diff options
author | Linus Torvalds <torvalds@g5.osdl.org> | 2006-11-04 16:03:00 -0500 |
---|---|---|
committer | Linus Torvalds <torvalds@g5.osdl.org> | 2006-11-04 16:03:00 -0500 |
commit | 10b1fbdb0a0ca91847a534ad26d0bc250c25b74f (patch) | |
tree | 67a3e6d7069e9281b0f5819f4acf91d7150a5d74 | |
parent | 45c18b0bb579b5c1b89f8c99f1b6ffa4c586ba08 (diff) |
Make sure "user->sigpending" count is in sync
The previous commit (45c18b0bb579b5c1b89f8c99f1b6ffa4c586ba08, aka "Fix
unlikely (but possible) race condition on task->user access") fixed a
potential oops due to __sigqueue_alloc() getting its "user" pointer out
of sync with switch_user(), and accessing a user pointer that had been
de-allocated on another CPU.
It still left another (much less serious) problem, where a concurrent
__sigqueue_alloc and swich_user could cause sigqueue_alloc to do signal
pending reference counting for a _different_ user than the one it then
actually ended up using. No oops, but we'd end up with the wrong signal
accounting.
Another case of Oleg's eagle-eyes picking up the problem.
This is trivially fixed by just making sure we load whichever "user"
structure we decide to use (it doesn't matter _which_ one we pick, we
just need to pick one) just once.
Acked-by: Oleg Nesterov <oleg@tv-sign.ru>
Cc: Andrew Morton <akpm@osdl.org>
Cc: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
-rw-r--r-- | kernel/signal.c | 15 |
1 files changed, 11 insertions, 4 deletions
diff --git a/kernel/signal.c b/kernel/signal.c index 7ed8d5304bec..df18c167a2a7 100644 --- a/kernel/signal.c +++ b/kernel/signal.c | |||
@@ -267,18 +267,25 @@ static struct sigqueue *__sigqueue_alloc(struct task_struct *t, gfp_t flags, | |||
267 | int override_rlimit) | 267 | int override_rlimit) |
268 | { | 268 | { |
269 | struct sigqueue *q = NULL; | 269 | struct sigqueue *q = NULL; |
270 | struct user_struct *user; | ||
270 | 271 | ||
271 | atomic_inc(&t->user->sigpending); | 272 | /* |
273 | * In order to avoid problems with "switch_user()", we want to make | ||
274 | * sure that the compiler doesn't re-load "t->user" | ||
275 | */ | ||
276 | user = t->user; | ||
277 | barrier(); | ||
278 | atomic_inc(&user->sigpending); | ||
272 | if (override_rlimit || | 279 | if (override_rlimit || |
273 | atomic_read(&t->user->sigpending) <= | 280 | atomic_read(&user->sigpending) <= |
274 | t->signal->rlim[RLIMIT_SIGPENDING].rlim_cur) | 281 | t->signal->rlim[RLIMIT_SIGPENDING].rlim_cur) |
275 | q = kmem_cache_alloc(sigqueue_cachep, flags); | 282 | q = kmem_cache_alloc(sigqueue_cachep, flags); |
276 | if (unlikely(q == NULL)) { | 283 | if (unlikely(q == NULL)) { |
277 | atomic_dec(&t->user->sigpending); | 284 | atomic_dec(&user->sigpending); |
278 | } else { | 285 | } else { |
279 | INIT_LIST_HEAD(&q->list); | 286 | INIT_LIST_HEAD(&q->list); |
280 | q->flags = 0; | 287 | q->flags = 0; |
281 | q->user = get_uid(t->user); | 288 | q->user = get_uid(user); |
282 | } | 289 | } |
283 | return(q); | 290 | return(q); |
284 | } | 291 | } |