When using RT signals, during do_sigaction(), if the signal is queued
already and this queued instance it is not exactly at
current->sigqueue, then the queue structure is freed however
current->sigqueue_tail is not updated and thus later during
dequeue_signal() and other places we will reference it again
and even kfree it a second time, which causes an instant oops
in kmem_cache_free.
This behavior was seen on an SMP system running several concurrent
copies of ncml mirroring software under heavy load.
Here is the fix, it makes the freeing logic identical to similar
code in dequeue_signal().
--- kernel/signal.c.~1~ Wed Sep 22 06:00:40 1999
+++ kernel/signal.c Tue Oct 12 02:01:23 1999
@@ -872,7 +872,8 @@
if (q->info.si_signo != sig)
pp = &q->next;
else {
- *pp = q->next;
+ if ((*pp = q->next) == NULL)
+ current->sigqueue_tail = pp;
kmem_cache_free(signal_queue_cachep, q);
atomic_dec(&nr_queued_signals);
}
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/