[3.13.y.z extended stable] Patch "futex: Unlock hb->lock in futex_wait_requeue_pi() error path" has been added to staging queue

Kamal Mostafa kamal at canonical.com
Wed Oct 8 22:14:13 UTC 2014 

This is a note to let you know that I have just added a patch titled

    futex: Unlock hb->lock in futex_wait_requeue_pi() error path

to the linux-3.13.y-queue branch of the 3.13.y.z extended stable tree 
which can be found at:

 http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.13.y-queue

This patch is scheduled to be released in version 3.13.11.9.

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.13.y.z tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Kamal

------

>From 39aaf94d94a0e7af57e84774af1b431ea8d74f8d Mon Sep 17 00:00:00 2001
From: Thomas Gleixner <tglx at linutronix.de>
Date: Thu, 11 Sep 2014 23:44:35 +0200
Subject: futex: Unlock hb->lock in futex_wait_requeue_pi() error path

commit 13c42c2f43b19aab3195f2d357db00d1e885eaa8 upstream.

futex_wait_requeue_pi() calls futex_wait_setup(). If
futex_wait_setup() succeeds it returns with hb->lock held and
preemption disabled. Now the sanity check after this does:

        if (match_futex(&q.key, &key2)) {
	   	ret = -EINVAL;
		goto out_put_keys;
	}

which releases the keys but does not release hb->lock.

So we happily return to user space with hb->lock held and therefor
preemption disabled.

Unlock hb->lock before taking the exit route.

Reported-by: Dave "Trinity" Jones <davej at redhat.com>
Signed-off-by: Thomas Gleixner <tglx at linutronix.de>
Reviewed-by: Darren Hart <dvhart at linux.intel.com>
Reviewed-by: Davidlohr Bueso <dave at stgolabs.net>
Cc: Peter Zijlstra <a.p.zijlstra at chello.nl>
Link: http://lkml.kernel.org/r/alpine.DEB.2.10.1409112318500.4178@nanos
Signed-off-by: Thomas Gleixner <tglx at linutronix.de>
[ kamal: backport to 3.13-stable: queue_unlock() args ]
Signed-off-by: Kamal Mostafa <kamal at canonical.com>
---
 kernel/futex.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/kernel/futex.c b/kernel/futex.c
index c265aac..4741b1f 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -2465,6 +2465,7 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, unsigned int flags,
 	 * shared futexes. We need to compare the keys:
 	 */
 	if (match_futex(&q.key, &key2)) {
+		queue_unlock(&q, hb);
 		ret = -EINVAL;
 		goto out_put_keys;
 	}
--
1.9.1

More information about the kernel-team mailing list