[PATCH] fix do_wait() vs exec() race

When a non-leader thread does exec, de_thread adds the old leader to init's
->children list in EXIT_ZOMBIE state and drops tasklist_lock.

This means that release_task(leader) in de_thread() is racy vs do_wait()
from the init task.

I think de_thread() should set old leader's state to EXIT_DEAD instead.

Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
Cc: george anzinger <george@mvista.com>
Cc: Roland Dreier <rolandd@cisco.com>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

authored by Oleg Nesterov and committed by Linus Torvalds 962b564c 8bf1101b

+4 -4
fs/exec.c
··· 668 if (!thread_group_leader(current)) { 669 struct task_struct *parent; 670 struct dentry *proc_dentry1, *proc_dentry2; 671 - unsigned long exit_state, ptrace; 672 673 /* 674 * Wait for the thread group leader to be a zombie. ··· 726 list_del(&current->tasks); 727 list_add_tail(&current->tasks, &init_task.tasks); 728 current->exit_signal = SIGCHLD; 729 - exit_state = leader->exit_state; 730 731 write_unlock_irq(&tasklist_lock); 732 spin_unlock(&leader->proc_lock); 733 spin_unlock(&current->proc_lock); 734 proc_pid_flush(proc_dentry1); 735 proc_pid_flush(proc_dentry2); 736 - 737 - BUG_ON(exit_state != EXIT_ZOMBIE); 738 } 739 740 /*
··· 668 if (!thread_group_leader(current)) { 669 struct task_struct *parent; 670 struct dentry *proc_dentry1, *proc_dentry2; 671 + unsigned long ptrace; 672 673 /* 674 * Wait for the thread group leader to be a zombie. ··· 726 list_del(&current->tasks); 727 list_add_tail(&current->tasks, &init_task.tasks); 728 current->exit_signal = SIGCHLD; 729 + 730 + BUG_ON(leader->exit_state != EXIT_ZOMBIE); 731 + leader->exit_state = EXIT_DEAD; 732 733 write_unlock_irq(&tasklist_lock); 734 spin_unlock(&leader->proc_lock); 735 spin_unlock(&current->proc_lock); 736 proc_pid_flush(proc_dentry1); 737 proc_pid_flush(proc_dentry2); 738 } 739 740 /*
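Review bot: the new assignment `leader->exit_state = EXIT_DEAD;` at line 731 is the whole fix, but it carries no comment, and the rationale is not obvious from the surrounding code: the leader has just been placed on init's list, tasklist_lock is about to be dropped at line 733, and the release_task(leader) the commit message refers to happens outside the lock, so marking the leader EXIT_DEAD here is what keeps init's do_wait() from reaping it first. Suggest a one-line comment above the assignment, e.g. `/* hide the old leader from do_wait(); release_task() below reaps it */`, and consider updating the header comment at lines 673-674 ("Wait for the thread group leader to be a zombie"), since the leader no longer stays a zombie once the lock is dropped. Moving the BUG_ON under tasklist_lock and reading leader->exit_state directly instead of through the removed `exit_state` local is correct: the check and the transition to EXIT_DEAD now happen atomically with respect to do_wait().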