[PATCH] run_posix_cpu_timers: remove a bogus BUG_ON() (30f1e3dd) · Commits · e / devices / android_kernel_fairphone_FP4

do_exit() clears ->it_##clock##_expires, but nothing prevents another cpu to attach the timer to exiting process after that. arm_timer() tries to protect against this race, but the check is racy. After exit_notify() does 'write_unlock_irq(&tasklist_lock)' and before do_exit() calls 'schedule() local timer interrupt can find tsk->exit_state != 0. If that state was EXIT_DEAD (or another cpu does sys_wait4) interrupted task has ->signal == NULL. At this moment exiting task has no pending cpu timers, they were cleanuped in __exit_signal()->posix_cpu_timers_exit{,_group}(), so we can just return from irq. John Stultz recently confirmed this bug, see http://marc.theaimsgroup.com/?l=linux-kernel&m=115015841413687 Signed-off-by:

Oleg Nesterov <oleg@tv-sign.ru> Signed-off-by:

Linus Torvalds <torvalds@osdl.org>

kernel/exit.c

+0 −8

Original line number	Diff line number	Diff line
		@@ -881,14 +881,6 @@ fastcall NORET_TYPE void do_exit(long code)

		tsk->flags \|= PF_EXITING;

		/*
		* Make sure we don't try to process any timer firings
		* while we are already exiting.
		*/
		tsk->it_virt_expires = cputime_zero;
		tsk->it_prof_expires = cputime_zero;
		tsk->it_sched_expires = 0;

		if (unlikely(in_atomic()))
		printk(KERN_INFO "note: %s[%d] exited with preempt_count %d\n",
		current->comm, current->pid,

kernel/posix-cpu-timers.c

+18 −18

Original line number	Diff line number	Diff line
		@@ -1288,12 +1288,11 @@ void run_posix_cpu_timers(struct task_struct *tsk)

		#undef UNEXPIRED

		BUG_ON(tsk->exit_state);

		/*
		* Double-check with locks held.
		*/
		read_lock(&tasklist_lock);
		if (likely(tsk->signal != NULL)) {
		spin_lock(&tsk->sighand->siglock);

		/*
		@@ -1312,6 +1311,7 @@ void run_posix_cpu_timers(struct task_struct *tsk)
		* spin until we've taken care of that timer below.
		*/
		spin_unlock(&tsk->sighand->siglock);
		}
		read_unlock(&tasklist_lock);

		/*