diff options
author | Brian Silverman <bsilver16384@gmail.com> | 2014-10-25 20:20:37 -0400 |
---|---|---|
committer | Thomas Gleixner <tglx@linutronix.de> | 2014-10-26 16:16:18 +0100 |
commit | 30a6b8031fe14031ab27c1fa3483cb9780e7f63c (patch) | |
tree | da56baddfc24fef71ca5b6f123c947e784527d87 /Documentation/development-process | |
parent | 993b2ff221999066fcff231590593d0b98f45d32 (diff) | |
download | op-kernel-dev-30a6b8031fe14031ab27c1fa3483cb9780e7f63c.zip op-kernel-dev-30a6b8031fe14031ab27c1fa3483cb9780e7f63c.tar.gz |
futex: Fix a race condition between REQUEUE_PI and task death
free_pi_state and exit_pi_state_list both clean up futex_pi_state's.
exit_pi_state_list takes the hb lock first, and most callers of
free_pi_state do too. requeue_pi doesn't, which means free_pi_state
can free the pi_state out from under exit_pi_state_list. For example:
task A | task B
exit_pi_state_list |
pi_state = |
curr->pi_state_list->next |
| futex_requeue(requeue_pi=1)
| // pi_state is the same as
| // the one in task A
| free_pi_state(pi_state)
| list_del_init(&pi_state->list)
| kfree(pi_state)
list_del_init(&pi_state->list) |
Move the free_pi_state calls in requeue_pi to before it drops the hb
locks which it's already holding.
[ tglx: Removed a pointless free_pi_state() call and the hb->lock held
debugging. The latter comes via a seperate patch ]
Signed-off-by: Brian Silverman <bsilver16384@gmail.com>
Cc: austin.linux@gmail.com
Cc: darren@dvhart.com
Cc: peterz@infradead.org
Cc: stable@vger.kernel.org
Link: http://lkml.kernel.org/r/1414282837-23092-1-git-send-email-bsilver16384@gmail.com
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Diffstat (limited to 'Documentation/development-process')
0 files changed, 0 insertions, 0 deletions