
|
|
new_ka.sa.sa_restorer = compat_ptr(restorer);
|
|
|
|
#endif
|
2017-09-04 09:45:17 +08:00
|
|
|
ret |= get_compat_sigset(&new_ka.sa.sa_mask, &act->sa_mask);
|
2013-09-12 05:23:18 +08:00
|
|
|
ret |= get_user(new_ka.sa.sa_flags, &act->sa_flags);
|
2012-12-26 07:38:15 +08:00
|
|
|
if (ret)
|
|
|
|
return -EFAULT;
|
|
|
|
}
|
|
|
|
|
|
|
|
ret = do_sigaction(sig, act ? &new_ka : NULL, oact ? &old_ka : NULL);
|
|
|
|
if (!ret && oact) {
|
|
|
|
ret = put_user(ptr_to_compat(old_ka.sa.sa_handler),
|
|
|
|
&oact->sa_handler);
|
2017-08-22 07:16:11 +08:00
|
|
|
ret |= put_compat_sigset(&oact->sa_mask, &old_ka.sa.sa_mask,
|
|
|
|
sizeof(oact->sa_mask));
|
2013-09-12 05:23:18 +08:00
|
|
|
ret |= put_user(old_ka.sa.sa_flags, &oact->sa_flags);
|
2012-12-26 07:38:15 +08:00
|
|
|
#ifdef __ARCH_HAS_SA_RESTORER
|
|
|
|
ret |= put_user(ptr_to_compat(old_ka.sa.sa_restorer),
|
|
|
|
&oact->sa_restorer);
|
|
|
|
#endif
|
|
|
|
}
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
#endif
|
2012-11-26 12:12:10 +08:00
|
|
|
#endif /* !CONFIG_ODD_RT_SIGACTION */
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2012-12-26 08:09:45 +08:00
|
|
|
#ifdef CONFIG_OLD_SIGACTION
|
|
|
|
SYSCALL_DEFINE3(sigaction, int, sig,
|
|
|
|
const struct old_sigaction __user *, act,
|
|
|
|
struct old_sigaction __user *, oact)
|
|
|
|
{
|
|
|
|
struct k_sigaction new_ka, old_ka;
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
if (act) {
|
|
|
|
old_sigset_t mask;
|
Remove 'type' argument from access_ok() function
Nobody has actually used the type (VERIFY_READ vs VERIFY_WRITE) argument
of the user address range verification function since we got rid of the
old racy i386-only code to walk page tables by hand.
It existed because the original 80386 would not honor the write protect
bit when in kernel mode, so you had to do COW by hand before doing any
user access. But we haven't supported that in a long time, and these
days the 'type' argument is a purely historical artifact.
A discussion about extending 'user_access_begin()' to do the range
checking resulted this patch, because there is no way we're going to
move the old VERIFY_xyz interface to that model. And it's best done at
the end of the merge window when I've done most of my merges, so let's
just get this done once and for all.
This patch was mostly done with a sed-script, with manual fix-ups for
the cases that weren't of the trivial 'access_ok(VERIFY_xyz' form.
There were a couple of notable cases:
- csky still had the old "verify_area()" name as an alias.
- the iter_iov code had magical hardcoded knowledge of the actual
values of VERIFY_{READ,WRITE} (not that they mattered, since nothing
really used it)
- microblaze used the type argument for a debug printout
but other than those oddities this should be a total no-op patch.
I tried to fix up all architectures, did fairly extensive grepping for
access_ok() uses, and the changes are trivial, but I may have missed
something. Any missed conversion should be trivially fixable, though.
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2019-01-04 10:57:57 +08:00
|
|
|
if (!access_ok(act, sizeof(*act)) ||
|
2012-12-26 08:09:45 +08:00
|
|
|
__get_user(new_ka.sa.sa_handler, &act->sa_handler) ||
|
|
|
|
__get_user(new_ka.sa.sa_restorer, &act->sa_restorer) ||
|
|
|
|
__get_user(new_ka.sa.sa_flags, &act->sa_flags) ||
|
|
|
|
__get_user(mask, &act->sa_mask))
|
|
|
|
return -EFAULT;
|
|
|
|
#ifdef __ARCH_HAS_KA_RESTORER
|
|
|
|
new_ka.ka_restorer = NULL;
|
|
|
|
#endif
|
|
|
|
siginitset(&new_ka.sa.sa_mask, mask);
|
|
|
|
}
|
|
|
|
|
|
|
|
ret = do_sigaction(sig, act ? &new_ka : NULL, oact ? &old_ka : NULL);
|
|
|
|
|
|
|
|
if (!ret && oact) {
|
Remove 'type' argument from access_ok() function
Nobody has actually used the type (VERIFY_READ vs VERIFY_WRITE) argument
of the user address range verification function since we got rid of the
old racy i386-only code to walk page tables by hand.
