From: Oleg Nesterov <oleg@tv-sign.ru>
Date: Sun, 23 Oct 2005 16:25:39 +0000 (+0400)
Subject: [PATCH] posix-timers: fix cleanup_timers() and run_posix_cpu_timers() races
X-Git-Tag: v2.6.14~30
X-Git-Url: http://git.openpandora.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=108150ea78003044e41150c75259447b2c0953b6;p=pandora-kernel.git

[PATCH] posix-timers: fix cleanup_timers() and run_posix_cpu_timers() races

1. cleanup_timers() sets timer->task = NULL under tasklist + ->sighand locks.
   That means that this code in posix_cpu_timer_del() and posix_cpu_timer_set()

   		lock_timer(timer);
		if (timer->task == NULL)
			return;
		read_lock(tasklist);
		put_task_struct(timer->task)

   is racy. With this patch timer->task modified and accounted only under
   timer->it_lock. Sadly, this means that dead task_struct won't be freed
   until timer deleted or armed.

2. run_posix_cpu_timers() collects expired timers into local list under
   tasklist + ->sighand again. That means that posix_cpu_timer_del()
   should check timer->it.cpu.firing under these locks too.

Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
---

Reading git-diff-tree failed