From: Oleg Nesterov <oleg@tv-sign.ru>
To: tglx@linutronix.de
Cc: Ingo Molnar <mingo@elte.hu>, Roland McGrath <roland@redhat.com>,
George Anzinger <george@mvista.com>,
linux-kernel@vger.kernel.org,
Steven Rostedt <rostedt@goodmis.org>,
"Paul E. McKenney" <paulmck@us.ibm.com>,
Andrew Morton <akpm@osdl.org>
Subject: [PATCH] fix send_sigqueue() vs thread exit race
Date: Sat, 20 Aug 2005 20:58:32 +0400 [thread overview]
Message-ID: <43076138.C37ED380@tv-sign.ru> (raw)
In-Reply-To: 1124495303.23647.579.camel@tglx.tec.linutronix.de
[PATCH] fix send_sigqueue() vs thread exit race
posix_timer_event() first checks that the thread (SIGEV_THREAD_ID
case) does not have PF_EXITING flag, then it calls send_sigqueue()
which locks task list. But if the thread exits in between the kernel
will oops (->sighand == NULL after __exit_sighand).
This patch moves the PF_EXITING check into the send_sigqueue(), it
must be done atomically under tasklist_lock. When send_sigqueue()
detects exiting thread it returns -1. In that case posix_timer_event
will send the signal to thread group.
Also, this patch fixes task_struct use-after-free in posix_timer_event.
Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
--- 2.6.13-rc6/kernel/signal.c~ 2005-08-18 23:10:28.000000000 +0400
+++ 2.6.13-rc6/kernel/signal.c 2005-08-20 23:05:21.000000000 +0400
@@ -1366,16 +1366,16 @@ send_sigqueue(int sig, struct sigqueue *
unsigned long flags;
int ret = 0;
- /*
- * We need the tasklist lock even for the specific
- * thread case (when we don't need to follow the group
- * lists) in order to avoid races with "p->sighand"
- * going away or changing from under us.
- */
BUG_ON(!(q->flags & SIGQUEUE_PREALLOC));
- read_lock(&tasklist_lock);
+ read_lock(&tasklist_lock);
+
+ if (unlikely(p->flags & PF_EXITING)) {
+ ret = -1;
+ goto out_err;
+ }
+
spin_lock_irqsave(&p->sighand->siglock, flags);
-
+
if (unlikely(!list_empty(&q->list))) {
/*
* If an SI_TIMER entry is already queue just increment
@@ -1385,7 +1385,7 @@ send_sigqueue(int sig, struct sigqueue *
BUG();
q->info.si_overrun++;
goto out;
- }
+ }
/* Short-circuit ignored signals. */
if (sig_ignored(p, sig)) {
ret = 1;
@@ -1400,8 +1400,10 @@ send_sigqueue(int sig, struct sigqueue *
out:
spin_unlock_irqrestore(&p->sighand->siglock, flags);
+out_err:
read_unlock(&tasklist_lock);
- return(ret);
+
+ return ret;
}
int
--- 2.6.13-rc6/kernel/posix-timers.c~ 2005-08-18 21:37:08.000000000 +0400
+++ 2.6.13-rc6/kernel/posix-timers.c 2005-08-20 23:21:23.000000000 +0400
@@ -427,21 +427,23 @@ int posix_timer_event(struct k_itimer *t
timr->sigq->info.si_code = SI_TIMER;
timr->sigq->info.si_tid = timr->it_id;
timr->sigq->info.si_value = timr->it_sigev_value;
+
if (timr->it_sigev_notify & SIGEV_THREAD_ID) {
- if (unlikely(timr->it_process->flags & PF_EXITING)) {
- timr->it_sigev_notify = SIGEV_SIGNAL;
- put_task_struct(timr->it_process);
- timr->it_process = timr->it_process->group_leader;
- goto group;
- }
- return send_sigqueue(timr->it_sigev_signo, timr->sigq,
- timr->it_process);
- }
- else {
- group:
- return send_group_sigqueue(timr->it_sigev_signo, timr->sigq,
- timr->it_process);
+ struct task_struct *leader;
+ int ret = send_sigqueue(timr->it_sigev_signo, timr->sigq,
+ timr->it_process);
+
+ if (likely(ret >= 0))
+ return ret;
+
+ timr->it_sigev_notify = SIGEV_SIGNAL;
+ leader = timr->it_process->group_leader;
+ put_task_struct(timr->it_process);
+ timr->it_process = leader;
}
+
+ return send_group_sigqueue(timr->it_sigev_signo, timr->sigq,
