forked from Minki/linux
posix-timers: fix creation race
sys_timer_create() sets ->it_process and unlocks ->siglock, then checks tmr->it_sigev_notify to define if get_task_struct() is needed. We already passed ->it_id to the caller, another thread can delete this timer and free its memory in between. As a minimal fix, move this code under ->siglock, sys_timer_delete() takes it too before calling release_posix_timer(). A proper serialization would be to take ->it_lock, we add a partly initialized timer on posix_timers_id, not good. Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru> Cc: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This commit is contained in:
parent
179394af7a
commit
d02479bdeb
@ -547,9 +547,9 @@ sys_timer_create(const clockid_t which_clock,
|
||||
new_timer->it_process = process;
|
||||
list_add(&new_timer->list,
|
||||
&process->signal->posix_timers);
|
||||
spin_unlock_irqrestore(&process->sighand->siglock, flags);
|
||||
if (new_timer->it_sigev_notify == (SIGEV_SIGNAL|SIGEV_THREAD_ID))
|
||||
get_task_struct(process);
|
||||
spin_unlock_irqrestore(&process->sighand->siglock, flags);
|
||||
} else {
|
||||
spin_unlock_irqrestore(&process->sighand->siglock, flags);
|
||||
process = NULL;
|
||||
|
Loading…
Reference in New Issue
Block a user