robust futex thread exit race

Calling handle_futex_death in exit_robust_list for the different robust
mutexes of a thread basically frees the mutex.  Another thread might grab
the lock immediately which updates the next pointer of the mutex.
fetch_robust_entry over the next pointer might therefore branch into the
robust mutex list of a different thread.  This can cause two problems: 1)
some mutexes held by the dead thread are not getting freed and 2) some
mutexs held by a different thread are freed.

The next point need to be read before calling handle_futex_death.

Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Acked-by: Ingo Molnar <mingo@elte.hu>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

1 files changed, 18 insertions, 10 deletions

diff --git a/kernel/futex_compat.c b/kernel/futex_compat.c
index 7e52eb051f22..2c2e2954b713 100644
--- a/kernel/futex_compat.c
+++ b/kernel/futex_compat.c
@@ -38,10 +38,11 @@ fetch_robust_entry(compat_uptr_t *uentry, struct robust_list __user **entry,
 void compat_exit_robust_list(struct task_struct *curr)
 {
         struct compat_robust_list_head __user *head = curr->compat_robust_list;
-        struct robust_list __user *entry, *pending;
-        unsigned int limit = ROBUST_LIST_LIMIT, pi, pip;
-        compat_uptr_t uentry, upending;
+        struct robust_list __user *entry, *next_entry, *pending;
+        unsigned int limit = ROBUST_LIST_LIMIT, pi, next_pi, pip;
+        compat_uptr_t uentry, next_uentry, upending;
         compat_long_t futex_offset;
+        int rc;
 
         /*
          * Fetch the list head (which was registered earlier, via
@@ -61,11 +62,16 @@ void compat_exit_robust_list(struct task_struct *curr)
         if (fetch_robust_entry(&upending, &pending,
                                &head->list_op_pending, &pip))
                 return;
-        if (pending)
-                handle_futex_death((void __user *)pending + futex_offset, curr, pip);
 
+        next_entry = NULL;      /* avoid warning with gcc */
         while (entry != (struct robust_list __user *) &head->list) {
                 /*
+                 * Fetch the next entry in the list before calling
+                 * handle_futex_death:
+                 */
+                rc = fetch_robust_entry(&next_uentry, &next_entry,
+                        (compat_uptr_t __user *)&entry->next, &next_pi);
+                /*
                  * A pending lock might already be on the list, so
                  * dont process it twice:
                  */
@@ -74,12 +80,11 @@ void compat_exit_robust_list(struct task_struct *curr)
                                                 curr, pi))
                                 return;
 
-                /*
-                 * Fetch the next entry in the list:
-                 */
-                if (fetch_robust_entry(&uentry, &entry,
-                                       (compat_uptr_t __user *)&entry->next, &pi))
+                if (rc)
                         return;
+                uentry = next_uentry;
+                entry = next_entry;
+                pi = next_pi;
                 /*
                  * Avoid excessively long or circular lists:
                  */
@@ -88,6 +93,9 @@ void compat_exit_robust_list(struct task_struct *curr)
 
                 cond_resched();
         }
+        if (pending)
+                handle_futex_death((void __user *)pending + futex_offset,
+                                   curr, pip);
 }
 
 asmlinkage long