    uml: fix irqstack crash · 508a9274
    Jeff Dike authored
    This patch fixes a crash caused by an interrupt coming in when an IRQ stack
    is being torn down.  When this happens, handle_signal will loop, setting up
    the IRQ stack again because the tearing down had finished, and handling
    whatever signals had come in.
    
    However, to_irq_stack returns a mask of pending signals to be handled, plus
    bit zero is set if the IRQ stack was already active, and thus shouldn't be
    torn down.  This causes a problem because when handle_signal goes around
    the loop, sig will be zero, and to_irq_stack will duly set bit zero in the
    returned mask, faking handle_signal into believing that it shouldn't tear
    down the IRQ stack and return thread_info pointers back to their original
    values.
    
    This will eventually cause a crash, as the IRQ stack thread_info will
    continue pointing to the original task_struct and an interrupt will look
    into it after it has been freed.
    
    The fix is to stop passing a signal number into to_irq_stack.  Rather, the
    pending signals mask is initialized beforehand with the bit for sig already
    set.  References to sig in to_irq_stack can be replaced with references to
    the mask.
    
    [akpm@linux-foundation.org: use UL]
    Signed-off-by: Jeff Dike <jdike@linux.intel.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
irq.c 13.5 KB
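The failure mode described in the commit message, as an added C model that is not the UML code: to_irq_stack_old derives the caller's bit from sig inside the function, so a second trip round the handle_signal loop with sig == 0 lands on bit zero and is misread as "already nested", while to_irq_stack_new takes a pending mask with that bit preset. The globals on_irq_stack and arrives_during_teardown and the function run_handle_signal are constructed stand-ins for the thread_info bookkeeping and for an interrupt arriving during teardown.

```c
#include <stdbool.h>

/* Constructed model state: on_irq_stack stands in for "thread_info points at
 * the IRQ stack" (real_thread != NULL); arrives_during_teardown is one
 * interrupt queued to land while the stack is being torn down. */
static bool on_irq_stack;
static unsigned long arrives_during_teardown;

/* Old interface: the caller's own bit is computed from sig here, so sig == 0
 * (what the loop passes the second time round) collides with bit zero, the
 * bit that reports "IRQ stack already active, do not tear it down". */
static unsigned long to_irq_stack_old(int sig)
{
    unsigned long nested = on_irq_stack;
    if (!nested)
        on_irq_stack = true;            /* set up the IRQ stack */
    return (1UL << sig) | nested;
}

/* Fixed interface: the caller passes its pending mask with its bit already
 * set; only the real nesting state can set bit zero. */
static unsigned long to_irq_stack_new(unsigned long pending)
{
    unsigned long nested = on_irq_stack;
    if (!nested)
        on_irq_stack = true;
    return pending | nested;
}

/* Tear the stack down unless nested; return interrupts that arrived meanwhile. */
static unsigned long from_irq_stack(bool nested)
{
    unsigned long late = arrives_during_teardown;
    arrives_during_teardown = 0;
    if (!nested)
        on_irq_stack = false;
    return late;
}

/* Run the handle_signal loop with either interface. Returns true when the IRQ
 * stack is left set up afterwards, the state the commit says ends in a crash. */
static bool run_handle_signal(int sig, bool fixed)
{
    unsigned long pending = 1UL << sig;   /* fixed code: bit for sig preset */
    on_irq_stack = false;
    arrives_during_teardown = 1UL << 7;   /* constructed: IRQ 7 lands mid-teardown */
    do {
        unsigned long mask = fixed ? to_irq_stack_new(pending) : to_irq_stack_old(sig);
        bool nested = mask & 1UL;         /* handlers for the other bits run here */
        pending = from_irq_stack(nested);
        sig = 0;                          /* old code has no signal number to pass now */
    } while (pending);
    return on_irq_stack;
}
```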