I'm on PTO until May 15, can't read the code.
Did you verify that 5.14 has all the necessary "recent" posixtimer changes?
Oleg.
On 05/05, Sasha Levin wrote:
From: Oleg Nesterov oleg@redhat.com
[ Upstream commit fb3bbcfe344e64a46574a638b051ffd78762c12d ]
A task can block a signal, accumulate up to RLIMIT_SIGPENDING sigqueues, and exit. In this case __exit_signal()->flush_sigqueue() called with irqs disabled can trigger a hard lockup, see https://lore.kernel.org/all/20190322114917.GC28876@redhat.com/
Fortunately, after the recent posixtimer changes sys_timer_delete() paths no longer try to clear SIGQUEUE_PREALLOC and/or free tmr->sigq, and after the exiting task passes __exit_signal() lock_task_sighand() can't succeed and pid_task(tmr->it_pid) will return NULL.
This means that after __exit_signal(tsk) nobody can play with tsk->pending or (if group_dead) with tsk->signal->shared_pending, so release_task() can safely call flush_sigqueue() after write_unlock_irq(&tasklist_lock).
TODO:
- we can probably shift posix_cpu_timers_exit() as well
- do_sigaction() can hit the similar problem
Signed-off-by: Oleg Nesterov oleg@redhat.com Link: https://lore.kernel.org/r/20250206152314.GA14620@redhat.com Reviewed-by: Frederic Weisbecker frederic@kernel.org Signed-off-by: Christian Brauner brauner@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org
kernel/exit.c | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-)
diff --git a/kernel/exit.c b/kernel/exit.c index 5015ecdda6d95..69deb2901ec55 100644 --- a/kernel/exit.c +++ b/kernel/exit.c @@ -204,20 +204,13 @@ static void __exit_signal(struct task_struct *tsk) __unhash_process(tsk, group_dead); write_sequnlock(&sig->stats_lock);
- /*
* Do this under ->siglock, we can race with another thread* doing sigqueue_free() if we have SIGQUEUE_PREALLOC signals.*/- flush_sigqueue(&tsk->pending); tsk->sighand = NULL; spin_unlock(&sighand->siglock);
__cleanup_sighand(sighand); clear_tsk_thread_flag(tsk, TIF_SIGPENDING);
- if (group_dead) {
flush_sigqueue(&sig->shared_pending);
- if (group_dead) tty_kref_put(tty);
- }
} static void delayed_put_task_struct(struct rcu_head *rhp) @@ -277,6 +270,16 @@ void release_task(struct task_struct *p) write_unlock_irq(&tasklist_lock); release_thread(p);
- /*
* This task was already removed from the process/thread/pid lists* and lock_task_sighand(p) can't succeed. Nobody else can touch* ->pending or, if group dead, signal->shared_pending. We can call* flush_sigqueue() lockless.*/- flush_sigqueue(&p->pending);
- if (thread_group_leader(p))
flush_sigqueue(&p->signal->shared_pending);- put_task_struct_rcu_user(p);
p = leader; -- 2.39.5