[PATCH 3/4] signalfd: signalfd_cleanup() can race withremove_wait_queue()

From: Oleg Nesterov
Date: Wed Feb 22 2012 - 12:41:43 EST

Next message: Oleg Nesterov: "[PATCH 4/4] epoll: ep_unregister_pollwait() can use the freedpwq->whead"
Previous message: Meelis Roos: "Re: OF-related boot crash in 3.3.0-rc3-00188-g3ec1e88"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

signalfd_cleanup() checks waitqueue_active() lockless, this can
race with ep_unregister_pollwait(). We can see list_empty() == T
before remove_wait_queue() completes and list_empty_careful()
can't help. Add spin_unlock_wait() to serialize.

Reported-by: Maxime Bizon <mbizon@xxxxxxxxxx>
Cc: <stable@xxxxxxxxxx>
Signed-off-by: Oleg Nesterov <oleg@xxxxxxxxxx>
---
fs/signalfd.c | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/fs/signalfd.c b/fs/signalfd.c
index 838ba21..6e51887 100644
--- a/fs/signalfd.c
+++ b/fs/signalfd.c
@@ -34,6 +34,10 @@ void signalfd_cleanup(struct sighand_struct *sighand)
{
wait_queue_head_t *wqh = &sighand->signalfd_wqh;

+ /* make sure we can't race with remove_wait_queue() in progress */
+ spin_unlock_wait(&wqh->lock);
+ smp_rmb();
+
if (likely(!waitqueue_active(wqh)))
return;

--
1.5.5.1

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Oleg Nesterov: "[PATCH 4/4] epoll: ep_unregister_pollwait() can use the freedpwq->whead"
Previous message: Meelis Roos: "Re: OF-related boot crash in 3.3.0-rc3-00188-g3ec1e88"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]