From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
	Zwane Mwaikambo <zwane@arm.linux.org.uk>,
	"Theodore Ts'o" <tytso@mit.edu>,
	Randy Dunlap <rdunlap@xenotime.net>,
	Chuck Wolber <chuckw@quantumlinux.com>,
	torvalds@osdl.org, akpm@osdl.org, alan@lxorguk.ukuu.org.uk,
	oleg@tv-sign.ru, roland@redhat.com, paulmck@us.ibm.com,
	george@mvista.com, dipankar@in.ibm.com, mingo@elte.hu,
	suzannew@cs.pdx.edu
Subject: [patch 09/11] fix de_thread() vs send_group_sigqueue() race
Date: Fri, 23 Dec 2005 14:27:54 -0800	[thread overview]
Message-ID: <20051223222754.GJ18252@kroah.com> (raw)
In-Reply-To: <20051223222652.GA18252@kroah.com>

[-- Attachment #1: fix-de_thread-vs-send_group_sendqueue-race.patch --]
[-- Type: text/plain, Size: 2181 bytes --]

From: Oleg Nesterov <oleg@tv-sign.ru>

When a non-leader thread does exec, de_thread calls release_task(leader) before
calling exit_itimers(). If a local timer interrupt happens in between, it can
oops in send_group_sigqueue() while taking ->sighand->siglock == NULL.

However, we can't change send_group_sigqueue() to check p->signal != NULL,
because sys_timer_create() does get_task_struct() only in the SIGEV_THREAD_ID
case. So it is possible that this task_struct was already freed and we can't
trust p->signal.

This patch changes de_thread() so that the leader is released after the
exit_itimers() call.

Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
Signed-off-by: Chris Wright <chrisw@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
 fs/exec.c |   10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

--- linux-2.6.14.1.orig/fs/exec.c
+++ linux-2.6.14.1/fs/exec.c
@@ -593,6 +593,7 @@ static inline int de_thread(struct task_
 	struct signal_struct *sig = tsk->signal;
 	struct sighand_struct *newsighand, *oldsighand = tsk->sighand;
 	spinlock_t *lock = &oldsighand->siglock;
+	struct task_struct *leader = NULL;
 	int count;
 
 	/*
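Review bot: the new function-scope `struct task_struct *leader = NULL;` deserves a one-line comment, because the variable is only assigned on the `!thread_group_leader(current)` path and is read again after the `no_thread_group:` label; the NULL initializer is what makes that later `if (leader)` test correct when a thread-group leader itself calls exec, and without a comment it reads like a defensive default rather than the thing the deferred release depends on.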
@@ -668,7 +669,7 @@ static inline int de_thread(struct task_
 	 * and to assume its PID:
 	 */
 	if (!thread_group_leader(current)) {
-		struct task_struct *leader = current->group_leader, *parent;
+		struct task_struct *parent;
 		struct dentry *proc_dentry1, *proc_dentry2;
 		unsigned long exit_state, ptrace;
 
@@ -677,6 +678,7 @@ static inline int de_thread(struct task_
 		 * It should already be zombie at this point, most
 		 * of the time.
 		 */
+		leader = current->group_leader;
 		while (leader->exit_state != EXIT_ZOMBIE)
 			yield();
 
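Review bot: `leader = current->group_leader;` is placed between the explanatory comment and the `while (leader->exit_state != EXIT_ZOMBIE)` loop it describes, so the comment no longer sits directly on the loop; since the block-local declaration was dropped in the previous hunk, the assignment would read better at the top of the `if (!thread_group_leader(current))` block next to `struct task_struct *parent;`, keeping the comment and the wait loop together.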
@@ -736,7 +738,6 @@ static inline int de_thread(struct task_
 		proc_pid_flush(proc_dentry2);
 
 		BUG_ON(exit_state != EXIT_ZOMBIE);
-		release_task(leader);
         }
 
 	/*
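Review bot: with `release_task(leader)` removed here, the zombie leader's task_struct (and its sighand) stays valid through the rest of de_thread() until the deferred release; the `BUG_ON(exit_state != EXIT_ZOMBIE)` just above is unaffected, but a short comment at this spot saying the release is deliberately deferred until after exit_itimers() would stop someone re-adding the call here later. Unrelated nit visible in the trailing context line: the closing brace is indented with spaces rather than a tab.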
@@ -746,8 +747,11 @@ static inline int de_thread(struct task_
 	sig->flags = 0;
 
 no_thread_group:
-	BUG_ON(atomic_read(&sig->count) != 1);
 	exit_itimers(sig);
+	if (leader)
+		release_task(leader);
+
+	BUG_ON(atomic_read(&sig->count) != 1);
 
 	if (atomic_read(&oldsighand->count) == 1) {
 		/*
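Review bot: moving `BUG_ON(atomic_read(&sig->count) != 1);` below the new `release_task(leader)` call is required rather than cosmetic, and that should be stated in the changelog or a comment: in the original code the count check already ran after the leader had been released (previous hunk), and release_task() is what drops the leader's reference to the shared signal_struct, so leaving the check at its old position above `exit_itimers(sig)` would trip on the non-leader path now that the leader is still alive there. A comment at `if (leader)` saying why the release must follow exit_itimers() (a timer interrupt can still reach the leader's sighand through send_group_sigqueue() until the itimers are gone, the race described in the changelog) would also help future readers keep this ordering.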

--
