Gh0st
/
linux
mirror of https://github.com/torvalds/linux.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fix a PI-futexes race, and fix a copy_process() futex 

cleanup bug.
 
 Signed-off-by: Ingo Molnar <mingo@kernel.org>
 -----BEGIN PGP SIGNATURE-----
 
 iQJFBAABCgAvFiEEBpT5eoXrXCwVQwEKEnMQ0APhK1gFAmjWmEcRHG1pbmdvQGtl
 cm5lbC5vcmcACgkQEnMQ0APhK1i3RBAAqG75bKH8LJHv8bceV+wcFI6w4gbhGHC7
 bWtz8PFjEfC7wYkcWpAKDAJhaauJuZa1cZ8nn59IIxSf2xjNedUYYigIdVm383Hq
 eG3ZYbQ46xsAeQeQqZjO7kA5CI4LunDXH/H59j3l+LxT91eow1sRUQK17biO+VcK
 Qeb1e7556tCME7Ih3ApqErVHKoUA1cYi9b3Mb0CB12f5P83NpDRHq7ZSkrcxvbc+
 X+wEJPEOZgCPil+rc3xg/UtP9oTwKjfbeRLekh3cyZCzRYvIgPJ5MZvqeUZh+NR8
 xN3vbLGwSyngGReWOuFlz9UJRfCxWtRDqN3p7iBaQxakcnmyvFvlxmGg4HTujtIR
 5AfHhwGo8xyPwII56EUUEfo1AuAD9neCL/UUNUSL2K1mCS9bzBED9pQTpdUAGMF5
 vpGFiDdVrhuEAjZgxaLKAFUMznRrM0WQSkP+rmFDyOsGYmCkLdQq5YCFXksXndwP
 plW0qR3fTdJU/E4cca0CmPQPPvdFtLTROV1hj/C3CFaBcX87wXMR/BnvYZiT06lq
 woD/MtNcAJHLg1y6h/2B5E10q0sqIvSZrCnBAWxnif+Xwyt3aeD8iTAM3eYFZ1cQ
 ErXpTo40KeUR8ZtDl9PwkJICbgNP4A9S1U16uCdWYnaxvSPeI2mh+JHkHptAaSA0
 UBVNGfvxyvo=
 =7i71
 -----END PGP SIGNATURE-----

Merge tag 'locking-urgent-2025-09-26' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull locking fixes from Ingo Molnar:
 "Fix a PI-futexes race, and fix a copy_process() futex cleanup bug"

* tag 'locking-urgent-2025-09-26' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  futex: Use correct exit on failure from futex_hash_allocate_default()
  futex: Prevent use-after-free during requeue-PI
This commit is contained in:
Linus Torvalds 2025-09-26 12:28:32 -07:00
parent 8b07f74c23 4ec3c15462
commit 2cea0ed979
2 changed files with 5 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
kernel/fork.c
View File

@ -2295,7 +2295,7 @@ __latent_entropy struct task_struct *copy_process(
if (need_futex_hash_allocate_default(clone_flags)) {
retval = futex_hash_allocate_default();
if (retval)
goto bad_fork_core_free;
goto bad_fork_cancel_cgroup;
/*
* If we fail beyond this point we don't free the allocated
* futex hash map. We assume that another thread will be created

6
kernel/futex/requeue.c
View File

@ -230,8 +230,9 @@ static inline
void requeue_pi_wake_futex(struct futex_q *q, union futex_key *key,
struct futex_hash_bucket *hb)
{
q->key = *key;
struct task_struct *task;
q->key = *key;
__futex_unqueue(q);
WARN_ON(!q->rt_waiter);
@ -243,10 +244,11 @@ void requeue_pi_wake_futex(struct futex_q *q, union futex_key *key,
futex_hash_get(hb);
q->drop_hb_ref = true;
q->lock_ptr = &hb->lock;
task = READ_ONCE(q->task);
/* Signal locked state to the waiter */
futex_requeue_pi_complete(q, 1);
wake_up_state(q->task, TASK_NORMAL);
wake_up_state(task, TASK_NORMAL);
}
/**