It existed because the original 80386 would not honor the write protect
bit when in kernel mode, so you had to do COW by hand before doing any
user access. But we haven't supported that in a long time, and these
days the 'type' argument is a purely historical artifact.
A discussion about extending 'user_access_begin()' to do the range
checking resulted this patch, because there is no way we're going to
move the old VERIFY_xyz interface to that model. And it's best done at
the end of the merge window when I've done most of my merges, so let's
just get this done once and for all.
This patch was mostly done with a sed-script, with manual fix-ups for
the cases that weren't of the trivial 'access_ok(VERIFY_xyz' form.
There were a couple of notable cases:
- csky still had the old "verify_area()" name as an alias.
- the iter_iov code had magical hardcoded knowledge of the actual
values of VERIFY_{READ,WRITE} (not that they mattered, since nothing
really used it)
- microblaze used the type argument for a debug printout
but other than those oddities this should be a total no-op patch.
I tried to fix up all architectures, did fairly extensive grepping for
access_ok() uses, and the changes are trivial, but I may have missed
something. Any missed conversion should be trivially fixable, though.
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2019-01-04 10:57:57 +08:00
|
|
|
if (!access_ok(oact, sizeof(*oact)) ||
|
2012-12-26 08:09:45 +08:00
|
|
|
__put_user(old_ka.sa.sa_handler, &oact->sa_handler) ||
|
|
|
|
__put_user(old_ka.sa.sa_restorer, &oact->sa_restorer) ||
|
|
|
|
__put_user(old_ka.sa.sa_flags, &oact->sa_flags) ||
|
|
|
|
__put_user(old_ka.sa.sa_mask.sig[0], &oact->sa_mask))
|
|
|
|
return -EFAULT;
|
|
|
|
}
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
#ifdef CONFIG_COMPAT_OLD_SIGACTION
|
|
|
|
COMPAT_SYSCALL_DEFINE3(sigaction, int, sig,
|
|
|
|
const struct compat_old_sigaction __user *, act,
|
|
|
|
struct compat_old_sigaction __user *, oact)
|
|
|
|
{
|
|
|
|
struct k_sigaction new_ka, old_ka;
|
|
|
|
int ret;
|
|
|
|
compat_old_sigset_t mask;
|
|
|
|
compat_uptr_t handler, restorer;
|
|
|
|
|
|
|
|
if (act) {
|
Remove 'type' argument from access_ok() function
Nobody has actually used the type (VERIFY_READ vs VERIFY_WRITE) argument
of the user address range verification function since we got rid of the
old racy i386-only code to walk page tables by hand.
It existed because the original 80386 would not honor the write protect
bit when in kernel mode, so you had to do COW by hand before doing any
user access. But we haven't supported that in a long time, and these
days the 'type' argument is a purely historical artifact.
A discussion about extending 'user_access_begin()' to do the range
checking resulted this patch, because there is no way we're going to
move the old VERIFY_xyz interface to that model. And it's best done at
the end of the merge window when I've done most of my merges, so let's
just get this done once and for all.
This patch was mostly done with a sed-script, with manual fix-ups for
the cases that weren't of the trivial 'access_ok(VERIFY_xyz' form.
There were a couple of notable cases:
- csky still had the old "verify_area()" name as an alias.
- the iter_iov code had magical hardcoded knowledge of the actual
values of VERIFY_{READ,WRITE} (not that they mattered, since nothing
really used it)
- microblaze used the type argument for a debug printout
but other than those oddities this should be a total no-op patch.
I tried to fix up all architectures, did fairly extensive grepping for
access_ok() uses, and the changes are trivial, but I may have missed
something. Any missed conversion should be trivially fixable, though.
