Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

Make sure "user->sigpending" count is in sync

The previous commit (45c18b0bb579b5c1b89f8c99f1b6ffa4c586ba08, aka "Fix
unlikely (but possible) race condition on task->user access") fixed a
potential oops due to __sigqueue_alloc() getting its "user" pointer out
of sync with switch_user(), and accessing a user pointer that had been
de-allocated on another CPU.

It still left another (much less serious) problem, where a concurrent
__sigqueue_alloc and swich_user could cause sigqueue_alloc to do signal
pending reference counting for a _different_ user than the one it then
actually ended up using. No oops, but we'd end up with the wrong signal
accounting.

Another case of Oleg's eagle-eyes picking up the problem.

This is trivially fixed by just making sure we load whichever "user"
structure we decide to use (it doesn't matter _which_ one we pick, we
just need to pick one) just once.

Acked-by: Oleg Nesterov <oleg@tv-sign.ru>
Cc: Andrew Morton <akpm@osdl.org>
Cc: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

+11 -4
+11 -4
kernel/signal.c
··· 267 267 int override_rlimit) 268 268 { 269 269 struct sigqueue *q = NULL; 270 + struct user_struct *user; 270 271 271 - atomic_inc(&t->user->sigpending); 272 + /* 273 + * In order to avoid problems with "switch_user()", we want to make 274 + * sure that the compiler doesn't re-load "t->user" 275 + */ 276 + user = t->user; 277 + barrier(); 278 + atomic_inc(&user->sigpending); 272 279 if (override_rlimit || 273 - atomic_read(&t->user->sigpending) <= 280 + atomic_read(&user->sigpending) <= 274 281 t->signal->rlim[RLIMIT_SIGPENDING].rlim_cur) 275 282 q = kmem_cache_alloc(sigqueue_cachep, flags); 276 283 if (unlikely(q == NULL)) { 277 - atomic_dec(&t->user->sigpending); 284 + atomic_dec(&user->sigpending); 278 285 } else { 279 286 INIT_LIST_HEAD(&q->list); 280 287 q->flags = 0; 281 - q->user = get_uid(t->user); 288 + q->user = get_uid(user); 282 289 } 283 290 return(q); 284 291 }