git://ftp.safe.ca / safe / jmp / linux-2.6 / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 8792f96) | patch
robust futex thread exit race
authorMartin Schwidefsky <schwidefsky@de.ibm.com>
Mon, 1 Oct 2007 08:20:13 +0000 (01:20 -0700)
committerLinus Torvalds <torvalds@woody.linux-foundation.org>
Mon, 1 Oct 2007 14:52:23 +0000 (07:52 -0700)
commit9f96cb1e8bca179a92afa40dfc3c49990f1cfc71
tree7d1f921f488aa570083420dc3846856b17a7b2b6tree | snapshot
parent8792f961ba8057d9f27987def3600253a3ba060fcommit | diff
robust futex thread exit race

Calling handle_futex_death in exit_robust_list for the different robust
mutexes of a thread basically frees the mutex.  Another thread might grab
the lock immediately which updates the next pointer of the mutex.
fetch_robust_entry over the next pointer might therefore branch into the
robust mutex list of a different thread.  This can cause two problems: 1)
some mutexes held by the dead thread are not getting freed and 2) some
mutexs held by a different thread are freed.

The next point need to be read before calling handle_futex_death.

Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Acked-by: Ingo Molnar <mingo@elte.hu>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
kernel/futex.c diff | blob | history
kernel/futex_compat.c diff | blob | history
Full containers within linux kernel