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2019-01-04 10:57:57 +08:00
|
|
|
if (!access_ok(act, sizeof(*act)) ||
|
2012-12-26 08:09:45 +08:00
|
|
|
__get_user(handler, &act->sa_handler) ||
|
|
|
|
__get_user(restorer, &act->sa_restorer) ||
|
|
|
|
__get_user(new_ka.sa.sa_flags, &act->sa_flags) ||
|
|
|
|
__get_user(mask, &act->sa_mask))
|
|
|
|
return -EFAULT;
|
|
|
|
|
|
|
|
#ifdef __ARCH_HAS_KA_RESTORER
|
|
|
|
new_ka.ka_restorer = NULL;
|
|
|
|
#endif
|
|
|
|
new_ka.sa.sa_handler = compat_ptr(handler);
|
|
|
|
new_ka.sa.sa_restorer = compat_ptr(restorer);
|
|
|
|
siginitset(&new_ka.sa.sa_mask, mask);
|
|
|
|
}
|
|
|
|
|
|
|
|
ret = do_sigaction(sig, act ? &new_ka : NULL, oact ? &old_ka : NULL);
|
|
|
|
|
|
|
|
if (!ret && oact) {
|
Remove 'type' argument from access_ok() function
Nobody has actually used the type (VERIFY_READ vs VERIFY_WRITE) argument
of the user address range verification function since we got rid of the
old racy i386-only code to walk page tables by hand.
It existed because the original 80386 would not honor the write protect
bit when in kernel mode, so you had to do COW by hand before doing any
user access. But we haven't supported that in a long time, and these
days the 'type' argument is a purely historical artifact.
A discussion about extending 'user_access_begin()' to do the range
checking resulted this patch, because there is no way we're going to
move the old VERIFY_xyz interface to that model. And it's best done at
the end of the merge window when I've done most of my merges, so let's
just get this done once and for all.
This patch was mostly done with a sed-script, with manual fix-ups for
the cases that weren't of the trivial 'access_ok(VERIFY_xyz' form.
There were a couple of notable cases:
- csky still had the old "verify_area()" name as an alias.
- the iter_iov code had magical hardcoded knowledge of the actual
values of VERIFY_{READ,WRITE} (not that they mattered, since nothing
really used it)
- microblaze used the type argument for a debug printout
but other than those oddities this should be a total no-op patch.
I tried to fix up all architectures, did fairly extensive grepping for
access_ok() uses, and the changes are trivial, but I may have missed
something. Any missed conversion should be trivially fixable, though.
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2019-01-04 10:57:57 +08:00
|
|
|
if (!access_ok(oact, sizeof(*oact)) ||
|
2012-12-26 08:09:45 +08:00
|
|
|
__put_user(ptr_to_compat(old_ka.sa.sa_handler),
|
|
|
|
&oact->sa_handler) ||
|
|
|
|
__put_user(ptr_to_compat(old_ka.sa.sa_restorer),
|
|
|
|
&oact->sa_restorer) ||
|
|
|
|
__put_user(old_ka.sa.sa_flags, &oact->sa_flags) ||
|
|
|
|
__put_user(old_ka.sa.sa_mask.sig[0], &oact->sa_mask))
|
|
|
|
return -EFAULT;
|
|
|
|
}
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
#endif
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2014-06-05 07:11:12 +08:00
|
|
|
#ifdef CONFIG_SGETMASK_SYSCALL
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
/*
|
|
|
|
* For backwards compatibility. Functionality superseded by sigprocmask.
|
|
|
|
*/
|
2009-01-14 21:14:11 +08:00
|
|
|
SYSCALL_DEFINE0(sgetmask)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
|
|
|
/* SMP safe */
|
|
|
|
return current->blocked.sig[0];
|
|
|
|
}
|
|
|
|
|
2009-01-14 21:14:11 +08:00
|
|
|
SYSCALL_DEFINE1(ssetmask, int, newmask)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2011-07-28 03:49:44 +08:00
|
|
|
int old = current->blocked.sig[0];
|
|
|
|
sigset_t newset;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2013-01-06 02:13:13 +08:00
|
|
|
siginitset(&newset, newmask);
|
2011-07-28 03:49:44 +08:00
|
|
|
set_current_blocked(&newset);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
return old;
|
|
|
|
}
|
2014-06-05 07:11:12 +08:00
|
|
|
#endif /* CONFIG_SGETMASK_SYSCALL */
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
#ifdef __ARCH_WANT_SYS_SIGNAL
|
|
|
|
/*
|
|
|
|
* For backwards compatibility. Functionality superseded by sigaction.
