releases/3.10.4/x25-fix-broken-locking-in-ioctl-error-paths.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From ebae8ce31e1b43d3bcf62d5e906cc9ece42428ab Mon Sep 17 00:00:00 2001
 From: Dave Jones <davej@redhat.com>
 Date: Fri, 28 Jun 2013 12:13:52 -0400
 Subject: x25: Fix broken locking in ioctl error paths.

 From: Dave Jones <davej@redhat.com>

 [ Upstream commit 4ccb93ce7439b63c31bc7597bfffd13567fa483d ]

 Two of the x25 ioctl cases have error paths that break out of the function without
 unlocking the socket, leading to this warning:

 ================================================
 [ BUG: lock held when returning to user space! ]
 3.10.0-rc7+ #36 Not tainted
 ------------------------------------------------
 trinity-child2/31407 is leaving the kernel with locks still held!
 1 lock held by trinity-child2/31407:
  #0:  (sk_lock-AF_X25){+.+.+.}, at: [<ffffffffa024b6da>] x25_ioctl+0x8a/0x740 [x25]

 Signed-off-by: Dave Jones <davej@redhat.com>
 Signed-off-by: David S. Miller <davem@davemloft.net>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 ---
  net/x25/af_x25.c |   15 ++++++++-------
  1 file changed, 8 insertions(+), 7 deletions(-)

 --- a/net/x25/af_x25.c
 +++ b/net/x25/af_x25.c
 @@ -1583,11 +1583,11 @@ out_cud_release:
  	case SIOCX25CALLACCPTAPPRV: {
  		rc = -EINVAL;
  		lock_sock(sk);
 -		if (sk->sk_state != TCP_CLOSE)
 -			break;
 -		clear_bit(X25_ACCPT_APPRV_FLAG, &x25->flags);
 +		if (sk->sk_state == TCP_CLOSE) {
 +			clear_bit(X25_ACCPT_APPRV_FLAG, &x25->flags);
 +			rc = 0;
 +		}
  		release_sock(sk);
 -		rc = 0;
  		break;
  	}

 @@ -1595,14 +1595,15 @@ out_cud_release:
  		rc = -EINVAL;
  		lock_sock(sk);
  		if (sk->sk_state != TCP_ESTABLISHED)
 -			break;
 +			goto out_sendcallaccpt_release;
  		/* must call accptapprv above */
  		if (test_bit(X25_ACCPT_APPRV_FLAG, &x25->flags))
 -			break;
 +			goto out_sendcallaccpt_release;
  		x25_write_internal(sk, X25_CALL_ACCEPTED);
  		x25->state = X25_STATE_3;
 -		release_sock(sk);
  		rc = 0;
 +out_sendcallaccpt_release:
 +		release_sock(sk);
  		break;
  	}
	From ebae8ce31e1b43d3bcf62d5e906cc9ece42428ab Mon Sep 17 00:00:00 2001
	From: Dave Jones <davej@redhat.com>
	Date: Fri, 28 Jun 2013 12:13:52 -0400
	Subject: x25: Fix broken locking in ioctl error paths.

	From: Dave Jones <davej@redhat.com>

	[ Upstream commit 4ccb93ce7439b63c31bc7597bfffd13567fa483d ]

	Two of the x25 ioctl cases have error paths that break out of the function without
	unlocking the socket, leading to this warning:

	================================================
	[ BUG: lock held when returning to user space! ]
	3.10.0-rc7+ #36 Not tainted
	------------------------------------------------
	trinity-child2/31407 is leaving the kernel with locks still held!
	1 lock held by trinity-child2/31407:
	#0: (sk_lock-AF_X25){+.+.+.}, at: [<ffffffffa024b6da>] x25_ioctl+0x8a/0x740 [x25]

	Signed-off-by: Dave Jones <davej@redhat.com>
	Signed-off-by: David S. Miller <davem@davemloft.net>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	---
	net/x25/af_x25.c \| 15 ++++++++-------
	1 file changed, 8 insertions(+), 7 deletions(-)

	--- a/net/x25/af_x25.c
	+++ b/net/x25/af_x25.c
	@@ -1583,11 +1583,11 @@ out_cud_release:
	case SIOCX25CALLACCPTAPPRV: {
	rc = -EINVAL;
	lock_sock(sk);
	- if (sk->sk_state != TCP_CLOSE)
	- break;
	- clear_bit(X25_ACCPT_APPRV_FLAG, &x25->flags);
	+ if (sk->sk_state == TCP_CLOSE) {
	+ clear_bit(X25_ACCPT_APPRV_FLAG, &x25->flags);
	+ rc = 0;
	+ }
	release_sock(sk);
	- rc = 0;
	break;
	}

	@@ -1595,14 +1595,15 @@ out_cud_release:
	rc = -EINVAL;
	lock_sock(sk);
	if (sk->sk_state != TCP_ESTABLISHED)
	- break;
	+ goto out_sendcallaccpt_release;
	/* must call accptapprv above */
	if (test_bit(X25_ACCPT_APPRV_FLAG, &x25->flags))
	- break;
	+ goto out_sendcallaccpt_release;
	x25_write_internal(sk, X25_CALL_ACCEPTED);
	x25->state = X25_STATE_3;
	- release_sock(sk);
	rc = 0;
	+out_sendcallaccpt_release:
	+ release_sock(sk);
	break;
	}