    [PATCH] fix disassociate_ctty vs. fork race · b0d62e6d
    Jason Baron authored
    Race is as follows. Process A forks process B, both being part of the same
    session. Then, A calls disassociate_ctty while B forks C:
    
    A				B
    ====				====
    				fork()
    				  copy_signal()
    disassociate_ctty()		....
    				  attach_pid(p, PIDTYPE_SID, p->signal->session);
    
    Now, C can have current->signal->tty pointing to a freed tty structure, as
    it hasn't yet been added to the session group (to have its controlling tty
    cleared on the disassociate_ctty() call).
    
    This has shown up as an oops but could be even more serious.  I haven't
    tried to create a test case, but a customer has verified that the patch
    below resolves the issue, which was occurring quite frequently.  I'll try
    and post the test case if I can.
    
    The patch simply checks for a NULL tty *after* it has been attached to the
    proper session group and clears it as necessary.  Alternatively, we could
    simply do the tty assignment after the process is added to the proper
    session group.
    Signed-off-by: Jason Baron <jbaron@redhat.com>
    Cc: Roland McGrath <roland@redhat.com>
    Cc: Ingo Molnar <mingo@elte.hu>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
fork.c 31.9 KB
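A user-space model of the interleaving and of the after-attach check the message describes, added here as an example; it is neither the patch nor kernel code, and the struct names, the session array and the helper functions are constructed stand-ins for the kernel objects named above.

```c
#include <stdio.h>

/* Constructed stand-ins for the kernel objects named in the commit message:
 * the controlling tty, a task with its signal->tty pointer, and the session
 * group that attach_pid(p, PIDTYPE_SID, ...) adds a task to. */
struct tty  { int alive; };
struct task { struct tty *tty; };
#define MAX_TASKS 8
static struct task *session[MAX_TASKS];   /* members of the session group */
static int nsession;

/* attach_pid(..., PIDTYPE_SID, ...): the task becomes a session member. */
static void attach_sid(struct task *t) { session[nsession++] = t; }

/* copy_signal(): early in fork(), the child inherits the parent's tty pointer. */
static void copy_signal(struct task *child, const struct task *parent) { child->tty = parent->tty; }

/* disassociate_ctty(): clear the tty of every task already in the session,
 * then release the tty. A task not yet attached keeps a now-stale pointer. */
static void disassociate_ctty(struct tty *tty) {
    for (int i = 0; i < nsession; i++) session[i]->tty = NULL;
    tty->alive = 0;                       /* models the tty structure being freed */
}

/* Replay the interleaving from the commit message. A and B are session
 * members sharing one tty; B forks C while A disassociates. Returns 1 if C
 * ends up with a NULL or live tty, 0 if it holds the freed tty (the bug). */
static int replay_race(int with_fix) {
    struct tty tty = { .alive = 1 };
    struct task a = { .tty = &tty }, b = { .tty = &tty }, c = { NULL };
    nsession = 0;
    attach_sid(&a);
    attach_sid(&b);

    copy_signal(&c, &b);                  /* B: fork() -> copy_signal() */
    disassociate_ctty(&tty);              /* A: disassociate_ctty() */
    attach_sid(&c);                       /* B: attach_pid(p, PIDTYPE_SID, ...) */
    /* The fix as the message describes it: now that C is in the session,
     * re-check the parent's tty and clear C's if it has gone NULL. */
    if (with_fix && b.tty == NULL)
        c.tty = NULL;

    return c.tty == NULL || c.tty->alive;
}

int main(void) {
    printf("without fix: child tty valid = %d\n", replay_race(0));   /* 0 */
    printf("with fix:    child tty valid = %d\n", replay_race(1));   /* 1 */
    return 0;
}
```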