| author | Oleg Nesterov <oleg@tv-sign.ru> | 2007-08-22 17:01:37 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@woody.linux-foundation.org> | 2007-08-22 22:52:46 -0400 |
| commit | d02479bdeb1c9b037892061cdcf4e730183391fa (patch) | |
| tree | 1268f3dcf973f8fc3d86c84d9b09ff9048647491 | |
| parent | 179394af7a2baa1d0a3cb1670075310d72247d38 (diff) | |
posix-timers: fix creation race
sys_timer_create() sets ->it_process and unlocks ->siglock, then checks
tmr->it_sigev_notify to define if get_task_struct() is needed.

We have already passed ->it_id to the caller, so another thread can delete this
timer and free its memory in between.

As a minimal fix, move this code under ->siglock; sys_timer_delete() takes it
too before calling release_posix_timer(). A proper serialization would be to
take ->it_lock, but we add a partly initialized timer on posix_timers_id, not
good.
Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
Cc: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-rw-r--r-- | kernel/posix-timers.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/kernel/posix-timers.c b/kernel/posix-timers.c index 6923ad8a5983..7a15afb73ed0 100644 --- a/kernel/posix-timers.c +++ b/kernel/posix-timers.c | |||
@@ -547,9 +547,9 @@ sys_timer_create(const clockid_t which_clock, | |||
547 | new_timer->it_process = process; | 547 | new_timer->it_process = process; |
548 | list_add(&new_timer->list, | 548 | list_add(&new_timer->list, |
549 | &process->signal->posix_timers); | 549 | &process->signal->posix_timers); |
550 | spin_unlock_irqrestore(&process->sighand->siglock, flags); | ||
551 | if (new_timer->it_sigev_notify == (SIGEV_SIGNAL|SIGEV_THREAD_ID)) | 550 | if (new_timer->it_sigev_notify == (SIGEV_SIGNAL|SIGEV_THREAD_ID)) |
552 | get_task_struct(process); | 551 | get_task_struct(process); |
552 | spin_unlock_irqrestore(&process->sighand->siglock, flags); | ||
553 | } else { | 553 | } else { |
554 | spin_unlock_irqrestore(&process->sighand->siglock, flags); | 554 | spin_unlock_irqrestore(&process->sighand->siglock, flags); |
555 | process = NULL; | 555 | process = NULL; |
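Review bot: the reordering in the SIGEV_THREAD_ID branch (new lines 550-552) keeps ->siglock held across the `it_sigev_notify` check and `get_task_struct(process)`, which closes the window the commit message describes, but nothing in the code says that the position of that `spin_unlock_irqrestore()` is load-bearing. A one-line comment above the `if`, along the lines of `/* keep under siglock: sys_timer_delete() takes it before release_posix_timer() */`, would stop a later cleanup from moving the unlock back above the check. Both branches now end with the same `spin_unlock_irqrestore(&process->sighand->siglock, flags);`, so the unlock could be hoisted below the if/else in a follow-up; that is more than the minimal fix this patch aims for and fine to leave for later.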