From: Oleg Nesterov Date: Sun, 10 Aug 2025 17:36:04 +0000 (+0200) Subject: pid: make __task_pid_nr_ns(ns => NULL) safe for zombie callers X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=abdfd4948e45c51b19162cf8b3f5003f8f53c9b9;p=thirdparty%2Fkernel%2Fstable.git pid: make __task_pid_nr_ns(ns => NULL) safe for zombie callers task_pid_vnr(another_task) will crash if the caller was already reaped. The pid_alive(current) check can't really help, the parent/debugger can call release_task() right after this check. This also means that even task_ppid_nr_ns(current, NULL) is not safe, pid_alive() only ensures that it is safe to dereference ->real_parent. Change __task_pid_nr_ns() to ensure ns != NULL. Originally-by: 高翔 Link: https://lore.kernel.org/all/20250802022123.3536934-1-gxxa03070307@gmail.com/ Signed-off-by: Oleg Nesterov Link: https://lore.kernel.org/20250810173604.GA19991@redhat.com Signed-off-by: Christian Brauner --- diff --git a/kernel/pid.c b/kernel/pid.c index 14e908f2f0cbf..f62a7df2f04cf 100644 --- a/kernel/pid.c +++ b/kernel/pid.c @@ -514,7 +514,8 @@ pid_t __task_pid_nr_ns(struct task_struct *task, enum pid_type type, rcu_read_lock(); if (!ns) ns = task_active_pid_ns(current); - nr = pid_nr_ns(rcu_dereference(*task_pid_ptr(task, type)), ns); + if (ns) + nr = pid_nr_ns(rcu_dereference(*task_pid_ptr(task, type)), ns); rcu_read_unlock(); return nr;
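Review bot: the new `if (ns)` guard in the kernel/pid.c hunk leaves `nr` untouched on the ns == NULL path and returns it, so the fix silently depends on `nr` being initialized (to 0, meaning "no pid") at its declaration, which is above the visible context at line 514; worth confirming in the full function, since an uninitialized `nr` would turn the old crash into a garbage return value for a reaped caller. A one-line comment above the guard, e.g. `/* current may already be reaped, so task_active_pid_ns() can return NULL */`, would also help, because the commit message is the only place that explains why `ns` can be NULL here and that a `pid_alive(current)` check cannot close the race with release_task().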