posix-cpu-timers: workaround to suppress the problems with mt exec (rhbz#656264)
This commit is contained in:
parent
92cce7f8f6
commit
54c8f25d8d
|
@ -849,6 +849,8 @@ Patch13701: ipc-shm-fix-information-leak-to-user.patch
|
|||
|
||||
Patch13702: inet_diag-make-sure-we-run-the-same-bytecode-we-audited.patch
|
||||
|
||||
Patch13703: posix-cpu-timers-workaround-to-suppress-problems-with-mt-exec.patch
|
||||
|
||||
%endif
|
||||
|
||||
BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
|
||||
|
@ -1614,6 +1616,9 @@ ApplyPatch ipc-shm-fix-information-leak-to-user.patch
|
|||
# rhbz#651264 (CVE-2010-3880)
|
||||
ApplyPatch inet_diag-make-sure-we-run-the-same-bytecode-we-audited.patch
|
||||
|
||||
# rhbz#656264
|
||||
ApplyPatch posix-cpu-timers-workaround-to-suppress-problems-with-mt-exec.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
%endif
|
||||
|
@ -2239,6 +2244,8 @@ fi
|
|||
- zero struct memory in ipc compat (CVE-2010-4073) (#648658)
|
||||
- zero struct memory in ipc shm (CVE-2010-4072) (#648656)
|
||||
- fix logic error in INET_DIAG bytecode auditing (CVE-2010-3880) (#651264)
|
||||
- posix-cpu-timers: workaround to suppress the problems with mt exec
|
||||
(rhbz#656264)
|
||||
|
||||
* Fri Oct 22 2010 Kyle McMartin <kyle@redhat.cmo> 2.6.34.7-62
|
||||
- tpm-autodetect-itpm-devices.patch: Auto-fix TPM issues on various
|
||||
|
|
|
@ -0,0 +1,60 @@
|
|||
From 4366640cd1342b3e77077d3d565dbaeff9b66d4d Mon Sep 17 00:00:00 2001
|
||||
From: Oleg Nesterov <oleg@redhat.com>
|
||||
Date: Fri, 5 Nov 2010 16:53:42 +0100
|
||||
Subject: posix-cpu-timers: workaround to suppress the problems with mt exec
|
||||
|
||||
posix-cpu-timers.c correctly assumes that the dying process does
|
||||
posix_cpu_timers_exit_group() and removes all !CPUCLOCK_PERTHREAD
|
||||
timers from signal->cpu_timers list.
|
||||
|
||||
But, it also assumes that timer->it.cpu.task is always the group
|
||||
leader, and thus the dead ->task means the dead thread group.
|
||||
|
||||
This is obviously not true after de_thread() changes the leader.
|
||||
After that almost every posix_cpu_timer_ method has problems.
|
||||
|
||||
It is not simple to fix this bug correctly. First of all, I think
|
||||
that timer->it.cpu should use struct pid instead of task_struct.
|
||||
Also, the locking should be reworked completely. In particular,
|
||||
tasklist_lock should not be used at all. This all needs a lot of
|
||||
nontrivial and hard-to-test changes.
|
||||
|
||||
Change __exit_signal() to do posix_cpu_timers_exit_group() when
|
||||
the old leader dies during exec. This is not the fix, just the
|
||||
temporary hack to hide the problem for 2.6.37 and stable. IOW,
|
||||
this is obviously wrong but this is what we currently have anyway:
|
||||
cpu timers do not work after mt exec.
|
||||
|
||||
In theory this change adds another race. The exiting leader can
|
||||
detach the timers which were attached to the new leader. However,
|
||||
the window between de_thread() and release_task() is small, we
|
||||
can pretend that sys_timer_create() was called before de_thread().
|
||||
|
||||
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
|
||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
---
|
||||
kernel/exit.c | 8 ++++++++
|
||||
1 files changed, 8 insertions(+), 0 deletions(-)
|
||||
|
||||
diff --git a/kernel/exit.c b/kernel/exit.c
|
||||
index 7f2683a..34d4c33 100644
|
||||
--- a/kernel/exit.c
|
||||
+++ b/kernel/exit.c
|
||||
@@ -95,6 +95,14 @@ static void __exit_signal(struct task_struct *tsk)
|
||||
posix_cpu_timers_exit_group(tsk);
|
||||
else {
|
||||
/*
|
||||
+ * This can only happen if the caller is de_thread().
|
||||
+ * FIXME: this is the temporary hack, we should teach
|
||||
+ * posix-cpu-timers to handle this case correctly.
|
||||
+ */
|
||||
+ if (unlikely(has_group_leader_pid(tsk)))
|
||||
+ posix_cpu_timers_exit_group(tsk);
|
||||
+
|
||||
+ /*
|
||||
* If there is any task waiting for the group exit
|
||||
* then notify it:
|
||||
*/
|
||||
--
|
||||
1.7.3.2
|
||||
|
Loading…
Reference in New Issue