Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752594AbbLROzt (ORCPT <rfc822;w@1wt.eu>);
	Fri, 18 Dec 2015 09:55:49 -0500
Received: from mx2.suse.de ([195.135.220.15]:34834 "EHLO mx2.suse.de"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1751277AbbLROzs (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
	Fri, 18 Dec 2015 09:55:48 -0500
Date: Fri, 18 Dec 2015 06:55:34 -0800
From: Davidlohr Bueso <dave@stgolabs.net>
To: Bhuvanesh_Surachari@mentor.com
Cc: tglx@linutronix.de, peterz@infradead.org, mingo@kernel.org,
        akpm@linux-foundation.org, linux@rasmusvillemoes.dk,
        viresh.kumar@linaro.org, luto@amacapital.net, bigeasy@linutronix.de,
        mtk.manpages@gmail.com, linux-kernel@vger.kernel.org,
        Andy Lowe <Andy_Lowe@mentor.com>
Subject: Re: [PATCH] futex: Prevent pi_state from double freeing in case of
 error
Message-ID: <20151218145534.GD17386@linux-uzut.site>
References: <1450428223-7655-1-git-send-email-Bhuvanesh_Surachari@mentor.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Disposition: inline
In-Reply-To: <1450428223-7655-1-git-send-email-Bhuvanesh_Surachari@mentor.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1571
Lines: 50

On Fri, 18 Dec 2015, Bhuvanesh_Surachari@mentor.com wrote:

>From: Bhuvanesh Surachari <bhuvanesh_surachari@mentor.com>
>
>In case of error from rt_mutex_start_proxy_lock pi_state is freed
>twice in futex_requeue function. Hence removing free_pi_state in
>else branch and branching to the location where pi_state is freed.

This reads weird.

Do note that free_pi_state is already protected against passing it a nil
pi_state, so this is merely cosmetic.

Hmm but yeah, looks legit. The cases were we free the pi_state on error
are when doing retry kind of paths, EDEADLK not being one of those cases.

>
>Signed-off-by: Bhuvanesh Surachari <Bhuvanesh_Surachari@mentor.com>
>Signed-off-by: Andy Lowe <Andy_Lowe@mentor.com>

This last SoB tag is incorrect, Andy Lowe is not carrying the patch for you.

>---
> kernel/futex.c |    1 -
> 1 file changed, 1 deletion(-)
>
>diff --git a/kernel/futex.c b/kernel/futex.c
>index 684d754..264b3f2 100644
>--- a/kernel/futex.c
>+++ b/kernel/futex.c
>@@ -1815,7 +1815,6 @@ retry_private:
> 			} else if (ret) {
> 				/* -EDEADLK */
> 				this->pi_state = NULL;
>-				free_pi_state(pi_state);
> 				goto out_unlock;
> 			}
> 		}


Nit but I think we also want to set pi_state to nil after freeing it
in out_unlock. That way this scenario would simply be goto out_unlock.

Thanks,
Davidlohr
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/