Commit b7369eb7 authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Merge tag 'locking-urgent-2025-09-07' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 

Pull locking fix from Ingo Molnar:
 "Fix an 'allocation from atomic context' regression in the futex
  vmalloc variant"

* tag 'locking-urgent-2025-09-07' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  futex: Move futex_hash_free() back to __mmput()
parents 6a8a34a5 d9b05321

kernel/fork.c

+1 −1
Original line number Diff line number Diff line
@@ -689,7 +689,6 @@ void __mmdrop(struct mm_struct *mm) 
	mm_pasid_drop(mm);

	mm_destroy_cid(mm);

	percpu_counter_destroy_many(mm->rss_stat, NR_MM_COUNTERS);

	futex_hash_free(mm);



	free_mm(mm);

}
@@ -1138,6 +1137,7 @@ static inline void __mmput(struct mm_struct *mm) 
	if (mm->binfmt)

		module_put(mm->binfmt->module);

	lru_gen_del_mm(mm);

	futex_hash_free(mm);

	mmdrop(mm);

}

kernel/futex/core.c

+12 −4
Original line number Diff line number Diff line
@@ -1722,12 +1722,9 @@ int futex_mm_init(struct mm_struct *mm) 
	RCU_INIT_POINTER(mm->futex_phash, NULL);

	mm->futex_phash_new = NULL;

	/* futex-ref */

	mm->futex_ref = NULL;

	atomic_long_set(&mm->futex_atomic, 0);

	mm->futex_batches = get_state_synchronize_rcu();

	mm->futex_ref = alloc_percpu(unsigned int);

	if (!mm->futex_ref)

		return -ENOMEM;

	this_cpu_inc(*mm->futex_ref); /* 0 -> 1 */

	return 0;

}
@@ -1801,6 +1798,17 @@ static int futex_hash_allocate(unsigned int hash_slots, unsigned int flags) 
		}

	}



	if (!mm->futex_ref) {

		/*

		 * This will always be allocated by the first thread and

		 * therefore requires no locking.

		 */

		mm->futex_ref = alloc_percpu(unsigned int);

		if (!mm->futex_ref)

			return -ENOMEM;

		this_cpu_inc(*mm->futex_ref); /* 0 -> 1 */

	}



	fph = kvzalloc(struct_size(fph, queues, hash_slots),

		       GFP_KERNEL_ACCOUNT | __GFP_NOWARN);

	if (!fph)