    [PATCH] signal handling race fix · ffe362b0
    Corey Minyard authored
    The problem:
    
      In arch/i386/signal.c, in the do_signal() function, it calls
      get_signal_to_deliver() which returns the signal number to deliver (along
      with siginfo).  get_signal_to_deliver() grabs and releases the lock, so
      the signal handler lock is not held in do_signal().  Then the do_signal()
      calls handle_signal(), which uses the signal number to extract the
      sa_handler, etc.
    
      Since no lock is held, it seems like another thread with the same
      signal handler set can come in and call sigaction(), it can change
      sa_handler between the call to get_signal_to_deliver() and fetching the
      value of sa_handler.  If the sigaction() call set it to SIG_IGN, SIG_DFL,
      or some other fundamental change, then bad things can happen.
    
    The patch:
    
      You have to get the sigaction information that will be delivered while
      holding sighand->siglock in get_signal_to_deliver().
    
      In 2.4, it can be fixed per-arch and requires no change to the
      arch-independent code because the arch fetches the signal with
      dequeue_signal() and does all the checking.
    
    The test app:
    
      The program below has three threads that share signal handlers.  Thread
      1 changes the signal handler for a signal from a handler to SIG_IGN and
      back.  Thread 0 sends signals to thread 3, which just receives them.
      What I believe is happening is that thread 1 changes the signal handler
      in the process of thread 3 receiving the signal, between the time that
      thread 3 fetches the signal info using get_signal_to_deliver() and
      actually delivers the signal with handle_signal().
    
      Although the program is obvously an extreme case, it seems like any
      time you set the handler value of a signal to SIG_IGN or SIG_DFL, you can
      have this happen.  Changing signal attributes might also cause problems,
      although I am not so sure about that.
    
      (akpm: this test app segv'd on SMP within milliseconds for me)
    
    
    #include <signal.h>
    #include <stdio.h>
    #include <sched.h>
    
    char stack1[16384];
    char stack2[16384];
    
    void sighnd(int sig)
    {
    }
    
    int child1(void *data)
    {
    	struct sigaction act;
    
    	sigemptyset(&act.sa_mask);
    	act.sa_flags = 0;
    	for (;;) {
    		act.sa_handler = sighnd;
    		sigaction(45, &act, NULL);
    		act.sa_handler = SIG_IGN;
    		sigaction(45, &act, NULL);
    	}
    }
    
    int child2(void *data)
    {
    	for (;;) {
    		sleep(100);
    	}
    }
    
    int main(int argc, char *argv[])
    {
    	int pid1, pid2;
    
    	signal(45, SIG_IGN);
    	pid2 = clone(child2, stack2 + sizeof(stack2) - 8,
    			CLONE_SIGHAND | CLONE_VM, NULL);
    	pid1 = clone(child1, stack1 + sizeof(stack2) - 8,
    			CLONE_SIGHAND | CLONE_VM, NULL);
    
    	for (;;) {
    		kill(pid2, 45);
    	}
    }
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
signal.h 4.82 KB
#ifndef _LINUX_SIGNAL_H
#define _LINUX_SIGNAL_H

#include <linux/list.h>
#include <linux/spinlock.h>
#include <asm/signal.h>
#include <asm/siginfo.h>

#ifdef __KERNEL__

#define MAX_SIGPENDING	1024

/*
 * Real Time signals may be queued.
 */

/*
 * One queued signal instance (used for real-time signals, which may be
 * queued more than once).  Entries are linked into a sigpending list.
 */
struct sigqueue {
	struct list_head list;		/* link in the owning sigpending list */
	spinlock_t *lock;		/* NOTE(review): presumably the siglock guarding this entry's list — confirm against the allocator/dequeuer */
	int flags;			/* SIGQUEUE_* bits, see below */
	siginfo_t info;			/* siginfo handed to the receiver with the signal */
	struct user_struct *user;	/* NOTE(review): likely the user this queue entry is accounted to — confirm */
};

