/[linux-patches]/genpatches-2.6/tags/2.6.14-5/1004_2_thread-sendqueue-race.patch
Gentoo

Contents of /genpatches-2.6/tags/2.6.14-5/1004_2_thread-sendqueue-race.patch

Parent Directory Parent Directory | Revision Log Revision Log


Revision 226 - (show annotations) (download)
Fri Dec 2 12:14:55 2005 UTC (12 years, 9 months ago) by dsd
File size: 2558 byte(s)
2.6.14-5 release
1 From oleg@tv-sign.ru Mon Nov 7 08:58:50 2005
2 Date: Mon, 07 Nov 2005 21:12:43 +0300
3 From: Oleg Nesterov <oleg@tv-sign.ru>
4 To: paulmck@us.ibm.com, Roland McGrath <roland@redhat.com>,
5 George Anzinger <george@mvista.com>, akpm@osdl.org,
6 linux-kernel@vger.kernel.org, dipankar@in.ibm.com, mingo@elte.hu,
7 suzannew@cs.pdx.edu, Chris Wright <chrisw@osdl.org>
8 Subject: [PATCH] fix de_thread() vs send_group_sigqueue() race
9
10 When non-leader thread does exec, de_thread calls release_task(leader) before
11 calling exit_itimers(). If local timer interrupt happens in between, it can
12 oops in send_group_sigqueue() while taking ->sighand->siglock == NULL.
13
14 However, we can't change send_group_sigqueue() to check p->signal != NULL,
15 because sys_timer_create() does get_task_struct() only in SIGEV_THREAD_ID
16 case. So it is possible that this task_struct was already freed and we can't
17 trust p->signal.
18
19 This patch changes de_thread() so that leader released after exit_itimers()
20 call.
21
22 Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
23 Signed-off-by: Chris Wright <chrisw@osdl.org>
24 Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
25 ---
26 fs/exec.c | 10 +++++++---
27 1 file changed, 7 insertions(+), 3 deletions(-)
28
29 --- linux-2.6.14.1.orig/fs/exec.c
30 +++ linux-2.6.14.1/fs/exec.c
31 @@ -593,6 +593,7 @@ static inline int de_thread(struct task_
32 struct signal_struct *sig = tsk->signal;
33 struct sighand_struct *newsighand, *oldsighand = tsk->sighand;
34 spinlock_t *lock = &oldsighand->siglock;
35 + struct task_struct *leader = NULL;
36 int count;
37
38 /*
39 @@ -668,7 +669,7 @@ static inline int de_thread(struct task_
40 * and to assume its PID:
41 */
42 if (!thread_group_leader(current)) {
43 - struct task_struct *leader = current->group_leader, *parent;
44 + struct task_struct *parent;
45 struct dentry *proc_dentry1, *proc_dentry2;
46 unsigned long exit_state, ptrace;
47
48 @@ -677,6 +678,7 @@ static inline int de_thread(struct task_
49 * It should already be zombie at this point, most
50 * of the time.
51 */
52 + leader = current->group_leader;
53 while (leader->exit_state != EXIT_ZOMBIE)
54 yield();
55
56 @@ -736,7 +738,6 @@ static inline int de_thread(struct task_
57 proc_pid_flush(proc_dentry2);
58
59 BUG_ON(exit_state != EXIT_ZOMBIE);
60 - release_task(leader);
61 }
62
63 /*
64 @@ -746,8 +747,11 @@ static inline int de_thread(struct task_
65 sig->flags = 0;
66
67 no_thread_group:
68 - BUG_ON(atomic_read(&sig->count) != 1);
69 exit_itimers(sig);
70 + if (leader)
71 + release_task(leader);
72 +
73 + BUG_ON(atomic_read(&sig->count) != 1);
74
75 if (atomic_read(&oldsighand->count) == 1) {
76 /*

  ViewVC Help
Powered by ViewVC 1.1.20