Skip to content

Commit

Permalink
[PATCH] fix de_thread() vs send_group_sigqueue() race
Browse files Browse the repository at this point in the history 
When non-leader thread does exec, de_thread calls release_task(leader) before
calling exit_itimers(). If local timer interrupt happens in between, it can
oops in send_group_sigqueue() while taking ->sighand->siglock == NULL.

However, we can't change send_group_sigqueue() to check p->signal != NULL,
because sys_timer_create() does get_task_struct() only in SIGEV_THREAD_ID
case. So it is possible that this task_struct was already freed and we can't
trust p->signal.

This patch changes de_thread() so that leader released after exit_itimers()
call.

Signed-off-by: Oleg Nesterov <[email protected]>
Acked-by: Chris Wright <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
  • Loading branch information
Oleg Nesterov authored and Linus Torvalds committed Nov 8, 2005
1 parent a52e838 commit 329f7db
Showing 1 changed file with 7 additions and 3 deletions.
10 changes: 7 additions & 3 deletions fs/exec.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -590,6 +590,7 @@ static inline int de_thread(struct task_struct *tsk)
struct signal_struct *sig = tsk->signal;
struct sighand_struct *newsighand, *oldsighand = tsk->sighand;
spinlock_t *lock = &oldsighand->siglock;
struct task_struct *leader = NULL;
int count;

/*
Expand Down Expand Up @@ -665,7 +666,7 @@ static inline int de_thread(struct task_struct *tsk)
* and to assume its PID:
*/
if (!thread_group_leader(current)) {
struct task_struct *leader = current->group_leader, *parent;
struct task_struct *parent;
struct dentry *proc_dentry1, *proc_dentry2;
unsigned long exit_state, ptrace;

Expand All @@ -674,6 +675,7 @@ static inline int de_thread(struct task_struct *tsk)
* It should already be zombie at this point, most
* of the time.
*/
leader = current->group_leader;
while (leader->exit_state != EXIT_ZOMBIE)
yield();

Expand Down Expand Up @@ -733,7 +735,6 @@ static inline int de_thread(struct task_struct *tsk)
proc_pid_flush(proc_dentry2);

BUG_ON(exit_state != EXIT_ZOMBIE);
release_task(leader);
}

/*
Expand All @@ -743,8 +744,11 @@ static inline int de_thread(struct task_struct *tsk)
sig->flags = 0;

no_thread_group:
BUG_ON(atomic_read(&sig->count) != 1);
exit_itimers(sig);
if (leader)
release_task(leader);

BUG_ON(atomic_read(&sig->count) != 1);

if (atomic_read(&oldsighand->count) == 1) {
/*
Expand Down

0 comments on commit 329f7db

Please sign in to comment.