From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org,
torvalds@linux-foundation.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
"Theodore Ts'o" <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
Chris Wedgwood <reviews@ml.cw.f00f.org>,
Michael Krufky <mkrufky@linuxtv.org>,
Chuck Ebbert <cebbert@redhat.com>,
Domenico Andreoli <cavokz@gmail.com>,
akpm@linux-foundation.org, alan@lxorguk.ukuu.org.uk,
oleg@tv-sign.ru, sukadev@us.ibm.com, adobriyan@sw.ru,
tglx@linutronix.de, jeremy.katz@windriver.com,
yue.tao@windriver.com, mingo@elte.hu, roland@redhat.com
Subject: [06/50] sigqueue_free: fix the race with collect_signal()
Date: Mon, 24 Sep 2007 09:20:04 -0700 [thread overview]
Message-ID: <20070924162004.GG13510@kroah.com> (raw)
In-Reply-To: <20070924161733.GA13510@kroah.com>
[-- Attachment #1: sigqueue_free-fix-the-race-with-collect_signal.patch --]
[-- Type: text/plain, Size: 2642 bytes --]
From: Oleg Nesterov <oleg@tv-sign.ru>
commit 60187d2708caa870f0825d753df1612ea688eb9e in mainline.
Spotted by taoyue <yue.tao@windriver.com> and Jeremy Katz <jeremy.katz@windriver.com>.
collect_signal: sigqueue_free:
list_del_init(&first->list);
if (!list_empty(&q->list)) {
// not taken
}
q->flags &= ~SIGQUEUE_PREALLOC;
__sigqueue_free(first); __sigqueue_free(q);
Now, __sigqueue_free() is called twice on the same "struct sigqueue" with the
obviously bad implications.
In particular, this double free breaks the array_cache->avail logic, so the
same sigqueue could be "allocated" twice, and the bug can manifest itself via
the "impossible" BUG_ON(!SIGQUEUE_PREALLOC) in sigqueue_free/send_sigqueue.
Hopefully this can explain these mysterious bug-reports, see
http://marc.info/?t=118766926500003
http://marc.info/?t=118466273000005
Alexey Dobriyan reports this patch makes the difference for the testcase, but
nobody has an access to the application which opened the problems originally.
Also, this patch removes tasklist lock/unlock, ->siglock is enough.
Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
Cc: taoyue <yue.tao@windriver.com>
Cc: Jeremy Katz <jeremy.katz@windriver.com>
Cc: Sukadev Bhattiprolu <sukadev@us.ibm.com>
Cc: Alexey Dobriyan <adobriyan@sw.ru>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Roland McGrath <roland@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
kernel/signal.c | 19 +++++++++----------
1 file changed, 9 insertions(+), 10 deletions(-)
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -1259,20 +1259,19 @@ struct sigqueue *sigqueue_alloc(void)
void sigqueue_free(struct sigqueue *q)
{
unsigned long flags;
+ spinlock_t *lock = ¤t->sighand->siglock;
+
BUG_ON(!(q->flags & SIGQUEUE_PREALLOC));
/*
* If the signal is still pending remove it from the
- * pending queue.
+ * pending queue. We must hold ->siglock while testing
+ * q->list to serialize with collect_signal().
*/
- if (unlikely(!list_empty(&q->list))) {
- spinlock_t *lock = ¤t->sighand->siglock;
- read_lock(&tasklist_lock);
- spin_lock_irqsave(lock, flags);
- if (!list_empty(&q->list))
- list_del_init(&q->list);
- spin_unlock_irqrestore(lock, flags);
- read_unlock(&tasklist_lock);
- }
+ spin_lock_irqsave(lock, flags);
+ if (!list_empty(&q->list))
+ list_del_init(&q->list);
+ spin_unlock_irqrestore(lock, flags);
+
q->flags &= ~SIGQUEUE_PREALLOC;
__sigqueue_free(q);
}
--
next prev parent reply other threads:[~2007-09-24 16:27 UTC|newest]
Thread overview: 59+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20070924161246.983665021@mini.kroah.org>
2007-09-24 16:17 ` [00/50] 2.6.22-stable review Greg KH
2007-09-24 16:19 ` [01/50] V4L: ivtv: fix VIDIOC_S_FBUF: new OSD values were never set Greg KH
2007-09-24 16:19 ` [02/50] DVB: get_dvb_firmware: update script for new location of sp8870 firmware Greg KH
2007-09-24 16:19 ` [03/50] DVB: get_dvb_firmware: update script for new location of tda10046 firmware Greg KH
2007-09-24 16:19 ` [04/50] DVB: b2c2-flexcop: fix Airstar HD5000 tuning regression Greg KH
2007-09-24 16:20 ` [05/50] setpgid(child) fails if the child was forked by sub-thread Greg KH
2007-09-24 16:20 ` Greg KH [this message]
2007-09-24 16:20 ` [07/50] kconfig: oldconfig shall not set symbols if it does not need to Greg KH
2007-09-24 16:20 ` [08/50] MTD: Makefile fix for mtdsuper Greg KH
