Commit 5ecb01cf authored by Mikael Pettersson's avatar Mikael Pettersson Committed by Thomas Gleixner

futex_lock_pi() key refcnt fix

This fixes a futex key reference count bug in futex_lock_pi(),
where a key's reference count is incremented twice but decremented
only once, causing the backing object to not be released.

If the futex is created in a temporary file in an ext3 file system,
this bug causes the file's inode to become an "undead" orphan,
which causes an oops from a BUG_ON() in ext3_put_super() when the
file system is unmounted. glibc's test suite is known to trigger this,
see <http://bugzilla.kernel.org/show_bug.cgi?id=14256>.

The bug is a regression from 2.6.28-git3, namely Peter Zijlstra's
38d47c1b "[PATCH] futex: rely on
get_user_pages() for shared futexes". That commit made get_futex_key()
also increment the reference count of the futex key, and updated its
callers to decrement the key's reference count before returning.
Unfortunately the normal exit path in futex_lock_pi() wasn't corrected:
the reference count is incremented by get_futex_key() and queue_lock(),
but the normal exit path only decrements once, via unqueue_me_pi().
The fix is to put_futex_key() after unqueue_me_pi(), since 2.6.31
this is easily done by 'goto out_put_key' rather than 'goto out'.
Signed-off-by: default avatarMikael Pettersson <mikpe@it.uu.se>
Acked-by: default avatarPeter Zijlstra <a.p.zijlstra@chello.nl>
Acked-by: default avatarDarren Hart <dvhltc@us.ibm.com>
Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
Cc: <stable@kernel.org>
parent d6ad3e28
...@@ -1971,7 +1971,7 @@ static int futex_lock_pi(u32 __user *uaddr, int fshared, ...@@ -1971,7 +1971,7 @@ static int futex_lock_pi(u32 __user *uaddr, int fshared,
/* Unqueue and drop the lock */ /* Unqueue and drop the lock */
unqueue_me_pi(&q); unqueue_me_pi(&q);
goto out; goto out_put_key;
out_unlock_put_key: out_unlock_put_key:
queue_unlock(&q, hb); queue_unlock(&q, hb);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment