| author | Linus Torvalds <[email protected]> | 2025-09-26 19:28:32 +0000 |
|---|---|---|
| committer | Linus Torvalds <[email protected]> | 2025-09-26 19:28:32 +0000 |
| commit | 2cea0ed9796381b142f46bd8de97bb6b54b1df61 (patch) | |
| tree | 51bff718bfb5e2ad687f9e0e82c1d95c4dac5a22 | |
| parent | Merge tag 'core-urgent-2025-09-26' of git://git.kernel.org/pub/scm/linux/kern... (diff) | |
| parent | futex: Use correct exit on failure from futex_hash_allocate_default() (diff) | |
Merge tag 'locking-urgent-2025-09-26' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull locking fixes from Ingo Molnar:
"Fix a PI-futexes race, and fix a copy_process() futex cleanup bug"
* tag 'locking-urgent-2025-09-26' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
futex: Use correct exit on failure from futex_hash_allocate_default()
futex: Prevent use-after-free during requeue-PI
| -rw-r--r-- | kernel/fork.c | 2 | ||||
| -rw-r--r-- | kernel/futex/requeue.c | 6 |
2 files changed, 5 insertions, 3 deletions
diff --git a/kernel/fork.c b/kernel/fork.c
index c4ada32598bd..6ca8689a83b5 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -2295,7 +2295,7 @@ __latent_entropy struct task_struct *copy_process(
 if (need_futex_hash_allocate_default(clone_flags)) {
 retval = futex_hash_allocate_default();
 if (retval)
- goto bad_fork_core_free;
+ goto bad_fork_cancel_cgroup;
 /*
 * If we fail beyond this point we don't free the allocated
 * futex hash map. We assume that another thread will be created
diff --git a/kernel/futex/requeue.c b/kernel/futex/requeue.c
index c716a66f8692..d818b4d47f1b 100644
--- a/kernel/futex/requeue.c
+++ b/kernel/futex/requeue.c
@@ -230,8 +230,9 @@ static inline
 void requeue_pi_wake_futex(struct futex_q *q, union futex_key *key,
 struct futex_hash_bucket *hb)
 {
- q->key = *key;
+ struct task_struct *task;
+ q->key = *key;
 __futex_unqueue(q);
 WARN_ON(!q->rt_waiter);
@@ -243,10 +244,11 @@ void requeue_pi_wake_futex(struct futex_q *q, union futex_key *key,
 futex_hash_get(hb);
 q->drop_hb_ref = true;
 q->lock_ptr = &hb->lock;
+ task = READ_ONCE(q->task);
 /* Signal locked state to the waiter */
 futex_requeue_pi_complete(q, 1);
- wake_up_state(q->task, TASK_NORMAL);
+ wake_up_state(task, TASK_NORMAL);
 }
 /** |
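Review bot: The retargeted `goto bad_fork_cancel_cgroup;` carries no explanation of why this exit is the right one, while the comment block immediately below it documents only the opposite direction (failures after this point deliberately leak the futex hash). From the hunk alone a maintainer cannot tell which resources `bad_fork_cancel_cgroup` undoes that `bad_fork_core_free` did not; the label name suggests cgroup fork state set up earlier in copy_process(), but that setup is not visible here. I would put a one-line comment on the goto, e.g. `/* the futex hash is allocated after the cgroup fork prep, so unwind through the cgroup cancel path */`, worded to match whatever the label actually unwinds. copy_process() begins and ends outside this hunk.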
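Review bot: `task = READ_ONCE(q->task);` is the entire fix, yet nothing in the new code records why the pointer must be snapshotted before `futex_requeue_pi_complete(q, 1)` instead of being read at the `wake_up_state()` call, so a later cleanup could fold it straight back into the bug. I would add above the assignment a comment such as `/* Once futex_requeue_pi_complete() publishes the locked state the waiter may return and free or reuse its futex_q, so q must not be touched after that call. */`, which also tells readers that `q` is dead for the rest of the function. Whether the waiter's futex_q lives on its stack is not visible in this hunk, so the wording should be checked against futex_wait_requeue_pi(). It would also be worth stating what keeps `task` itself valid until wake_up_state() runs (presumably the waiter is still inside the futex syscall), since the snapshot only protects against the futex_q going away, not the task_struct.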
