robust futex thread exit race

Calling handle_futex_death in exit_robust_list for the different robust mutexes of a thread basically frees the mutex. Another thread might grab the lock immediately which updates the next pointer of the mutex. fetch_robust_entry over the next pointer might therefore branch into the robust mutex list of a different thread. This can cause two problems: 1) some mutexes held by the dead thread are not getting freed and 2) some mutexs held by a different thread are freed. The next point need to be read before calling handle_futex_death. Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com> Acked-by: Ingo Molnar <mingo@elte.hu> Acked-by: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
author: Martin Schwidefsky <schwidefsky@de.ibm.com> 2007-10-01 04:20:13 -0400
committer: Linus Torvalds <torvalds@woody.linux-foundation.org> 2007-10-01 10:52:23 -0400
commit: 9f96cb1e8bca179a92afa40dfc3c49990f1cfc71 (patch)
tree: 7d1f921f488aa570083420dc3846856b17a7b2b6 /kernel/futex.c
parent: 8792f961ba8057d9f27987def3600253a3ba060f (diff)
1 files changed, 16 insertions, 10 deletions
diff --git a/kernel/futex.c b/kernel/futex.c
index e8935b195e88..fcc94e7b4086 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -1943,9 +1943,10 @@ static inline int fetch_robust_entry(struct robust_list __user **entry,
 void exit_robust_list(struct task_struct *curr)
 {
        struct robust_list_head __user *head = curr->robust_list;
-        struct robust_list __user *entry, *pending;
+        struct robust_list __user *entry, *next_entry, *pending;
-        unsigned int limit = ROBUST_LIST_LIMIT, pi, pip;
+        unsigned int limit = ROBUST_LIST_LIMIT, pi, next_pi, pip;
        unsigned long futex_offset;
+        int rc;
        /*
         * Fetch the list head (which was registered earlier, via
@@ -1965,12 +1966,14 @@ void exit_robust_list(struct task_struct *curr)
        if (fetch_robust_entry(&pending, &head->list_op_pending, &pip))
                return;
-        if (pending)
+        next_entry = NULL;      /* avoid warning with gcc */
-                handle_futex_death((void __user *)pending + futex_offset,
-                                   curr, pip);
        while (entry != &head->list) {
                /*
+                 * Fetch the next entry in the list before calling
+                 * handle_futex_death:
+                 */
+                rc = fetch_robust_entry(&next_entry, &entry->next, &next_pi);
+                /*
                 * A pending lock might already be on the list, so
                 * don't process it twice:
                 */
@@ -1978,11 +1981,10 @@ void exit_robust_list(struct task_struct *curr)
                        if (handle_futex_death((void __user *)entry + futex_offset,
                                                curr, pi))
                                return;
-                /*
+                if (rc)
-                 * Fetch the next entry in the list:
-                 */
-                if (fetch_robust_entry(&entry, &entry->next, &pi))
                        return;
+                entry = next_entry;
+                pi = next_pi;
                /*
                 * Avoid excessively long or circular lists:
                 */
@@ -1991,6 +1993,10 @@ void exit_robust_list(struct task_struct *curr)
                cond_resched();
        }
+        if (pending)
+                handle_futex_death((void __user *)pending + futex_offset,
+                                   curr, pip);
 }
 long do_futex(u32 __user *uaddr, int op, u32 val, ktime_t *timeout,
author	Martin Schwidefsky <schwidefsky@de.ibm.com>	2007-10-01 04:20:13 -0400
committer	Linus Torvalds <torvalds@woody.linux-foundation.org>	2007-10-01 10:52:23 -0400
commit	9f96cb1e8bca179a92afa40dfc3c49990f1cfc71 (patch)
tree	7d1f921f488aa570083420dc3846856b17a7b2b6 /kernel/futex.c
parent	8792f961ba8057d9f27987def3600253a3ba060f (diff)