|
|
|
|
*/
|
2009-01-14 21:14:11 +08:00
|
|
|
SYSCALL_DEFINE2(signal, int, sig, __sighandler_t, handler)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
|
|
|
struct k_sigaction new_sa, old_sa;
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
new_sa.sa.sa_handler = handler;
|
|
|
|
new_sa.sa.sa_flags = SA_ONESHOT | SA_NOMASK;
|
2006-02-10 03:41:41 +08:00
|
|
|
sigemptyset(&new_sa.sa.sa_mask);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
ret = do_sigaction(sig, &new_sa, &old_sa);
|
|
|
|
|
|
|
|
return ret ? ret : (unsigned long)old_sa.sa.sa_handler;
|
|
|
|
}
|
|
|
|
#endif /* __ARCH_WANT_SYS_SIGNAL */
|
|
|
|
|
|
|
|
#ifdef __ARCH_WANT_SYS_PAUSE
|
|
|
|
|
2009-01-14 21:14:11 +08:00
|
|
|
SYSCALL_DEFINE0(pause)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2011-05-26 01:22:27 +08:00
|
|
|
while (!signal_pending(current)) {
|
2015-02-18 05:45:41 +08:00
|
|
|
__set_current_state(TASK_INTERRUPTIBLE);
|
2011-05-26 01:22:27 +08:00
|
|
|
schedule();
|
|
|
|
}
|
2005-04-17 06:20:36 +08:00
|
|
|
return -ERESTARTNOHAND;
|
|
|
|
}
|
|
|
|
|
|
|
|
#endif
|
|
|
|
|
2015-11-21 07:57:21 +08:00
|
|
|
static int sigsuspend(sigset_t *set)
|
2012-05-22 09:42:32 +08:00
|
|
|
{
|
|
|
|
current->saved_sigmask = current->blocked;
|
|
|
|
set_current_blocked(set);
|
|
|
|
|
2016-02-06 07:36:05 +08:00
|
|
|
while (!signal_pending(current)) {
|
|
|
|
__set_current_state(TASK_INTERRUPTIBLE);
|
|
|
|
schedule();
|
|
|
|
}
|
2012-05-22 09:42:32 +08:00
|
|
|
set_restore_sigmask();
|
|
|
|
return -ERESTARTNOHAND;
|
|
|
|
}
|
|
|
|
|
2011-04-05 06:00:26 +08:00
|
|
|
/**
|
|
|
|
* sys_rt_sigsuspend - replace the signal mask for a value with the
|
|
|
|
* @unewset value until a signal is received
|
|
|
|
* @unewset: new signal mask value
|
|
|
|
* @sigsetsize: size of sigset_t type
|
|
|
|
*/
|
2009-01-14 21:14:34 +08:00
|
|
|
SYSCALL_DEFINE2(rt_sigsuspend, sigset_t __user *, unewset, size_t, sigsetsize)
|
2006-01-19 09:43:57 +08:00
|
|
|
{
|
|
|
|
sigset_t newset;
|
|
|
|
|
|
|
|
/* XXX: Don't preclude handling different sized sigset_t's. */
|
|
|
|
if (sigsetsize != sizeof(sigset_t))
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
if (copy_from_user(&newset, unewset, sizeof(newset)))
|
|
|
|
return -EFAULT;
|
2012-05-22 09:42:32 +08:00
|
|
|
return sigsuspend(&newset);
|
2006-01-19 09:43:57 +08:00
|
|
|
}
|
2012-12-25 10:43:56 +08:00
|
|
|
|
|
|
|
#ifdef CONFIG_COMPAT
|
|
|
|
COMPAT_SYSCALL_DEFINE2(rt_sigsuspend, compat_sigset_t __user *, unewset, compat_size_t, sigsetsize)
|
|
|
|
{
|
|
|
|
sigset_t newset;
|
|
|
|
|
|
|
|
/* XXX: Don't preclude handling different sized sigset_t's. */
|
|
|
|
if (sigsetsize != sizeof(sigset_t))
|
|
|
|
return -EINVAL;
|
|
|
|
|
2017-09-04 09:45:17 +08:00
|
|
|
if (get_compat_sigset(&newset, unewset))
|
2012-12-25 10:43:56 +08:00
|
|
|
return -EFAULT;
|
|
|
|
return sigsuspend(&newset);
|
|
|
|
}
|
|
|
|
#endif
|
2006-01-19 09:43:57 +08:00
|
|
|
|
2012-12-26 05:04:12 +08:00
|
|
|
#ifdef CONFIG_OLD_SIGSUSPEND
|
|
|
|
SYSCALL_DEFINE1(sigsuspend, old_sigset_t, mask)
|
|
|
|
{
|
|
|
|
sigset_t blocked;
|
|
|
|
siginitset(&blocked, mask);
|
|
|
|
return sigsuspend(&blocked);
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
#ifdef CONFIG_OLD_SIGSUSPEND3
|
|
|
|
SYSCALL_DEFINE3(sigsuspend, int, unused1, int, unused2, old_sigset_t, mask)
|
|
|
|
{
|
|
|
|
sigset_t blocked;
|
|
|
|
siginitset(&blocked, mask);
|
|
|
|
return sigsuspend(&blocked);
|
|
|
|
}
|
|
|
|
