author: Kyle McMartin <kyle@mcmartin.ca> 2010-11-23 11:35:47 -0500
committer: Kyle McMartin <kyle@mcmartin.ca> 2010-11-23 11:35:47 -0500
commit: b8893529193d21c9193f3122fe04b99a2a5fca2c
tree: 633ce5a8170291b482798e3a31a99984929b8a84
parent: 5b55060789f8bf05abf0e76d528058aceddd7e8e
posix-cpu-timers: workaround to suppress the problems with mt exec (rhbz#656264)
-rw-r--r-- kernel.spec | 7
-rw-r--r-- posix-cpu-timers-workaround-to-suppress-problems-with-mt-exec.patch | 60
2 files changed, 67 insertions, 0 deletions
diff --git a/kernel.spec b/kernel.spec
index 5ee7c55..099c390 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -840,6 +840,8 @@ Patch14301: ipc-shm-fix-information-leak-to-user.patch
Patch14302: inet_diag-make-sure-we-run-the-same-bytecode-we-audited.patch
+Patch14303: posix-cpu-timers-workaround-to-suppress-problems-with-mt-exec.patch
+
# ==============================================================================
%endif
@@ -1551,6 +1553,9 @@ ApplyPatch ipc-shm-fix-information-leak-to-user.patch
# rhbz#651264 (CVE-2010-3880)
ApplyPatch inet_diag-make-sure-we-run-the-same-bytecode-we-audited.patch
+# rhbz#656264
+ApplyPatch posix-cpu-timers-workaround-to-suppress-problems-with-mt-exec.patch
+
# END OF PATCH APPLICATIONS ====================================================
%endif
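Review bot: the `# rhbz#656264` comment above the new `ApplyPatch` line carries less context than its neighbour `# rhbz#651264 (CVE-2010-3880)`, and the patch file it applies describes itself as a temporary hack and names its upstream commit (`From 9bdade1bc13e547130d2629291758a579722e5d1`); record both here, e.g. `# rhbz#656264 - temporary workaround, upstream 9bdade1b, drop once 2.6.32.y carries it`, so whoever rebases the spec can tell when the patch can be removed.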
@@ -2207,6 +2212,8 @@ fi
- zero struct memory in ipc compat (CVE-2010-4073) (#648658)
- zero struct memory in ipc shm (CVE-2010-4072) (#648656)
- fix logic error in INET_DIAG bytecode auditing (CVE-2010-3880) (#651264)
+- posix-cpu-timers: workaround to suppress the problems with mt exec
+ (rhbz#656264)
* Mon Nov 22 2010 Kyle McMartin <kyle@redhat.com> 2.6.32.26-174
- Linux 2.6.32.26
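Review bot: the new changelog bullet is appended to the existing top entry rather than a new dated one, and the diffstat for kernel.spec (7 insertions, 0 deletions) shows no Release bump in this commit; that is only correct if the entry above `* Mon Nov 22 2010 Kyle McMartin <kyle@redhat.com> 2.6.32.26-174` has not yet been built and tagged, otherwise add a new dated entry and bump the release so the workaround is tied to a package version.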
diff --git a/posix-cpu-timers-workaround-to-suppress-problems-with-mt-exec.patch b/posix-cpu-timers-workaround-to-suppress-problems-with-mt-exec.patch
new file mode 100644
index 0000000..92c2849
--- /dev/null
+++ b/posix-cpu-timers-workaround-to-suppress-problems-with-mt-exec.patch
@@ -0,0 +1,60 @@
+From 9bdade1bc13e547130d2629291758a579722e5d1 Mon Sep 17 00:00:00 2001
+From: Oleg Nesterov <oleg@redhat.com>
+Date: Fri, 5 Nov 2010 16:53:42 +0100
+Subject: posix-cpu-timers: workaround to suppress the problems with mt exec
+
+posix-cpu-timers.c correctly assumes that the dying process does
+posix_cpu_timers_exit_group() and removes all !CPUCLOCK_PERTHREAD
+timers from signal->cpu_timers list.
+
+But, it also assumes that timer->it.cpu.task is always the group
+leader, and thus the dead ->task means the dead thread group.
+
+This is obviously not true after de_thread() changes the leader.
+After that almost every posix_cpu_timer_ method has problems.
+
+It is not simple to fix this bug correctly. First of all, I think
+that timer->it.cpu should use struct pid instead of task_struct.
+Also, the locking should be reworked completely. In particular,
+tasklist_lock should not be used at all. This all needs a lot of
+nontrivial and hard-to-test changes.
+
+Change __exit_signal() to do posix_cpu_timers_exit_group() when
+the old leader dies during exec. This is not the fix, just the
+temporary hack to hide the problem for 2.6.37 and stable. IOW,
+this is obviously wrong but this is what we currently have anyway:
+cpu timers do not work after mt exec.
+
+In theory this change adds another race. The exiting leader can
+detach the timers which were attached to the new leader. However,
+the window between de_thread() and release_task() is small, we
+can pretend that sys_timer_create() was called before de_thread().
+
+Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+ kernel/exit.c | 8 ++++++++
+ 1 files changed, 8 insertions(+), 0 deletions(-)
+
+diff --git a/kernel/exit.c b/kernel/exit.c
+index 45102e9..02b7104 100644
+--- a/kernel/exit.c
++++ b/kernel/exit.c
+@@ -92,6 +92,14 @@ static void __exit_signal(struct task_struct *tsk)
+ posix_cpu_timers_exit_group(tsk);
+ else {
+ /*
++ * This can only happen if the caller is de_thread().
++ * FIXME: this is the temporary hack, we should teach
++ * posix-cpu-timers to handle this case correctly.
++ */
++ if (unlikely(has_group_leader_pid(tsk)))
++ posix_cpu_timers_exit_group(tsk);
++
++ /*
+ * If there is any task waiting for the group exit
+ * then notify it:
+ */
+--
+1.7.3.2
+
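Review bot: as rendered, the embedded `kernel/exit.c` hunk has lost its tab indentation (every context and `+` line shows a single space after the diff marker, although the `@@ -92,6 +92,14 @@` header still counts 6 context and 8 added lines); if the committed file really looks like this, `ApplyPatch` will fail with a rejected hunk, so confirm the stored file keeps the original tabs. The commit message also concedes that calling `posix_cpu_timers_exit_group()` for the old leader reaped by `de_thread()` can detach timers attached to the new leader in the `de_thread()`..`release_task()` window; that accepted race belongs in the spec comment next to rhbz#656264 as well, not only inside the patch file.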