From: Oleg Nesterov <oleg@tv-sign.ru>
To: tglx@linutronix.de
Cc: Ingo Molnar <mingo@elte.hu>, Roland McGrath <roland@redhat.com>,
George Anzinger <george@mvista.com>,
linux-kernel@vger.kernel.org,
Steven Rostedt <rostedt@goodmis.org>,
"Paul E. McKenney" <paulmck@us.ibm.com>,
Andrew Morton <akpm@osdl.org>
Subject: [PATCH] fix send_sigqueue() vs thread exit race
Date: Sat, 20 Aug 2005 20:58:32 +0400
Message-ID: <43076138.C37ED380@tv-sign.ru>
In-Reply-To: 1124495303.23647.579.camel@tglx.tec.linutronix.de
posix_timer_event() first checks that the thread (SIGEV_THREAD_ID
case) does not have the PF_EXITING flag, then it calls send_sigqueue(),
which locks the task list. But if the thread exits in between, the kernel
will oops (->sighand == NULL after __exit_sighand).
This patch moves the PF_EXITING check into send_sigqueue(); it
must be done atomically under tasklist_lock. When send_sigqueue()
detects an exiting thread it returns -1. In that case posix_timer_event
will send the signal to the thread group.
Also, this patch fixes a task_struct use-after-free in posix_timer_event.
Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
--- 2.6.13-rc6/kernel/signal.c~ 2005-08-18 23:10:28.000000000 +0400
+++ 2.6.13-rc6/kernel/signal.c 2005-08-20 23:05:21.000000000 +0400
@@ -1366,16 +1366,16 @@ send_sigqueue(int sig, struct sigqueue *
unsigned long flags;
int ret = 0;
- /*
- * We need the tasklist lock even for the specific
- * thread case (when we don't need to follow the group
- * lists) in order to avoid races with "p->sighand"
- * going away or changing from under us.
- */
BUG_ON(!(q->flags & SIGQUEUE_PREALLOC));
- read_lock(&tasklist_lock);
+ read_lock(&tasklist_lock);
+
+ if (unlikely(p->flags & PF_EXITING)) {
+ ret = -1;
+ goto out_err;
+ }
+
spin_lock_irqsave(&p->sighand->siglock, flags);
-
+
if (unlikely(!list_empty(&q->list))) {
/*
* If an SI_TIMER entry is already queue just increment
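Review bot: the block comment deleted at the top of this hunk should stay, because it states exactly why the new PF_EXITING test has to sit under read_lock(&tasklist_lock) instead of in the caller; reword it to say that the check is now done here, and add the ordering the test depends on (the exiting task must set PF_EXITING before it takes tasklist_lock for writing to clear ->sighand, otherwise a sender that sees the flag clear could still hit ->sighand == NULL on the very next line). The `-	read_lock(&tasklist_lock);` / `+	read_lock(&tasklist_lock);` pair and the `-`/`+` empty lines after spin_lock_irqsave() are whitespace-only changes and do not belong in a bug fix.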
@@ -1385,7 +1385,7 @@ send_sigqueue(int sig, struct sigqueue *
BUG();
q->info.si_overrun++;
goto out;
- }
+ }
/* Short-circuit ignored signals. */
if (sig_ignored(p, sig)) {
ret = 1;
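Review bot: the only change in this hunk is whitespace on the closing `}` of the SI_TIMER overrun branch; unrelated cleanup inside a bug fix hides the real change and makes the patch harder to review and to backport, so drop it here or send it as a separate cleanup patch.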
@@ -1400,8 +1400,10 @@ send_sigqueue(int sig, struct sigqueue *
out:
spin_unlock_irqrestore(&p->sighand->siglock, flags);
+out_err:
read_unlock(&tasklist_lock);
- return(ret);
+
+ return ret;
}
int
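Review bot: with the new out_err path send_sigqueue() now has three outcomes, 0 (queued), 1 (ignored, from the sig_ignored() branch above) and -1 (thread exiting), and nothing near the function documents them; the caller in posix_timer_event() tells them apart with `ret >= 0`, so add a comment above send_sigqueue() stating the convention, or return -ESRCH instead of a bare -1 so the value explains itself. The `return(ret);` to `return ret;` change is cosmetic and belongs with the other whitespace cleanup, not in this fix.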
--- 2.6.13-rc6/kernel/posix-timers.c~ 2005-08-18 21:37:08.000000000 +0400
+++ 2.6.13-rc6/kernel/posix-timers.c 2005-08-20 23:21:23.000000000 +0400
@@ -427,21 +427,23 @@ int posix_timer_event(struct k_itimer *t
timr->sigq->info.si_code = SI_TIMER;
timr->sigq->info.si_tid = timr->it_id;
timr->sigq->info.si_value = timr->it_sigev_value;
+
if (timr->it_sigev_notify & SIGEV_THREAD_ID) {
- if (unlikely(timr->it_process->flags & PF_EXITING)) {
- timr->it_sigev_notify = SIGEV_SIGNAL;
- put_task_struct(timr->it_process);
- timr->it_process = timr->it_process->group_leader;
- goto group;
- }
- return send_sigqueue(timr->it_sigev_signo, timr->sigq,
- timr->it_process);
- }
- else {
- group:
- return send_group_sigqueue(timr->it_sigev_signo, timr->sigq,
- timr->it_process);
+ struct task_struct *leader;
+ int ret = send_sigqueue(timr->it_sigev_signo, timr->sigq,
+ timr->it_process);
+
+ if (likely(ret >= 0))
+ return ret;
+
+ timr->it_sigev_notify = SIGEV_SIGNAL;
+ leader = timr->it_process->group_leader;
+ put_task_struct(timr->it_process);
+ timr->it_process = leader;
}
+
+ return send_group_sigqueue(timr->it_sigev_signo, timr->sigq,
+ timr->it_process);
}
EXPORT_SYMBOL_GPL(posix_timer_event);
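Review bot: reading `leader = timr->it_process->group_leader;` before `put_task_struct(timr->it_process);` is the right order and is what removes the use-after-free named in the changelog, but the leader is then stored in it_process without a get_task_struct() while the reference the timer held on the thread is dropped; if the SIGEV_SIGNAL case deliberately holds no reference on the group leader (the code being replaced did the same), say so in a one-line comment, because that asymmetry is the first thing a reader will question. Also, it_sigev_notify and it_process are rewritten here with no lock visible in the hunk; name what serializes this against release of the timer (the timer's own lock, if the caller holds it).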
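The race the changelog describes, as an added example that is not part of the patch or of the kernel: a small user-space C model in which tasklist_lock is reduced to a reader count, the exiting thread is a two-step state machine (PF_EXITING is set first, ->sighand is cleared only once no reader holds the lock), and what would be a crash in the kernel is reported as the sentinel codes OOPS and UAF instead. The old_* and new_* functions mirror the code before and after the patch; run(), thread_exits(), the struct layouts and all return codes are the model's own assumptions, not kernel identifiers.

```c
/* User-space model of the send_sigqueue() vs thread-exit race (added example,
 * not kernel code). tasklist_lock is a reader count, the exiting thread is a
 * two-step state machine, and a crash is reported as OOPS / UAF instead. */
#include <string.h>

#define PF_EXITING 0x4
enum { SENT = 0, SENT_TO_GROUP = 2, OOPS = -100, UAF = -101, WRONG_TARGET = -102 };

struct task {
    unsigned flags; void *sighand; struct task *group_leader; /* sighand cleared on exit */
    int refcount, freed, exit_stage;  /* freed: last ref dropped; stage 0 / 1 / 2 */
};
struct timer { struct task *it_process; int thread_id; };

static int tasklist_readers;          /* stands in for read_lock(&tasklist_lock) */
static void read_lock(void)   { tasklist_readers++; }
static void read_unlock(void) { tasklist_readers--; }

/* Exit ordering the fix relies on: PF_EXITING first, ->sighand cleared only
 * under the write lock, i.e. while no reader holds tasklist_lock. */
static void exit_step(struct task *t)
{
    if (t->exit_stage == 0) { t->flags |= PF_EXITING; t->exit_stage = 1; }
    else if (t->exit_stage == 1 && tasklist_readers == 0) { t->sighand = NULL; t->exit_stage = 2; }
}
static void thread_exits(struct task *t) { exit_step(t); exit_step(t); }

static void put_task_struct(struct task *t)
{
    if (--t->refcount == 0) { t->freed = 1; t->group_leader = NULL; }  /* poison freed object */
}

/* Before the patch: send_sigqueue() trusts the caller's unlocked check. */
static int old_send_sigqueue(struct task *p)
{
    int r;
    read_lock();
    r = p->sighand ? SENT : OOPS;     /* spin_lock(&p->sighand->siglock) on NULL */
    read_unlock();
    return r;
}
static int old_posix_timer_event(struct timer *tm, void (*race)(struct task *))
{
    if (tm->thread_id) {
        struct task *p = tm->it_process;
        if (p->flags & PF_EXITING) {
            tm->thread_id = 0;
            put_task_struct(p);
            if (p->freed) return UAF;  /* p->group_leader is read after the put */
            tm->it_process = p->group_leader;
            return SENT_TO_GROUP;
        }
        if (race) race(p);            /* window: checked, tasklist_lock not yet held */
        return old_send_sigqueue(p);
    }
    return SENT_TO_GROUP;
}

/* After the patch: the check sits under tasklist_lock and reports -1. */
static int new_send_sigqueue(struct task *p, void (*race)(struct task *))
{
    int r;
    read_lock();
    if (race) race(p);                /* may set PF_EXITING, cannot drop ->sighand */
    if (p->flags & PF_EXITING) { r = -1; goto out_err; }
    r = p->sighand ? SENT : OOPS;
out_err:
    read_unlock();
    return r;
}
static int new_posix_timer_event(struct timer *tm, void (*race)(struct task *))
{
    if (tm->thread_id) {
        struct task *leader;
        int r = new_send_sigqueue(tm->it_process, race);
        if (r >= 0) return r;
        tm->thread_id = 0;
        leader = tm->it_process->group_leader;  /* read before the reference is dropped */
        put_task_struct(tm->it_process);
        tm->it_process = leader;
    }
    return SENT_TO_GROUP;
}

/* One constructed scenario: a thread holding `refs` references (one of them the
 * timer's), optionally already exited, optionally exiting inside the race window. */
static int run(int patched, int refs, int exited, int with_race)
{
    static int sighand_obj;
    struct task thr, leader;
    struct timer tm = { &thr, 1 };
    int r;

    memset(&thr, 0, sizeof thr); memset(&leader, 0, sizeof leader);
    thr.sighand = leader.sighand = &sighand_obj;
    thr.group_leader = leader.group_leader = &leader;
    thr.refcount = refs; leader.refcount = 1;
    if (exited) thread_exits(&thr);
    r = patched ? new_posix_timer_event(&tm, with_race ? thread_exits : NULL)
                : old_posix_timer_event(&tm, with_race ? thread_exits : NULL);
    if (r == SENT_TO_GROUP && tm.it_process != &leader) return WRONG_TARGET;
    return r;
}
```

run(0, 2, 0, 1) returns OOPS: the exit completes between the unlocked check and read_lock(), so the old path dereferences a cleared ->sighand. run(1, 2, 0, 1) returns SENT_TO_GROUP: the patched path takes the lock first, the exiting thread can only reach stage 1, the check under the lock sees PF_EXITING and the signal falls back to the group leader. run(0, 1, 1, 0) returns UAF because the old fallback read ->group_leader after dropping the last reference, while run(1, 1, 1, 0) reads the leader first and returns SENT_TO_GROUP.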
Thread overview: 63+ messages
2005-08-18 6:01 2.6.13-rc6-rt9 Ingo Molnar
2005-08-18 15:24 ` 2.6.13-rc6-rt9 Thomas Gleixner
2005-08-18 16:08 ` 2.6.13-rc6-rt9 Thomas Gleixner
2005-08-18 21:17 ` 2.6.13-rc6-rt9 Thomas Gleixner
2005-08-18 22:54 ` [2.6.13-rc6-rt9 patch] fix DECNET_ROUTER=y compile Adrian Bunk
2005-08-22 7:59 ` Ingo Molnar
2005-08-18 22:54 ` 2.6.13-rc6-rt9: compile errors Adrian Bunk
2005-08-22 8:44 ` Ingo Molnar
2005-08-19 0:05 ` 2.6.13-rc6-rt9 Chuck Harding
2005-08-19 6:39 ` 2.6.13-rc6-rt9 Steven Rostedt
2005-08-19 13:00 ` 2.6.13-rc6-rt9 Steven Rostedt
2005-08-19 15:36 ` 2.6.13-rc6-rt9 Steven Rostedt
2005-08-22 7:57 ` 2.6.13-rc6-rt9 Ingo Molnar
2005-08-22 7:58 ` 2.6.13-rc6-rt9 Ingo Molnar
2005-08-23 12:36 ` 2.6.13-rc6-rt9 Ingo Molnar
2005-08-23 12:50 ` 2.6.13-rc6-rt9 Steven Rostedt
2005-08-23 12:56 ` 2.6.13-rc6-rt9 Ingo Molnar
2005-08-19 16:56 ` 2.6.13-rc6-rt9 Peter Zijlstra
2005-08-19 18:30 ` 2.6.13-rc6-rt9 Peter Zijlstra
2005-08-19 18:43 ` 2.6.13-rc6-rt9 Paul E. McKenney
2005-08-20 19:27 ` 2.6.13-rc6-rt9 Peter Zijlstra
2005-08-20 21:24 ` 2.6.13-rc6-rt9 Jeff Dike
2005-09-29 7:54 ` 2.6.13-rc6-rt9 Peter Zijlstra
2005-09-30 1:00 ` 2.6.13-rc6-rt9 Paul E. McKenney
2005-09-30 1:07 ` 2.6.13-rc6-rt9 Thomas Gleixner
2005-09-30 1:46 ` 2.6.13-rc6-rt9 Paul E. McKenney
2005-09-30 6:17 ` 2.6.13-rc6-rt9 Thomas Gleixner
2005-08-19 21:50 ` 2.6.13-rc6-rt9 Darren Hart
2005-08-25 6:24 ` 2.6.13-rc6-rt9 Ingo Molnar
2005-08-19 22:13 ` 2.6.13-rc6-rt9 Darren Hart
2005-08-19 23:00 ` 2.6.13-rc6-rt9 Thomas Gleixner
2005-08-20 15:13 ` 2.6.13-rc6-rt9 Darren Hart
2005-08-19 23:48 ` [PATCH 2.6.13-rc6-rt9] PI aware dynamic priority adjustment Thomas Gleixner
2005-08-20 0:19 ` George Anzinger
2005-08-20 0:36 ` Thomas Gleixner
2005-08-20 1:36 ` George Anzinger
2005-09-26 21:03 ` Roland McGrath
2005-08-20 14:10 ` Oleg Nesterov
2005-08-20 16:04 ` Thomas Gleixner
2005-08-20 17:50 ` Oleg Nesterov
2005-08-22 21:37 ` George Anzinger
2005-08-20 16:58 ` Oleg Nesterov [this message]
2005-08-21 9:44 ` [PATCH] fix send_sigqueue() vs thread exit race Thomas Gleixner
2005-08-21 10:41 ` Oleg Nesterov
2005-08-21 12:38 ` Thomas Gleixner
2005-08-21 10:59 ` Oleg Nesterov
2005-08-21 21:24 ` Thomas Gleixner
2005-08-21 21:50 ` Thomas Gleixner
2005-08-22 6:39 ` Oleg Nesterov
2005-08-22 8:08 ` Thomas Gleixner
2005-08-22 8:52 ` Oleg Nesterov
2005-08-22 10:06 ` Thomas Gleixner
2005-08-22 16:45 ` Oleg Nesterov
2005-08-23 10:13 ` Thomas Gleixner
2005-08-23 16:17 ` Oleg Nesterov
2005-08-23 18:29 ` Thomas Gleixner
2005-09-24 13:42 ` [PATCH] fix exit_itimers() vs posix_timer_event() AB-BA deadlock Oleg Nesterov
2005-09-25 5:44 ` Andrew Morton
2005-09-25 14:07 ` [PATCH] fix exit_itimers() vs posix_timer_event() AB-BAdeadlock Oleg Nesterov
2005-10-23 16:50 ` Oleg Nesterov
2005-08-23 10:42 ` [PATCH] fix send_sigqueue() vs thread exit race Thomas Gleixner
2005-08-22 7:38 ` [PATCH 2.6.13-rc6-rt9] PI aware dynamic priority adjustment Ingo Molnar
2005-08-22 7:41 ` Ingo Molnar