#endif
|
2006-01-19 09:43:57 +08:00
|
|
|
|
2014-04-08 06:39:20 +08:00
|
|
|
__weak const char *arch_vma_name(struct vm_area_struct *vma)
|
2006-09-27 16:50:23 +08:00
|
|
|
{
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
2018-09-25 17:27:20 +08:00
|
|
|
static inline void siginfo_buildtime_checks(void)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2017-07-20 10:23:15 +08:00
|
|
|
BUILD_BUG_ON(sizeof(struct siginfo) != SI_MAX_SIZE);
|
2016-03-23 05:27:54 +08:00
|
|
|
|
2018-09-25 17:27:20 +08:00
|
|
|
/* Verify the offsets in the two siginfos match */
|
|
|
|
#define CHECK_OFFSET(field) \
|
|
|
|
BUILD_BUG_ON(offsetof(siginfo_t, field) != offsetof(kernel_siginfo_t, field))
|
|
|
|
|
|
|
|
/* kill */
|
|
|
|
CHECK_OFFSET(si_pid);
|
|
|
|
CHECK_OFFSET(si_uid);
|
|
|
|
|
|
|
|
/* timer */
|
|
|
|
CHECK_OFFSET(si_tid);
|
|
|
|
CHECK_OFFSET(si_overrun);
|
|
|
|
CHECK_OFFSET(si_value);
|
|
|
|
|
|
|
|
/* rt */
|
|
|
|
CHECK_OFFSET(si_pid);
|
|
|
|
CHECK_OFFSET(si_uid);
|
|
|
|
CHECK_OFFSET(si_value);
|
|
|
|
|
|
|
|
/* sigchld */
|
|
|
|
CHECK_OFFSET(si_pid);
|
|
|
|
CHECK_OFFSET(si_uid);
|
|
|
|
CHECK_OFFSET(si_status);
|
|
|
|
CHECK_OFFSET(si_utime);
|
|
|
|
CHECK_OFFSET(si_stime);
|
|
|
|
|
|
|
|
/* sigfault */
|
|
|
|
CHECK_OFFSET(si_addr);
|
siginfo: Move si_trapno inside the union inside _si_fault
It turns out that linux uses si_trapno very sparingly, and as such it
can be considered extra information for a very narrow selection of
signals, rather than information that is present with every fault
reported in siginfo.
As such move si_trapno inside the union inside of _si_fault. This
results in no change in placement, and makes it eaiser
to extend _si_fault in the future as this reduces the number of
special cases. In particular with si_trapno included in the union it
is no longer a concern that the union must be pointer aligned on most
architectures because the union follows immediately after si_addr
which is a pointer.
This change results in a difference in siginfo field placement on
sparc and alpha for the fields si_addr_lsb, si_lower, si_upper,
si_pkey, and si_perf. These architectures do not implement the
signals that would use si_addr_lsb, si_lower, si_upper, si_pkey, and
si_perf. Further these architecture have not yet implemented the
userspace that would use si_perf.
The point of this change is in fact to correct these placement issues
before sparc or alpha grow userspace that cares. This change was
discussed[1] and the agreement is that this change is currently safe.
[1]: https://lkml.kernel.org/r/CAK8P3a0+uKYwL1NhY6Hvtieghba2hKYGD6hcKx5n8=4Gtt+pHA@mail.gmail.com
Acked-by: Marco Elver <elver@google.com>
v1: https://lkml.kernel.org/r/m1tunns7yf.fsf_-_@fess.ebiederm.org
v2: https://lkml.kernel.org/r/20210505141101.11519-5-ebiederm@xmission.com
Link: https://lkml.kernel.org/r/20210517195748.8880-1-ebiederm@xmission.com
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2021-05-01 06:06:01 +08:00
|
|
|
CHECK_OFFSET(si_trapno);
|
2018-09-25 17:27:20 +08:00
|
|
|
CHECK_OFFSET(si_addr_lsb);
|
|
|
|
CHECK_OFFSET(si_lower);
|
|
|
|
CHECK_OFFSET(si_upper);
|
|
|
|
CHECK_OFFSET(si_pkey);
|
2021-05-03 06:28:31 +08:00
|
|
|
CHECK_OFFSET(si_perf_data);
|
|
|
|
CHECK_OFFSET(si_perf_type);
|
signal: Deliver SIGTRAP on perf event asynchronously if blocked
With SIGTRAP on perf events, we have encountered termination of
processes due to user space attempting to block delivery of SIGTRAP.
