Description of problem: If the owner of a PI futex dies we fix up the pi_state and set pi_state->owner to NULL. When a malicious or just sloppy programmed user space application sets the futex value to 0 e.g. by calling pthread_mutex_init(), then the futex can be acquired again. A new waiter manages to enqueue itself on the pi_state w/o damage, but on unlock the kernel dereferences pi_state->owner and oopses. Prevent this by checking pi_state->owner in the unlock path. If pi_state->owner is not current we know that user space manipulated the futex value. Ignore the mess and return -EINVAL. This catches the above case and also the case where a task hijacks the futex by setting the tid value and then tries to unlock it. Upstream commit: http://git.kernel.org/linus/51246bfd189064079c54421507236fd2723b18f3 Note that pi-futex was introduced in: http://git.kernel.org/linus/c87e2837be82df479a6bae9f155c43516d2feebc
Note that Red Hat Enterprise Linux 3 and 4 did not backport the support for priority-inheriting futex, and therefore not affected by this.
Thanks, just committed to Fedora for 2.6.3{0,1,2}.
kernel-2.6.31.12-174.2.17.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/kernel-2.6.31.12-174.2.17.fc12
kernel-2.6.30.10-105.2.23.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/kernel-2.6.30.10-105.2.23.fc11
kernel-2.6.31.12-174.2.19.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/kernel-2.6.31.12-174.2.19.fc12
kernel-2.6.30.10-105.2.23.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
kernel-2.6.31.12-174.2.19.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in following products: MRG for RHEL-5 Via RHSA-2010:0161 https://rhn.redhat.com/errata/RHSA-2010-0161.html
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2010:0504 https://rhn.redhat.com/errata/RHSA-2010-0504.html
https://bugzilla.kernel.org/show_bug.cgi?id=15160