From: Jamie Lokier <jamie@shareable.org>
To: Rusty Russell <rusty@rustcorp.com.au>
Cc: Hugh Dickins <hugh@veritas.com>,
Klaus Dittrich <kladit@t-online.de>,
linux mailing-list <linux-kernel@vger.kernel.org>,
Andrew Morton <akpm@zip.com.au>, "Hu, Boris" <boris.hu@intel.com>,
Ulrich Drepper <drepper@redhat.com>
Subject: Re: 2.6.0-test6 oops futex"
Date: Wed, 1 Oct 2003 07:35:45 +0100
Message-ID: <20031001063545.GG1131@mail.shareable.org>
In-Reply-To: <20031001054619.976472C105@lists.samba.org>
Rusty Russell wrote:
> +again:
> + key = q->key;
> + bh = hash_futex(&key);
> spin_lock(&bh->lock);
> + if (unlikely(!match_futex(&key, q->key)) {
> + /* Race against futex_requeue */
> + spin_unlock(&bh_lock);
> + goto again;
> + }
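Review bot: the `key = q->key` copy at `again:` reads a multi-word key with no lock held, so a concurrent futex_requeue can leave `key` holding a mixture of old and new words; `match_futex()` then compares that copy word by word against `q->key`, which may itself be mid-update, so the check can pass for a key that was never stored, and the `spin_lock(&bh->lock)` taken on the bucket of the bogus key guards the wrong bucket. Validating on a single word that is read once, locked on, and re-checked after `spin_lock()` would avoid the torn read. Two smaller points in the same hunk: `if (unlikely(!match_futex(&key, q->key)) {` is missing a closing parenthesis, and its two arguments are passed in different forms (`&key` and `q->key`) while `hash_futex(&key)` takes a pointer, so check which form `match_futex()` expects; and `spin_unlock(&bh_lock);` does not match the `spin_lock(&bh->lock);` it undoes, so it should read `spin_unlock(&bh->lock);`.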
Bug:
1. key = q->key copies bad key, while it is being changed.
2. That makes the spin_lock() irrelevant.
3. match_futex() compares word by word against another bad
key, while it is being changed again (by a second futex_requeue).
4. It can match even though the key is wrong.
For example, say the first requeue changes q->key from (1,2) to (3,4).
key = q->key could read (1,4).
Say the second requeue changes q->key from (3,4) to (1,5).
match_futex() could read (1,4) and pass the test, even though (1,4)
is never a valid key.
-- Jamie
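The interleaving Jamie describes, scripted deterministically as an added example; this is not code from this thread or from the kernel. The two-word key, the four hash buckets with a lock flag, the two-step requeue and the toy hash are constructed so the race can be replayed without threads, and the single-word validation in the second function is a hypothetical technique shown for contrast, not a fix proposed in this message.

```c
#include <stdio.h>

/* Constructed model for this example (not the kernel's structures): a
 * two-word key, four hash buckets with a lock flag, and one queued waiter. */
struct key { unsigned long w0, w1; };
struct bucket { int locked; };
struct futex_q {
    struct key key;          /* two words: a plain struct copy can tear */
    struct bucket *lock_ptr; /* one aligned pointer: a load sees old or new */
};

static struct bucket buckets[4];

/* Toy hash standing in for hash_futex(): chosen so that the torn key (1,4)
 * lands in a different bucket from the real keys (3,4) and (1,5). */
static struct bucket *hash_futex(const struct key *k) {
    return &buckets[(3 * k->w0 + k->w1) & 3];
}

/* Word-by-word compare, like the match_futex() in the quoted hunk. */
static int match_futex(const struct key *a, const struct key *b) {
    return a->w0 == b->w0 && a->w1 == b->w1;
}

/* One requeue split into two steps so a reader can be interleaved with it
 * deterministically: step 1 stores w0; step 2 stores w1 and publishes the
 * new bucket with a single pointer store. A requeue runs under the waiter's
 * bucket lock, so it refuses to start while that lock is held. */
static int requeue_step(struct futex_q *q, const struct key *to, int step) {
    if (q->lock_ptr->locked)
        return 0;                          /* would block on the bucket lock */
    if (step == 1) q->key.w0 = to->w0;
    if (step == 2) { q->key.w1 = to->w1; q->lock_ptr = hash_futex(to); }
    return 1;
}

/* Jamie's interleaving: the waiter copies w0, the first requeue (1,2)->(3,4)
 * completes, the waiter copies w1 and holds (1,4). It locks the bucket of
 * that bogus key, which is the wrong bucket, so the second requeue
 * (3,4)->(1,5) proceeds and q->key is transiently (1,4) when match_futex()
 * runs. Returns 1 when the never-valid key is accepted. */
int unlocked_copy_accepts_torn_key(void) {
    struct futex_q q = { .key = {1, 2}, .lock_ptr = &buckets[1] };
    const struct key first = {3, 4}, second = {1, 5};
    struct key copy;

    copy.w0 = q.key.w0;                    /* reads 1 ...                    */
    requeue_step(&q, &first, 1);
    requeue_step(&q, &first, 2);
    copy.w1 = q.key.w1;                    /* ... then 4: copy is (1,4)      */

    struct bucket *bh = hash_futex(&copy); /* wrong bucket for the real key  */
    bh->locked = 1;
    requeue_step(&q, &second, 1);          /* q->key is now (1,4) mid-update */
    int accepted = match_futex(&copy, &q.key);
    requeue_step(&q, &second, 2);
    bh->locked = 0;
    return accepted;
}

/* Same two requeues, validated on a single word instead (hypothetical
 * technique for this example, not a fix from this thread): snapshot the
 * bucket pointer, lock that bucket, re-check the pointer, and only read the
 * key once the check passes. Writes the key seen under the lock to *seen and
 * returns the number of stale snapshots retried, or -1 if a requeue could
 * still run while the validated lock was held. */
int single_word_check(struct key *seen) {
    struct futex_q q = { .key = {1, 2}, .lock_ptr = &buckets[1] };
    const struct key first = {3, 4}, second = {1, 5};
    struct bucket *bh = q.lock_ptr;        /* one load: old or new, never mixed */
    int retries = 0;

    /* Both requeues complete between the snapshot and the lock. */
    requeue_step(&q, &first, 1);  requeue_step(&q, &first, 2);
    requeue_step(&q, &second, 1); requeue_step(&q, &second, 2);

    for (;;) {
        bh->locked = 1;
        if (q.lock_ptr == bh)
            break;                         /* this is the lock a requeue needs */
        bh->locked = 0;                    /* stale snapshot: retry            */
        bh = q.lock_ptr;
        retries++;
    }
    *seen = q.key;                         /* whole: no requeue is in progress */
    int blocked = !requeue_step(&q, &first, 1);
    bh->locked = 0;
    return blocked ? retries : -1;
}

int main(void) {
    struct key k;
    printf("unlocked copy accepts torn key: %d\n", unlocked_copy_accepts_torn_key());
    int retries = single_word_check(&k);
    printf("single-word check: %d retry, key (%lu,%lu)\n", retries, k.w0, k.w1);
    return 0;
}
```

The first function returns 1: the word-by-word compare accepts (1,4), a key that was never stored, because the copy was torn and the lock taken on its bucket did not exclude the second requeue. The second function retries once after its stale snapshot, then reads (1,5) whole, and a further requeue cannot start while that lock is held; the pointer compare cannot tear because it is a single aligned load.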
Thread overview (8+ messages):
2003-09-29 9:23 2.6.0-test6 oops futex" Klaus Dittrich
2003-09-30 8:48 ` Jamie Lokier
2003-09-30 20:53 ` Hugh Dickins
2003-09-30 21:48 ` Ulrich Drepper
2003-09-30 23:44 ` Rusty Russell
2003-10-01 6:35 ` Jamie Lokier [this message]
2003-10-01 1:01 ` Jamie Lokier
2003-10-01 2:41 ` Jamie Lokier