"Steven M. Bellovin" <smb@cs.columbia.edu> writes:

> >
> That's correct, but only under certain circumstances: if the wakeup 
> process is recalculating the physical address.  In many cases, the 
> wakeup address is stored in a per-instance data structure.

The only token associated with the futex syscall is an address in the
calling process. The problematic situation is:

process 1, thread1: futex(FUTEX_WAIT, &va1). va1 maps to pa1

pa1 is paged out; time passes; the contents are paged back in to pa2.

process 1, thread2: futex(FUTEX_WAKE, &va1). va1 maps to pa2.

To make this work, the value to sleep on needs to be more persistent
than a physical address. Something like a hash of the vm_map and the
virtual address would do the trick for one process; to make this work
across processes, the right thing is probably the kernel address of a
lower-level backing object.

        - Nathan