+ timr->it_process);
}
EXPORT_SYMBOL_GPL(posix_timer_event);
next prev parent reply other threads:[~2005-08-20 16:47 UTC|newest]
Thread overview: 63+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-08-18 6:01 2.6.13-rc6-rt9 Ingo Molnar
2005-08-18 15:24 ` 2.6.13-rc6-rt9 Thomas Gleixner
2005-08-18 16:08 ` 2.6.13-rc6-rt9 Thomas Gleixner
2005-08-18 21:17 ` 2.6.13-rc6-rt9 Thomas Gleixner
2005-08-18 22:54 ` [2.6.13-rc6-rt9 patch] fix DECNET_ROUTER=y compile Adrian Bunk
2005-08-22 7:59 ` Ingo Molnar
2005-08-18 22:54 ` 2.6.13-rc6-rt9: compile errors Adrian Bunk
2005-08-22 8:44 ` Ingo Molnar
2005-08-19 0:05 ` 2.6.13-rc6-rt9 Chuck Harding
2005-08-19 6:39 ` 2.6.13-rc6-rt9 Steven Rostedt
2005-08-19 13:00 ` 2.6.13-rc6-rt9 Steven Rostedt
2005-08-19 15:36 ` 2.6.13-rc6-rt9 Steven Rostedt
2005-08-22 7:57 ` 2.6.13-rc6-rt9 Ingo Molnar
2005-08-22 7:58 ` 2.6.13-rc6-rt9 Ingo Molnar
2005-08-23 12:36 ` 2.6.13-rc6-rt9 Ingo Molnar
2005-08-23 12:50 ` 2.6.13-rc6-rt9 Steven Rostedt
2005-08-23 12:56 ` 2.6.13-rc6-rt9 Ingo Molnar
2005-08-19 16:56 ` 2.6.13-rc6-rt9 Peter Zijlstra
2005-08-19 18:30 ` 2.6.13-rc6-rt9 Peter Zijlstra
2005-08-19 18:43 ` 2.6.13-rc6-rt9 Paul E. McKenney
2005-08-20 19:27 ` 2.6.13-rc6-rt9 Peter Zijlstra
2005-08-20 21:24 ` 2.6.13-rc6-rt9 Jeff Dike
2005-09-29 7:54 ` 2.6.13-rc6-rt9 Peter Zijlstra
2005-09-30 1:00 ` 2.6.13-rc6-rt9 Paul E. McKenney
2005-09-30 1:07 ` 2.6.13-rc6-rt9 Thomas Gleixner
2005-09-30 1:46 ` 2.6.13-rc6-rt9 Paul E. McKenney
2005-09-30 6:17 ` 2.6.13-rc6-rt9 Thomas Gleixner
2005-08-19 21:50 ` 2.6.13-rc6-rt9 Darren Hart
2005-08-25 6:24 ` 2.6.13-rc6-rt9 Ingo Molnar
2005-08-19 22:13 ` 2.6.13-rc6-rt9 Darren Hart
2005-08-19 23:00 ` 2.6.13-rc6-rt9 Thomas Gleixner
2005-08-20 15:13 ` 2.6.13-rc6-rt9 Darren Hart
2005-08-19 23:48 ` [PATCH 2.6.13-rc6-rt9] PI aware dynamic priority adjustment Thomas Gleixner
2005-08-20 0:19 ` George Anzinger
2005-08-20 0:36 ` Thomas Gleixner
2005-08-20 1:36 ` George Anzinger
2005-09-26 21:03 ` Roland McGrath
2005-08-20 14:10 ` Oleg Nesterov
2005-08-20 16:04 ` Thomas Gleixner
2005-08-20 17:50 ` Oleg Nesterov
2005-08-22 21:37 ` George Anzinger
2005-08-20 16:58 ` Oleg Nesterov [this message]
2005-08-21 9:44 ` [PATCH] fix send_sigqueue() vs thread exit race Thomas Gleixner
2005-08-21 10:41 ` Oleg Nesterov
2005-08-21 12:38 ` Thomas Gleixner
2005-08-21 10:59 ` Oleg Nesterov
2005-08-21 21:24 ` Thomas Gleixner
2005-08-21 21:50 ` Thomas Gleixner
2005-08-22 6:39 ` Oleg Nesterov
2005-08-22 8:08 ` Thomas Gleixner
2005-08-22 8:52 ` Oleg Nesterov
2005-08-22 10:06 ` Thomas Gleixner
2005-08-22 16:45 ` Oleg Nesterov
2005-08-23 10:13 ` Thomas Gleixner
2005-08-23 16:17 ` Oleg Nesterov
2005-08-23 18:29 ` Thomas Gleixner
2005-09-24 13:42 ` [PATCH] fix exit_itimers() vs posix_timer_event() AB-BA deadlock Oleg Nesterov
2005-09-25 5:44 ` Andrew Morton
2005-09-25 14:07 ` [PATCH] fix exit_itimers() vs posix_timer_event() AB-BAdeadlock Oleg Nesterov
2005-10-23 16:50 ` Oleg Nesterov
2005-08-23 10:42 ` [PATCH] fix send_sigqueue() vs thread exit race Thomas Gleixner
2005-08-22 7:38 ` [PATCH 2.6.13-rc6-rt9] PI aware dynamic priority adjustment Ingo Molnar
2005-08-22 7:41 ` Ingo Molnar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=43076138.C37ED380@tv-sign.ru \
--to=oleg@tv-sign.ru \
--cc=akpm@osdl.org \
--cc=george@mvista.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@elte.hu \
--cc=paulmck@us.ibm.com \
--cc=roland@redhat.com \
--cc=rostedt@goodmis.org \
--cc=tglx@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox