Skip to main content

Browse the archive

Revision 9f96cb1e8bca179a92afa40dfc3c49990f1cfc71 authored by Martin Schwidefsky on 01 October 2007, 08:20:13 UTC, committed by Linus Torvalds on 01 October 2007, 14:52:23 UTC 
robust futex thread exit race
 
Calling handle_futex_death in exit_robust_list for the different robust
mutexes of a thread basically frees the mutex.  Another thread might grab
the lock immediately which updates the next pointer of the mutex.
fetch_robust_entry over the next pointer might therefore branch into the
robust mutex list of a different thread.  This can cause two problems: 1)
some mutexes held by the dead thread are not getting freed and 2) some
mutexs held by a different thread are freed.

The next point need to be read before calling handle_futex_death.

Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Acked-by: Ingo Molnar <mingo@elte.hu>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
1 parent 8792f96
History
File Mode Size
lzo
reed_solomon
zlib_deflate
zlib_inflate
.gitignore -rw-r--r-- 51 bytes
Kconfig -rw-r--r-- 2.8 KB
Kconfig.debug -rw-r--r-- 16.6 KB
Makefile -rw-r--r-- 2.3 KB
argv_split.c -rw-r--r-- 1.8 KB
audit.c -rw-r--r-- 1.2 KB
bitmap.c -rw-r--r-- 24.0 KB
bitrev.c -rw-r--r-- 2.1 KB
bug.c -rw-r--r-- 4.1 KB
bust_spinlocks.c -rw-r--r-- 582 bytes
check_signature.c -rw-r--r-- 599 bytes
cmdline.c -rw-r--r-- 3.5 KB
cpumask.c -rw-r--r-- 565 bytes
crc-ccitt.c -rw-r--r-- 3.0 KB
crc-itu-t.c -rw-r--r-- 2.8 KB
crc16.c -rw-r--r-- 2.8 KB
crc32.c -rw-r--r-- 15.0 KB
crc32defs.h -rw-r--r-- 1.0 KB
crc7.c -rw-r--r-- 2.3 KB
ctype.c -rw-r--r-- 1.3 KB
debug_locks.c -rw-r--r-- 1.1 KB
dec_and_lock.c -rw-r--r-- 806 bytes
devres.c -rw-r--r-- 7.1 KB
div64.c -rw-r--r-- 1.6 KB
dump_stack.c -rw-r--r-- 290 bytes
extable.c -rw-r--r-- 1.9 KB
fault-inject.c -rw-r--r-- 7.8 KB
find_next_bit.c -rw-r--r-- 4.3 KB
gen_crc32table.c -rw-r--r-- 1.8 KB
genalloc.c -rw-r--r-- 5.3 KB
halfmd4.c -rw-r--r-- 2.0 KB
hexdump.c -rw-r--r-- 6.0 KB
hweight.c -rw-r--r-- 1.6 KB
idr.c -rw-r--r-- 19.4 KB
inflate.c -rw-r--r-- 37.8 KB
int_sqrt.c -rw-r--r-- 533 bytes
iomap.c -rw-r--r-- 7.5 KB
iomap_copy.c -rw-r--r-- 2.1 KB
ioremap.c -rw-r--r-- 2.1 KB
irq_regs.c -rw-r--r-- 578 bytes
kasprintf.c -rw-r--r-- 680 bytes
kernel_lock.c -rw-r--r-- 4.6 KB
klist.c -rw-r--r-- 6.8 KB
kobject.c -rw-r--r-- 14.3 KB
kobject_uevent.c -rw-r--r-- 7.7 KB
kref.c -rw-r--r-- 1.6 KB
libcrc32c.c -rw-r--r-- 6.5 KB
list_debug.c -rw-r--r-- 2.0 KB
locking-selftest-hardirq.h -rw-r--r-- 207 bytes
locking-selftest-mutex.h -rw-r--r-- 120 bytes
locking-selftest-rlock-hardirq.h -rw-r--r-- 74 bytes
locking-selftest-rlock-softirq.h -rw-r--r-- 74 bytes
locking-selftest-rlock.h -rw-r--r-- 158 bytes
locking-selftest-rsem.h -rw-r--r-- 163 bytes
locking-selftest-softirq.h -rw-r--r-- 207 bytes
locking-selftest-spin-hardirq.h -rw-r--r-- 73 bytes
locking-selftest-spin-softirq.h -rw-r--r-- 73 bytes
locking-selftest-spin.h -rw-r--r-- 118 bytes
locking-selftest-wlock-hardirq.h -rw-r--r-- 74 bytes
locking-selftest-wlock-softirq.h -rw-r--r-- 74 bytes
locking-selftest-wlock.h -rw-r--r-- 158 bytes
locking-selftest-wsem.h -rw-r--r-- 163 bytes
locking-selftest.c -rw-r--r-- 28.6 KB
parser.c -rw-r--r-- 5.9 KB
percpu_counter.c -rw-r--r-- 2.4 KB
plist.c -rw-r--r-- 2.8 KB
prio_tree.c -rw-r--r-- 12.2 KB
radix-tree.c -rw-r--r-- 25.2 KB
random32.c -rw-r--r-- 3.6 KB
rbtree.c -rw-r--r-- 8.6 KB
reciprocal_div.c -rw-r--r-- 159 bytes
rwsem-spinlock.c -rw-r--r-- 6.9 KB
rwsem.c -rw-r--r-- 6.4 KB
semaphore-sleepers.c -rw-r--r-- 4.7 KB
sha1.c -rw-r--r-- 2.4 KB
smp_processor_id.c -rw-r--r-- 1.1 KB
sort.c -rw-r--r-- 2.5 KB
spinlock_debug.c -rw-r--r-- 6.8 KB
string.c -rw-r--r-- 12.9 KB
swiotlb.c -rw-r--r-- 22.3 KB
textsearch.c -rw-r--r-- 9.2 KB
ts_bm.c -rw-r--r-- 4.9 KB
ts_fsm.c -rw-r--r-- 10.5 KB
ts_kmp.c -rw-r--r-- 3.8 KB
vsprintf.c -rw-r--r-- 22.0 KB
back to top