[PATCH] uml: Fix process exit race

tt-mode closes switch_pipes in exit_thread_tt and kills processes in
switch_to_tt, if the exit_state is EXIT_DEAD or EXIT_ZOMBIE.

In very rare cases the exiting process can be scheduled out after having set
exit_state and closed switch_pipes (from release_task it calls proc_pid_flush,
which might sleep).  If this process is to be restarted, UML failes in
switch_to_tt with:

   write of switch_pipe failed, err = 9

We fix this by closing switch_pipes not in exit_thread_tt, but later in
release_thread_tt.  Additionally, we set switch_pipe[0] = 0 after closing.
switch_to_tt must not kill "from" process depending on its exit_state, but
must kill it after release_thread was processed only, so it examines
switch_pipe[0] for its decision.

Signed-off-by: Bodo Stroesser <bstroesser@fujitsu-siemens.com>
Signed-off-by: Jeff Dike <jdike@addtoit.com>
Cc: Paolo 'Blaisorblade' Giarrusso <blaisorblade@yahoo.it>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

arch/um/kernel/process_kern.c

@@ -142,7 +142,6 @@ void release_thread(struct task_struct *task)
  
 void exit_thread(void)
 {
-	CHOOSE_MODE(exit_thread_tt(), exit_thread_skas());
 	unprotect_stack((unsigned long) current_thread);
 }
  

arch/um/kernel/skas/include/mode_kern-skas.h

@@ -18,7 +18,6 @@ extern int copy_thread_skas(int nr, unsigned long clone_flags,
 			    unsigned long sp, unsigned long stack_top,
 			    struct task_struct *p, struct pt_regs *regs);
 extern void release_thread_skas(struct task_struct *task);
-extern void exit_thread_skas(void);
 extern void initial_thread_cb_skas(void (*proc)(void *), void *arg);
 extern void init_idle_skas(void);
 extern void flush_tlb_kernel_range_skas(unsigned long start,

arch/um/kernel/skas/process_kern.c

@@ -83,10 +83,6 @@ void release_thread_skas(struct task_struct *task)
 {
 }
 
-void exit_thread_skas(void)
-{
-}
-
 void fork_handler(int sig)
 {
         change_sig(SIGUSR1, 1);

arch/um/kernel/tt/include/mode_kern-tt.h

@@ -19,7 +19,6 @@ extern int copy_thread_tt(int nr, unsigned long clone_flags, unsigned long sp,
 			  unsigned long stack_top, struct task_struct *p,
 			  struct pt_regs *regs);
 extern void release_thread_tt(struct task_struct *task);
-extern void exit_thread_tt(void);
 extern void initial_thread_cb_tt(void (*proc)(void *), void *arg);
 extern void init_idle_tt(void);
 extern void flush_tlb_kernel_range_tt(unsigned long start, unsigned long end);

arch/um/kernel/tt/process_kern.c

@@ -65,8 +65,7 @@ void *switch_to_tt(void *prev, void *next, void *last)
 		panic("write of switch_pipe failed, err = %d", -err);
 
 	reading = 1;
-	if((from->exit_state == EXIT_ZOMBIE) ||
+        if(from->thread.mode.tt.switch_pipe[0] == -1)
-	   (from->exit_state == EXIT_DEAD))
 		os_kill_process(os_getpid(), 0);
 
 	err = os_read_file(from->thread.mode.tt.switch_pipe[0], &c, sizeof(c));
@@ -81,8 +80,7 @@ void *switch_to_tt(void *prev, void *next, void *last)
 	 * in case it has not already killed itself.
 	 */
 	prev_sched = current->thread.prev_sched;
-	if((prev_sched->exit_state == EXIT_ZOMBIE) ||
+        if(prev_sched->thread.mode.tt.switch_pipe[0] == -1)
-	   (prev_sched->exit_state == EXIT_DEAD))
 		os_kill_process(prev_sched->thread.mode.tt.extern_pid, 1);
 
 	change_sig(SIGVTALRM, vtalrm);
@@ -101,14 +99,18 @@ void release_thread_tt(struct task_struct *task)
 {
 	int pid = task->thread.mode.tt.extern_pid;
 
+	/*
+         * We first have to kill the other process, before
+         * closing its switch_pipe. Else it might wake up
+         * and receive "EOF" before we could kill it.
+         */
 	if(os_getpid() != pid)
 		os_kill_process(pid, 0);
-}
 
-void exit_thread_tt(void)
+        os_close_file(task->thread.mode.tt.switch_pipe[0]);
-{
+        os_close_file(task->thread.mode.tt.switch_pipe[1]);
-	os_close_file(current->thread.mode.tt.switch_pipe[0]);
+	/* use switch_pipe as flag: thread is released */
-	os_close_file(current->thread.mode.tt.switch_pipe[1]);
+        task->thread.mode.tt.switch_pipe[0] = -1;
 }
 
 void suspend_new_thread(int fd)