On 08/13, Rik van Riel wrote:
>
> Subject: fix sighand use after free
>
> __lock_task_sighand carefully takes the rcu_read_lock, gets
> tsk->sighand with rcu_dereference, and verifies that the task
> is still using the sighand_struct after taking the spinlock.
>
> This works much better if the sighand struct is actually rcu
> freed.
I promise, I'll send the doc patch soon ;)

> --- a/kernel/fork.c
> +++ b/kernel/fork.c
> @@ -1017,7 +1017,7 @@ void __cleanup_sighand(struct sighand_struct *sighand)
> {
> if (atomic_dec_and_test(&sighand->count)) {
> signalfd_cleanup(sighand);
> - kmem_cache_free(sighand_cachep, sighand);
> + rcu_free(sighand_cachep, sighand);

Please note that sighand_cachep is SLAB_DESTROY_BY_RCU.

Hmm. And what is rcu_free()?

Oleg.
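Review bot: the replacement call in the hunk, `rcu_free(sighand_cachep, sighand)`, is not defined anywhere in the patch as posted, so __cleanup_sighand will not build against the tree unless that helper arrives in an unquoted part of the series; the hunk should carry or reference its definition. Separately, as the reply points out, sighand_cachep is created with SLAB_DESTROY_BY_RCU, which already keeps the slab memory backing the object from being returned to the page allocator until an RCU grace period has passed; what an rcu_read_lock reader must still guard against is the object being recycled for a new sighand_struct inside the cache, which is exactly why __lock_task_sighand re-checks tsk->sighand after taking the spinlock. If the intent is to additionally delay reuse of the object itself until a grace period has elapsed, the established interface is call_rcu() with a callback that performs the kmem_cache_free(), and the commit message should explain why the existing SLAB_DESTROY_BY_RCU protection plus re-check is insufficient for the use-after-free being fixed, since the description as written does not identify the failing sequence.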