2008-02-23 17:13:52

by Oleg Nesterov

Subject: Re: + redo-locking-of-tty-pgrp.patch added to -mm tree

On 02/22, Andrew Morton wrote:
>
> Subject: redo locking of tty->pgrp
> From: Alan Cox <[email protected]>
>
> Historically tty->pgrp and friends were pid_t and the code "knew" they were
> safe. The change to pid structs opened up a few races and the removal of the
> BKL in places made them quite hittable. We put tty->pgrp under the ctrl_lock
> for the tty.

tiocgpgrp() still does pid_vnr(real_tty->pgrp) lockless, this is not safe, no?
(the same for do_task_stat).

It can race with tiocspgrp()->put_pid(real_tty->pgrp) which can actually free
that pid. If this memory is reused, pid_nr_ns() can (in theory) crash.

Oleg.


2008-02-29 17:42:46

by Alan Cox

Subject: Re: + redo-locking-of-tty-pgrp.patch added to -mm tree

On Sat, Feb 23, 2008 at 08:17:46PM +0300, Oleg Nesterov wrote:
> tiocgpgrp() still does pid_vnr(real_tty->pgrp) lockless, this is not safe, no?
> (the same for do_task_stat).

Fixed both in my tree
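The race Oleg points out, and the reference-under-the-lock pattern that closes it, as an added single-threaded model (not kernel code and not Alan's fix). Every name prefixed `model_` is a hypothetical stand-in for the kernel's `struct pid`, `struct tty_struct`, `get_pid()`/`put_pid()`, `ctrl_lock` and `pid_vnr()`; the two interleavings are replayed step by step so the use-after-free and its absence are observable without threads.

```c
/* Added example, not kernel code: a single-threaded model of the tty->pgrp
 * race, interleaving a lockless tiocgpgrp()-style read with a
 * tiocspgrp()-style update that drops the old pid's last reference. Names
 * prefixed model_ are hypothetical stand-ins for the kernel objects. */
#include <stddef.h>

struct model_pid {
    int nr;     /* pid number that pid_vnr() would report */
    int count;  /* reference count */
    int freed;  /* model-only: set when count hits zero instead of really freeing */
};

struct model_lock { int held; };   /* model-only stand-in for the tty ctrl_lock */

struct model_tty {
    struct model_lock ctrl_lock;
    struct model_pid *pgrp;
};

static void model_lock(struct model_lock *l)   { l->held = 1; }
static void model_unlock(struct model_lock *l) { l->held = 0; }

static struct model_pid *model_get_pid(struct model_pid *pid) {
    if (pid) pid->count++;
    return pid;
}

static void model_put_pid(struct model_pid *pid) {
    if (pid && --pid->count == 0)
        pid->freed = 1;   /* the kernel would return the memory to the allocator here */
}

/* tiocspgrp(): swap in the new pgrp under ctrl_lock, then drop the old reference. */
static void model_tiocspgrp(struct model_tty *tty, struct model_pid *newpgrp) {
    struct model_pid *old;
    model_lock(&tty->ctrl_lock);
    old = tty->pgrp;
    tty->pgrp = model_get_pid(newpgrp);
    model_unlock(&tty->ctrl_lock);
    model_put_pid(old);   /* frees the old pid if this was the last reference */
}

/* Racy reader, split into the two steps a CPU performs for
 * pid_vnr(real_tty->pgrp): load the pointer, then dereference it. */
static struct model_pid *unsafe_load_pgrp(struct model_tty *tty) {
    return tty->pgrp;                /* no lock held, no reference taken */
}
static int unsafe_deref(struct model_pid *p, int *touched_freed) {
    *touched_freed = p->freed;       /* model-only detector of a use-after-free */
    return p->nr;
}

/* Safe reader: take a reference under ctrl_lock, use it, then drop it. */
static struct model_pid *safe_pin_pgrp(struct model_tty *tty) {
    struct model_pid *pid;
    model_lock(&tty->ctrl_lock);
    pid = model_get_pid(tty->pgrp);  /* pgrp cannot be freed while we hold a reference */
    model_unlock(&tty->ctrl_lock);
    return pid;
}
static int safe_finish(struct model_pid *pid) {
    int nr = pid ? pid->nr : 0;      /* stands in for pid_vnr(pid) */
    model_put_pid(pid);
    return nr;
}

/* Interleaving 1: reader loads the pointer, tiocspgrp() runs and frees the old
 * pid, reader then dereferences a dead pointer. Returns 1 when that happened. */
static int scenario_unsafe(void) {
    struct model_pid a = {100, 1, 0}, b = {200, 1, 0};   /* constructed sample pids */
    struct model_tty tty = {{0}, &a};                     /* tty holds a's only reference */
    int touched_freed;
    struct model_pid *p = unsafe_load_pgrp(&tty);
    model_tiocspgrp(&tty, &b);       /* a.count -> 0: a is now "freed" */
    unsafe_deref(p, &touched_freed);
    return touched_freed;
}

struct safe_result { int nr; int freed_during_read; int freed_after_put; };

/* Interleaving 2: same timing, but the reader pinned the pid first, so the
 * writer's put_pid() only drops one of two references. */
static struct safe_result scenario_safe(void) {
    struct model_pid a = {100, 1, 0}, b = {200, 1, 0};
    struct model_tty tty = {{0}, &a};
    struct safe_result r;
    struct model_pid *p = safe_pin_pgrp(&tty);   /* a.count == 2 */
    model_tiocspgrp(&tty, &b);                   /* a.count == 1, still alive */
    r.freed_during_read = a.freed;
    r.nr = safe_finish(p);                       /* reads 100, then a.count -> 0 */
    r.freed_after_put = a.freed;
    return r;
}
```

The point of the split reader is that the unsafe version's window is the gap between loading `pgrp` and dereferencing it; the lock alone does not close it unless the reader also holds a reference across the use, which is why the safe reader pairs `ctrl_lock` with `get_pid()`/`put_pid()` rather than reading the pointer under the lock and then using it after unlocking.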