Possible race in signal handling

From: Corey Minyard
Date: Wed Mar 10 2004 - 17:12:25 EST

I'm hoping I am wrong, but I think I have found a race in signal handling. I believe this can only happen in an SMP system or a system with preempt on. I'll use 2.6 for the example, but I think it applies to 2.4, too.

In arch/i386/signal.c, in the do_signal() function, it calls get_signal_to_deliver() which returns the signal number to deliver (along with siginfo). get_signal_to_deliver() grabs and releases the lock, so the signal handler lock is not held in do_signal(). Then the do_signal() calls handle_signal(), which uses the signal number to extract the sa_handler, etc.

Since no lock is held, it seems like another thread with the same signal handler set can come in and call sigaction(), it can change sa_handler between the call to get_signal_to_deliver() and fetching the value of sa_handler. If the sigaction() call set it to SIG_IGN, SIG_DFL, or some other fundamental change, that bad things can happen.

Am I correct here, or am I missing something?


