When non-leader thread does exec, de_thread calls release_task(leader) before
calling exit_itimers(). If local timer interrupt happens in between, it can
oops in send_group_sigqueue() while taking ->sighand->siglock == NULL.
However, we can't change send_group_sigqueue() to check p->signal != NULL,
because sys_timer_create() does get_task_struct() only in SIGEV_THREAD_ID
case. So it is possible that this task_struct was already freed and we can't
trust p->signal.
This patch changes de_thread() so that leader released after exit_itimers()
call.
Signed-off-by: Oleg Nesterov <[email protected]>
--- 2.6.14/fs/exec.c~ 2005-09-21 21:08:33.000000000 +0400
+++ 2.6.14/fs/exec.c 2005-11-07 23:54:42.000000000 +0300
@@ -593,6 +593,7 @@ static inline int de_thread(struct task_
struct signal_struct *sig = tsk->signal;
struct sighand_struct *newsighand, *oldsighand = tsk->sighand;
spinlock_t *lock = &oldsighand->siglock;
+ struct task_struct *leader = NULL;
int count;
/*
@@ -668,7 +669,7 @@ static inline int de_thread(struct task_
* and to assume its PID:
*/
if (!thread_group_leader(current)) {
- struct task_struct *leader = current->group_leader, *parent;
+ struct task_struct *parent;
struct dentry *proc_dentry1, *proc_dentry2;
unsigned long exit_state, ptrace;
@@ -677,6 +678,7 @@ static inline int de_thread(struct task_
* It should already be zombie at this point, most
* of the time.
*/
+ leader = current->group_leader;
while (leader->exit_state != EXIT_ZOMBIE)
yield();
@@ -736,7 +738,6 @@ static inline int de_thread(struct task_
proc_pid_flush(proc_dentry2);
BUG_ON(exit_state != EXIT_ZOMBIE);
- release_task(leader);
}
/*
@@ -746,8 +747,11 @@ static inline int de_thread(struct task_
sig->flags = 0;
no_thread_group:
- BUG_ON(atomic_read(&sig->count) != 1);
exit_itimers(sig);
+ if (leader)
+ release_task(leader);
+
+ BUG_ON(atomic_read(&sig->count) != 1);
if (atomic_read(&oldsighand->count) == 1) {
/*
* Oleg Nesterov ([email protected]) wrote:
> When non-leader thread does exec, de_thread calls release_task(leader) before
> calling exit_itimers(). If local timer interrupt happens in between, it can
> oops in send_group_sigqueue() while taking ->sighand->siglock == NULL.
>
> However, we can't change send_group_sigqueue() to check p->signal != NULL,
> because sys_timer_create() does get_task_struct() only in SIGEV_THREAD_ID
> case. So it is possible that this task_struct was already freed and we can't
> trust p->signal.
>
> This patch changes de_thread() so that leader released after exit_itimers()
> call.
Nice catch. As soon as Linus picks it up we'll put it in -stable as
well.
> Signed-off-by: Oleg Nesterov <[email protected]>
Acked-by: Chris Wright <[email protected]>
> --- 2.6.14/fs/exec.c~ 2005-09-21 21:08:33.000000000 +0400
> +++ 2.6.14/fs/exec.c 2005-11-07 23:54:42.000000000 +0300
> @@ -593,6 +593,7 @@ static inline int de_thread(struct task_
> struct signal_struct *sig = tsk->signal;
> struct sighand_struct *newsighand, *oldsighand = tsk->sighand;
> spinlock_t *lock = &oldsighand->siglock;
> + struct task_struct *leader = NULL;
> int count;
>
> /*
> @@ -668,7 +669,7 @@ static inline int de_thread(struct task_
> * and to assume its PID:
> */
> if (!thread_group_leader(current)) {
> - struct task_struct *leader = current->group_leader, *parent;
> + struct task_struct *parent;
> struct dentry *proc_dentry1, *proc_dentry2;
> unsigned long exit_state, ptrace;
>
> @@ -677,6 +678,7 @@ static inline int de_thread(struct task_
> * It should already be zombie at this point, most
> * of the time.
> */
> + leader = current->group_leader;
> while (leader->exit_state != EXIT_ZOMBIE)
> yield();
>
> @@ -736,7 +738,6 @@ static inline int de_thread(struct task_
> proc_pid_flush(proc_dentry2);
>
> BUG_ON(exit_state != EXIT_ZOMBIE);
> - release_task(leader);
> }
>
> /*
> @@ -746,8 +747,11 @@ static inline int de_thread(struct task_
> sig->flags = 0;
>
> no_thread_group:
> - BUG_ON(atomic_read(&sig->count) != 1);
> exit_itimers(sig);
> + if (leader)
> + release_task(leader);
> +
> + BUG_ON(atomic_read(&sig->count) != 1);
>
> if (atomic_read(&oldsighand->count) == 1) {
> /*
On Tue, 8 Nov 2005, Chris Wright wrote:
> * Oleg Nesterov ([email protected]) wrote:
> > When non-leader thread does exec, de_thread calls release_task(leader) before
> > calling exit_itimers(). If local timer interrupt happens in between, it can
> > oops in send_group_sigqueue() while taking ->sighand->siglock == NULL.
> >
> > However, we can't change send_group_sigqueue() to check p->signal != NULL,
> > because sys_timer_create() does get_task_struct() only in SIGEV_THREAD_ID
> > case. So it is possible that this task_struct was already freed and we can't
> > trust p->signal.
> >
> > This patch changes de_thread() so that leader released after exit_itimers()
> > call.
>
> Nice catch. As soon as Linus picks it up we'll put it in -stable as
> well.
Gaah. For some reason I was pretty much the only one not cc'd on the
original patch ;)
Found it on linux-kernel.
Linus