Re: Q: perf_event && task->ptrace_bps[]

From: Frederic Weisbecker
Date: Mon Jan 17 2011 - 18:59:04 EST

Next message: Sutharsan Ramamoorthy: "[PATCH] Westbridge software module, fixes errors reported by checkpatch.pl"
Previous message: Christophe Henri RICARD: "[PATCH 1/3] TPM: new stm i2c device driver"
In reply to: Oleg Nesterov: "Re: Q: perf_event && task->ptrace_bps[]"
Next in thread: Roland McGrath: "Re: Q: perf_event && task->ptrace_bps[]"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Nov 08, 2010 at 08:18:13PM +0100, Oleg Nesterov wrote:
> On 11/08, Frederic Weisbecker wrote:
> >
> > On Mon, Nov 08, 2010 at 03:56:47PM +0100, Oleg Nesterov wrote:
> > > Hello.
> > >
> > > I am trying to understand the usage of hw-breakpoints in arch_ptrace().
> > > ptrace_set_debugreg() and related code looks obviously racy. Nothing
> > > protects us against flush_ptrace_hw_breakpoint() called by the dying
> > > tracee. Afaics we can leak perf_event or use the already freed memory
> > > or both.
> > >
> > > Am I missed something?
> > >
> > > Looking into the git history, I don't even know which patch should be
> > > blamed (if I am right), there were too many changes. I noticed that
> > > 2ebd4ffb6d0cb877787b1e42be8485820158857e "perf events: Split out task
> > > search into helper" moved the PF_EXITING check from find_get_context().
> > > This check coould help if sys_ptrace() races with SIGKILL, but it was
> > > racy anyway.
> > >
> > > It is not clear to me what should be done. Looking more, I do not
> > > understand the scope of perf_event/ctx at all, sys_perf_event_open()
> > > looks wrong too, see the next email I am going to send.
> > >
> > > Oleg.
> >
> > But I don't understand how ptrace_set_debugreg() and flush_old_exec() can
> > happen at the same time.
>
> This can't happen. But I meant do_exit()->flush_ptrace_hw_breakpoint()
>
> > The parent can only do the ptrace request when
> > the child is stopped, right?
>
> Yes. But nothing can "pin" TASK_TRACED.
>
> We know that a) the tracee was stopped() when sys_ptrace() was called
> and b) its task_struct can't go away. That is all. The tracee can be
> killed at any moment, and sys_ptrace() can race with with
> flush_ptrace_hw_breakpoint().

Aah, so we check if the task is stopped when sys_ptrace() is called,
but right after we do this check, the tracee can be resumed at any time?
(with either SIGCONT or SIGKILL), even if we are servicing the ptrace
request at the same time?

Seems to be so as I look at the code.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Sutharsan Ramamoorthy: "[PATCH] Westbridge software module, fixes errors reported by checkpatch.pl"
Previous message: Christophe Henri RICARD: "[PATCH 1/3] TPM: new stm i2c device driver"
In reply to: Oleg Nesterov: "Re: Q: perf_event && task->ptrace_bps[]"
Next in thread: Roland McGrath: "Re: Q: perf_event && task->ptrace_bps[]"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]