diff options
| author | Oleg Nesterov <oleg@tv-sign.ru> | 2005-09-06 18:17:42 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@g5.osdl.org> | 2005-09-07 19:57:33 -0400 |
| commit | e752dd6cc66a3e6a11396928998baf390cc00420 (patch) | |
| tree | b24b388d80acec6527e66b07f0d308d48319c476 /kernel/signal.c | |
| parent | a97c9bf33f4612e2aed6f000f6b1d268b6814f3c (diff) | |
[PATCH] fix send_sigqueue() vs thread exit race
posix_timer_event() first checks that the thread (SIGEV_THREAD_ID case)
does not have PF_EXITING flag, then it calls send_sigqueue() which locks
task list. But if the thread exits in between the kernel will oops
(->sighand == NULL after __exit_sighand).
This patch moves the PF_EXITING check into the send_sigqueue(), it must be
done atomically under tasklist_lock. When send_sigqueue() detects exiting
thread it returns -1. In that case posix_timer_event will send the signal
to thread group.
Also, this patch fixes task_struct use-after-free in posix_timer_event.
Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
Cc: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Diffstat (limited to 'kernel/signal.c')
| -rw-r--r-- | kernel/signal.c | 22 |
1 files changed, 12 insertions, 10 deletions
diff --git a/kernel/signal.c b/kernel/signal.c index 56e33df2b67f..4980a073237f 100644 --- a/kernel/signal.c +++ b/kernel/signal.c | |||
| @@ -1366,16 +1366,16 @@ send_sigqueue(int sig, struct sigqueue *q, struct task_struct *p) | |||
| 1366 | unsigned long flags; | 1366 | unsigned long flags; |
| 1367 | int ret = 0; | 1367 | int ret = 0; |
| 1368 | 1368 | ||
| 1369 | /* | ||
| 1370 | * We need the tasklist lock even for the specific | ||
| 1371 | * thread case (when we don't need to follow the group | ||
| 1372 | * lists) in order to avoid races with "p->sighand" | ||
| 1373 | * going away or changing from under us. | ||
| 1374 | */ | ||
| 1375 | BUG_ON(!(q->flags & SIGQUEUE_PREALLOC)); | 1369 | BUG_ON(!(q->flags & SIGQUEUE_PREALLOC)); |
| 1376 | read_lock(&tasklist_lock); | 1370 | read_lock(&tasklist_lock); |
| 1371 | |||
| 1372 | if (unlikely(p->flags & PF_EXITING)) { | ||
| 1373 | ret = -1; | ||
| 1374 | goto out_err; | ||
| 1375 | } | ||
| 1376 | |||
| 1377 | spin_lock_irqsave(&p->sighand->siglock, flags); | 1377 | spin_lock_irqsave(&p->sighand->siglock, flags); |
| 1378 | 1378 | ||
| 1379 | if (unlikely(!list_empty(&q->list))) { | 1379 | if (unlikely(!list_empty(&q->list))) { |
| 1380 | /* | 1380 | /* |
| 1381 | * If an SI_TIMER entry is already queue just increment | 1381 | * If an SI_TIMER entry is already queue just increment |
| @@ -1385,7 +1385,7 @@ send_sigqueue(int sig, struct sigqueue *q, struct task_struct *p) | |||
| 1385 | BUG(); | 1385 | BUG(); |
| 1386 | q->info.si_overrun++; | 1386 | q->info.si_overrun++; |
| 1387 | goto out; | 1387 | goto out; |
| 1388 | } | 1388 | } |
| 1389 | /* Short-circuit ignored signals. */ | 1389 | /* Short-circuit ignored signals. */ |
| 1390 | if (sig_ignored(p, sig)) { | 1390 | if (sig_ignored(p, sig)) { |
| 1391 | ret = 1; | 1391 | ret = 1; |
| @@ -1400,8 +1400,10 @@ send_sigqueue(int sig, struct sigqueue *q, struct task_struct *p) | |||
| 1400 | 1400 | ||
| 1401 | out: | 1401 | out: |
| 1402 | spin_unlock_irqrestore(&p->sighand->siglock, flags); | 1402 | spin_unlock_irqrestore(&p->sighand->siglock, flags); |
| 1403 | out_err: | ||
| 1403 | read_unlock(&tasklist_lock); | 1404 | read_unlock(&tasklist_lock); |
| 1404 | return(ret); | 1405 | |
| 1406 | return ret; | ||
| 1405 | } | 1407 | } |
| 1406 | 1408 | ||
| 1407 | int | 1409 | int |