Bernhard Kaindl noticed a race in the lockless receive path of msgrcv():
If a signal wakes up the thread that sleeps in msgrcv(), then
pipelined_send() can access an already invalid structure. This can cause
oopses during wake_up_process().
http://marc.theaimsgroup.com/?l=linux-kernel&m=103599896511067&w=2
The simplest solution is to remove the lockless receive, and always
acquire the spinlock during receive.
Unfortunately this would increase the number of spinlock operations for
ipc/msg.c by up to 50%. (from 2 to 3 spinlock calls for msgrcv()+msgsnd())
Any other ideas? Are there workloads that heavily rely on sysv msg?
Patch against 2.5.46 is attached.
-- Manfred
--- 2.5/ipc/msg.c 2002-11-09 00:45:37.000000000 +0100 +++ build-2.5/ipc/msg.c 2002-11-09 15:01:13.000000000 +0100 @@ -799,10 +799,6 @@ schedule(); current->state = TASK_RUNNING; - msg = (struct msg_msg*) msr_d.r_msg; - if(!IS_ERR(msg)) - goto out_success; - msq = msg_lock(msqid); msg = (struct msg_msg*)msr_d.r_msg; if(!IS_ERR(msg)) {
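Review bot: The hunk removes the unlocked read of msr_d.r_msg that sat between `current->state = TASK_RUNNING;` and `msq = msg_lock(msqid);`, which matches the race described in the cover letter (the receiver examined r_msg before the sender's update, made under the queue lock, was guaranteed to be complete, and an early `goto out_success` skipped the locked re-check). Add a short comment above `msq = msg_lock(msqid);` stating that r_msg must only be examined once the queue lock is held, so the lockless fast path is not reintroduced by a later optimization; the remaining `if(!IS_ERR(msg)) {` after the lock is now the only success check and carries the correctness argument. The hunk also ends mid-block, so the branch handling a signal wakeup with r_msg still holding an error value is not visible for review.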
This archive was generated by hypermail 2b29 : Fri Nov 15 2002 - 22:00:17 EST