Commit 2cea0ed9 authored by Linus Torvalds

Merge tag 'locking-urgent-2025-09-26' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull locking fixes from Ingo Molnar:
 "Fix a PI-futexes race, and fix a copy_process() futex cleanup bug"

* tag 'locking-urgent-2025-09-26' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  futex: Use correct exit on failure from futex_hash_allocate_default()
  futex: Prevent use-after-free during requeue-PI
parents 8b07f74c 4ec3c154
+1 −1
@@ -2295,7 +2295,7 @@ __latent_entropy struct task_struct *copy_process(
	if (need_futex_hash_allocate_default(clone_flags)) {
		retval = futex_hash_allocate_default();
		if (retval)
			goto bad_fork_core_free;
			goto bad_fork_cancel_cgroup;
		/*
		 * If we fail beyond this point we don't free the allocated
		 * futex hash map. We assume that another thread will be created
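Review bot: The `goto bad_fork_cancel_cgroup;` after `futex_hash_allocate_default()` has no comment saying which earlier setup step this exit has to unwind, and the page shows a different label (`bad_fork_core_free`) at the same spot. An unwind label that skips a cleanup step leaves state behind on a failed fork, so the reason for this choice is worth pinning next to the goto. A one-line comment would do, e.g. `/* cgroup_can_fork() has presumably succeeded by now; its state must be cancelled on failure */`. The wording needs confirming against the rest of copy_process(), because the function and its error labels start and end outside this hunk.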
+4 −2
@@ -230,8 +230,9 @@ static inline
void requeue_pi_wake_futex(struct futex_q *q, union futex_key *key,
			   struct futex_hash_bucket *hb)
{
	q->key = *key;
	struct task_struct *task;

	q->key = *key;
	__futex_unqueue(q);

	WARN_ON(!q->rt_waiter);
@@ -243,10 +244,11 @@ void requeue_pi_wake_futex(struct futex_q *q, union futex_key *key,
	futex_hash_get(hb);
	q->drop_hb_ref = true;
	q->lock_ptr = &hb->lock;
	task = READ_ONCE(q->task);

	/* Signal locked state to the waiter */
	futex_requeue_pi_complete(q, 1);
	wake_up_state(q->task, TASK_NORMAL);
	wake_up_state(task, TASK_NORMAL);
}

/**
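Review bot: Nothing at `task = READ_ONCE(q->task);` explains why the pointer is snapshotted before `futex_requeue_pi_complete(q, 1)`, so a later cleanup could fold it back into `wake_up_state(q->task, TASK_NORMAL)` and reintroduce the use-after-free named in the merge message. A comment on that line would pin the ordering, e.g. `/* q may vanish once the waiter observes the locked state; do not dereference q after futex_requeue_pi_complete() */`. Where q is allocated is not visible in the hunk, so the exact wording should be checked against the waiter side. The hunk also does not show what keeps `task` itself valid until `wake_up_state(task, TASK_NORMAL)` returns. If that relies on the caller holding `hb->lock` or on an RCU read-side section, the comment should state it.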