This was tested on 2.4.7 but I can't see any relevant changes in
the code or the changelog. In arch/i386/kernel/signal.c:
if (ka->sa.sa_handler == SIG_DFL) {
...
case SIGSTOP:
current->state = TASK_STOPPED;
current->exit_code = signr;
if (!(current->p_pptr->sig->action[SIGCHLD-1].sa
.sa_flags & SA_NOCLDSTOP))
notify_parent(current, SIGCHLD);
The problem is that if the parent is in the process of exiting,
do_exit calls exit_sighand which sets tsk->sig = NULL _before_
the children get reparented in exit_notify. So the above code
oopses dereferencing current->p_pptr->sig.
This simple program demonstrates the bug (when run in a while
true loop for a second or two):
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
int main()
{
switch (fork())
{
case -1:
perror("fork");
exit(1);
case 0: /* child */
kill(getpid(), SIGSTOP);
break;
default: /* parent */
exit(0);
}
}
The obvious (not necessarily best) fix is to check that
current->p_ptr->sig is not NULL.
Cheers,
Matt
diff -ru linux-2.4.10-pre8/arch/i386/kernel/signal.c linux-2.4.10-pre8-fix/arch/i386/kernel/signal.c
--- linux-2.4.10-pre8/arch/i386/kernel/signal.c Tue Sep 11 17:07:30 2001
+++ linux-2.4.10-pre8-fix/arch/i386/kernel/signal.c Tue Sep 11 17:12:27 2001
@@ -651,6 +651,7 @@
}
if (ka->sa.sa_handler == SIG_DFL) {
+ struct signal_struct *p_sig;
int exit_code = signr;
/* Init gets no signals it doesn't want. */
@@ -669,7 +670,8 @@
case SIGSTOP:
current->state = TASK_STOPPED;
current->exit_code = signr;
- if (!(current->p_pptr->sig->action[SIGCHLD-1].sa.sa_flags & SA_NOCLDSTOP))
+ p_sig = current->p_pptr->sig;
+ if ((p_sig != NULL) && !(p_sig->action[SIGCHLD-1].sa.sa_flags & SA_NOCLDSTOP))
notify_parent(current, SIGCHLD);
schedule();
continue;
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Sat Sep 15 2001 - 21:00:31 EST