• Oleg Nesterov's avatar
    [PATCH] fix de_thread() vs send_group_sigqueue() race · 6b85cfab
    Oleg Nesterov authored
    When non-leader thread does exec, de_thread calls release_task(leader) before
    calling exit_itimers(). If local timer interrupt happens in between, it can
    oops in send_group_sigqueue() while taking ->sighand->siglock == NULL.
    
    However, we can't change send_group_sigqueue() to check p->signal != NULL,
    because sys_timer_create() does get_task_struct() only in SIGEV_THREAD_ID
    case. So it is possible that this task_struct was already freed and we can't
    trust p->signal.
    
    This patch changes de_thread() so that leader released after exit_itimers()
    call.
    Signed-off-by: default avatarOleg Nesterov <oleg@tv-sign.ru>
    Signed-off-by: default avatarChris Wright <chrisw@osdl.org>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
    6b85cfab
exec.c 34.6 KB