From: Oleg Nesterov <oleg@tv-sign.ru>
To: Roland McGrath <roland@redhat.com>
Cc: linux-kernel@vger.kernel.org, Ingo Molnar <mingo@elte.hu>,
Michael Kerrisk <mtk-lkml@gmx.net>,
Linus Torvalds <torvalds@osdl.org>, Andrew Morton <akpm@osdl.org>
Subject: Re: [PATCH] fix de_thread() vs do_coredump() deadlock
Date: Mon, 10 Apr 2006 21:43:46 +0400
Message-ID: <20060410174346.GA100@oleg>
In-Reply-To: <20060410013651.4D1791809D1@magilla.sf.frob.com>
On 04/09, Roland McGrath wrote:
>
> [PATCH] Fix race between exec and fatal signals
I'll try to study this patch carefully tomorrow, but now I have
the feeling it is not right (probably my misunderstanding after
the quick reading).
> --- a/fs/exec.c
> +++ b/fs/exec.c
> @@ -606,15 +606,16 @@ static int de_thread(struct task_struct
>
> ... [snip] ...
>
> - zap_other_threads(current);
> + zap_other_threads(current, SIGNAL_GROUP_EXEC);
>
> ... [snip] ...
>
> -void zap_other_threads(struct task_struct *p)
> +void zap_other_threads(struct task_struct *p, int flag)
> {
> struct task_struct *t;
>
> - p->signal->flags = SIGNAL_GROUP_EXIT;
> + if (unlikely(p->signal->flags & SIGNAL_GROUP_EXEC)) {
> + /*
> + * We are cancelling an exec that is in progress, to let
> + * the thread group die instead. We need to wake the
> + * exec'ing thread up from uninterruptible wait.
> + */
> + BUG_ON(flag != SIGNAL_GROUP_EXIT);
> + t = p->signal->group_exit_task;
> + p->signal->group_exit_task = NULL;
> + p->signal->notify_count = 0;
> + wake_up_process(t);
> + }
> +
> + p->signal->flags = flag;
> p->signal->group_stop_count = 0;
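Review bot: in the SIGNAL_GROUP_EXEC branch of zap_other_threads(), t is
loaded from p->signal->group_exit_task and handed to wake_up_process(t)
with no NULL check, so the branch is only safe if group_exit_task is
always set whenever SIGNAL_GROUP_EXEC is, and nothing in the visible lines
establishes that. Either guard the wakeup with "if (t)" or state the
invariant in the comment and enforce it where the flag is set. The new
"int flag" argument is also undocumented: the only constraint visible here
is BUG_ON(flag != SIGNAL_GROUP_EXIT) inside this branch, so a short
comment on the function naming the accepted values (SIGNAL_GROUP_EXIT,
SIGNAL_GROUP_EXEC) would help callers.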
So, de_thread() sets SIGNAL_GROUP_EXEC and sends SIGKILL to other threads.
Sub-thread receives the signal, and calls get_signal_to_deliver->do_group_exit.
do_group_exit() calls zap_other_threads(SIGNAL_GROUP_EXIT) because there is no
SIGNAL_GROUP_EXIT set. zap_other_threads() notices SIGNAL_GROUP_EXEC, wakes up
execer, and changes ->signal->flags to SIGNAL_GROUP_EXIT.
de_thread() re-locks sighand, sees !SIGNAL_GROUP_EXEC and goes to 'dying:'.
No?
Another problem. de_thread() sets '->group_exit_task = current' _only_ if
'atomic_read(&sig->count) > count', so wake_up_process(->group_exit_task)
in zap_other_threads() is unsafe.
Oleg.