signals: clear signal->tty when the last thread exits

When the last thread exits signal->tty is freed, but the pointer is not
cleared and points to nowhere.

This is OK.  Nobody should use signal->tty lockless, and it is no longer
possible to take ->siglock.  However this looks wrong even if correct, and
the nice OOPS is better than subtle and hard to find bugs.

Change __exit_signal() to clear signal->tty under ->siglock.

Note: __exit_signal() needs more cleanups.  It should not check "sig !=
NULL" to detect the all-dead case and we have the same issues with
signal->stats.

Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Cc: Alan Cox <alan@linux.intel.com>
Cc: Ingo Molnar <mingo@elte.hu>
Acked-by: Peter Zijlstra <peterz@infradead.org>
Acked-by: Roland McGrath <roland@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

diff --git a/kernel/exit.c b/kernel/exit.c
index 92af5cde9bbe1414077f17421dd0c9f5515f7209..356d91fa095f8bafff7dbca30121d22d246fb5c4 100644 (file)
--- a/kernel/exit.c
+++ b/kernel/exit.c
@@ -80,6 +80,7 @@ static void __exit_signal(struct task_struct *tsk)
 {
        struct signal_struct *sig = tsk->signal;
        struct sighand_struct *sighand;
+       struct tty_struct *uninitialized_var(tty);
 
        BUG_ON(!sig);
        BUG_ON(!atomic_read(&sig->count));
@@ -93,6 +94,8 @@ static void __exit_signal(struct task_struct *tsk)
        posix_cpu_timers_exit(tsk);
        if (thread_group_leader(tsk)) {
                posix_cpu_timers_exit_group(tsk);
+               tty = sig->tty;
+               sig->tty = NULL;
        } else {
                /*
                 * If there is any task waiting for the group exit
@@ -147,7 +150,7 @@ static void __exit_signal(struct task_struct *tsk)
                 * see account_group_exec_runtime().
                 */
                task_rq_unlock_wait(tsk);
-               tty_kref_put(sig->tty);
+               tty_kref_put(tty);
        }
 }