pidfd: refuse access to tasks that have started exiting harder
authorChristian Brauner <brauner@kernel.org>
Mon, 18 May 2026 08:32:11 +0000 (10:32 +0200)
committerChristian Brauner <brauner@kernel.org>
Tue, 19 May 2026 06:57:47 +0000 (08:57 +0200)
The recent ptrace fix closed a hole where someone could rely on task->mm
becoming NULL during do_exit() to bypass dumpability checks. This API
leans on the very same check and so inherits the fix.

But there is no good reason to let it succeed at all once the target has
entered do_exit(). PF_EXITING is set by exit_signals() at the very top
of do_exit(), before exit_mm() and exit_files() run. Once we observe it,
the task is committed to dying and exit_files() will release the fdtable
shortly.

Fixes: 8649c322f75c ("pid: Implement pidfd_getfd syscall")
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260518-obgleich-petersilie-2d77ccccf9b9@brauner
Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>
kernel/pid.c

index fd5c2d4aa34925312c8ee2bf0bb4e9aa84f330c7..f55189a3d07d48bb2ede903e28b07057e190e902 100644 (file)
@@ -885,10 +885,12 @@ static struct file *__pidfd_fget(struct task_struct *task, int fd)
        if (ret)
                return ERR_PTR(ret);
 
-       if (ptrace_may_access(task, PTRACE_MODE_ATTACH_REALCREDS))
-               file = fget_task(task, fd);
-       else
+       if (!ptrace_may_access(task, PTRACE_MODE_ATTACH_REALCREDS))
                file = ERR_PTR(-EPERM);
+       else if (task->flags & PF_EXITING)
+               file = ERR_PTR(-ESRCH);
+       else
+               file = fget_task(task, fd);
 
        up_read(&task->signal->exec_update_lock);