From: Sonny Rao <sonnyrao@us.ibm.com>
Date: Fri, 10 Jul 2009 23:13:13 +0000 (-0500)
Subject: futexes: Fix infinite loop in get_futex_key() on huge page
X-Git-Tag: v2.6.30.2~15
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=eadc4345f93b857cbf8c63400ea0a7ed9b6431a2;p=thirdparty%2Fkernel%2Fstable.git

futexes: Fix infinite loop in get_futex_key() on huge page

commit ce2ae53b750abfaa012ce408e93da131a5b5649b upstream.

get_futex_key() can infinitely loop if it is called on a
virtual address that is within a huge page but not aligned to
the beginning of that page.  The call to get_user_pages_fast
will return the struct page for a sub-page within the huge page
and the check for page->mapping will always fail.

The fix is to call compound_head on the page before checking
that it's mapped.

Signed-off-by: Sonny Rao <sonnyrao@us.ibm.com>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Cc: anton@samba.org
Cc: rajamony@us.ibm.com
Cc: speight@us.ibm.com
Cc: mstephen@us.ibm.com
Cc: grimm@us.ibm.com
Cc: mikey@ozlabs.au.ibm.com
LKML-Reference: <20090710231313.GA23572@us.ibm.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---

diff --git a/kernel/futex.c b/kernel/futex.c
index f2cee4b24c512..4d973bde85335 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -241,6 +241,7 @@ again:
 	if (err < 0)
 		return err;
 
+	page = compound_head(page);
 	lock_page(page);
 	if (!page->mapping) {
 		unlock_page(page);