When the last thread exits signal->tty is freed, but the pointer is not
cleared and points to nowhere.

This is OK. Nobody should use signal->tty lockless, and it is no longer
possible to take ->siglock. However this looks wrong even if correct, and
the nice OOPS is better than subtle and hard to find bugs.

Change __exit_signal() to clear signal->tty under ->siglock.

Note: __exit_signal() needs more cleanups. It should not check "sig != NULL"
to detect the all-dead case and we have the same issues with signal->stats.

Signed-off-by: Oleg Nesterov <oleg@redhat.com>
---

 kernel/exit.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- 34-rc1/kernel/exit.c~9_CLEAR_SIGNAL_TTY	2010-03-19 17:25:36.000000000 +0100
+++ 34-rc1/kernel/exit.c	2010-03-19 18:55:02.000000000 +0100
@@ -81,6 +81,7 @@ static void __exit_signal(struct task_st
 {
 	struct signal_struct *sig = tsk->signal;
 	struct sighand_struct *sighand;
+	struct tty_struct *tty;
 
 	BUG_ON(!sig);
 	BUG_ON(!atomic_read(&sig->count));
@@ -94,6 +95,8 @@ static void __exit_signal(struct task_st
 	posix_cpu_timers_exit(tsk);
 	if (thread_group_leader(tsk)) {
 		posix_cpu_timers_exit_group(tsk);
+		tty = sig->tty;
+		sig->tty = NULL;
 	} else {
 		/*
 		 * If there is any task waiting for the group exit
@@ -148,7 +151,7 @@ static void __exit_signal(struct task_st
 		 * see account_group_exec_runtime().
 		 */
 		task_rq_unlock_wait(tsk);
-		tty_kref_put(sig->tty);
+		tty_kref_put(tty);
 	}
 }
 

--

[ message continues ]

(fixup for signals-clear-signal-tty-when-the-last-thread-exits.patch)

I didn't get this warning, but the old gcc complains

	kernel/exit.c: In function 'release_task':
	kernel/exit.c:85: warning: 'tty' may be used uninitialized in this function

This clearly wrong, to the point it blames release_task() instead of
__exit_signal(). But let's make compiler happy anyway, hopefully this
is what it wants.

Signed-off-by: Oleg Nesterov <oleg@redhat.com>
---

 kernel/exit.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- 34-rc1/kernel/exit.c~FIX_EXIT_SIGNAL_TTY_WARNING	2010-03-21 18:36:44.000000000 +0100
+++ 34-rc1/kernel/exit.c	2010-03-24 14:59:55.000000000 +0100
@@ -82,7 +82,7 @@ static void __exit_signal(struct task_st
 	struct signal_struct *sig = tsk->signal;
 	bool group_dead = thread_group_leader(tsk);
 	struct sighand_struct *sighand;
-	struct tty_struct *tty;
+	struct tty_struct *tty = NULL;	/* supress gcc warning */
 
 	BUG_ON(!sig);
 	BUG_ON(!atomic_read(&sig->count));

--

[ message continues ]

uninitialized_var() is a neater way.

(uninitialized_var() will save a teeny bit of .text on old gcc.  One
suspects that a newer gcc which is capable of working out that this
variable _isn't_ uninitialized would also be capable of eliding the `= 0').

--

[ message continues ]

Aha, indeed.

Will resend soon...

Oleg.

--

[ message continues ]

I didn't get this warning, but the old gcc complains

	kernel/exit.c: In function 'release_task':
	kernel/exit.c:85: warning: 'tty' may be used uninitialized in this function

This clearly wrong, to the point it blames release_task() instead of
__exit_signal(). But let's make compiler happy anyway.

Thanks Andrew, now I know we have the handy uninitialized_var() helper ;)

Signed-off-by: Oleg Nesterov <oleg@redhat.com>
---

 kernel/exit.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- 34-rc1/kernel/exit.c~FIX_EXIT_SIGNAL_TTY_WARNING	2010-03-21 18:36:44.000000000 +0100
+++ 34-rc1/kernel/exit.c	2010-03-24 17:36:32.000000000 +0100
@@ -82,7 +82,7 @@ static void __exit_signal(struct task_st
 	struct signal_struct *sig = tsk->signal;
 	bool group_dead = thread_group_leader(tsk);
 	struct sighand_struct *sighand;
-	struct tty_struct *tty;
+	struct tty_struct *uninitialized_var(tty);
 
 	BUG_ON(!sig);
 	BUG_ON(!atomic_read(&sig->count));

--

[ message continues ]

Acked-by: Roland McGrath <roland@redhat.com>


Thanks,
Roland
--

[ message continues ]