/* flags values. */
#define SIGQUEUE_PREALLOC	1

/*
 * Set of pending signals: the queued sigqueue entries (list) plus a
 * bitmask of which signal numbers are pending (signal).
 */
struct sigpending {
	struct list_head list;		/* sigqueue entries, linked via sigqueue.list */
	sigset_t signal;		/* one bit per pending signal number */
};

/*
 * Define some primitives to manipulate sigset_t.
 */

#ifndef __HAVE_ARCH_SIG_BITOPS
#include <linux/bitops.h>

/* We don't use <linux/bitops.h> for these because there is no need to
   be atomic.  */
/*
 * Set the bit for signal number _sig (1-based) in *set.
 *
 * Not atomic: the caller supplies whatever locking protects *set.
 * No range check is performed, so _sig must satisfy
 * 1 <= _sig <= _NSIG_WORDS * _NSIG_BPW; anything else writes outside
 * set->sig[].  Validate signal numbers from user space before calling.
 */
static inline void sigaddset(sigset_t *set, int _sig)
{
	unsigned long bitno = _sig - 1;
	unsigned long idx = (_NSIG_WORDS == 1) ? 0 : bitno / _NSIG_BPW;
	unsigned long shift = (_NSIG_WORDS == 1) ? bitno : bitno % _NSIG_BPW;

	set->sig[idx] |= 1UL << shift;
}

/*
 * Clear the bit for signal number _sig (1-based) in *set.
 *
 * Not atomic: the caller supplies whatever locking protects *set.
 * No range check is performed, so _sig must satisfy
 * 1 <= _sig <= _NSIG_WORDS * _NSIG_BPW; anything else writes outside
 * set->sig[].
 */
static inline void sigdelset(sigset_t *set, int _sig)
{
	unsigned long bitno = _sig - 1;
	unsigned long idx = (_NSIG_WORDS == 1) ? 0 : bitno / _NSIG_BPW;
	unsigned long shift = (_NSIG_WORDS == 1) ? bitno : bitno % _NSIG_BPW;

	set->sig[idx] &= ~(1UL << shift);
}

/*
 * Return 1 if signal number _sig (1-based) is a member of *set, else 0.
 *
 * Not atomic; the caller supplies locking.  No range check: _sig must
 * satisfy 1 <= _sig <= _NSIG_WORDS * _NSIG_BPW or the read lands
 * outside set->sig[].
 */
static inline int sigismember(sigset_t *set, int _sig)
{
	unsigned long bitno = _sig - 1;
	unsigned long idx = (_NSIG_WORDS == 1) ? 0 : bitno / _NSIG_BPW;
	unsigned long shift = (_NSIG_WORDS == 1) ? bitno : bitno % _NSIG_BPW;

	return (int)((set->sig[idx] >> shift) & 1UL);
}

/*
 * Return the position of the lowest set bit in word, found by asking
 * ffz() for the first zero bit of its complement.
 *
 * NOTE(review): for word == 0 the complement is all ones, so the result
 * depends on what the arch ffz() does with that input — callers should
 * only pass a word they know to be non-zero.
 */
static inline int sigfindinword(unsigned long word)
{
	unsigned long complement = ~word;

	return ffz(complement);
}

#endif /* __HAVE_ARCH_SIG_BITOPS */

#define sigmask(sig)	(1UL << ((sig) - 1))

