aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@g5.osdl.org>2006-11-04 16:03:00 -0500
committerLinus Torvalds <torvalds@g5.osdl.org>2006-11-04 16:03:00 -0500
commit10b1fbdb0a0ca91847a534ad26d0bc250c25b74f (patch)
tree67a3e6d7069e9281b0f5819f4acf91d7150a5d74
parent45c18b0bb579b5c1b89f8c99f1b6ffa4c586ba08 (diff)
Make sure "user->sigpending" count is in sync
The previous commit (45c18b0bb579b5c1b89f8c99f1b6ffa4c586ba08, aka "Fix unlikely (but possible) race condition on task->user access") fixed a potential oops due to __sigqueue_alloc() getting its "user" pointer out of sync with switch_user(), and accessing a user pointer that had been de-allocated on another CPU. It still left another (much less serious) problem, where a concurrent __sigqueue_alloc and swich_user could cause sigqueue_alloc to do signal pending reference counting for a _different_ user than the one it then actually ended up using. No oops, but we'd end up with the wrong signal accounting. Another case of Oleg's eagle-eyes picking up the problem. This is trivially fixed by just making sure we load whichever "user" structure we decide to use (it doesn't matter _which_ one we pick, we just need to pick one) just once. Acked-by: Oleg Nesterov <oleg@tv-sign.ru> Cc: Andrew Morton <akpm@osdl.org> Cc: Ingo Molnar <mingo@elte.hu> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
-rw-r--r--kernel/signal.c15
1 files changed, 11 insertions, 4 deletions
diff --git a/kernel/signal.c b/kernel/signal.c
index 7ed8d5304bec..df18c167a2a7 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -267,18 +267,25 @@ static struct sigqueue *__sigqueue_alloc(struct task_struct *t, gfp_t flags,
267 int override_rlimit) 267 int override_rlimit)
268{ 268{
269 struct sigqueue *q = NULL; 269 struct sigqueue *q = NULL;
270 struct user_struct *user;
270 271
271 atomic_inc(&t->user->sigpending); 272 /*
273 * In order to avoid problems with "switch_user()", we want to make
274 * sure that the compiler doesn't re-load "t->user"
275 */
276 user = t->user;
277 barrier();
278 atomic_inc(&user->sigpending);
272 if (override_rlimit || 279 if (override_rlimit ||
273 atomic_read(&t->user->sigpending) <= 280 atomic_read(&user->sigpending) <=
274 t->signal->rlim[RLIMIT_SIGPENDING].rlim_cur) 281 t->signal->rlim[RLIMIT_SIGPENDING].rlim_cur)
275 q = kmem_cache_alloc(sigqueue_cachep, flags); 282 q = kmem_cache_alloc(sigqueue_cachep, flags);
276 if (unlikely(q == NULL)) { 283 if (unlikely(q == NULL)) {
277 atomic_dec(&t->user->sigpending); 284 atomic_dec(&user->sigpending);
278 } else { 285 } else {
279 INIT_LIST_HEAD(&q->list); 286 INIT_LIST_HEAD(&q->list);
280 q->flags = 0; 287 q->flags = 0;
281 q->user = get_uid(t->user); 288 q->user = get_uid(user);
282 } 289 }
283 return(q); 290 return(q);
284} 291}