diff --git a/kernel.spec b/kernel.spec
index 5ee7c55..099c390 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -840,6 +840,8 @@ Patch14301: ipc-shm-fix-information-leak-to-user.patch
 Patch14302: inet_diag-make-sure-we-run-the-same-bytecode-we-audited.patch
+Patch14303: posix-cpu-timers-workaround-to-suppress-problems-with-mt-exec.patch
+
 # ==============================================================================
 %endif
@@ -1551,6 +1553,9 @@ ApplyPatch ipc-shm-fix-information-leak-to-user.patch
 # rhbz#651264 (CVE-2010-3880)
 ApplyPatch inet_diag-make-sure-we-run-the-same-bytecode-we-audited.patch
+# rhbz#656264
+ApplyPatch posix-cpu-timers-workaround-to-suppress-problems-with-mt-exec.patch
+
 # END OF PATCH APPLICATIONS ====================================================
 %endif
@@ -2207,6 +2212,8 @@ fi
 - zero struct memory in ipc compat (CVE-2010-4073) (#648658)
 - zero struct memory in ipc shm (CVE-2010-4072) (#648656)
 - fix logic error in INET_DIAG bytecode auditing (CVE-2010-3880) (#651264)
+- posix-cpu-timers: workaround to suppress the problems with mt exec
+ (rhbz#656264)
 * Mon Nov 22 2010 Kyle McMartin 2.6.32.26-174
 - Linux 2.6.32.26
diff --git a/posix-cpu-timers-workaround-to-suppress-problems-with-mt-exec.patch b/posix-cpu-timers-workaround-to-suppress-problems-with-mt-exec.patch
new file mode 100644
index 0000000..92c2849
--- /dev/null
+++ b/posix-cpu-timers-workaround-to-suppress-problems-with-mt-exec.patch
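Review bot: The ApplyPatch comment `# rhbz#656264` in the second hunk omits the advisory reference that the neighbouring entries carry (`# rhbz#651264 (CVE-2010-3880)`); if an id has been assigned for this fix, record it there as `# rhbz#656264 (CVE-<assigned id>)` so the spec stays searchable by advisory, and leave the bare bug number only if none exists. The changelog entry in the third hunk cites the bug as `(rhbz#656264)` where the surrounding entries use the `(#651264)` form; `- posix-cpu-timers: workaround to suppress the problems with mt exec (#656264)` matches them and avoids the wrapped continuation line.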
@@ -0,0 +1,60 @@
+From 9bdade1bc13e547130d2629291758a579722e5d1 Mon Sep 17 00:00:00 2001
+From: Oleg Nesterov
+Date: Fri, 5 Nov 2010 16:53:42 +0100
+Subject: posix-cpu-timers: workaround to suppress the problems with mt exec
+
+posix-cpu-timers.c correctly assumes that the dying process does
+posix_cpu_timers_exit_group() and removes all !CPUCLOCK_PERTHREAD
+timers from signal->cpu_timers list.
+
+But, it also assumes that timer->it.cpu.task is always the group
+leader, and thus the dead ->task means the dead thread group.
+
+This is obviously not true after de_thread() changes the leader.
+After that almost every posix_cpu_timer_ method has problems.
+
+It is not simple to fix this bug correctly. First of all, I think
+that timer->it.cpu should use struct pid instead of task_struct.
+Also, the locking should be reworked completely. In particular,
+tasklist_lock should not be used at all. This all needs a lot of
+nontrivial and hard-to-test changes.
+
+Change __exit_signal() to do posix_cpu_timers_exit_group() when
+the old leader dies during exec. This is not the fix, just the
+temporary hack to hide the problem for 2.6.37 and stable. IOW,
+this is obviously wrong but this is what we currently have anyway:
+cpu timers do not work after mt exec.
+
+In theory this change adds another race. The exiting leader can
+detach the timers which were attached to the new leader. However,
+the window between de_thread() and release_task() is small, we
+can pretend that sys_timer_create() was called before de_thread().
+
+Signed-off-by: Oleg Nesterov
+Signed-off-by: Linus Torvalds
+---
+ kernel/exit.c | 8 ++++++++
+ 1 files changed, 8 insertions(+), 0 deletions(-)
+
+diff --git a/kernel/exit.c b/kernel/exit.c
+index 45102e9..02b7104 100644
+--- a/kernel/exit.c
++++ b/kernel/exit.c
+@@ -92,6 +92,14 @@ static void __exit_signal(struct task_struct *tsk)
+ posix_cpu_timers_exit_group(tsk);
+ else {
+ /*
++ * This can only happen if the caller is de_thread().
++ * FIXME: this is the temporary hack, we should teach
++ * posix-cpu-timers to handle this case correctly.
++ */
++ if (unlikely(has_group_leader_pid(tsk)))
++ posix_cpu_timers_exit_group(tsk);
++
++ /*
+ * If there is any task waiting for the group exit
+ * then notify it:
+ */
+--
+1.7.3.2
+
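Review bot: The added guard `if (unlikely(has_group_leader_pid(tsk))) posix_cpu_timers_exit_group(tsk);` in __exit_signal() is annotated only as a temporary hack, while the side effect the author accepts — the exiting old leader may detach timers that were attached to the new leader in the window between de_thread() and release_task() — is stated only in the commit message embedded in the .patch file, which nobody reads from the tree. Since a stable backport like this can outlive upstream's proper fix, carry it into the code comment, e.g. `* Note: this may also detach timers the new leader created between de_thread() and release_task(); the window is small and that is tolerated for now.` The patch was generated against a newer tree (its inner index line is 45102e9..02b7104 and the message targets 2.6.37), so it is worth confirming on the 2.6.32.26 source that has_group_leader_pid() is available and that the context lines `posix_cpu_timers_exit_group(tsk);` / `else {` still match before ApplyPatch runs. __exit_signal()'s body begins before and continues after the inner hunk.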