[PATCH] fix race copy_process() vs de_thread()

From: Hiroshi Shimamoto
Date: Mon Aug 24 2009 - 00:03:07 EST

Next message: KOSAKI Motohiro: "Re: [PATCH] mm: make munlock fast when mlock is canceled by sigkill"
Previous message: Jacob Pan: "[PATCH] x86/apbt: Moorestown APB system timer driver"
Next in thread: KAMEZAWA Hiroyuki: "Re: [PATCH] fix race copy_process() vs de_thread()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Hiroshi Shimamoto <h-shimamoto@xxxxxxxxxxxxx>

There is a race between de_thread() and copy_process().
When a thread is during execve and another thread is during clone, exec-ing
thread may be hung up in de_thread() waiting other threads are finished.
The root cause is that cleanup_signal() which is called when fork() failed
doesn't cause wake up the waiting thread at de_thread(), because there is no
check signal->count.

We need the check signal->group_exit_task and signal->notify_count.

Here is a reproducer, it may generate a thread which never die.

#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <stdio.h>
#include <errno.h>
#include <pthread.h>

void *null_thread(void *p)
{
for (;;)
sleep(1);

return NULL;
}

void *exec_thread(void *p)
{
execl("/bin/true", "/bin/true", NULL);

return null_thread(p);
}

int main(int argc, char **argv)
{
for (;;) {
pid_t pid;
int ret, status;

pid = fork();
if (pid < 0)
break;

if (!pid) {
pthread_t tid;

pthread_create(&tid, NULL, exec_thread, NULL);
for (;;)
pthread_create(&tid, NULL, null_thread, NULL);
}

do {
ret = waitpid(pid, &status, 0);
} while (ret == -1 && errno == EINTR);
}

return 0;
}

Signed-off-by: Hiroshi Shimamoto <h-shimamoto@xxxxxxxxxxxxx>
---
kernel/fork.c | 12 ++++++++++++
1 files changed, 12 insertions(+), 0 deletions(-)

diff --git a/kernel/fork.c b/kernel/fork.c
index 3ffa10f..be6c5b5 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -882,6 +882,9 @@ static void cleanup_signal(struct task_struct *tsk)
{
struct signal_struct *sig = tsk->signal;

+ if (!sig)
+ return;
+
atomic_dec(&sig->live);

if (atomic_dec_and_test(&sig->count))
@@ -1230,6 +1233,15 @@ static struct task_struct *copy_process(unsigned long clone_flags,
*/
recalc_sigpending();
if (signal_pending(current)) {
+ /* If there is any task waiting for the group exit, notify it */
+ if ((clone_flags & CLONE_THREAD) &&
+ p->signal->group_exit_task) {
+ atomic_dec(&p->signal->live);
+ atomic_dec(&p->signal->count);
+ if (atomic_read(&p->signal->count) == p->signal->notify_count)
+ wake_up_process(p->signal->group_exit_task);
+ p->signal = NULL;
+ }
spin_unlock(&current->sighand->siglock);
write_unlock_irq(&tasklist_lock);
retval = -ERESTARTNOINTR;
--
1.6.3.3

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: KOSAKI Motohiro: "Re: [PATCH] mm: make munlock fast when mlock is canceled by sigkill"
Previous message: Jacob Pan: "[PATCH] x86/apbt: Moorestown APB system timer driver"
Next in thread: KAMEZAWA Hiroyuki: "Re: [PATCH] fix race copy_process() vs de_thread()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]