[PATCH] futex bug fixes
This fixes two serious bugs in the futex code.

One is a race condition which results in list corruption when FUTEX_REQUEUE is used. It is due to the split locks change introduced in 2.6.0-test6, and oopses when triggered.

The other is a security hole. A program can use FUTEX_FD to create futexes on mms or inodes which don't reference them, and when those structures are reused by a different mm or inode, the addresses match. The effect is that a malicious or flawed program can steal wakeups from completely unrelated tasks, causing them to block (or worse if they are counting on the token passing property).

These are the specific changes:

1. Each futex_q retains a reference to its key mm or inode.
2. The condition for a futex_q to indicate that it's woken can usually be interrogated lock-free.
3. futex_wait calls the hash function once instead of three times, and usually takes the per-bucket lock once too.
4. When a futex is woken, the per-bucket lock is not usually taken, so that's one less cache line transfer during heavy SMP futex use.
5. The wait condition and barriers in futex_wait are simpler.
6. FUTEX_REQUEUE is fixed. The per-bucket lock juggling is done in such a way that there are no race conditions against the tests for whether a futex is woken.

This patch is a combination of patches previously sent to the list. An equivalent patch has been in Andrew Morton's tree for a while, with no failure reports. Also I have been running it on my own SMP box for a while. Conversely, we have received an oops report for the 2.6.0-test6 code, so the fix is needed.