Git Repo - linux.git/commit

author	Martin Schwidefsky <[email protected]>
	Mon, 1 Oct 2007 08:20:13 +0000 (01:20 -0700)
committer	Linus Torvalds <[email protected]>
	Mon, 1 Oct 2007 14:52:23 +0000 (07:52 -0700)
commit	9f96cb1e8bca179a92afa40dfc3c49990f1cfc71
tree	7d1f921f488aa570083420dc3846856b17a7b2b6	tree \| snapshot
parent	8792f961ba8057d9f27987def3600253a3ba060f	commit \| diff

robust futex thread exit race

Calling handle_futex_death in exit_robust_list for the different robust
mutexes of a thread basically frees the mutex. Another thread might grab
the lock immediately which updates the next pointer of the mutex.
fetch_robust_entry over the next pointer might therefore branch into the
robust mutex list of a different thread. This can cause two problems: 1)
some mutexes held by the dead thread are not getting freed and 2) some
mutexs held by a different thread are freed.

The next point need to be read before calling handle_futex_death.

Signed-off-by: Martin Schwidefsky <[email protected]>
Acked-by: Ingo Molnar <[email protected]>
Acked-by: Thomas Gleixner <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>

kernel/futex.c		diff \| blob \| blame \| history
kernel/futex_compat.c		diff \| blob \| blame \| history