On Tue, Sep 27, 2005 at 07:53:30AM -0700, Linus Torvalds wrote: > On Sun, 25 Sep 2005, Harald Welte wrote: > > > > async_completed() calls send_sig_info(), which in turn does a > > spin_lock(&tasklist_lock) to protect itself from task_struct->sighand > > from going away. However, the call to > > "spin_lock_irqsave(task_struct->sighand->siglock)" causes an oops, > > because "sighand" has disappeared. > > And the real bug is that you're buggering up the system in the first > place. > > You don't save "current". You save "pid", and then you send a signal using > that and kill_proc_info(). End of story, bug gone. And it works with > threaded programs too, which the old thing didn't work at all with.
And then a process calls USBDEVFS_SUBMITURB and immediately exits; its
pid gets reused by a completely different process (maybe even
root-owned), then the urb completes, and kill_proc_info() sends the
signal to the unsuspecting process.
> I refuse to apply this patch - Greg, don't even _try_ to sneak this in
> through a git merge. What a horribly broken thing to do: why would USB
> _ever_ need to know about things like tasklist_lock, and internal signal
> handling functions and rules like "p->sighand"?
Hmm, then probably send_sig_info() should check for non-NULL
p->sighand after taking tasklist_lock? Otherwise all uses of
send_sig_info() for non-current tasks are unsafe.
"git grep -w send_sig_info" shows that most callers call
send_sig_info() for the current task, except these:
arch/sparc/kernel/traps.c: send_sig_info(SIGFPE, &info, fpt);
arch/sparc64/kernel/sys_sunos32.c: send_sig_info(SIGSYS, &info, current);
drivers/char/drm/drm_irq.c: send_sig_info(
vbl_sig->info.si_signo, &vbl_sig->info, vbl_sig->task );
drivers/usb/core/devio.c: send_sig_info(as->signr, &sinfo,
as->task);
drivers/usb/core/inode.c: send_sig_info(ds->discsignr,
&sinfo, ds->disctask);
drivers/usb/gadget/file_storage.c: send_sig_info(SIGUSR1,
SEND_SIG_FORCED, thread_task);
kernel/signal.c: return send_sig_info(sig, (void*)(long)(priv != 0), p);
BTW, all other callers of send_sig_info() are under
arch/{alpha,arm,sparc,sparc64}/ - 23 total.
pgpnxF64VVDvl.pgp
Description: PGP signature
