There's an error when the f_setown() call fails.
Not the FD but the return code of f_setown() is free'ed. Oops.
I fixed that by renaming the outer variable "ret" to "fd" - of
course you could rename the inner one to rc or similar.
--- futex.c.orig 2002-10-17 17:29:39.000000000 +0200
+++ futex.c 2002-10-17 18:55:26.000000000 +0200
@@ -352,19 +352,19 @@
struct page *page = NULL;
struct futex_q *q;
struct file *filp;
- int ret;
+ int fd;
- ret = -EINVAL;
+ fd = -EINVAL;
if (signal < 0 || signal > _NSIG)
goto out;
- ret = get_unused_fd();
- if (ret < 0)
+ fd = get_unused_fd();
+ if (fd < 0)
goto out;
filp = get_empty_filp();
if (!filp) {
- put_unused_fd(ret);
- ret = -ENFILE;
+ put_unused_fd(fd);
+ fd = -ENFILE;
goto out;
}
filp->f_op = &futex_fops;
@@ -376,7 +376,7 @@
ret = f_setown(filp, current->tgid, 1);
if (ret) {
- put_unused_fd(ret);
+ put_unused_fd(fd);
put_filp(filp);
goto out;
}
@@ -385,9 +385,9 @@
q = kmalloc(sizeof(*q), GFP_KERNEL);
if (!q) {
- put_unused_fd(ret);
+ put_unused_fd(fd);
put_filp(filp);
- ret = -ENOMEM;
+ fd = -ENOMEM;
goto out;
}
@@ -397,7 +397,7 @@
if (!page) {
unlock_futex_mm();
- put_unused_fd(ret);
+ put_unused_fd(fd);
put_filp(filp);
kfree(q);
return -EFAULT;
@@ -406,17 +406,17 @@
init_waitqueue_head(&q->waiters);
filp->private_data = q;
- __queue_me(q, page, uaddr, offset, ret, filp);
+ __queue_me(q, page, uaddr, offset, fd, filp);
unlock_futex_mm();
/* Now we map fd to filp, so userspace can access it */
- fd_install(ret, filp);
+ fd_install(fd, filp);
page = NULL;
out:
if (page)
unpin_page(page);
- return ret;
+ return fd;
}
asmlinkage int sys_futex(unsigned long uaddr, int op, int val, struct timespec *utime)