aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorOleg Nesterov <oleg@tv-sign.ru>2007-08-22 17:01:37 -0400
committerLinus Torvalds <torvalds@woody.linux-foundation.org>2007-08-22 22:52:46 -0400
commitd02479bdeb1c9b037892061cdcf4e730183391fa (patch)
tree1268f3dcf973f8fc3d86c84d9b09ff9048647491
parent179394af7a2baa1d0a3cb1670075310d72247d38 (diff)
posix-timers: fix creation race
sys_timer_create() sets ->it_process and unlocks ->siglock, then checks tmr->it_sigev_notify to define if get_task_struct() is needed. We already passed ->it_id to the caller, another thread can delete this timer and free its memory in between. As a minimal fix, move this code under ->siglock, sys_timer_delete() takes it too before calling release_posix_timer(). A proper serialization would be to take ->it_lock, we add a partly initialized timer on posix_timers_id, not good. Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru> Cc: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-rw-r--r--kernel/posix-timers.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/kernel/posix-timers.c b/kernel/posix-timers.c
index 6923ad8a5983..7a15afb73ed0 100644
--- a/kernel/posix-timers.c
+++ b/kernel/posix-timers.c
@@ -547,9 +547,9 @@ sys_timer_create(const clockid_t which_clock,
547 new_timer->it_process = process; 547 new_timer->it_process = process;
548 list_add(&new_timer->list, 548 list_add(&new_timer->list,
549 &process->signal->posix_timers); 549 &process->signal->posix_timers);
550 spin_unlock_irqrestore(&process->sighand->siglock, flags);
551 if (new_timer->it_sigev_notify == (SIGEV_SIGNAL|SIGEV_THREAD_ID)) 550 if (new_timer->it_sigev_notify == (SIGEV_SIGNAL|SIGEV_THREAD_ID))
552 get_task_struct(process); 551 get_task_struct(process);
552 spin_unlock_irqrestore(&process->sighand->siglock, flags);
553 } else { 553 } else {
554 spin_unlock_irqrestore(&process->sighand->siglock, flags); 554 spin_unlock_irqrestore(&process->sighand->siglock, flags);
555 process = NULL; 555 process = NULL;