signals: clear signal->tty when the last thread exits

When the last thread exits signal->tty is freed, but the pointer is not
cleared and points to nowhere.

This is OK.  Nobody should use signal->tty lockless, and it is no longer
possible to take ->siglock.  However this looks wrong even if correct, and
the nice OOPS is better than subtle and hard to find bugs.

Change __exit_signal() to clear signal->tty under ->siglock.

Note: __exit_signal() needs more cleanups.  It should not check "sig !=
NULL" to detect the all-dead case and we have the same issues with
signal->stats.

Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Cc: Alan Cox <alan@linux.intel.com>
Cc: Ingo Molnar <mingo@elte.hu>
Acked-by: Peter Zijlstra <peterz@infradead.org>
Acked-by: Roland McGrath <roland@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This commit is contained in:
Oleg Nesterov 2010-05-26 14:43:17 -07:00 committed by Linus Torvalds
parent ea6d290ca3
commit 4ada856fb0
1 changed files with 4 additions and 1 deletions

View File

@ -80,6 +80,7 @@ static void __exit_signal(struct task_struct *tsk)
{
struct signal_struct *sig = tsk->signal;
struct sighand_struct *sighand;
struct tty_struct *uninitialized_var(tty);
BUG_ON(!sig);
BUG_ON(!atomic_read(&sig->count));
@ -93,6 +94,8 @@ static void __exit_signal(struct task_struct *tsk)
posix_cpu_timers_exit(tsk);
if (thread_group_leader(tsk)) {
posix_cpu_timers_exit_group(tsk);
tty = sig->tty;
sig->tty = NULL;
} else {
/*
* If there is any task waiting for the group exit
@ -147,7 +150,7 @@ static void __exit_signal(struct task_struct *tsk)
* see account_group_exec_runtime().
*/
task_rq_unlock_wait(tsk);
tty_kref_put(sig->tty);
tty_kref_put(tty);
}
}