Possible race in signal handling
From: Corey Minyard
Date: Wed Mar 10 2004 - 17:12:25 EST
I'm hoping I am wrong, but I think I have found a race in signal
handling. I believe this can only happen in an SMP system or a system
with preempt on. I'll use 2.6 for the example, but I think it applies
to 2.4, too.
In arch/i386/signal.c, in the do_signal() function, it calls
get_signal_to_deliver() which returns the signal number to deliver
(along with siginfo). get_signal_to_deliver() grabs and releases the
lock, so the signal handler lock is not held in do_signal(). Then the
do_signal() calls handle_signal(), which uses the signal number to
extract the sa_handler, etc.
Since no lock is held, it seems like another thread with the same signal
handler set can come in and call sigaction(), it can change sa_handler
between the call to get_signal_to_deliver() and fetching the value of
sa_handler. If the sigaction() call set it to SIG_IGN, SIG_DFL, or some
other fundamental change, that bad things can happen.
Am I correct here, or am I missing something?
-Corey
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/