#ifndef __HAVE_ARCH_SIG_SETOPS
#include <linux/string.h>

/*
 * Generate "static inline void name(r, a, b)" which computes r = a op b
 * word by word.  Only 1-, 2- and 4-word sigset_t layouts are handled:
 * the switch deliberately falls through from the high words down to
 * word 0.  Any other _NSIG_WORDS value reaches the default and calls a
 * function that is declared but never defined, so an unsupported layout
 * is caught at build time rather than silently operating on a mis-sized
 * set.  Not atomic; the caller supplies any locking.
 */
#define _SIG_SET_BINOP(name, op)					\
static inline void name(sigset_t *r, const sigset_t *a, const sigset_t *b) \
{									\
	extern void _NSIG_WORDS_is_unsupported_size(void);		\
	unsigned long a0, a1, a2, a3, b0, b1, b2, b3;			\
									\
	switch (_NSIG_WORDS) {						\
	    case 4:							\
		a3 = a->sig[3]; a2 = a->sig[2];				\
		b3 = b->sig[3]; b2 = b->sig[2];				\
		r->sig[3] = op(a3, b3);					\
		r->sig[2] = op(a2, b2);					\
		/* fall through: words 1 and 0 still to do */		\
	    case 2:							\
		a1 = a->sig[1]; b1 = b->sig[1];				\
		r->sig[1] = op(a1, b1);					\
		/* fall through: word 0 still to do */			\
	    case 1:							\
		a0 = a->sig[0]; b0 = b->sig[0];				\
		r->sig[0] = op(a0, b0);					\
		break;							\
	    default:							\
		_NSIG_WORDS_is_unsupported_size();			\
	}								\
}

/* sigorsets(r, a, b): r = a | b (union). */
#define _sig_or(x,y)	((x) | (y))
_SIG_SET_BINOP(sigorsets, _sig_or)

/* sigandsets(r, a, b): r = a & b (intersection). */
#define _sig_and(x,y)	((x) & (y))
_SIG_SET_BINOP(sigandsets, _sig_and)

/* signandsets(r, a, b): r = a & ~b (a minus b). */
#define _sig_nand(x,y)	((x) & ~(y))
_SIG_SET_BINOP(signandsets, _sig_nand)

/* The generator and its helpers are private to this header. */
#undef _SIG_SET_BINOP
#undef _sig_or
#undef _sig_and
#undef _sig_nand

/*
 * Generate "static inline void name(set)" which applies the unary op to
 * every word of *set in place.  Same layout rules as _SIG_SET_BINOP:
 * 1, 2 or 4 words, falling through from the high words to word 0, with
 * an undefined-function call in the default case so an unsupported
 * _NSIG_WORDS fails the build.  Not atomic.
 */
#define _SIG_SET_OP(name, op)						\
static inline void name(sigset_t *set)					\
{									\
	extern void _NSIG_WORDS_is_unsupported_size(void);		\
									\
	switch (_NSIG_WORDS) {						\
	    case 4: set->sig[3] = op(set->sig[3]);			\
		    set->sig[2] = op(set->sig[2]);			\
		    /* fall through */					\
	    case 2: set->sig[1] = op(set->sig[1]);			\
		    /* fall through */					\
	    case 1: set->sig[0] = op(set->sig[0]);			\
		    break;						\
	    default:							\
		_NSIG_WORDS_is_unsupported_size();			\
	}								\
}

/* signotset(set): complement every bit of *set in place. */
#define _sig_not(x)	(~(x))
_SIG_SET_OP(signotset, _sig_not)

#undef _SIG_SET_OP
#undef _sig_not

/*
 * Clear every signal bit in *set.  The 1- and 2-word layouts are written
 * out explicitly; any other layout is zeroed with memset().
 */
static inline void sigemptyset(sigset_t *set)
{
	if (_NSIG_WORDS == 1) {
		set->sig[0] = 0;
	} else if (_NSIG_WORDS == 2) {
		set->sig[1] = 0;
		set->sig[0] = 0;
	} else {
		memset(set, 0, sizeof(sigset_t));
	}
}

/*
 * Set every signal bit in *set.  The 1- and 2-word layouts assign -1
 * (all ones as an unsigned word) explicitly; any other layout is
 * filled with memset().
 */
static inline void sigfillset(sigset_t *set)
{
	if (_NSIG_WORDS == 1) {
		set->sig[0] = -1;
	} else if (_NSIG_WORDS == 2) {
		set->sig[1] = -1;
		set->sig[0] = -1;
	} else {
		memset(set, -1, sizeof(sigset_t));
	}
}

