From: Oleg Nesterov <[email protected]>
When non-leader thread does exec, de_thread calls release_task(leader) before
calling exit_itimers(). If local timer interrupt happens in between, it can
oops in send_group_sigqueue() while taking ->sighand->siglock == NULL.
However, we can't change send_group_sigqueue() to check p->signal != NULL,
because sys_timer_create() does get_task_struct() only in SIGEV_THREAD_ID
case. So it is possible that this task_struct was already freed and we can't
trust p->signal.
This patch changes de_thread() so that leader released after exit_itimers()
call.
Signed-off-by: Oleg Nesterov <[email protected]>
Signed-off-by: Chris Wright <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
fs/exec.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
--- linux-2.6.14.1.orig/fs/exec.c
+++ linux-2.6.14.1/fs/exec.c
@@ -593,6 +593,7 @@ static inline int de_thread(struct task_
struct signal_struct *sig = tsk->signal;
struct sighand_struct *newsighand, *oldsighand = tsk->sighand;
spinlock_t *lock = &oldsighand->siglock;
+ struct task_struct *leader = NULL;
int count;
/*
@@ -668,7 +669,7 @@ static inline int de_thread(struct task_
* and to assume its PID:
*/
if (!thread_group_leader(current)) {
- struct task_struct *leader = current->group_leader, *parent;
+ struct task_struct *parent;
struct dentry *proc_dentry1, *proc_dentry2;
unsigned long exit_state, ptrace;
@@ -677,6 +678,7 @@ static inline int de_thread(struct task_
* It should already be zombie at this point, most
* of the time.
*/
+ leader = current->group_leader;
while (leader->exit_state != EXIT_ZOMBIE)
yield();
@@ -736,7 +738,6 @@ static inline int de_thread(struct task_
proc_pid_flush(proc_dentry2);
BUG_ON(exit_state != EXIT_ZOMBIE);
- release_task(leader);
}
/*
@@ -746,8 +747,11 @@ static inline int de_thread(struct task_
sig->flags = 0;
no_thread_group:
- BUG_ON(atomic_read(&sig->count) != 1);
exit_itimers(sig);
+ if (leader)
+ release_task(leader);
+
+ BUG_ON(atomic_read(&sig->count) != 1);
if (atomic_read(&oldsighand->count) == 1) {
/*
--
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]
