diff options
author | Roland McGrath <roland@redhat.com> | 2005-10-20 01:21:23 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@g5.osdl.org> | 2005-10-20 02:02:01 -0400 |
commit | e03d13e985d48ac4885382c9e3b1510c78bd047f (patch) | |
tree | 04a124c1759f4b16e21fd04031ee9677fab58021 /kernel | |
parent | 3359b54c8c07338f3a863d1109b42eebccdcf379 (diff) |
[PATCH] Fix cpu timers exit deadlock and races
Oleg Nesterov reported an SMP deadlock. If there is a running timer
tracking a different process's CPU time clock when the process owning
the timer exits, we deadlock on tasklist_lock in posix_cpu_timer_del via
exit_itimers.
That code was using tasklist_lock to check for a race with __exit_signal
being called on the timer-target task and clearing its ->signal.
However, there is actually no such race. __exit_signal will have called
posix_cpu_timers_exit and posix_cpu_timers_exit_group before it does
that. Those will clear those k_itimer's association with the dying
task, so posix_cpu_timer_del will return early and never reach the code
in question.
In addition, posix_cpu_timer_del called from exit_itimers during execve
or directly from timer_delete in the process owning the timer can race
with an exiting timer-target task to cause a double put on timer-target
task struct. Make sure we always access cpu_timers lists with sighand
lock held.
Signed-off-by: Roland McGrath <roland@redhat.com>
Signed-off-by: Chris Wright <chrisw@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Diffstat (limited to 'kernel')
-rw-r--r-- | kernel/posix-cpu-timers.c | 28 |
1 files changed, 11 insertions, 17 deletions
diff --git a/kernel/posix-cpu-timers.c b/kernel/posix-cpu-timers.c index 7a51a5597c33..b3f3edc475de 100644 --- a/kernel/posix-cpu-timers.c +++ b/kernel/posix-cpu-timers.c | |||
@@ -387,25 +387,19 @@ int posix_cpu_timer_del(struct k_itimer *timer) | |||
387 | if (unlikely(p == NULL)) | 387 | if (unlikely(p == NULL)) |
388 | return 0; | 388 | return 0; |
389 | 389 | ||
390 | spin_lock(&p->sighand->siglock); | ||
390 | if (!list_empty(&timer->it.cpu.entry)) { | 391 | if (!list_empty(&timer->it.cpu.entry)) { |
391 | read_lock(&tasklist_lock); | 392 | /* |
392 | if (unlikely(p->signal == NULL)) { | 393 | * Take us off the task's timer list. We don't need to |
393 | /* | 394 | * take tasklist_lock and check for the task being reaped. |
394 | * We raced with the reaping of the task. | 395 | * If it was reaped, it already called posix_cpu_timers_exit |
395 | * The deletion should have cleared us off the list. | 396 | * and posix_cpu_timers_exit_group to clear all the timers |
396 | */ | 397 | * that pointed to it. |
397 | BUG_ON(!list_empty(&timer->it.cpu.entry)); | 398 | */ |
398 | } else { | 399 | list_del(&timer->it.cpu.entry); |
399 | /* | 400 | put_task_struct(p); |
400 | * Take us off the task's timer list. | ||
401 | */ | ||
402 | spin_lock(&p->sighand->siglock); | ||
403 | list_del(&timer->it.cpu.entry); | ||
404 | spin_unlock(&p->sighand->siglock); | ||
405 | } | ||
406 | read_unlock(&tasklist_lock); | ||
407 | } | 401 | } |
408 | put_task_struct(p); | 402 | spin_unlock(&p->sighand->siglock); |
409 | 403 | ||
410 | return 0; | 404 | return 0; |
411 | } | 405 | } |