Re: [PATCH] fix de_thread() vs send_group_sigqueue() race

* Oleg Nesterov ([email protected]) wrote:
> When non-leader thread does exec, de_thread calls release_task(leader) before
> calling exit_itimers(). If local timer interrupt happens in between, it can
> oops in send_group_sigqueue() while taking ->sighand->siglock == NULL.
> 
> However, we can't change send_group_sigqueue() to check p->signal != NULL,
> because sys_timer_create() does get_task_struct() only in SIGEV_THREAD_ID
> case. So it is possible that this task_struct was already freed and we can't
> trust p->signal.
> 
> This patch changes de_thread() so that leader released after exit_itimers()
> call.

Nice catch.  As soon as Linus picks it up we'll put it in -stable as
well.

> Signed-off-by: Oleg Nesterov <[email protected]>

Acked-by: Chris Wright <[email protected]>

> --- 2.6.14/fs/exec.c~	2005-09-21 21:08:33.000000000 +0400
> +++ 2.6.14/fs/exec.c	2005-11-07 23:54:42.000000000 +0300
> @@ -593,6 +593,7 @@ static inline int de_thread(struct task_
>  	struct signal_struct *sig = tsk->signal;
>  	struct sighand_struct *newsighand, *oldsighand = tsk->sighand;
>  	spinlock_t *lock = &oldsighand->siglock;
> +	struct task_struct *leader = NULL;
>  	int count;
>  
>  	/*
> @@ -668,7 +669,7 @@ static inline int de_thread(struct task_
>  	 * and to assume its PID:
>  	 */
>  	if (!thread_group_leader(current)) {
> -		struct task_struct *leader = current->group_leader, *parent;
> +		struct task_struct *parent;
>  		struct dentry *proc_dentry1, *proc_dentry2;
>  		unsigned long exit_state, ptrace;
>  
> @@ -677,6 +678,7 @@ static inline int de_thread(struct task_
>  		 * It should already be zombie at this point, most
>  		 * of the time.
>  		 */
> +		leader = current->group_leader;
>  		while (leader->exit_state != EXIT_ZOMBIE)
>  			yield();
>  
> @@ -736,7 +738,6 @@ static inline int de_thread(struct task_
>  		proc_pid_flush(proc_dentry2);
>  
>  		BUG_ON(exit_state != EXIT_ZOMBIE);
> -		release_task(leader);
>          }
>  
>  	/*
> @@ -746,8 +747,11 @@ static inline int de_thread(struct task_
>  	sig->flags = 0;
>  
>  no_thread_group:
> -	BUG_ON(atomic_read(&sig->count) != 1);
>  	exit_itimers(sig);
> +	if (leader)
> +		release_task(leader);
> +
> +	BUG_ON(atomic_read(&sig->count) != 1);
>  
>  	if (atomic_read(&oldsighand->count) == 1) {
>  		/*
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

---

• Follow-Ups:
  • Re: [PATCH] fix de_thread() vs send_group_sigqueue() race
    • From: Linus Torvalds <[email protected]>

• References:
  • [PATCH] Additional/catchup RCU signal fixes for -mm
    • From: "Paul E. McKenney" <[email protected]>
  • Re: [PATCH] Additional/catchup RCU signal fixes for -mm
    • From: Oleg Nesterov <[email protected]>
  • Re: [PATCH] Additional/catchup RCU signal fixes for -mm
    • From: "Paul E. McKenney" <[email protected]>
  • Posix timers vs exec problems
    • From: Oleg Nesterov <[email protected]>
  • [PATCH] fix de_thread() vs send_group_sigqueue() race
    • From: Oleg Nesterov <[email protected]>

• Prev by Date: Re: [PATCH 3/18] allow callers of seq_open do allocation themselves
• Next by Date: Re: [PATCH 7/6] fat: Support a truncate() for expanding size
• Previous by thread: [PATCH] fix de_thread() vs send_group_sigqueue() race
• Next by thread: Re: [PATCH] fix de_thread() vs send_group_sigqueue() race
• Index(es):
  • Date
  • Thread

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]