From patchwork Fri Jun 28 15:14:53 2013
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Dave Jones <davej@redhat.com>
X-Patchwork-Id: 255420
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming@ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 555A72C0090
	for <patchwork-incoming@ozlabs.org>;
	Sat, 29 Jun 2013 01:15:10 +1000 (EST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1755263Ab3F1PPF (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);
	Fri, 28 Jun 2013 11:15:05 -0400
Received: from mx1.redhat.com ([209.132.183.28]:40045 "EHLO mx1.redhat.com"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1750818Ab3F1PPD (ORCPT <rfc822;netdev@vger.kernel.org>);
	Fri, 28 Jun 2013 11:15:03 -0400
Received: from int-mx01.intmail.prod.int.phx2.redhat.com
	(int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11])
	by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id r5SFF1Da001763
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK)
	for <netdev@vger.kernel.org>; Fri, 28 Jun 2013 11:15:01 -0400
Received: from gelk.kernelslacker.org (ovpn-113-177.phx2.redhat.com
	[10.3.113.177])
	by int-mx01.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with
	ESMTP id r5SFEtaI016527
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
	for <netdev@vger.kernel.org>; Fri, 28 Jun 2013 11:15:01 -0400
Received: from gelk.kernelslacker.org (localhost [127.0.0.1])
	by gelk.kernelslacker.org (8.14.7/8.14.5) with ESMTP id
	r5SFEsnx009766
	for <netdev@vger.kernel.org>; Fri, 28 Jun 2013 11:14:54 -0400
Received: (from davej@localhost)
	by gelk.kernelslacker.org (8.14.7/8.14.7/Submit) id r5SFErPs009703
	for netdev@vger.kernel.org; Fri, 28 Jun 2013 11:14:53 -0400
X-Authentication-Warning: gelk.kernelslacker.org: davej set sender to
	davej@redhat.com using -f
Date: Fri, 28 Jun 2013 11:14:53 -0400
From: Dave Jones <davej@redhat.com>
To: netdev@vger.kernel.org
Subject: fix broken locking in x25 ioctl error paths
Message-ID: <20130628151453.GA29428@redhat.com>
MIME-Version: 1.0
Content-Disposition: inline
User-Agent: Mutt/1.5.21 (2010-09-15)
X-Scanned-By: MIMEDefang 2.67 on 10.5.11.11
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

Two of the x25 ioctl cases have error paths that break out of the function without
unlocking the socket, leading to this warning:
---
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

================================================
[ BUG: lock held when returning to user space! ]
3.10.0-rc7+ #36 Not tainted
------------------------------------------------
trinity-child2/31407 is leaving the kernel with locks still held!
1 lock held by trinity-child2/31407:
 #0:  (sk_lock-AF_X25){+.+.+.}, at: [<ffffffffa024b6da>] x25_ioctl+0x8a/0x740 [x25]

Signed-off-by: Dave Jones <davej@redhat.com>

diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c
index 37ca969..2c1e633 100644
--- a/net/x25/af_x25.c
+++ b/net/x25/af_x25.c
@@ -1584,10 +1584,11 @@ out_cud_release:
 		rc = -EINVAL;
 		lock_sock(sk);
 		if (sk->sk_state != TCP_CLOSE)
-			break;
+			goto out_callaccpt_release;
 		clear_bit(X25_ACCPT_APPRV_FLAG, &x25->flags);
-		release_sock(sk);
 		rc = 0;
+out_callaccpt_release:
+		release_sock(sk);
 		break;
 	}
 
@@ -1595,14 +1596,15 @@ out_cud_release:
 		rc = -EINVAL;
 		lock_sock(sk);
 		if (sk->sk_state != TCP_ESTABLISHED)
-			break;
+			goto out_sendcallaccpt_release;
 		/* must call accptapprv above */
 		if (test_bit(X25_ACCPT_APPRV_FLAG, &x25->flags))
-			break;
+			goto out_sendcallaccpt_release;
 		x25_write_internal(sk, X25_CALL_ACCEPTED);
 		x25->state = X25_STATE_3;
-		release_sock(sk);
 		rc = 0;
+out_sendcallaccpt_release:
+		release_sock(sk);
 		break;
 	}