mirror of
https://github.com/adulau/aha.git
synced 2024-12-29 04:06:22 +00:00
[PATCH] fix de_thread() vs send_group_sigqueue() race
When non-leader thread does exec, de_thread calls release_task(leader) before calling exit_itimers(). If local timer interrupt happens in between, it can oops in send_group_sigqueue() while taking ->sighand->siglock == NULL. However, we can't change send_group_sigqueue() to check p->signal != NULL, because sys_timer_create() does get_task_struct() only in SIGEV_THREAD_ID case. So it is possible that this task_struct was already freed and we can't trust p->signal. This patch changes de_thread() so that leader released after exit_itimers() call. Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru> Acked-by: Chris Wright <chrisw@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
This commit is contained in:
parent
a52e8381c4
commit
329f7dba5f
1 changed files with 7 additions and 3 deletions
10
fs/exec.c
10
fs/exec.c
|
@ -590,6 +590,7 @@ static inline int de_thread(struct task_struct *tsk)
|
||||||
struct signal_struct *sig = tsk->signal;
|
struct signal_struct *sig = tsk->signal;
|
||||||
struct sighand_struct *newsighand, *oldsighand = tsk->sighand;
|
struct sighand_struct *newsighand, *oldsighand = tsk->sighand;
|
||||||
spinlock_t *lock = &oldsighand->siglock;
|
spinlock_t *lock = &oldsighand->siglock;
|
||||||
|
struct task_struct *leader = NULL;
|
||||||
int count;
|
int count;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
@ -665,7 +666,7 @@ static inline int de_thread(struct task_struct *tsk)
|
||||||
* and to assume its PID:
|
* and to assume its PID:
|
||||||
*/
|
*/
|
||||||
if (!thread_group_leader(current)) {
|
if (!thread_group_leader(current)) {
|
||||||
struct task_struct *leader = current->group_leader, *parent;
|
struct task_struct *parent;
|
||||||
struct dentry *proc_dentry1, *proc_dentry2;
|
struct dentry *proc_dentry1, *proc_dentry2;
|
||||||
unsigned long exit_state, ptrace;
|
unsigned long exit_state, ptrace;
|
||||||
|
|
||||||
|
@ -674,6 +675,7 @@ static inline int de_thread(struct task_struct *tsk)
|
||||||
* It should already be zombie at this point, most
|
* It should already be zombie at this point, most
|
||||||
* of the time.
|
* of the time.
|
||||||
*/
|
*/
|
||||||
|
leader = current->group_leader;
|
||||||
while (leader->exit_state != EXIT_ZOMBIE)
|
while (leader->exit_state != EXIT_ZOMBIE)
|
||||||
yield();
|
yield();
|
||||||
|
|
||||||
|
@ -733,7 +735,6 @@ static inline int de_thread(struct task_struct *tsk)
|
||||||
proc_pid_flush(proc_dentry2);
|
proc_pid_flush(proc_dentry2);
|
||||||
|
|
||||||
BUG_ON(exit_state != EXIT_ZOMBIE);
|
BUG_ON(exit_state != EXIT_ZOMBIE);
|
||||||
release_task(leader);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
@ -743,8 +744,11 @@ static inline int de_thread(struct task_struct *tsk)
|
||||||
sig->flags = 0;
|
sig->flags = 0;
|
||||||
|
|
||||||
no_thread_group:
|
no_thread_group:
|
||||||
BUG_ON(atomic_read(&sig->count) != 1);
|
|
||||||
exit_itimers(sig);
|
exit_itimers(sig);
|
||||||
|
if (leader)
|
||||||
|
release_task(leader);
|
||||||
|
|
||||||
|
BUG_ON(atomic_read(&sig->count) != 1);
|
||||||
|
|
||||||
if (atomic_read(&oldsighand->count) == 1) {
|
if (atomic_read(&oldsighand->count) == 1) {
|
||||||
/*
|
/*
|
||||||
|
|
Loading…
Reference in a new issue