pthread_kill takes the tid from the struct pthread and passes it to the kernel in sys_tkill. However, between the time userspace reads the tid and the time the kernel finds the task_struct, the thread might have exited and the tid been reused, resulting in killing the wrong process. The fact that the tid can be immediately reused is a consequence of using CLONE_DETACHED, which, however, should IMHO not be removed, since it avoids a syscall to free the zombie (and also avoids SIGCHLD). The fix that I propose is to change sys_tkill so that a pointer to the tid is passed. The kernel can then get the value and find the task while holding tasklist_lock, thus protecting against the task_release resulting from an eventual thread exit. A related problem is that if the tid is 0, pthread_kill returns EINVAL, while according to SUSv3 it should return 0. BTW, can the sys_tkill ABI be broken, or would a new syscall be needed?
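The window described above, as a constructed C model added here (not kernel code and not the poster's patch): a small table stands in for the tid to task_struct lookup, a mutex for tasklist_lock, and thread exit is driven explicitly so the interleaving is deterministic; it assumes an exiting thread clears its caller-visible tid slot under the same lock that releases its task.

```c
/* Constructed model, not kernel code: a table stands in for tid -> task_struct lookup,
 * a mutex for tasklist_lock, and exit is called explicitly so the race is deterministic.
 * Assumption: an exiting thread clears its caller-visible tid slot under that lock. */
#include <errno.h>
#include <pthread.h>
#define MAX_TASKS 4
struct task { int tid, alive, last_signal; };
static struct task tasks[MAX_TASKS];
static pthread_mutex_t tasklist_lock = PTHREAD_MUTEX_INITIALIZER;
static struct task *find_task(int tid) {             /* lock must be held */
    for (int i = 0; i < MAX_TASKS; i++) if (tasks[i].alive && tasks[i].tid == tid) return &tasks[i];
    return NULL;
}
static int create_task(void) {                       /* lowest free tid: reused at once */
    int tid = -1;
    pthread_mutex_lock(&tasklist_lock);
    for (int i = 0; i < MAX_TASKS && tid < 0; i++)
        if (!tasks[i].alive) { tasks[i] = (struct task){i + 1, 1, 0}; tid = i + 1; }
    pthread_mutex_unlock(&tasklist_lock); return tid;
}
static void exit_task(int *tid_slot) {               /* detached exit: no zombie is kept */
    pthread_mutex_lock(&tasklist_lock);
    struct task *t = find_task(*tid_slot); if (t) t->alive = 0;
    *tid_slot = 0;                                   /* slot cleared under the same lock */
    pthread_mutex_unlock(&tasklist_lock);
}
static int deliver(int tid, int sig) {               /* lock must be held */
    struct task *t = find_task(tid);
    if (t) t->last_signal = sig;
    return t ? 0 : -ESRCH;
}
static int tkill_by_value(int tid, int sig) {        /* current ABI: tid copied in userspace */
    pthread_mutex_lock(&tasklist_lock); int r = deliver(tid, sig);
    pthread_mutex_unlock(&tasklist_lock); return r;
}
static int tkill_by_ptr(const int *tidp, int sig) {  /* proposed ABI: *tidp read under lock */
    pthread_mutex_lock(&tasklist_lock); int r = deliver(*tidp, sig);
    pthread_mutex_unlock(&tasklist_lock); return r;
}
/* A reads B's tid, B exits, C is created and inherits the number, A signals "B".
 * Returns the signal C received: 15 with the current ABI, 0 with the proposed one. */
int signal_seen_by_reused_tid(int use_ptr) {
    for (int i = 0; i < MAX_TASKS; i++) tasks[i].alive = 0;
    int b_tid = create_task(), copy = b_tid;         /* pthread_kill's read of pd->tid */
    exit_task(&b_tid);
    int c_tid = create_task();                       /* same number B had */
    if (use_ptr) tkill_by_ptr(&b_tid, 15); else tkill_by_value(copy, 15);
    return tasks[c_tid - 1].last_signal;
}
```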