Re: 2.6.0-test6 oops futex"

From: Jamie Lokier
Date: Wed Oct 01 2003 - 01:37:15 EST

Next message: Andrew Morton: "Re: [PATCH] Mutilated form of Andi Kleen's AMD prefetch erratapatch"
Previous message: Jamie Lokier: "Re: [PATCH] Mutilated form of Andi Kleen's AMD prefetch errata patch"
In reply to: Rusty Russell: "Re: 2.6.0-test6 oops futex""
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Rusty Russell wrote:
> +again:
> + key = q->key;
> + bh = hash_futex(&key);
> spin_lock(&bh->lock);
> + if (unlikely(!match_futex(&key, q->key)) {
> + /* Race against futex_requeue */
> + spin_unlock(&bh_lock);
> + goto again;
> + }

Bug:

1. key = q->key copies bad key, while it is being changed.

2. That makes the spin_lock() irrelevant.

3. match_futex() compares word by word against another bad
key, while it is being changed again (by a second futex_requeue).

4. It can match even though the key is wrong.

For example, say the first requeue changes q->key from (1,2) to (3,4).
key = q->key could read (1,4).

Say the second requeue changes q->key from (3,4) to (1,5).
match_futex() could read (1,4) and pass the test, even though (1,4)
is never a valid key.

-- Jamie
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Andrew Morton: "Re: [PATCH] Mutilated form of Andi Kleen's AMD prefetch erratapatch"
Previous message: Jamie Lokier: "Re: [PATCH] Mutilated form of Andi Kleen's AMD prefetch errata patch"
In reply to: Rusty Russell: "Re: 2.6.0-test6 oops futex""
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]