Eric, I'll try to finally read the whole thread later, probably I missed
something, but...
On 02/07, Eric W. Biederman wrote:
>
> Recently syzkaller was able to create unkillablle processes by
> creating a timer that is delivered as a thread local signal on SIGHUP,
> and receiving SIGHUP SA_NODEFERER. Ultimately causing a loop failing
> to deliver SIGHUP but always trying.
>
> When the stack overflows delivery of SIGHUP fails and force_sigsegv is
> called. Unfortunately because SIGSEGV is numerically higher than
> SIGHUP next_signal tries again to deliver a SIGHUP.
Confused... In this particular case next_signal() should return SIGSEGV
because it must be pending too and SYNCHRONOUS_MASK doesn't include SIGHUP.
Not that it really matters, the timer can deliver another SYNCHRONOUS_MASK
signal < SIGSEGV, just I am trying to understand what have I missed...
> + /*
> + * Check if there is another siginfo for the same signal.
> + */
> + list_for_each_entry_continue(q, &pending->list, list) {
> + if (q->info.si_signo == sync->info.si_signo)
> + goto still_pending;
> + }
But this must not be possible? SYNCHRONOUS_MASK doesn't include real-time
signals, we can't have 2 siginfo's for the same signal < SIGRTMIN.
Oleg.
