From: Greg Kroah-Hartman Date: Mon, 21 Jan 2019 10:23:37 +0000 (+0100) Subject: 4.4-stable patches X-Git-Tag: v4.20.4~25 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=742fedfb71209152c7dd9d2fda70f9977fa08d29;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: btrfs-wait-on-ordered-extents-on-abort-cleanup.patch crypto-authenc-fix-parsing-key-with-misaligned-rta_len.patch crypto-authencesn-avoid-twice-completion-call-in-decrypt-path.patch scsi-sd-fix-cache_type_store.patch yama-check-for-pid-death-before-checking-ancestry.patch
---
diff --git a/queue-4.4/btrfs-wait-on-ordered-extents-on-abort-cleanup.patch b/queue-4.4/btrfs-wait-on-ordered-extents-on-abort-cleanup.patch
new file mode 100644
index 00000000000..68c68dd58c5
--- /dev/null
+++ b/queue-4.4/btrfs-wait-on-ordered-extents-on-abort-cleanup.patch
@@ -0,0 +1,86 @@
+From 74d5d229b1bf60f93bff244b2dfc0eb21ec32a07 Mon Sep 17 00:00:00 2001
+From: Josef Bacik
+Date: Wed, 21 Nov 2018 14:05:45 -0500
+Subject: btrfs: wait on ordered extents on abort cleanup
+
+From: Josef Bacik
+
+commit 74d5d229b1bf60f93bff244b2dfc0eb21ec32a07 upstream.
+
+If we flip read-only before we initiate writeback on all dirty pages for
+ordered extents we've created then we'll have ordered extents left over
+on umount, which results in all sorts of bad things happening. Fix this
+by making sure we wait on ordered extents if we have to do the aborted
+transaction cleanup stuff.
+
+generic/475 can produce this warning:
+
+ [ 8531.177332] WARNING: CPU: 2 PID: 11997 at fs/btrfs/disk-io.c:3856 btrfs_free_fs_root+0x95/0xa0 [btrfs]
+ [ 8531.183282] CPU: 2 PID: 11997 Comm: umount Tainted: G W 5.0.0-rc1-default+ #394
+ [ 8531.185164] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),BIOS rel-1.11.2-0-gf9626cc-prebuilt.qemu-project.org 04/01/2014
+ [ 8531.187851] RIP: 0010:btrfs_free_fs_root+0x95/0xa0 [btrfs]
+ [ 8531.193082] RSP: 0018:ffffb1ab86163d98 EFLAGS: 00010286
+ [ 8531.194198] RAX: ffff9f3449494d18 RBX: ffff9f34a2695000 RCX:0000000000000000
+ [ 8531.195629] RDX: 0000000000000002 RSI: 0000000000000001 RDI:0000000000000000
+ [ 8531.197315] RBP: ffff9f344e930000 R08: 0000000000000001 R09:0000000000000000
+ [ 8531.199095] R10: 0000000000000000 R11: ffff9f34494d4ff8 R12:ffffb1ab86163dc0
+ [ 8531.200870] R13: ffff9f344e9300b0 R14: ffffb1ab86163db8 R15:0000000000000000
+ [ 8531.202707] FS: 00007fc68e949fc0(0000) GS:ffff9f34bd800000(0000)knlGS:0000000000000000
+ [ 8531.204851] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ [ 8531.205942] CR2: 00007ffde8114dd8 CR3: 000000002dfbd000 CR4:00000000000006e0
+ [ 8531.207516] Call Trace:
+ [ 8531.208175] btrfs_free_fs_roots+0xdb/0x170 [btrfs]
+ [ 8531.210209] ? wait_for_completion+0x5b/0x190
+ [ 8531.211303] close_ctree+0x157/0x350 [btrfs]
+ [ 8531.212412] generic_shutdown_super+0x64/0x100
+ [ 8531.213485] kill_anon_super+0x14/0x30
+ [ 8531.214430] btrfs_kill_super+0x12/0xa0 [btrfs]
+ [ 8531.215539] deactivate_locked_super+0x29/0x60
+ [ 8531.216633] cleanup_mnt+0x3b/0x70
+ [ 8531.217497] task_work_run+0x98/0xc0
+ [ 8531.218397] exit_to_usermode_loop+0x83/0x90
+ [ 8531.219324] do_syscall_64+0x15b/0x180
+ [ 8531.220192] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+ [ 8531.221286] RIP: 0033:0x7fc68e5e4d07
+ [ 8531.225621] RSP: 002b:00007ffde8116608 EFLAGS: 00000246 ORIG_RAX:00000000000000a6
+ [ 8531.227512] RAX: 0000000000000000 RBX: 00005580c2175970 RCX:00007fc68e5e4d07
+ [ 8531.229098] RDX: 0000000000000001 RSI: 0000000000000000 RDI:00005580c2175b80
+ [ 8531.230730] RBP: 0000000000000000 R08: 00005580c2175ba0 R09:00007ffde8114e80
+ [ 8531.232269] R10: 0000000000000000 R11: 0000000000000246 R12:00005580c2175b80
+ [ 8531.233839] R13: 00007fc68eac61c4 R14: 00005580c2175a68 R15:0000000000000000
+
+Leaving a tree in the rb-tree:
+
+3853 void btrfs_free_fs_root(struct btrfs_root *root)
+3854 {
+3855 iput(root->ino_cache_inode);
+3856 WARN_ON(!RB_EMPTY_ROOT(&root->inode_tree));
+
+CC: stable@vger.kernel.org
+Reviewed-by: Nikolay Borisov
+Signed-off-by: Josef Bacik
+[ add stacktrace ]
+Signed-off-by: David Sterba
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/btrfs/disk-io.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/fs/btrfs/disk-io.c
++++ b/fs/btrfs/disk-io.c
+@@ -4111,6 +4111,14 @@ static void btrfs_destroy_all_ordered_ex
+ spin_lock(&fs_info->ordered_root_lock);
+ }
+ spin_unlock(&fs_info->ordered_root_lock);
++
++ /*
++ * We need this here because if we've been flipped read-only we won't
++ * get sync() from the umount, so we need to make sure any ordered
++ * extents that haven't had their dirty pages IO start writeout yet
++ * actually get run and error out properly.
++ */
++ btrfs_wait_ordered_roots(fs_info, -1, 0, (u64)-1);
+ }
+
+ static int btrfs_destroy_delayed_refs(struct btrfs_transaction *trans,
diff --git a/queue-4.4/crypto-authenc-fix-parsing-key-with-misaligned-rta_len.patch b/queue-4.4/crypto-authenc-fix-parsing-key-with-misaligned-rta_len.patch
new file mode 100644
index 00000000000..8864b10a1f8
--- /dev/null
+++ b/queue-4.4/crypto-authenc-fix-parsing-key-with-misaligned-rta_len.patch
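Review bot: The new `btrfs_wait_ordered_roots(fs_info, -1, 0, (u64)-1);` passes three magic arguments, and the block comment above it explains why the wait is needed but not what `-1` and `(u64)-1` select, so a reader has to open the callee to learn they mean "no limit on roots" and "the whole range". Suggest extending the comment with `Wait on every ordered root (nr = -1) over the full range [0, (u64)-1).`, or spelling the range length as `U64_MAX`, which this tree's kernel.h already provides. The wait can sleep, so placing it after the spin_unlock() rather than inside the locked loop looks right; it also presumably relies on the endio workers still running at this point of the abort path, which the hunk does not show. btrfs_destroy_all_ordered_extents() starts outside the hunk.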
@@ -0,0 +1,116 @@
+From 8f9c469348487844328e162db57112f7d347c49f Mon Sep 17 00:00:00 2001
+From: Eric Biggers
+Date: Sun, 16 Dec 2018 23:23:22 -0800
+Subject: crypto: authenc - fix parsing key with misaligned rta_len
+
+From: Eric Biggers
+
+commit 8f9c469348487844328e162db57112f7d347c49f upstream.
+
+Keys for "authenc" AEADs are formatted as an rtattr containing a 4-byte
+'enckeylen', followed by an authentication key and an encryption key.
+crypto_authenc_extractkeys() parses the key to find the inner keys.
+
+However, it fails to consider the case where the rtattr's payload is
+longer than 4 bytes but not 4-byte aligned, and where the key ends
+before the next 4-byte aligned boundary. In this case, 'keylen -=
+RTA_ALIGN(rta->rta_len);' underflows to a value near UINT_MAX. This
+causes a buffer overread and crash during crypto_ahash_setkey().
+
+Fix it by restricting the rtattr payload to the expected size.
+
+Reproducer using AF_ALG:
+
+ #include
+ #include
+ #include
+
+ int main()
+ {
+ int fd;
+ struct sockaddr_alg addr = {
+ .salg_type = "aead",
+ .salg_name = "authenc(hmac(sha256),cbc(aes))",
+ };
+ struct {
+ struct rtattr attr;
+ __be32 enckeylen;
+ char keys[1];
+ } __attribute__((packed)) key = {
+ .attr.rta_len = sizeof(key),
+ .attr.rta_type = 1 /* CRYPTO_AUTHENC_KEYA_PARAM */,
+ };
+
+ fd = socket(AF_ALG, SOCK_SEQPACKET, 0);
+ bind(fd, (void *)&addr, sizeof(addr));
+ setsockopt(fd, SOL_ALG, ALG_SET_KEY, &key, sizeof(key));
+ }
+
+It caused:
+
+ BUG: unable to handle kernel paging request at ffff88007ffdc000
+ PGD 2e01067 P4D 2e01067 PUD 2e04067 PMD 2e05067 PTE 0
+ Oops: 0000 [#1] SMP
+ CPU: 0 PID: 883 Comm: authenc Not tainted 4.20.0-rc1-00108-g00c9fe37a7f27 #13
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-20181126_142135-anatol 04/01/2014
+ RIP: 0010:sha256_ni_transform+0xb3/0x330 arch/x86/crypto/sha256_ni_asm.S:155
+ [...]
+ Call Trace:
+ sha256_ni_finup+0x10/0x20 arch/x86/crypto/sha256_ssse3_glue.c:321
+ crypto_shash_finup+0x1a/0x30 crypto/shash.c:178
+ shash_digest_unaligned+0x45/0x60 crypto/shash.c:186
+ crypto_shash_digest+0x24/0x40 crypto/shash.c:202
+ hmac_setkey+0x135/0x1e0 crypto/hmac.c:66
+ crypto_shash_setkey+0x2b/0xb0 crypto/shash.c:66
+ shash_async_setkey+0x10/0x20 crypto/shash.c:223
+ crypto_ahash_setkey+0x2d/0xa0 crypto/ahash.c:202
+ crypto_authenc_setkey+0x68/0x100 crypto/authenc.c:96
+ crypto_aead_setkey+0x2a/0xc0 crypto/aead.c:62
+ aead_setkey+0xc/0x10 crypto/algif_aead.c:526
+ alg_setkey crypto/af_alg.c:223 [inline]
+ alg_setsockopt+0xfe/0x130 crypto/af_alg.c:256
+ __sys_setsockopt+0x6d/0xd0 net/socket.c:1902
+ __do_sys_setsockopt net/socket.c:1913 [inline]
+ __se_sys_setsockopt net/socket.c:1910 [inline]
+ __x64_sys_setsockopt+0x1f/0x30 net/socket.c:1910
+ do_syscall_64+0x4a/0x180 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Fixes: e236d4a89a2f ("[CRYPTO] authenc: Move enckeylen into key itself")
+Cc: # v2.6.25+
+Signed-off-by: Eric Biggers
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ crypto/authenc.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+--- a/crypto/authenc.c
++++ b/crypto/authenc.c
+@@ -58,14 +58,22 @@ int crypto_authenc_extractkeys(struct cr
+ return -EINVAL;
+ if (rta->rta_type != CRYPTO_AUTHENC_KEYA_PARAM)
+ return -EINVAL;
+- if (RTA_PAYLOAD(rta) < sizeof(*param))
++
++ /*
++ * RTA_OK() didn't align the rtattr's payload when validating that it
++ * fits in the buffer. Yet, the keys should start on the next 4-byte
++ * aligned boundary. To avoid confusion, require that the rtattr
++ * payload be exactly the param struct, which has a 4-byte aligned size.
++ */
++ if (RTA_PAYLOAD(rta) != sizeof(*param))
+ return -EINVAL;
++ BUILD_BUG_ON(sizeof(*param) % RTA_ALIGNTO);
+
+ param = RTA_DATA(rta);
+ keys->enckeylen = be32_to_cpu(param->enckeylen);
+
+- key += RTA_ALIGN(rta->rta_len);
+- keylen -= RTA_ALIGN(rta->rta_len);
++ key += rta->rta_len;
++ keylen -= rta->rta_len;
+
+ if (keylen < keys->enckeylen)
+ return -EINVAL;
diff --git a/queue-4.4/crypto-authencesn-avoid-twice-completion-call-in-decrypt-path.patch b/queue-4.4/crypto-authencesn-avoid-twice-completion-call-in-decrypt-path.patch
new file mode 100644
index 00000000000..951a78eab88
--- /dev/null
+++ b/queue-4.4/crypto-authencesn-avoid-twice-completion-call-in-decrypt-path.patch
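Review bot: The `BUILD_BUG_ON(sizeof(*param) % RTA_ALIGNTO);` sits after the runtime check it justifies, squeezed between the `return -EINVAL;` and the `param = RTA_DATA(rta);` assignment, so a reader meets the compile-time invariant only after the code that depends on it. Hoisting it directly above the new `if (RTA_PAYLOAD(rta) != sizeof(*param))` keeps the assertion next to the comment that explains it. That comment could also spell out the consequence the commit message relies on, e.g. `Since the payload is exactly sizeof(*param), rta_len equals RTA_LENGTH(sizeof(*param)) and is already aligned, so RTA_ALIGN() is unnecessary below and, with the earlier RTA_OK() bound, keylen -= rta->rta_len cannot underflow.` crypto_authenc_extractkeys() starts outside the hunk, including the RTA_OK() check the comment refers to.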
@@ -0,0 +1,67 @@
+From a7773363624b034ab198c738661253d20a8055c2 Mon Sep 17 00:00:00 2001
+From: Harsh Jain
+Date: Thu, 3 Jan 2019 14:21:05 +0530
+Subject: crypto: authencesn - Avoid twice completion call in decrypt path
+
+From: Harsh Jain
+
+commit a7773363624b034ab198c738661253d20a8055c2 upstream.
+
+Authencesn template in decrypt path unconditionally calls aead_request_complete
+after ahash_verify which leads to following kernel panic in after decryption.
+
+[ 338.539800] BUG: unable to handle kernel NULL pointer dereference at 0000000000000004
+[ 338.548372] PGD 0 P4D 0
+[ 338.551157] Oops: 0000 [#1] SMP PTI
+[ 338.554919] CPU: 0 PID: 0 Comm: swapper/0 Kdump: loaded Tainted: G W I 4.19.7+ #13
+[ 338.564431] Hardware name: Supermicro X8ST3/X8ST3, BIOS 2.0 07/29/10
+[ 338.572212] RIP: 0010:esp_input_done2+0x350/0x410 [esp4]
+[ 338.578030] Code: ff 0f b6 68 10 48 8b 83 c8 00 00 00 e9 8e fe ff ff 8b 04 25 04 00 00 00 83 e8 01 48 98 48 8b 3c c5 10 00 00 00 e9 f7 fd ff ff <8b> 04 25 04 00 00 00 83 e8 01 48 98 4c 8b 24 c5 10 00 00 00 e9 3b
+[ 338.598547] RSP: 0018:ffff911c97803c00 EFLAGS: 00010246
+[ 338.604268] RAX: 0000000000000002 RBX: ffff911c4469ee00 RCX: 0000000000000000
+[ 338.612090] RDX: 0000000000000000 RSI: 0000000000000130 RDI: ffff911b87c20400
+[ 338.619874] RBP: 0000000000000000 R08: ffff911b87c20498 R09: 000000000000000a
+[ 338.627610] R10: 0000000000000001 R11: 0000000000000004 R12: 0000000000000000
+[ 338.635402] R13: ffff911c89590000 R14: ffff911c91730000 R15: 0000000000000000
+[ 338.643234] FS: 0000000000000000(0000) GS:ffff911c97800000(0000) knlGS:0000000000000000
+[ 338.652047] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 338.658299] CR2: 0000000000000004 CR3: 00000001ec20a000 CR4: 00000000000006f0
+[ 338.666382] Call Trace:
+[ 338.669051]
+[ 338.671254] esp_input_done+0x12/0x20 [esp4]
+[ 338.675922] chcr_handle_resp+0x3b5/0x790 [chcr]
+[ 338.680949] cpl_fw6_pld_handler+0x37/0x60 [chcr]
+[ 338.686080] chcr_uld_rx_handler+0x22/0x50 [chcr]
+[ 338.691233] uldrx_handler+0x8c/0xc0 [cxgb4]
+[ 338.695923] process_responses+0x2f0/0x5d0 [cxgb4]
+[ 338.701177] ? bitmap_find_next_zero_area_off+0x3a/0x90
+[ 338.706882] ? matrix_alloc_area.constprop.7+0x60/0x90
+[ 338.712517] ? apic_update_irq_cfg+0x82/0xf0
+[ 338.717177] napi_rx_handler+0x14/0xe0 [cxgb4]
+[ 338.722015] net_rx_action+0x2aa/0x3e0
+[ 338.726136] __do_softirq+0xcb/0x280
+[ 338.730054] irq_exit+0xde/0xf0
+[ 338.733504] do_IRQ+0x54/0xd0
+[ 338.736745] common_interrupt+0xf/0xf
+
+Fixes: 104880a6b470 ("crypto: authencesn - Convert to new AEAD...")
+Signed-off-by: Harsh Jain
+Cc: stable@vger.kernel.org
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ crypto/authencesn.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/crypto/authencesn.c
++++ b/crypto/authencesn.c
+@@ -276,7 +276,7 @@ static void authenc_esn_verify_ahash_don
+ struct aead_request *req = areq->data;
+
+ err = err ?: crypto_authenc_esn_decrypt_tail(req, 0);
+- aead_request_complete(req, err);
++ authenc_esn_request_complete(req, err);
+ }
+
+ static int crypto_authenc_esn_decrypt(struct aead_request *req)
diff --git a/queue-4.4/scsi-sd-fix-cache_type_store.patch b/queue-4.4/scsi-sd-fix-cache_type_store.patch
new file mode 100644
index 00000000000..1cda7507841
--- /dev/null
+++ b/queue-4.4/scsi-sd-fix-cache_type_store.patch
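Review bot: The new `authenc_esn_request_complete(req, err);` is the whole fix, yet nothing at the call site says why the plain aead_request_complete() was wrong here; the helper's definition is outside the hunk and its name does not convey that it skips completion for an in-progress request. A one-line comment above the call would carry the reasoning the commit message gives: `/* decrypt_tail may return -EINPROGRESS; the async path then completes the request itself, so it must not be completed here as well */` (wording to be confirmed against the helper's definition). The same pattern presumably applies to the other aead_request_complete() callers in this file; worth checking that this was the only remaining one on the decrypt path. authenc_esn_verify_ahash_done() starts outside the hunk.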
@@ -0,0 +1,62 @@
+From 44759979a49bfd2d20d789add7fa81a21eb1a4ab Mon Sep 17 00:00:00 2001
+From: Ivan Mironov
+Date: Sun, 23 Dec 2018 12:41:58 +0500
+Subject: scsi: sd: Fix cache_type_store()
+
+From: Ivan Mironov
+
+commit 44759979a49bfd2d20d789add7fa81a21eb1a4ab upstream.
+
+Changing of caching mode via /sys/devices/.../scsi_disk/.../cache_type may
+fail if device responds to MODE SENSE command with DPOFUA flag set, and
+then checks this flag to be not set on MODE SELECT command.
+
+In this scenario, when trying to change cache_type, write always fails:
+
+ # echo "none" >cache_type
+ bash: echo: write error: Invalid argument
+
+And following appears in dmesg:
+
+ [13007.865745] sd 1:0:1:0: [sda] Sense Key : Illegal Request [current]
+ [13007.865753] sd 1:0:1:0: [sda] Add. Sense: Invalid field in parameter list
+
+From SBC-4 r15, 6.5.1 "Mode pages overview", description of DEVICE-SPECIFIC
+PARAMETER field in the mode parameter header:
+ ...
+ The write protect (WP) bit for mode data sent with a MODE SELECT
+ command shall be ignored by the device server.
+ ...
+ The DPOFUA bit is reserved for mode data sent with a MODE SELECT
+ command.
+ ...
+
+The remaining bits in the DEVICE-SPECIFIC PARAMETER byte are also reserved
+and shall be set to zero.
+
+[mkp: shuffled commentary to commit description]
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Ivan Mironov
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/sd.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -207,6 +207,12 @@ cache_type_store(struct device *dev, str
+ sp = buffer_data[0] & 0x80 ? 1 : 0;
+ buffer_data[0] &= ~0x80;
+
++ /*
++ * Ensure WP, DPOFUA, and RESERVED fields are cleared in
++ * received mode parameter buffer before doing MODE SELECT.
++ */
++ data.device_specific = 0;
++
+ if (scsi_mode_select(sdp, 1, sp, 8, buffer_data, len, SD_TIMEOUT,
+ SD_MAX_RETRIES, &data, &sshdr)) {
+ if (scsi_sense_valid(&sshdr))
diff --git a/queue-4.4/series b/queue-4.4/series
index eb6a3bef403..c1e9f08bce3 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -43,3 +43,8 @@ ipv6-fix-kernel-infoleak-in-ipv6_local_error.patch
 net-bridge-fix-a-bug-on-using-a-neighbour-cache-entry-without-checking-its-state.patch
 packet-do-not-leak-dev-refcounts-on-error-exit.patch
 ip-on-queued-skb-use-skb_header_pointer-instead-of-pskb_may_pull.patch
+crypto-authencesn-avoid-twice-completion-call-in-decrypt-path.patch
+crypto-authenc-fix-parsing-key-with-misaligned-rta_len.patch
+btrfs-wait-on-ordered-extents-on-abort-cleanup.patch
+yama-check-for-pid-death-before-checking-ancestry.patch
+scsi-sd-fix-cache_type_store.patch
diff --git a/queue-4.4/yama-check-for-pid-death-before-checking-ancestry.patch b/queue-4.4/yama-check-for-pid-death-before-checking-ancestry.patch
new file mode 100644
index 00000000000..28afcfe4d3b
--- /dev/null
+++ b/queue-4.4/yama-check-for-pid-death-before-checking-ancestry.patch
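Review bot: The comment above `data.device_specific = 0;` says the bits are cleared "in received mode parameter buffer", but the store goes into the `data` header struct that is handed to scsi_mode_select(), not into `buffer_data`, whose top bit the two preceding lines extract and clear separately; the wording points a reader at the wrong object. Suggest naming the field and the rule's source instead: `Zero the mode parameter header's DEVICE-SPECIFIC PARAMETER byte (WP, DPOFUA, reserved bits) before MODE SELECT; per SBC-4 6.5.1 the device ignores WP and treats the rest as reserved, and some devices reject DPOFUA if it is set.` cache_type_store() starts outside the hunk, as does the MODE SENSE call that presumably filled `data` and `buffer_data`.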
@@ -0,0 +1,38 @@
+From 9474f4e7cd71a633fa1ef93b7daefd44bbdfd482 Mon Sep 17 00:00:00 2001
+From: Kees Cook
+Date: Wed, 16 Jan 2019 10:31:09 -0800
+Subject: Yama: Check for pid death before checking ancestry
+
+From: Kees Cook
+
+commit 9474f4e7cd71a633fa1ef93b7daefd44bbdfd482 upstream.
+
+It's possible that a pid has died before we take the rcu lock, in which
+case we can't walk the ancestry list as it may be detached. Instead, check
+for death first before doing the walk.
+
+Reported-by: syzbot+a9ac39bf55329e206219@syzkaller.appspotmail.com
+Fixes: 2d514487faf1 ("security: Yama LSM")
+Cc: stable@vger.kernel.org
+Suggested-by: Oleg Nesterov
+Signed-off-by: Kees Cook
+Signed-off-by: James Morris
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ security/yama/yama_lsm.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/security/yama/yama_lsm.c
++++ b/security/yama/yama_lsm.c
+@@ -288,7 +288,9 @@ static int yama_ptrace_access_check(stru
+ break;
+ case YAMA_SCOPE_RELATIONAL:
+ rcu_read_lock();
+- if (!task_is_descendant(current, child) &&
++ if (!pid_alive(child))
++ rc = -EPERM;
++ if (!rc && !task_is_descendant(current, child) &&
+ !ptracer_exception_found(current, child) &&
+ !ns_capable(__task_cred(child)->user_ns, CAP_SYS_PTRACE))
+ rc = -EPERM;
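Review bot: The new `if (!pid_alive(child)) rc = -EPERM;` followed by `if (!rc && !task_is_descendant(current, child) && ...)` relies on `rc` being 0 on entry to this case, and that initialization is outside the hunk; the visible `break;` rules out fallthrough from the previous case, but the initial value should be confirmed. A comment would also help, since a liveness check right after rcu_read_lock() looks redundant to a reader who does not know the ancestry walk is the hazard: `/* A child that has already exited may be detached from the ancestry list; refuse before task_is_descendant() walks it. */` The two statements could be folded into one condition (`if (!pid_alive(child) || (!task_is_descendant(...) && ...))`), but the separate check keeps the death case readable and is fine as written. yama_ptrace_access_check() starts outside the hunk.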