[PATCH] fix send_sigqueue() vs thread exit race
author: Oleg Nesterov <oleg@tv-sign.ru>
Tue, 6 Sep 2005 22:17:42 +0000 (15:17 -0700)
committer: Linus Torvalds <torvalds@g5.osdl.org>
Wed, 7 Sep 2005 23:57:33 +0000 (16:57 -0700)
commit: e752dd6cc66a3e6a11396928998baf390cc00420
tree: b24b388d80acec6527e66b07f0d308d48319c476
parent: a97c9bf33f4612e2aed6f000f6b1d268b6814f3c
[PATCH] fix send_sigqueue() vs thread exit race

posix_timer_event() first checks that the thread (SIGEV_THREAD_ID case)
does not have the PF_EXITING flag, then it calls send_sigqueue(), which locks
the task list.  But if the thread exits in between, the kernel will oops
(->sighand == NULL after __exit_sighand).

This patch moves the PF_EXITING check into send_sigqueue(); it must be
done atomically under tasklist_lock.  When send_sigqueue() detects an exiting
thread, it returns -1.  In that case posix_timer_event() will send the signal
to the thread group.

Also, this patch fixes a task_struct use-after-free in posix_timer_event().

Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
Cc: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
kernel/posix-timers.c
kernel/signal.c