/* Some extensions for manipulating the low 32 signals in particular.  */

/*
 * OR mask into word 0 of *set, i.e. signals 1.._NSIG_BPW only.
 * Not atomic; the caller supplies locking.
 */
static inline void sigaddsetmask(sigset_t *set, unsigned long mask)
{
	unsigned long word0 = set->sig[0];

	set->sig[0] = word0 | mask;
}

/*
 * Clear the bits of mask from word 0 of *set, i.e. signals
 * 1.._NSIG_BPW only.  Not atomic; the caller supplies locking.
 */
static inline void sigdelsetmask(sigset_t *set, unsigned long mask)
{
	unsigned long keep = ~mask;

	set->sig[0] = set->sig[0] & keep;
}

/*
 * Return 1 if any bit of mask is set in word 0 of *set (signals
 * 1.._NSIG_BPW), else 0.
 */
static inline int sigtestsetmask(sigset_t *set, unsigned long mask)
{
	unsigned long hit = set->sig[0] & mask;

	return !!hit;
}

/*
 * Initialise *set so that word 0 is exactly mask and every higher word
 * is zero.  A 2-word layout clears word 1 directly; larger layouts use
 * memset() on words 1.._NSIG_WORDS-1.
 */
static inline void siginitset(sigset_t *set, unsigned long mask)
{
	set->sig[0] = mask;
	if (_NSIG_WORDS == 2)
		set->sig[1] = 0;
	else if (_NSIG_WORDS != 1)
		memset(&set->sig[1], 0, sizeof(long) * (_NSIG_WORDS - 1));
}

/*
 * Initialise *set so that word 0 is the complement of mask and every
 * higher word is all ones (-1).  A 2-word layout fills word 1 directly;
 * larger layouts use memset() on words 1.._NSIG_WORDS-1.
 */
static inline void siginitsetinv(sigset_t *set, unsigned long mask)
{
	set->sig[0] = ~mask;
	if (_NSIG_WORDS == 2)
		set->sig[1] = -1;
	else if (_NSIG_WORDS != 1)
		memset(&set->sig[1], -1, sizeof(long) * (_NSIG_WORDS - 1));
}

#endif /* __HAVE_ARCH_SIG_SETOPS */

/*
 * Reset a sigpending to the empty state: no queued entries and no
 * pending signal bits.  The two fields are independent, so the order
 * of the two resets does not matter.
 */
static inline void init_sigpending(struct sigpending *sig)
{
	INIT_LIST_HEAD(&sig->list);
	sigemptyset(&sig->signal);
}

/* NOTE(review): presumably delivers sig (with info) to p's whole thread group rather than one task — confirm in kernel/signal.c. */
extern int group_send_sig_info(int sig, struct siginfo *info, struct task_struct *p);
/* Copies pending-signal state out to a user-space buffer of the given size. */
extern long do_sigpending(void __user *, unsigned long);
/* Kernel-side sigprocmask: (how, new set, old set out). */
extern int sigprocmask(int, sigset_t *, sigset_t *);

#ifndef HAVE_ARCH_GET_SIGNAL_TO_DELIVER
struct pt_regs;
/*
 * Dequeue the next signal for the current task and return its number,
 * filling *info.  *return_ka receives a copy of that signal's
 * k_sigaction taken while sighand->siglock was still held.  The arch
 * handle_signal() must act on this copy, not on a fresh read of the
 * shared sighand table: once the lock is dropped, a sibling thread
 * sharing the handlers can call sigaction() (e.g. switching the handler
 * to SIG_IGN or SIG_DFL) between dequeue and delivery, which is the race
 * this snapshot closes.  Arches that define HAVE_ARCH_GET_SIGNAL_TO_DELIVER
 * provide their own equivalent.
 */
extern int get_signal_to_deliver(siginfo_t *info, struct k_sigaction *return_ka, struct pt_regs *regs, void *cookie);
#endif

#endif /* __KERNEL__ */

#endif /* _LINUX_SIGNAL_H */