From: Oleg Nesterov <oleg@redhat.com> Date: Thu, 27 Nov 2008 18:18:26 +0100 Subject: [misc] utrace: prevent ptrace_induce_signal() crash Message-id: 20081127171826.GA18438@redhat.com O-Subject: [RHEL5 PATCH v2 1/3] BZ#469754 utrace: ptrace_induce_signal: engine->data can be NULL Bugzilla: 469754 RH-Acked-by: Anton Arapov <aarapov@redhat.com> RH-Acked-by: Jerome Marchand <jmarchan@redhat.com> RH-Acked-by: Roland McGrath <roland@redhat.com> See https://bugzilla.redhat.com/show_bug.cgi?id=469754 ptrace_induce_signal() crashes because engine->data == NULL. Change the code to use struct "ptrace_state *state" which was initialized by ptrace_start(&state). This matches to what other sys_ptrace() pathes do. The fix is not complete because we can't trust *state anyway, see the next 2 patches. Signed-off-by: Oleg Nesterov <oleg@redhat.com> diff --git a/kernel/ptrace.c b/kernel/ptrace.c index 46a8828..a874696 100644 --- a/kernel/ptrace.c +++ b/kernel/ptrace.c @@ -641,10 +641,9 @@ ptrace_exit(struct task_struct *tsk) static int ptrace_induce_signal(struct task_struct *target, struct utrace_attached_engine *engine, + struct ptrace_state *state, long signr) { - struct ptrace_state *state = engine->data; - if (signr == 0) return 0; @@ -1011,7 +1010,7 @@ ptrace_common(long request, struct task_struct *child, /* * Detach a process that was attached. */ - ret = ptrace_induce_signal(child, engine, data); + ret = ptrace_induce_signal(child, engine, state, data); if (!ret) { ret = ptrace_detach(child, engine, state); if (ret == -EALREADY) /* Already a zombie. */ @@ -1047,7 +1046,7 @@ ptrace_common(long request, struct task_struct *child, if (is_singlestep(request)) break; - ret = ptrace_induce_signal(child, engine, data); + ret = ptrace_induce_signal(child, engine, state, data); if (ret) break;
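Review bot: in the first hunk (ptrace_induce_signal prototype), once `state` arrives as a parameter the `engine` argument is no longer read anywhere visible in the hunk; if the remainder of the function body does not use it either, the parameter can be dropped from the prototype and from both call sites, otherwise it should stay. The hunk also adds no NULL check on the new `state` argument before the body continues past `if (signr == 0) return 0;`, which matches the commit message deferring the "we can't trust *state" problem to the following two patches, but a one-line comment above the function saying that callers must pass the `state` obtained from ptrace_start(&state) would document that contract for the next reader.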
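Review bot: in the PTRACE_DETACH hunk (around line 1010 of kernel/ptrace.c) the only change is passing `state` explicitly; `data` is still forwarded unchanged as `long signr`, and the unchanged context `ret = ptrace_detach(child, engine, state);` confirms the same `state` is already in scope and used three lines below, so the two calls are now consistent. Worth noting in the commit message that on a non-zero `ret` from ptrace_induce_signal() the detach is still skipped exactly as before, i.e. the hunk changes where `state` comes from, not the detach control flow.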
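Review bot: in the continue/singlestep hunk (around line 1046) the call is updated the same way, with the `if (is_singlestep(request)) break;` context unchanged ahead of it, so singlestep requests still bypass ptrace_induce_signal(). Since this and the previous hunk are the only callers touched and the prototype gained a parameter in the middle of the argument list, any caller missed would fail to compile rather than silently pass `data` as `state`; a sentence in the commit message saying that these are all the callers would make that reviewable without grepping the tree.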