path: root/kernel/wait.c
author Darren Hart <dvhart@linux.intel.com> 2012-07-20 14:53:31 -0400
committer Luis Henriques <luis.henriques@canonical.com> 2012-08-13 09:10:40 -0400
commit 63baf9a34fa8f0c3946d13ef30106b45dc1999cc (patch)
tree 2c006ace58bbe994521e9662d61fac0ce2dc01a4 /kernel/wait.c
parent 9340679edbbc64ce01e5f1b757ba928deff7dc37 (diff)
futex: Forbid uaddr == uaddr2 in futex_wait_requeue_pi()

BugLink: http://bugs.launchpad.net/bugs/1034988

commit 6f7b0a2a5c0fb03be7c25bd1745baa50582348ef upstream.

If uaddr == uaddr2, then we have broken the rule of only requeueing from a non-pi futex to a pi futex with this call. If we attempt this, as the trinity test suite manages to do, we miss early wakeups as q.key is equal to key2 (because they are the same uaddr). We will then attempt to dereference the pi_mutex (which would exist had the futex_q been properly requeued to a pi futex) and trigger a NULL pointer dereference.

Signed-off-by: Darren Hart <dvhart@linux.intel.com>
Cc: Dave Jones <davej@redhat.com>
Link: http://lkml.kernel.org/r/ad82bfe7f7d130247fbe2b5b4275654807774227.1342809673.git.dvhart@linux.intel.com
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Herton Ronaldo Krzesinski <herton.krzesinski@canonical.com>
Diffstat (limited to 'kernel/wait.c')
0 files changed, 0 insertions, 0 deletions