    posix-timers: fix creation race · d02479bd
    Oleg Nesterov authored
    sys_timer_create() sets ->it_process and unlocks ->siglock, then checks
    tmr->it_sigev_notify to define if get_task_struct() is needed.
    
    We have already passed ->it_id to the caller, so another thread can delete this
    timer and free its memory in between.
    
    As a minimal fix, move this code under ->siglock; sys_timer_delete() takes it
    too before calling release_posix_timer().  A proper serialization would be to
    take ->it_lock, but we add a partly initialized timer on posix_timers_id, which
    is not good.
    Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>