From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754541Ab2BVRlq (ORCPT ); Wed, 22 Feb 2012 12:41:46 -0500 Received: from mx1.redhat.com ([209.132.183.28]:44409 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754262Ab2BVRlj (ORCPT ); Wed, 22 Feb 2012 12:41:39 -0500 Date: Wed, 22 Feb 2012 18:34:42 +0100 From: Oleg Nesterov To: Andrew Morton , Davide Libenzi , Eric Dumazet , Greg KH , Jason Baron , Linus Torvalds , Roland McGrath Cc: Eugene Teo , Maxime Bizon , Denys Vlasenko , linux-kernel@vger.kernel.org Subject: [PATCH 3/4] signalfd: signalfd_cleanup() can race with remove_wait_queue() Message-ID: <20120222173442.GC7147@redhat.com> References: <20120222173326.GA7139@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20120222173326.GA7139@redhat.com> User-Agent: Mutt/1.5.18 (2008-05-17) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org signalfd_cleanup() checks waitqueue_active() lockless, this can race with ep_unregister_pollwait(). We can see list_empty() == T before remove_wait_queue() completes and list_empty_careful() can't help. Add spin_unlock_wait() to serialize. Reported-by: Maxime Bizon Cc: Signed-off-by: Oleg Nesterov --- fs/signalfd.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) diff --git a/fs/signalfd.c b/fs/signalfd.c index 838ba21..6e51887 100644 --- a/fs/signalfd.c +++ b/fs/signalfd.c @@ -34,6 +34,10 @@ void signalfd_cleanup(struct sighand_struct *sighand) { wait_queue_head_t *wqh = &sighand->signalfd_wqh; + /* make sure we can't race with remove_wait_queue() in progress */ + spin_unlock_wait(&wqh->lock); + smp_rmb(); + if (likely(!waitqueue_active(wqh))) return; -- 1.5.5.1
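Review bot: In signalfd_cleanup(), spin_unlock_wait(&wqh->lock) runs before the lockless waitqueue_active(wqh) check, so it only covers a remove_wait_queue() that already holds the lock at that moment. A remover that takes wqh->lock after spin_unlock_wait() returns and unlinks its entry before the check still lets the function see an empty list and return while that remover has yet to drop the lock. Consider doing the check first and waiting for the lock on the empty-list path before returning, or taking wqh->lock around the check. The added comment should also say which write the smp_rmb() is ordered against, since no pairing barrier is visible in this hunk.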