From: Oleg Nesterov Date: Wed, 23 Nov 2005 21:37:43 +0000 (-0800) Subject: [PATCH] fix do_wait() vs exec() race X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=962b564cf1ec8041e8890a3c3847e3a630a08f42;p=GitHub%2FLineageOS%2FG12%2Fandroid_kernel_amlogic_linux-4.9.git [PATCH] fix do_wait() vs exec() race When non-leader thread does exec, de_thread adds old leader to the init's ->children list in EXIT_ZOMBIE state and drops tasklist_lock. This means that release_task(leader) in de_thread() is racy vs do_wait() from init task. I think de_thread() should set old leader's state to EXIT_DEAD instead. Signed-off-by: Oleg Nesterov Cc: george anzinger Cc: Roland Dreier Cc: Ingo Molnar Cc: Linus Torvalds Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- diff --git a/fs/exec.c b/fs/exec.c index c466fec5de20..1f8a9fd2c9ed 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -668,7 +668,7 @@ static inline int de_thread(struct task_struct *tsk) if (!thread_group_leader(current)) { struct task_struct *parent; struct dentry *proc_dentry1, *proc_dentry2; - unsigned long exit_state, ptrace; + unsigned long ptrace; /* * Wait for the thread group leader to be a zombie. @@ -726,15 +726,15 @@ static inline int de_thread(struct task_struct *tsk) list_del(¤t->tasks); list_add_tail(¤t->tasks, &init_task.tasks); current->exit_signal = SIGCHLD; - exit_state = leader->exit_state; + + BUG_ON(leader->exit_state != EXIT_ZOMBIE); + leader->exit_state = EXIT_DEAD; write_unlock_irq(&tasklist_lock); spin_unlock(&leader->proc_lock); spin_unlock(¤t->proc_lock); proc_pid_flush(proc_dentry1); proc_pid_flush(proc_dentry2); - - BUG_ON(exit_state != EXIT_ZOMBIE); } /*