From: Thomas Gleixner <tglx@linutronix.de>
Date: Sat, 19 Dec 2015 20:07:38 +0000 (+0000)
Subject: futex: Drop refcount if requeue_pi() acquired the rtmutex
X-Git-Tag: v4.1.12-92~150^2~325
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=904e93f9d49858c8f27b9c643d198ad2a3c08a09;p=users%2Fjedix%2Flinux-maple.git

futex: Drop refcount if requeue_pi() acquired the rtmutex

Orabug: 23330599

[ Upstream commit fb75a4282d0d9a3c7c44d940582c2d226cf3acfb ]

If the proxy lock in the requeue loop acquires the rtmutex for a
waiter then it acquired also refcount on the pi_state related to the
futex, but the waiter side does not drop the reference count.

Add the missing free_pi_state() call.

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Darren Hart <darren@dvhart.com>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: Bhuvanesh_Surachari@mentor.com
Cc: Andy Lowe <Andy_Lowe@mentor.com>
Link: http://lkml.kernel.org/r/20151219200607.178132067@linutronix.de
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
(cherry picked from commit e70aade221a271f91e2d71901b2d602df2faee15)

Signed-off-by: Dan Duval <dan.duval@oracle.com>
---

diff --git a/kernel/futex.c b/kernel/futex.c
index 2579e407ff67..f3043db6d36f 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -2632,6 +2632,11 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, unsigned int flags,
 		if (q.pi_state && (q.pi_state->owner != current)) {
 			spin_lock(q.lock_ptr);
 			ret = fixup_pi_state_owner(uaddr2, &q, current);
+			/*
+			 * Drop the reference to the pi state which
+			 * the requeue_pi() code acquired for us.
+			 */
+			free_pi_state(q.pi_state);
 			spin_unlock(q.lock_ptr);
 		}
 	} else {