+ futex_lock_pi-key-refcnt-fix.patch added to -mm tree

The patch titled
     futex_lock_pi() key refcnt fix
has been added to the -mm tree.  Its filename is
     futex_lock_pi-key-refcnt-fix.patch

Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's

*** Remember to use Documentation/SubmitChecklist when testing your code ***

See http://userweb.kernel.org/~akpm/stuff/added-to-mm.txt to find
out what to do about this

The current -mm tree may be found at http://userweb.kernel.org/~akpm/mmotm/

------------------------------------------------------
Subject: futex_lock_pi() key refcnt fix
From: Mikael Pettersson <mikpe@xxxxxxxx>

This fixes a futex key reference count bug in futex_lock_pi(), where a
key's reference count is incremented twice but decremented only once,
causing the backing object to not be released.

If the futex is created in a temporary file in an ext3 file system, this
bug causes the file's inode to become an "undead" orphan, which causes an
oops from a BUG_ON() in ext3_put_super() when the file system is
unmounted.  glibc's test suite is known to trigger this, see
<http://bugzilla.kernel.org/show_bug.cgi?id=14256>.

The bug is a regression from 2.6.28-git3, namely Peter Zijlstra's
38d47c1b7075bd7ec3881141bb3629da58f88dab "[PATCH] futex: rely on
get_user_pages() for shared futexes".  That commit made get_futex_key()
also increment the reference count of the futex key, and updated its
callers to decrement the key's reference count before returning. 
Unfortunately the normal exit path in futex_lock_pi() wasn't corrected:
the reference count is incremented by get_futex_key() and queue_lock(),
but the normal exit path only decrements once, via unqueue_me_pi().  The
fix is to put_futex_key() after unqueue_me_pi(); since 2.6.31 this is
easily done by 'goto out_put_key' rather than 'goto out'.

This patch also works for backports to 2.6.32 and 2.6.31, but 2.6.30 and
2.6.29 need a "put_futex_key(fshared, &q.key);" after "unqueue_me_pi(&q);"
instead.  I can supply patches for these older kernels if necessary.

Signed-off-by: Mikael Pettersson <mikpe@xxxxxxxx>
Acked-by: Darren Hart <dvhltc@xxxxxxxxxx>
Cc: Peter Zijlstra <a.p.zijlstra@xxxxxxxxx>
Cc: Ingo Molnar <mingo@xxxxxxx>
Cc: Thomas Gleixner <tglx@xxxxxxxxxxxxx>
Cc: <stable@xxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---

 kernel/futex.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff -puN kernel/futex.c~futex_lock_pi-key-refcnt-fix kernel/futex.c
--- a/kernel/futex.c~futex_lock_pi-key-refcnt-fix
+++ a/kernel/futex.c
@@ -1971,7 +1971,7 @@ retry_private:
 	/* Unqueue and drop the lock */
 	unqueue_me_pi(&q);
 
-	goto out;
+	goto out_put_key;
 
 out_unlock_put_key:
 	queue_unlock(&q, hb);
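
Review bot: the hunk redirects the normal-exit `goto` but the label it now targets, `out_put_key`, lies outside the visible context, so the reader must take on trust that it drops exactly the one remaining reference (the get_futex_key() one, after unqueue_me_pi() has already dropped the queue_lock() one) and then falls into `out`; a short comment above `goto out_put_key;`, for example `/* unqueue_me_pi() dropped the queue ref; drop the key ref too */`, would record that each of the two references is released on every exit path, including the `out_unlock_put_key` error path shown just below. For backports, the cover text notes that 2.6.29 and 2.6.30 lack this label and need an explicit put_futex_key() after unqueue_me_pi() instead, so the hunk must not be applied verbatim there.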
_

Patches currently in -mm which might be from mikpe@xxxxxxxx are

futex_lock_pi-key-refcnt-fix.patch
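
The reference-count imbalance described in the commit message, as an added model that is not kernel code and not part of the original message: the helpers below are stand-ins for get_futex_key(), queue_lock(), unqueue_me_pi(), queue_unlock() and put_futex_key(), and the three labels mirror the ones visible in the patch. The model returns the number of references still held once the lock path has finished, so a non-zero result is the leak that, in the real kernel, kept the file's inode alive past unmount.

```c
/*
 * Hypothetical model of the futex_lock_pi() exit paths; not kernel code.
 * Every helper here is a stand-in for the kernel function of the same
 * name, reduced to its effect on the key's reference count.
 */
#include <stdbool.h>
#include <stdio.h>

struct futex_key {
    int refcnt;      /* outstanding references to the backing object */
    bool released;   /* set when the last reference is dropped */
};

/* get_futex_key(): look up the key and take a reference on its backing object. */
static void get_futex_key(struct futex_key *k) { k->refcnt++; }

/* put_futex_key(): drop one reference; the object is freed at zero. */
static void put_futex_key(struct futex_key *k)
{
    if (--k->refcnt == 0)
        k->released = true;
}

/* queue_lock(): queues the waiter and takes its own reference on the key. */
static void queue_lock(struct futex_key *k) { get_futex_key(k); }

/* queue_unlock() / unqueue_me_pi(): both drop the queue_lock() reference. */
static void queue_unlock(struct futex_key *k) { put_futex_key(k); }
static void unqueue_me_pi(struct futex_key *k) { put_futex_key(k); }

/*
 * Model of futex_lock_pi(). 'fixed' selects the patched goto on the normal
 * exit path; 'fail_after_queue' takes the error path through
 * out_unlock_put_key instead. Returns the references left behind, which
 * should be zero: every reference taken must be dropped before returning.
 */
static int lock_pi_model(struct futex_key *k, bool fixed, bool fail_after_queue)
{
    get_futex_key(k);             /* reference #1 */
    queue_lock(k);                /* reference #2 */

    if (fail_after_queue)
        goto out_unlock_put_key;  /* error path: both references dropped below */

    /* Unqueue and drop the lock */
    unqueue_me_pi(k);             /* drops reference #2 */

    if (fixed)
        goto out_put_key;         /* patched: reference #1 dropped at out_put_key */
    goto out;                     /* buggy: reference #1 is never dropped */

out_unlock_put_key:
    queue_unlock(k);              /* drops reference #2 */
out_put_key:
    put_futex_key(k);             /* drops reference #1 */
out:
    return k->refcnt;
}

/* Run one scenario on a fresh key and report the leaked reference count. */
static int leaked_refs(bool fixed, bool fail_after_queue)
{
    struct futex_key k = { 0, false };
    return lock_pi_model(&k, fixed, fail_after_queue);
}

/* Whether the backing object was actually freed in the given scenario. */
static bool backing_object_released(bool fixed, bool fail_after_queue)
{
    struct futex_key k = { 0, false };
    lock_pi_model(&k, fixed, fail_after_queue);
    return k.released;
}

int main(void)
{
    printf("unpatched normal exit: %d reference(s) leaked, released=%d\n",
           leaked_refs(false, false), backing_object_released(false, false));
    printf("patched   normal exit: %d reference(s) leaked, released=%d\n",
           leaked_refs(true, false), backing_object_released(true, false));
    printf("error path (either):   %d reference(s) leaked, released=%d\n",
           leaked_refs(true, true), backing_object_released(true, true));
    return 0;
}
```

The error path is unaffected by the patch in either version because `out_unlock_put_key` falls through `out_put_key` and so drops both references; only the normal exit skipped `out_put_key`, which is exactly the asymmetry the one-line change closes.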

--
To unsubscribe from this list: send the line "unsubscribe mm-commits" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
