
pthread_kill is racy: probably needs kernel change



pthread_kill takes the tid from the struct pthread and passes it to
the kernel in sys_tkill.

However, between the time userspace reads the tid and the time the
kernel finds the task_struct, the thread might have exited and the tid
reused, resulting in killing the wrong process.

The fact that the tid can be immediately reused is a consequence of
using CLONE_DETACHED, which, however, should IMHO not be removed since it
avoids a syscall to free the zombie (and also avoids SIGCHLD).

The fix that I propose is to change sys_tkill so that a pointer to the
tid is passed. The kernel can then get the value and find the task
while holding tasklist_lock, thus protecting from task_release
resulting from an eventual thread exit.

A related problem is that if the tid is 0, pthread_kill returns
EINVAL, while according to SUSv3 it should return 0.

BTW, can the sys_tkill ABI be broken or would a new syscall be needed?
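The window described in this post, as an added toy model (my code, not the poster's patch and not kernel code): a tiny task table guarded by a mutex standing in for tasklist_lock, a descriptor field standing in for struct pthread's tid, and two flavours of tkill. One takes the tid by value, read by userspace before the syscall; the other takes a pointer and reads the tid under the same lock that the exit path uses to clear it. The interleaving is forced deterministically (read tid, thread exits, new thread reuses the tid, kill lands), so no real threads are created. Names, the starting tid and the "exit clears the descriptor's tid under the lock" step are assumptions of the model.

```c
/* Toy model of the tid-reuse race in pthread_kill/sys_tkill. Not kernel code. */
#include <errno.h>
#include <pthread.h>
#include <stdio.h>
#include <string.h>

#define MAX_TASKS 4

/* Model of the kernel's task table. */
struct task {
    int tid;      /* 0 = free slot */
    int signals;  /* number of tkill()s delivered to this task */
};

static struct task tasks[MAX_TASKS];
static pthread_mutex_t tasklist_lock = PTHREAD_MUTEX_INITIALIZER;
static int next_tid = 100;   /* constructed starting tid */
static int reusable_tid;     /* tid freed by the last exit; handed out first (models immediate reuse) */

/* Model of the userspace struct pthread: the only field the example needs. */
struct pthread_desc { int tid; };

static void reset_model(void) {
    memset(tasks, 0, sizeof tasks);
    next_tid = 100;
    reusable_tid = 0;
}

/* clone(): allocate a task slot and a tid, publish the tid in the descriptor. */
static struct task *task_create(struct pthread_desc *pd) {
    struct task *t = NULL;
    pthread_mutex_lock(&tasklist_lock);
    for (int i = 0; i < MAX_TASKS; i++)
        if (tasks[i].tid == 0) { t = &tasks[i]; break; }
    if (t) {
        t->tid = reusable_tid ? reusable_tid : next_tid++;
        reusable_tid = 0;
        t->signals = 0;
        pd->tid = t->tid;
    }
    pthread_mutex_unlock(&tasklist_lock);
    return t;
}

/* Thread exit with CLONE_DETACHED semantics: the slot and tid are released at once.
   Assumption of the model: the exit path also clears the descriptor's tid under
   tasklist_lock, which is what lets the pointer-based lookup observe "thread gone". */
static void task_exit(struct pthread_desc *pd) {
    pthread_mutex_lock(&tasklist_lock);
    for (int i = 0; i < MAX_TASKS; i++)
        if (tasks[i].tid == pd->tid) { reusable_tid = tasks[i].tid; tasks[i].tid = 0; }
    pd->tid = 0;
    pthread_mutex_unlock(&tasklist_lock);
}

/* Lookup by tid; caller holds tasklist_lock. */
static struct task *find_task_locked(int tid) {
    if (tid == 0) return NULL;
    for (int i = 0; i < MAX_TASKS; i++)
        if (tasks[i].tid == tid) return &tasks[i];
    return NULL;
}

/* Current sys_tkill(tid): the value was read by userspace some time earlier. */
static int sys_tkill_value(int tid) {
    pthread_mutex_lock(&tasklist_lock);
    struct task *t = find_task_locked(tid);
    if (t) t->signals++;
    pthread_mutex_unlock(&tasklist_lock);
    return t ? 0 : -ESRCH;
}

/* Proposed sys_tkill(&tid): the tid is read and the task found under one lock. */
static int sys_tkill_ptr(const int *tidp) {
    pthread_mutex_lock(&tasklist_lock);
    struct task *t = find_task_locked(*tidp);
    if (t) t->signals++;
    pthread_mutex_unlock(&tasklist_lock);
    return t ? 0 : -ESRCH;
}

/* Forced interleaving: A's tid is read, A exits, B is created and reuses the tid,
   then the kill lands. Returns how many signals B (the wrong target) received;
   *rc_out receives the tkill return code. */
static int run_scenario(int use_pointer, int *rc_out) {
    struct pthread_desc a, b;
    reset_model();
    task_create(&a);
    int snapshot = a.tid;                /* pthread_kill reads struct pthread->tid here */
    task_exit(&a);                       /* ...but the thread exits before the syscall runs */
    struct task *tb = task_create(&b);   /* ...and a new thread gets the same tid */
    int rc = use_pointer ? sys_tkill_ptr(&a.tid) : sys_tkill_value(snapshot);
    if (rc_out) *rc_out = rc;
    return tb->signals;
}

int main(void) {
    int rc, wrong;
    wrong = run_scenario(0, &rc);
    printf("tid by value:   wrong-target signals=%d rc=%d\n", wrong, rc);
    wrong = run_scenario(1, &rc);
    printf("tid by pointer: wrong-target signals=%d rc=%d\n", wrong, rc);
    return 0;
}
```

The by-value path delivers the signal to B and reports success, which is exactly the symptom in the post; the pointer path sees the cleared tid under the lock and fails with ESRCH instead of hitting the wrong task. The model says nothing about which kernel lock or exit-time mechanism would actually be used; it only shows why reading the tid and finding the task must happen under the same lock as the release.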
