Yes, I think it fixes a bug. The trigger would be an aio request doing
some work (inside aio_kick_handler) simultaneous with some thread in the
requester's mm doing a core dump (inside zap_threads).
It has probably never been seen for real, but might be possible to produce
with an exploit that works hard to hit the race. I'm not sure off hand
what all the bad effects would be, mainly those of SIGKILL'ing the
workqueue thread (keventd I guess). The core-dumping threads will be stuck
in uninterruptible waits and never be killable.
Oleg's cleanups make the fix much nicer because there is an easy persistent
flag to check without races. Probably the most isolated fix for this is
something like the bit below (wholly untested). This is hairy enough that
I think Oleg's 1/3 + 2/3 would be preferable even for -stable.
Thanks,
Roland
diff --git a/fs/exec.c b/fs/exec.c
index 9448f1b..0000000 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1545,8 +1545,23 @@ static inline int zap_threads(struct tas
p = g;
do {
- if (p->mm) {
- if (p->mm == mm) {
+ struct mm_struct *pmm = p->mm;
+ if (pmm) {
+ /*
+ * We must ignore a kernel thread (aio)
+ * using PF_BORROWED_MM. But we need
+ * task_lock() to avoid races with use_mm()
+ * or unuse_mm().
+ */
+ if (pmm == mm) {
+ task_lock(p);
+ if (p->flags & PF_BORROWED_MM)
+ pmm = NULL;
+ else
+ pmm = p->mm;
+ task_unlock(p);
+ }
+ if (pmm == mm) {
/*
* p->sighand can't disappear, but
* may be changed by de_thread()
--
