pidfs: ensure consistent ENOENT/ESRCH reporting

In a prior patch series we tried to cleanly differentiate between:

(1) The task has already been reaped.
(2) The caller requested a pidfd for a thread-group leader but the pid
    actually references a struct pid that isn't used as a thread-group
    leader.

as this was causing issues for non-threaded workloads.

But there's cases where the current simple logic is wrong. Specifically,
if the pid was a leader pid and the check races with __unhash_process().
Stabilize this by using the pidfd waitqueue lock.

Link: https://lore.kernel.org/20250411-work-pidfs-enoent-v2-2-60b2d3bb545f@kernel.org
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Christian Brauner <brauner@kernel.org>

diff --git a/kernel/fork.c b/kernel/fork.c
index 4a2080b968c8eb098416d82ad1cd20dcca124e3f..f7403e1fb0d40f5a5d1904cbbd18ead8fe4fe059 100644 (file)
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -2108,28 +2108,26 @@ static int __pidfd_prepare(struct pid *pid, unsigned int flags, struct file **re
  */
 int pidfd_prepare(struct pid *pid, unsigned int flags, struct file **ret)
 {
-       int err = 0;
-
-       if (!(flags & PIDFD_THREAD)) {
+       /*
+        * While holding the pidfd waitqueue lock removing the task
+        * linkage for the thread-group leader pid (PIDTYPE_TGID) isn't
+        * possible. Thus, if there's still task linkage for PIDTYPE_PID
+        * not having thread-group leader linkage for the pid means it
+        * wasn't a thread-group leader in the first place.
+        */
+       scoped_guard(spinlock_irq, &pid->wait_pidfd.lock) {
+               /* Task has already been reaped. */
+               if (!pid_has_task(pid, PIDTYPE_PID))
+                       return -ESRCH;
                /*
-                * If this is struct pid isn't used as a thread-group
-                * leader pid but the caller requested to create a
-                * thread-group leader pidfd then report ENOENT to the
-                * caller as a hint.
+                * If this struct pid isn't used as a thread-group
+                * leader but the caller requested to create a
+                * thread-group leader pidfd then report ENOENT.
                 */
-               if (!pid_has_task(pid, PIDTYPE_TGID))
-                       err = -ENOENT;
+               if (!(flags & PIDFD_THREAD) && !pid_has_task(pid, PIDTYPE_TGID))
+                       return -ENOENT;
        }
 
-       /*
-        * If this wasn't a thread-group leader struct pid or the task
-        * got reaped in the meantime report -ESRCH to userspace.
-        */
-       if (!pid_has_task(pid, PIDTYPE_PID))
-               err = -ESRCH;
-       if (err)
-               return err;
-
        return __pidfd_prepare(pid, flags, ret);
 }