The patch titled posix-timers: fix creation race has been added to the -mm tree. Its filename is posix-timers-fix-creation-race.patch *** Remember to use Documentation/SubmitChecklist when testing your code *** See http://www.zip.com.au/~akpm/linux/patches/stuff/added-to-mm.txt to find out what to do about this ------------------------------------------------------ Subject: posix-timers: fix creation race From: Oleg Nesterov <oleg@xxxxxxxxxx> sys_timer_create() sets ->it_process and unlocks ->siglock, then checks tmr->it_sigev_notify to define if get_task_struct() is needed. We already passed ->it_id to the caller, another thread can delete this timer and free its memory in between. As a minimal fix, move this code under ->siglock, sys_timer_delete() takes it too before calling release_posix_timer(). A proper serialization would be to take ->it_lock, we add a partly initialized timer on posix_timers_id, not good. Signed-off-by: Oleg Nesterov <oleg@xxxxxxxxxx> Cc: Thomas Gleixner <tglx@xxxxxxxxxxxxx> Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> --- kernel/posix-timers.c | 2 +- 1 files changed, 1 insertion(+), 1 deletion(-) diff -puN kernel/posix-timers.c~posix-timers-fix-creation-race kernel/posix-timers.c --- a/kernel/posix-timers.c~posix-timers-fix-creation-race +++ a/kernel/posix-timers.c @@ -547,9 +547,9 @@ sys_timer_create(const clockid_t which_c new_timer->it_process = process; list_add(&new_timer->list, &process->signal->posix_timers); - spin_unlock_irqrestore(&process->sighand->siglock, flags); if (new_timer->it_sigev_notify == (SIGEV_SIGNAL|SIGEV_THREAD_ID)) get_task_struct(process); + spin_unlock_irqrestore(&process->sighand->siglock, flags); } else { spin_unlock_irqrestore(&process->sighand->siglock, flags); process = NULL; _ Patches currently in -mm which might be from oleg@xxxxxxxxxx are origin.patch posix-timers-fix-creation-race.patch signalfd-fix-interaction-with-posix-timers.patch signalfd-make-it-group-wide-fix-posix-timers-scheduling.patch git-dvb.patch clone-flag-clone_parent_tidptr-leaves-invalid-results-in-memory.patch do_sys_poll-simplify-playing-with-on-stack-data.patch do_sys_poll-simplify-playing-with-on-stack-data-fix.patch do_poll-return-eintr-when-signalled.patch pi-futex-set-pf_exiting-without-taking-pi_lock.patch do_sigaction-remove-now-unneeded-recalc_sigpending.patch handle-the-multi-threaded-inits-exit-properly.patch wait_task_zombie-remove-unneeded-child-signal-check.patch wait_task_zombie-fix-2-3-races-vs-forget_original_parent.patch exit_notify-dont-take-tasklist-for-tif_sigpending-re-targeting.patch zap_other_threads-dont-optimize-thread_group_empty-case.patch cpu-hotplug-slab-cleanup-cpuup_callback.patch cpu-hotplug-slab-fix-memory-leak-in-cpu-hotplug-error-path.patch cpu-hotplug-cpu-deliver-cpu_up_canceled-only-to-notify_oked-callbacks-with-cpu_up_prepare.patch cpu-hotplug-topology-remove-topology_dev_map.patch cpu-hotplug-thermal_throttle-fix-cpu-hotplug-error-handling.patch cpu-hotplug-msr-fix-cpu-hotplug-error-handling.patch cpu-hotplug-cpuid-fix-cpu-hotplug-error-handling.patch cpu-hotplug-mce-fix-cpu-hotplug-error-handling.patch cpu-hotplug-intel_cacheinfo-fix-cpu-hotplug-error-handling.patch cpu-hotplug-intel_cacheinfo-fix-cpu-hotplug-error-handling-fix-a-section-mismatch-warning.patch make-access-to-tasks-nsproxy-lighter.patch workqueue-debug-flushing-deadlocks-with-lockdep.patch workqueue-debug-work-related-deadlocks-with-lockdep.patch pid-namespaces-rework-forget_original_parent.patch pid-namespaces-move-exit_task_namespaces.patch pid-namespaces-introduce-ms_kernmount-flag.patch pid-namespaces-prepare-proc_flust_task-to-flush-entries-from-multiple-proc-trees.patch pid-namespaces-introduce-struct-upid.patch pid-namespaces-add-support-for-pid-namespaces-hierarchy.patch pid-namespaces-make-alloc_pid-free_pid-and-put_pid-work-with-struct-upid.patch pid-namespaces-helpers-to-obtain-pid-numbers.patch pid-namespaces-helpers-to-find-the-task-by-its-numerical-ids.patch pid-namespaces-move-alloc_pid-lower-in-copy_process.patch pid-namespaces-make-proc-have-multiple-superblocks-one-for-each-namespace.patch pid-namespaces-miscelaneous-preparations-for-pid-namespaces.patch pid-namespaces-allow-cloning-of-new-namespace.patch pid-namespaces-make-proc_flush_task-actually-from-entries-from-multiple-namespaces.patch pid-namespaces-initialize-the-namespaces-proc_mnt.patch pid-namespaces-create-a-slab-cache-for-struct-pid_namespace.patch pid-namespaces-allow-signalling-container-init.patch pid-namespaces-destroy-pid-namespace-on-inits-death.patch pid-namespaces-changes-to-show-virtual-ids-to-user.patch pid-namespaces-remove-the-struct-pid-unneeded-fields.patch - To unsubscribe from this list: send the line "unsubscribe mm-commits" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html