Consider this case:
<set up SIGTRAP on a perf event>
...
sigset_t s;
sigemptyset(&s);
sigaddset(&s, SIGTRAP | <and others>);
sigprocmask(SIG_BLOCK, &s, ...);
...
<perf event triggers>
When the perf event triggers, while SIGTRAP is blocked, force_sig_perf()
will force the signal, but revert back to the default handler, thus
terminating the task.
This makes sense for error conditions, but not so much for explicitly
requested monitoring. However, the expectation is still that signals
generated by perf events are synchronous, which will no longer be the
case if the signal is blocked and delivered later.
To give user space the ability to clearly distinguish synchronous from
asynchronous signals, introduce siginfo_t::si_perf_flags and
TRAP_PERF_FLAG_ASYNC (opted for flags in case more binary information is
required in future).
The resolution to the problem is then to (a) no longer force the signal
(avoiding the terminations), but (b) tell user space via si_perf_flags
if the signal was synchronous or not, so that such signals can be
handled differently (e.g. let user space decide to ignore or consider
the data imprecise).
The alternative of making the kernel ignore SIGTRAP on perf events if
the signal is blocked may work for some usecases, but likely causes
issues in others that then have to revert back to interception of
sigprocmask() (which we want to avoid). [ A concrete example: when using
breakpoint perf events to track data-flow, in a region of code where
signals are blocked, data-flow can no longer be tracked accurately.
When a relevant asynchronous signal is received after unblocking the
signal, the data-flow tracking logic needs to know its state is
imprecise. ]
Fixes: 97ba62b27867 ("perf: Add support for SIGTRAP on perf events")
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Marco Elver <elver@google.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Acked-by: Geert Uytterhoeven <geert@linux-m68k.org>
Tested-by: Dmitry Vyukov <dvyukov@google.com>
Link: https://lore.kernel.org/r/20220404111204.935357-1-elver@google.com
2022-04-04 19:12:04 +08:00
|
|
|
CHECK_OFFSET(si_perf_flags);
|
2018-09-25 17:27:20 +08:00
|
|
|
|
|
|
|
/* sigpoll */
|
|
|
|
CHECK_OFFSET(si_band);
|
|
|
|
CHECK_OFFSET(si_fd);
|
|
|
|
|
|
|
|
/* sigsys */
|
|
|
|
CHECK_OFFSET(si_call_addr);
|
|
|
|
CHECK_OFFSET(si_syscall);
|
|
|
|
CHECK_OFFSET(si_arch);
|
|
|
|
#undef CHECK_OFFSET
|
signal/usb: Replace kill_pid_info_as_cred with kill_pid_usb_asyncio
The usb support for asyncio encoded one of it's values in the wrong
field. It should have used si_value but instead used si_addr which is
not present in the _rt union member of struct siginfo.
The practical result of this is that on a 64bit big endian kernel
when delivering a signal to a 32bit process the si_addr field
is set to NULL, instead of the expected pointer value.
This issue can not be fixed in copy_siginfo_to_user32 as the usb
usage of the the _sigfault (aka si_addr) member of the siginfo
union when SI_ASYNCIO is set is incompatible with the POSIX and
glibc usage of the _rt member of the siginfo union.
Therefore replace kill_pid_info_as_cred with kill_pid_usb_asyncio a
dedicated function for this one specific case. There are no other
users of kill_pid_info_as_cred so this specialization should have no
impact on the amount of code in the kernel. Have kill_pid_usb_asyncio
take instead of a siginfo_t which is difficult and error prone, 3
arguments, a signal number, an errno value, and an address enconded as
a sigval_t. The encoding of the address as a sigval_t allows the
code that reads the userspace request for a signal to handle this
compat issue along with all of the other compat issues.