2007-09-24 16:20 ` [09/50] USB: fix linked list insertion bugfix for usb core Greg KH
2007-09-24 16:20 ` [10/50] ACPI: Validate XSDT, use RSDT if XSDT fails Greg KH
2007-09-24 16:20 ` [11/50] POWERPC: Flush registers to proper task context Greg KH
2007-09-24 16:20 ` [12/50] 3w-9xxx: Fix dma mask setting Greg KH
2007-09-24 16:20 ` [13/50] MTD: Initialise s_flags in get_sb_mtd_aux() Greg KH
2007-09-24 16:20 ` [14/50] JFFS2: fix write deadlock regression Greg KH
2007-09-24 16:20 ` [15/50] V4L: cx88: Avoid a NULL pointer dereference during mpeg_open() Greg KH
2007-09-24 16:20 ` [16/50] hwmon: End of I/O region off-by-one Greg KH
2007-09-24 16:20 ` [17/50] Fix debug regression in video/pwc Greg KH
2007-09-24 16:20 ` [18/50] splice: fix direct splice error handling Greg KH
2007-09-24 16:21 ` [19/50] rpc: fix garbage in printk in svc_tcp_accept() Greg KH
2007-09-24 16:21 ` [20/50] disable sys_timerfd() Greg KH
2007-09-24 16:21 ` [21/50] afs: mntput called before dput Greg KH
2007-09-24 16:21 ` [22/50] Fix DAC960 driver on machines which dont support 64-bit DMA Greg KH
2007-09-24 16:21 ` [23/50] Fix "Fix DAC960 driver on machines which dont support 64-bit DMA" Greg KH
2007-09-24 16:21 ` [24/50] firewire: fw-ohci: ignore failure of pci_set_power_state (fix suspend regression) Greg KH
2007-09-24 16:21 ` [25/50] futex_compat: fix list traversal bugs Greg KH
2007-09-24 16:21 ` [26/50] Leases can be hidden by flocks Greg KH
2007-09-24 16:21 ` [27/50] ext34: ensure do_split leaves enough free space in both blocks Greg KH
2007-09-24 16:21 ` [28/50] nfs: fix oops re sysctls and V4 support Greg KH
2007-09-24 16:21 ` [29/50] dir_index: error out instead of BUG on corrupt dx dirs Greg KH
2007-09-24 16:21 ` [30/50] ieee1394: ohci1394: fix initialization if built non-modular Greg KH
2007-09-24 16:21 ` [31/50] Correctly close old nfsd/lockd sockets Greg KH
2007-09-24 16:21 ` [32/50] Fix race with shared tag queue maps Greg KH
2007-09-24 16:21 ` [33/50] crypto: blkcipher_get_spot() handling of buffer at end of page Greg KH
2007-09-24 16:21 ` [34/50] fix realtek phy id in forcedeth Greg KH
2007-09-24 16:21 ` [35/50] Fix decnet device address listing Greg KH
2007-09-24 16:22 ` [36/50] Fix device address listing for ipv4 Greg KH
2007-09-24 16:22 ` [37/50] Fix inet_diag OOPS Greg KH
2007-09-24 22:03 ` Dan Merillat
2007-09-25 4:03 ` Patrick McHardy
2007-09-24 16:22 ` [38/50] Fix IPV6 append OOPS Greg KH
2007-09-24 16:22 ` [39/50] Fix IPSEC AH4 options handling Greg KH
2007-09-24 16:22 ` [40/50] Fix ipv6 double-sock-release with MSG_CONFIRM Greg KH
2007-09-24 16:22 ` [41/50] : Fix IPV6 DAD handling Greg KH
2007-09-24 16:22 ` [42/50] Fix ipv6 source address handling Greg KH
2007-09-24 22:05 ` roel
2007-09-24 16:22 ` [43/50] Fix oops in vlan and bridging code Greg KH
2007-09-24 16:22 ` [44/50] Fix tc_ematch kbuild Greg KH
2007-09-24 16:22 ` [45/50] Handle snd_una in tcp_cwnd_down() Greg KH
2007-09-24 16:22 ` [46/50] Fix TCP DSACK cwnd handling Greg KH
2007-09-24 16:22 ` [47/50] Fix datagram recvmsg NULL iov handling regression Greg KH
2007-09-24 16:22 ` [48/50] Fix pktgen src_mac handling Greg KH
2007-09-24 16:22 ` [49/50] Fix sparc64 v100 platform booting Greg KH
2007-09-24 16:22 ` [50/50] bcm43xx: Fix cancellation of work queue crashes Greg KH
2007-09-24 16:31 ` [00/50] 2.6.22-stable review Greg KH
2007-09-24 16:44 ` Chris Wedgwood
2007-09-24 16:46 ` Chris Wedgwood
2007-09-24 17:14 ` Greg KH
2007-09-24 17:13 ` Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20070924162004.GG13510@kroah.com \
--to=gregkh@suse.de \
--cc=adobriyan@sw.ru \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=cavokz@gmail.com \
--cc=cebbert@redhat.com \
--cc=chuckw@quantumlinux.com \
--cc=davej@redhat.com \
--cc=jeremy.katz@windriver.com \
--cc=jmforbes@linuxtx.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@elte.hu \
--cc=mkrufky@linuxtv.org \
--cc=oleg@tv-sign.ru \
--cc=rdunlap@xenotime.net \
--cc=reviews@ml.cw.f00f.org \
--cc=roland@redhat.com \
--cc=stable@kernel.org \
--cc=sukadev@us.ibm.com \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=tytso@mit.edu \
--cc=yue.tao@windriver.com \
--cc=zwane@arm.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox