diff options
| author | Oleg Nesterov <oleg@tv-sign.ru> | 2005-09-06 18:17:42 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@g5.osdl.org> | 2005-09-07 19:57:33 -0400 |
| commit | e752dd6cc66a3e6a11396928998baf390cc00420 (patch) | |
| tree | b24b388d80acec6527e66b07f0d308d48319c476 /kernel/posix-timers.c | |
| parent | a97c9bf33f4612e2aed6f000f6b1d268b6814f3c (diff) | |
[PATCH] fix send_sigqueue() vs thread exit race
posix_timer_event() first checks that the thread (SIGEV_THREAD_ID case)
does not have PF_EXITING flag, then it calls send_sigqueue() which locks
task list. But if the thread exits in between the kernel will oops
(->sighand == NULL after __exit_sighand).
This patch moves the PF_EXITING check into the send_sigqueue(), it must be
done atomically under tasklist_lock. When send_sigqueue() detects exiting
thread it returns -1. In that case posix_timer_event will send the signal
to thread group.
Also, this patch fixes task_struct use-after-free in posix_timer_event.
Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
Cc: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Diffstat (limited to 'kernel/posix-timers.c')
| -rw-r--r-- | kernel/posix-timers.c | 28 |
1 files changed, 15 insertions, 13 deletions
diff --git a/kernel/posix-timers.c b/kernel/posix-timers.c index 38798a2ff994..b7b532acd9fc 100644 --- a/kernel/posix-timers.c +++ b/kernel/posix-timers.c | |||
| @@ -427,21 +427,23 @@ int posix_timer_event(struct k_itimer *timr,int si_private) | |||
| 427 | timr->sigq->info.si_code = SI_TIMER; | 427 | timr->sigq->info.si_code = SI_TIMER; |
| 428 | timr->sigq->info.si_tid = timr->it_id; | 428 | timr->sigq->info.si_tid = timr->it_id; |
| 429 | timr->sigq->info.si_value = timr->it_sigev_value; | 429 | timr->sigq->info.si_value = timr->it_sigev_value; |
| 430 | |||
| 430 | if (timr->it_sigev_notify & SIGEV_THREAD_ID) { | 431 | if (timr->it_sigev_notify & SIGEV_THREAD_ID) { |
| 431 | if (unlikely(timr->it_process->flags & PF_EXITING)) { | 432 | struct task_struct *leader; |
| 432 | timr->it_sigev_notify = SIGEV_SIGNAL; | 433 | int ret = send_sigqueue(timr->it_sigev_signo, timr->sigq, |
| 433 | put_task_struct(timr->it_process); | 434 | timr->it_process); |
| 434 | timr->it_process = timr->it_process->group_leader; | 435 | |
| 435 | goto group; | 436 | if (likely(ret >= 0)) |
| 436 | } | 437 | return ret; |
| 437 | return send_sigqueue(timr->it_sigev_signo, timr->sigq, | 438 | |
| 438 | timr->it_process); | 439 | timr->it_sigev_notify = SIGEV_SIGNAL; |
| 439 | } | 440 | leader = timr->it_process->group_leader; |
| 440 | else { | 441 | put_task_struct(timr->it_process); |
| 441 | group: | 442 | timr->it_process = leader; |
| 442 | return send_group_sigqueue(timr->it_sigev_signo, timr->sigq, | ||
| 443 | timr->it_process); | ||
| 444 | } | 443 | } |
| 444 | |||
| 445 | return send_group_sigqueue(timr->it_sigev_signo, timr->sigq, | ||
| 446 | timr->it_process); | ||
| 445 | } | 447 | } |
| 446 | EXPORT_SYMBOL_GPL(posix_timer_event); | 448 | EXPORT_SYMBOL_GPL(posix_timer_event); |
| 447 | 449 | ||