Add BUILD_BUG_ONs in kernel/signal.c to ensure that we can now place
the pointer value at the in si_pid (instead of si_addr). That is the
code now verifies that si_pid and si_addr always occur at the same
location. Further the code veries that for native structures a value
placed in si_pid and spilling into si_uid will appear in userspace in
si_addr (on a byte by byte copy of siginfo or a field by field copy of
siginfo). The code also verifies that for a 64bit kernel and a 32bit
userspace the 32bit pointer will fit in si_pid.
I have used the usbsig.c program below written by Alan Stern and
slightly tweaked by me to run on a big endian machine to verify the
issue exists (on sparc64) and to confirm the patch below fixes the issue.
/* usbsig.c -- test USB async signal delivery */
#define _GNU_SOURCE
#include <stdio.h>
#include <fcntl.h>
#include <signal.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <endian.h>
#include <linux/usb/ch9.h>
#include <linux/usbdevice_fs.h>
static struct usbdevfs_urb urb;
static struct usbdevfs_disconnectsignal ds;
static volatile sig_atomic_t done = 0;
void urb_handler(int sig, siginfo_t *info , void *ucontext)
{
printf("Got signal %d, signo %d errno %d code %d addr: %p urb: %p\n",
sig, info->si_signo, info->si_errno, info->si_code,
info->si_addr, &urb);
printf("%s\n", (info->si_addr == &urb) ? "Good" : "Bad");
}
void ds_handler(int sig, siginfo_t *info , void *ucontext)
{
printf("Got signal %d, signo %d errno %d code %d addr: %p ds: %p\n",
sig, info->si_signo, info->si_errno, info->si_code,
info->si_addr, &ds);
printf("%s\n", (info->si_addr == &ds) ? "Good" : "Bad");
done = 1;
}
int main(int argc, char **argv)
{
char *devfilename;
int fd;
int rc;
struct sigaction act;
struct usb_ctrlrequest *req;
void *ptr;
char buf[80];
if (argc != 2) {
fprintf(stderr, "Usage: usbsig device-file-name\n");
return 1;
}
devfilename = argv[1];
fd = open(devfilename, O_RDWR);
if (fd == -1) {
perror("Error opening device file");
return 1;
}
act.sa_sigaction = urb_handler;
sigemptyset(&act.sa_mask);
act.sa_flags = SA_SIGINFO;
rc = sigaction(SIGUSR1, &act, NULL);
if (rc == -1) {
perror("Error in sigaction");
return 1;
}
act.sa_sigaction = ds_handler;
sigemptyset(&act.sa_mask);
act.sa_flags = SA_SIGINFO;
rc = sigaction(SIGUSR2, &act, NULL);
if (rc == -1) {
perror("Error in sigaction");
return 1;
}
memset(&urb, 0, sizeof(urb));
urb.type = USBDEVFS_URB_TYPE_CONTROL;
urb.endpoint = USB_DIR_IN | 0;
urb.buffer = buf;
urb.buffer_length = sizeof(buf);
urb.signr = SIGUSR1;
req = (struct usb_ctrlrequest *) buf;
req->bRequestType = USB_DIR_IN | USB_TYPE_STANDARD | USB_RECIP_DEVICE;
req->bRequest = USB_REQ_GET_DESCRIPTOR;
req->wValue = htole16(USB_DT_DEVICE << 8);
req->wIndex = htole16(0);
req->wLength = htole16(sizeof(buf) - sizeof(*req));
rc = ioctl(fd, USBDEVFS_SUBMITURB, &urb);
if (rc == -1) {
perror("Error in SUBMITURB ioctl");
return 1;
}
rc = ioctl(fd, USBDEVFS_REAPURB, &ptr);
if (rc == -1) {
perror("Error in REAPURB ioctl");
return 1;
}
memset(&ds, 0, sizeof(ds));
ds.signr = SIGUSR2;
ds.context = &ds;
rc = ioctl(fd, USBDEVFS_DISCSIGNAL, &ds);
if (rc == -1) {
perror("Error in DISCSIGNAL ioctl");
return 1;
}
printf("Waiting for usb disconnect\n");
while (!done) {
sleep(1);
}
close(fd);
return 0;
}
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: linux-usb@vger.kernel.org
