Re: more signal locking bugs?

[Manfred Spraul <manfred@colorfullife.com>]

Linus Torvalds wrote:

>On Sun, 16 Feb 2003, Manfred Spraul wrote:
>  
>
>>What about this minimal patch? The performance critical operation is 
>>signal delivery - we should fix the synchronization between signal 
>>delivery and exec first.
>>    
>>
>
>Ok, I committed this alternative change, which isn't quite as minimal, but 
>looks a lot cleaner to me.
>
>Also, looking at execve() and other paths, we do seem to have sufficient 
>protection from the tasklist_lock that signal delivery should be fine. So 
>despite a long and confused thread, I think in the end the only real bug 
>was the one Martin found which should be thus fixed..
>  
>
I'm not convinced that exec is correct.
app with two threads, cloned sighand and sig structures.
thread one does exec().
thread two does exit().

Now we can arrive at no_thread_group in de_thread() and 
tsk->sig{,hand}->count == 1.

>no_thread_group:
>
>	write_lock_irq(&tasklist_lock);
>	spin_lock(&oldsighand->siglock);
>	spin_lock(&newsighand->siglock);
>
>	if (current == oldsig->curr_target)
>		oldsig->curr_target = next_thread(current);
>
signal sender: in send_sig_info().
reads tsk->signal. blocks on tsk->sighand->siglock.

>	if (newsig)
>		current->signal = newsig;
>	current->sighand = newsighand;
>	init_sigpending(&current->pending);
>	recalc_sigpending();
>
>	spin_unlock(&newsighand->siglock);
>	spin_unlock(&oldsighand->siglock);
>	write_unlock_irq(&tasklist_lock);
>
>	if (newsig && atomic_dec_and_test(&oldsig->count))
>		kmem_cache_free(signal_cachep, oldsig);
>
>	if (atomic_dec_and_test(&oldsighand->count))
>		kmem_cache_free(sighand_cachep, oldsighand);
>  
>
And now the signal sender continues. BOOM.
sighand structure, sig structure already kfreed, etc.

--
    Manfred