    [PATCH] fix send_sigqueue() vs thread exit race · e752dd6c
    Oleg Nesterov authored
    posix_timer_event() first checks that the thread (SIGEV_THREAD_ID case)
    does not have the PF_EXITING flag, then it calls send_sigqueue(), which locks
    the task list.  But if the thread exits in between, the kernel will oops
    (->sighand == NULL after __exit_sighand).
    
    This patch moves the PF_EXITING check into send_sigqueue(); it must be
    done atomically under tasklist_lock.  When send_sigqueue() detects an exiting
    thread, it returns -1.  In that case posix_timer_event will send the signal
    to the thread group.
    
    Also, this patch fixes task_struct use-after-free in posix_timer_event.
    Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
posix-timers.c 44 KB