[PATCH] fix de_thread vs it_real_fn() deadlock

de_thread() calls del_timer_sync(->real_timer) under ->sighand->siglock.
This is deadlockable, it_real_fn sends a signal and needs this lock too.

Also, delete unneeded ->real_timer.data assignment.

Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
Cc: Roland McGrath <roland@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

diff --git a/fs/exec.c b/fs/exec.c
index 1de69cdc0e6c5433c0ebf5d6a94bcf3b319b5c8b..fc02dadc604a8685b97424d592465dcba691d8a4 100644 (file)
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -641,8 +641,10 @@ static inline int de_thread(struct task_struct *tsk)
                 * before we can safely let the old group leader die.
                 */
                sig->real_timer.data = (unsigned long)current;
+               spin_unlock_irq(lock);
                if (del_timer_sync(&sig->real_timer))
                        add_timer(&sig->real_timer);
+               spin_lock_irq(lock);
        }
        while (atomic_read(&sig->count) > count) {
                sig->group_exit_task = current;
@@ -654,7 +656,6 @@ static inline int de_thread(struct task_struct *tsk)
        }
        sig->group_exit_task = NULL;
        sig->notify_count = 0;
-       sig->real_timer.data = (unsigned long)current;
        spin_unlock_irq(lock);
 
        /*