Revision 9f96cb1e8bca179a92afa40dfc3c49990f1cfc71 authored by Martin Schwidefsky on 01 October 2007, 08:20:13 UTC, committed by Linus Torvalds on 01 October 2007, 14:52:23 UTC
Calling handle_futex_death in exit_robust_list for the different robust mutexes of a thread basically frees the mutex. Another thread might grab the lock immediately which updates the next pointer of the mutex. fetch_robust_entry over the next pointer might therefore branch into the robust mutex list of a different thread. This can cause two problems: 1) some mutexes held by the dead thread are not getting freed and 2) some mutexs held by a different thread are freed. The next point need to be read before calling handle_futex_death. Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com> Acked-by: Ingo Molnar <mingo@elte.hu> Acked-by: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
1 parent 8792f96
list_debug.c
/*
* Copyright 2006, Red Hat, Inc., Dave Jones
* Released under the General Public License (GPL).
*
* This file contains the linked list implementations for
* DEBUG_LIST.
*/
#include <linux/module.h>
#include <linux/list.h>
/*
* Insert a new entry between two known consecutive entries.
*
* This is only for internal list manipulation where we know
* the prev/next entries already!
*/
void __list_add(struct list_head *new,
struct list_head *prev,
struct list_head *next)
{
if (unlikely(next->prev != prev)) {
printk(KERN_ERR "list_add corruption. next->prev should be "
"prev (%p), but was %p. (next=%p).\n",
prev, next->prev, next);
BUG();
}
if (unlikely(prev->next != next)) {
printk(KERN_ERR "list_add corruption. prev->next should be "
"next (%p), but was %p. (prev=%p).\n",
next, prev->next, prev);
BUG();
}
next->prev = new;
new->next = next;
new->prev = prev;
prev->next = new;
}
EXPORT_SYMBOL(__list_add);
/**
* list_add - add a new entry
* @new: new entry to be added
* @head: list head to add it after
*
* Insert a new entry after the specified head.
* This is good for implementing stacks.
*/
void list_add(struct list_head *new, struct list_head *head)
{
__list_add(new, head, head->next);
}
EXPORT_SYMBOL(list_add);
/**
* list_del - deletes entry from list.
* @entry: the element to delete from the list.
* Note: list_empty on entry does not return true after this, the entry is
* in an undefined state.
*/
void list_del(struct list_head *entry)
{
if (unlikely(entry->prev->next != entry)) {
printk(KERN_ERR "list_del corruption. prev->next should be %p, "
"but was %p\n", entry, entry->prev->next);
BUG();
}
if (unlikely(entry->next->prev != entry)) {
printk(KERN_ERR "list_del corruption. next->prev should be %p, "
"but was %p\n", entry, entry->next->prev);
BUG();
}
__list_del(entry->prev, entry->next);
entry->next = LIST_POISON1;
entry->prev = LIST_POISON2;
}
EXPORT_SYMBOL(list_del);
Computing file changes ...
