The procfs code can have a reference even to an already exited task, so it
needs to follow special rules accessing p->sig. The atomic-signals patch
made this bug happen at a much higher frequency, but procfs I believe was
buggy ever since, it potentially used the freed signal structure - which
just did not result in a crash like it does today.
The proper fix is to take the tasklist read-lock in
collect_sigign_sigcatch(), this excludes __exit_sighand() freeing the
signal structure prematurely.
Ingo
--- linux/fs/proc/array.c.orig Mon Sep 30 09:06:16 2002
+++ linux/fs/proc/array.c Mon Sep 30 09:06:43 2002
@@ -228,8 +228,9 @@
sigemptyset(ign);
sigemptyset(catch);
- spin_lock_irq(&p->sig->siglock);
+ read_lock(&tasklist_lock);
if (p->sig) {
+ spin_lock_irq(&p->sig->siglock);
k = p->sig->action;
for (i = 1; i <= _NSIG; ++i, ++k) {
if (k->sa.sa_handler == SIG_IGN)
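Review bot: The removed line dereferenced p->sig in spin_lock_irq(&p->sig->siglock) before the `if (p->sig)` test, so the NULL check never guarded the lock acquisition; moving the siglock acquisition inside the check, with read_lock(&tasklist_lock) taken first, closes that window. For this to actually exclude __exit_sighand() freeing the structure, as the description claims, that path must write-lock tasklist_lock before clearing and freeing p->sig, and the nesting order tasklist_lock (read) -> siglock introduced here should match every other site that takes both, otherwise this adds a lock-order inversion.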
@@ -237,8 +238,9 @@
else if (k->sa.sa_handler != SIG_DFL)
sigaddset(catch, i);
}
+ spin_unlock_irq(&p->sig->siglock);
}
- spin_unlock_irq(&p->sig->siglock);
+ read_unlock(&tasklist_lock);
}
static inline char * task_sig(struct task_struct *p, char *buffer)
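Review bot: The unlock order is correct: `spin_unlock_irq(&p->sig->siglock)` is released inside the `if` block and `read_unlock(&tasklist_lock)` follows it, mirroring the acquisition order in the previous hunk. One thing to confirm is interrupt state: spin_lock_irq/spin_unlock_irq unconditionally disable and re-enable interrupts, which is only safe if no caller of collect_sigign_sigcatch() reaches it with interrupts already disabled; if that cannot be guaranteed, spin_lock_irqsave/spin_unlock_irqrestore would be the safer pairing.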