On Tue, 6 Sep 2011, Eric Dumazet wrote:
> On Tuesday 06 September 2011 at 16:51 +0200, Oleg Nesterov wrote:
> > On 09/05, Andi Kleen wrote:
> > >
> > > > I forgot everything I knew about ->it_requeue_pending logic, but it
> > > > seems to me that do_schedule_next_timer()->lock_timer() can find and
> > > > lock successfully the wrong timer. Another thread can do timer_delete()
> > > > and then re-create the timer with the same id.
> > >
> > > Do you mean after my patches or even before?
> >
> > Ah, sorry for confusion.
> >
> > Before. And after. IOW, I think this has nothing to do with your patches.
> >
>
> Hmm, you mean following patch is needed?
>
> Before release of timer id to idr pool, we should make sure
> do_schedule_next_timer() won't be called, or it could find another timer
> reusing the just released id.

I don't see how that makes it sure. If the signal is queued, then it
stays queued and the put_pid() has no effect either.

Thanks,

	tglx

> diff --git a/kernel/posix-timers.c b/kernel/posix-timers.c
> index 4556182..4369747 100644
> --- a/kernel/posix-timers.c
> +++ b/kernel/posix-timers.c
> @@ -502,14 +502,14 @@ static void k_itimer_rcu_free(struct rcu_head *head)
>  #define IT_ID_NOT_SET	0
>  static void release_posix_timer(struct k_itimer *tmr, int it_id_set)
>  {
> +	put_pid(tmr->it_pid);
> +	sigqueue_free(tmr->sigq);
>  	if (it_id_set) {
>  		unsigned long flags;
>  		spin_lock_irqsave(&idr_lock, flags);
>  		idr_remove(&posix_timers_id, tmr->it_id);
>  		spin_unlock_irqrestore(&idr_lock, flags);
>  	}
> -	put_pid(tmr->it_pid);
> -	sigqueue_free(tmr->sigq);
>  	call_rcu(&tmr->it.rcu, k_itimer_rcu_free);
>  }
>
>
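Review bot: moving put_pid() and sigqueue_free() ahead of the idr_remove() in release_posix_timer() does not close the window the thread describes. A signal that is already queued still carries tmr->it_id, and nothing in this hunk takes it off the queue or invalidates it, so once idr_remove() returns the id a subsequent timer_create() can hand the same id to a different k_itimer while the signal is still pending; lock_timer() in do_schedule_next_timer() then resolves to that new timer exactly as before. The reordering of put_pid() is also unexplained: it touches nothing the id lookup depends on. If the intent is to stop the pending signal from being acted on, the change needs to make the queued signal unable to reach the stale id (or make the lookup side reject it) before the id goes back to the idr, and the commit message should state which of those it relies on.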
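The id-reuse race Oleg describes, and tglx's objection that reordering the release does not help, can be seen in a small user-space model. The following is an added example written for this page; it is not code from the thread or from the kernel. The idr, k_itimer and sigqueue are replaced by simplified stand-ins (every `*_model` name, the `tag` field, `MAX_IDS` and the "lowest free slot" allocation rule are assumptions for the illustration), and the interesting behaviour is that `sigqueue_free()` on an already-queued entry leaves it on the queue, which is what tglx points out.

```c
/* Added example (not from the thread or the kernel): a user-space model of
 * the posix-timer id reuse race. All *_model names, MAX_IDS and the id
 * allocation rule are simplifications assumed for the illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_IDS 8

/* Stand-in for struct k_itimer: only the id and a tag to tell instances apart. */
struct k_itimer_model {
    int it_id;
    const char *tag;
};

/* Stand-in for the posix_timers_id idr: the lowest free slot is handed out,
 * so a just-released id is the first candidate for the next timer_create(). */
static struct k_itimer_model *id_table[MAX_IDS];

static int idr_get_new_model(struct k_itimer_model *t)
{
    for (int i = 0; i < MAX_IDS; i++) {
        if (id_table[i] == NULL) {
            id_table[i] = t;
            t->it_id = i;
            return i;
        }
    }
    return -1;
}

static void idr_remove_model(int id)
{
    if (id >= 0 && id < MAX_IDS)
        id_table[id] = NULL;
}

/* Stand-in for lock_timer(): resolve an id to whatever timer owns it now. */
static struct k_itimer_model *lock_timer_model(int id)
{
    if (id < 0 || id >= MAX_IDS)
        return NULL;
    return id_table[id];
}

/* Stand-in for the timer's preallocated sigqueue. Once queued, the only
 * thing it carries is the timer id (si_tid). Freeing a queued entry only
 * drops the preallocation flag; the entry stays on the queue. */
struct sigqueue_model {
    bool queued;
    bool prealloc;
    int si_tid;
};

static void sigqueue_free_model(struct sigqueue_model *q)
{
    q->prealloc = false;   /* q->queued is deliberately left untouched */
}

/* The release path in both orderings from the thread: idr_remove() first
 * (current code) or sigqueue_free() first (the proposed reordering). */
static void release_posix_timer_model(struct k_itimer_model *t,
                                      struct sigqueue_model *q,
                                      bool free_before_idr_remove)
{
    if (free_before_idr_remove)
        sigqueue_free_model(q);
    idr_remove_model(t->it_id);
    if (!free_before_idr_remove)
        sigqueue_free_model(q);
}

/* Scenario: timer A fires and its signal is queued; before the signal is
 * dequeued, A is deleted and timer B is created, taking A's id. The delivery
 * path then resolves si_tid. Returns the timer lock_timer() finds. */
static struct k_itimer_model *run_scenario(bool free_before_idr_remove)
{
    static struct k_itimer_model a, b;
    static struct sigqueue_model q;

    for (int i = 0; i < MAX_IDS; i++)
        id_table[i] = NULL;
    a = (struct k_itimer_model){ -1, "A" };
    b = (struct k_itimer_model){ -1, "B" };
    q = (struct sigqueue_model){ false, true, -1 };

    (void)idr_get_new_model(&a);       /* timer_create(): A gets id 0 */
    q.queued = true;                   /* A fires; signal queued with si_tid */
    q.si_tid = a.it_id;

    release_posix_timer_model(&a, &q, free_before_idr_remove); /* timer_delete(A) */
    (void)idr_get_new_model(&b);       /* timer_create(): B reuses id 0 */

    if (!q.queued)                     /* nothing pending: nothing to resolve */
        return NULL;
    return lock_timer_model(q.si_tid); /* do_schedule_next_timer() path */
}

int main(void)
{
    for (int order = 0; order < 2; order++) {
        struct k_itimer_model *found = run_scenario(order == 1);
        printf("free before idr_remove=%d: si_tid resolves to timer %s\n",
               order, found ? found->tag : "(none)");
    }
    return 0;
}
```

In both orderings the pending entry still names id 0 after A is gone, and B now owns id 0, so the lookup returns B; the model only changes which of two things happens first inside the release, neither of which touches the queued entry.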