Commit 4ada856f authored May 26, 2010 by Oleg Nesterov Committed by Linus Torvalds May 27, 2010

signals: clear signal->tty when the last thread exits



When the last thread exits signal->tty is freed, but the pointer is not
cleared and points to nowhere.

This is OK.  Nobody should use signal->tty lockless, and it is no longer
possible to take ->siglock.  However this looks wrong even if correct, and
the nice OOPS is better than subtle and hard to find bugs.

Change __exit_signal() to clear signal->tty under ->siglock.

Note: __exit_signal() needs more cleanups.  It should not check "sig !=
NULL" to detect the all-dead case and we have the same issues with
signal->stats.

Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Cc: Alan Cox <alan@linux.intel.com>
Cc: Ingo Molnar <mingo@elte.hu>
Acked-by: Peter Zijlstra <peterz@infradead.org>
Acked-by: Roland McGrath <roland@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

parent ea6d290c

kernel/exit.c

+4 −1

Original line number	Diff line number	Diff line
		@@ -80,6 +80,7 @@ static void __exit_signal(struct task_struct *tsk)
		{
		struct signal_struct *sig = tsk->signal;
		struct sighand_struct *sighand;
		struct tty_struct *uninitialized_var(tty);

		BUG_ON(!sig);
		BUG_ON(!atomic_read(&sig->count));
		@@ -93,6 +94,8 @@ static void __exit_signal(struct task_struct *tsk)
		posix_cpu_timers_exit(tsk);
		if (thread_group_leader(tsk)) {
		posix_cpu_timers_exit_group(tsk);
		tty = sig->tty;
		sig->tty = NULL;
		} else {
		/*
		* If there is any task waiting for the group exit
		@@ -147,7 +150,7 @@ static void __exit_signal(struct task_struct *tsk)
		* see account_group_exec_runtime().
		*/
		task_rq_unlock_wait(tsk);
		tty_kref_put(sig->tty);
		tty_kref_put(tty);
		}
		}