Cc: Alan Stern <stern@rowland.harvard.edu>
Cc: Oliver Neukum <oneukum@suse.com>
Fixes: v2.3.39
Cc: stable@vger.kernel.org
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2019-02-08 09:44:12 +08:00
|
|
|
|
|
|
|
/* usb asyncio */
|
|
|
|
BUILD_BUG_ON(offsetof(struct siginfo, si_pid) !=
|
|
|
|
offsetof(struct siginfo, si_addr));
|
|
|
|
if (sizeof(int) == sizeof(void __user *)) {
|
|
|
|
BUILD_BUG_ON(sizeof_field(struct siginfo, si_pid) !=
|
|
|
|
sizeof(void __user *));
|
|
|
|
} else {
|
|
|
|
BUILD_BUG_ON((sizeof_field(struct siginfo, si_pid) +
|
|
|
|
sizeof_field(struct siginfo, si_uid)) !=
|
|
|
|
sizeof(void __user *));
|
|
|
|
BUILD_BUG_ON(offsetofend(struct siginfo, si_pid) !=
|
|
|
|
offsetof(struct siginfo, si_uid));
|
|
|
|
}
|
|
|
|
#ifdef CONFIG_COMPAT
|
|
|
|
BUILD_BUG_ON(offsetof(struct compat_siginfo, si_pid) !=
|
|
|
|
offsetof(struct compat_siginfo, si_addr));
|
|
|
|
BUILD_BUG_ON(sizeof_field(struct compat_siginfo, si_pid) !=
|
|
|
|
sizeof(compat_uptr_t));
|
|
|
|
BUILD_BUG_ON(sizeof_field(struct compat_siginfo, si_pid) !=
|
|
|
|
sizeof_field(struct siginfo, si_pid));
|
|
|
|
#endif
|
2018-09-25 17:27:20 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
void __init signals_init(void)
|
|
|
|
{
|
|
|
|
siginfo_buildtime_checks();
|
|
|
|
|
2021-09-03 05:55:35 +08:00
|
|
|
sigqueue_cachep = KMEM_CACHE(sigqueue, SLAB_PANIC | SLAB_ACCOUNT);
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
2010-05-21 10:04:21 +08:00
|
|
|
|
|
|
|
#ifdef CONFIG_KGDB_KDB
|
|
|
|
#include <linux/kdb.h>
|
|
|
|
/*
|
2017-08-18 04:45:38 +08:00
|
|
|
* kdb_send_sig - Allows kdb to send signals without exposing
|
2010-05-21 10:04:21 +08:00
|
|
|
* signal internals. This function checks if the required locks are
|
|
|
|
* available before calling the main signal code, to avoid kdb
|
|
|
|
* deadlocks.
|
|
|
|
*/
|
2017-08-18 04:45:38 +08:00
|
|
|
void kdb_send_sig(struct task_struct *t, int sig)
|
2010-05-21 10:04:21 +08:00
|
|
|
{
|
|
|
|
static struct task_struct *kdb_prev_t;
|
2017-08-18 04:45:38 +08:00
|
|
|
int new_t, ret;
|
2010-05-21 10:04:21 +08:00
|
|
|
if (!spin_trylock(&t->sighand->siglock)) {
|
|
|
|
kdb_printf("Can't do kill command now.\n"
|
|
|
|
"The sigmask lock is held somewhere else in "
|
|
|
|
"kernel, try again later\n");
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
new_t = kdb_prev_t != t;
|
|
|
|
kdb_prev_t = t;
|
2021-06-11 16:28:12 +08:00
|
|
|
if (!task_is_running(t) && new_t) {
|
2017-08-18 04:45:38 +08:00
|
|
|
spin_unlock(&t->sighand->siglock);
|
2010-05-21 10:04:21 +08:00
|
|
|
kdb_printf("Process is not RUNNING, sending a signal from "
|
|
|
|
"kdb risks deadlock\n"
|
|
|
|
"on the run queue locks. "
|
|
|
|
"The signal has _not_ been sent.\n"
|
|
|
|
"Reissue the kill command if you want to risk "
|
|
|
|
"the deadlock.\n");
|
|
|
|
return;
|
|
|
|
}
|
2022-04-22 22:48:54 +08:00
|
|
|
ret = send_signal_locked(sig, SEND_SIG_PRIV, t, PIDTYPE_PID);
|
2017-08-18 04:45:38 +08:00
|
|
|
spin_unlock(&t->sighand->siglock);
|
|
|
|
if (ret)
|
2010-05-21 10:04:21 +08:00
|
|
|
kdb_printf("Fail to deliver Signal %d to process %d.\n",
|
|
|
|
sig, t->pid);
|
|
|
|
else
|
|
|
|
kdb_printf("Signal %d is sent to process %d.\n", sig, t->pid);
|
|
|
|
}
|
|
|
|
#endif /* CONFIG_KGDB_KDB */
|