Fix a dangling pointer bug in the futex code used by the
uring code, which isn't causing problems at the moment due to uring ABI limitations leaving it essentially unused in current usages, but is a good idea to fix nevertheless. Signed-off-by: Ingo Molnar <mingo@kernel.org> -----BEGIN PGP SIGNATURE----- iQJFBAABCgAvFiEEBpT5eoXrXCwVQwEKEnMQ0APhK1gFAmenHrkRHG1pbmdvQGtl cm5lbC5vcmcACgkQEnMQ0APhK1jnLQ//T+vNYeyQ5Nc3CuqsZfv5h77ijCLzazSh qu5LXyGHHIlLLPEzh53wRQQbGBQ6A2HdbVVphn8k/0v4eT1Ez5yN7AiTYuPkEP73 m6MWQAWcGQ7M7vR7cvWIsIB1wS5PD2g3UdvS8x+OECZk4lnSx4Xh/TfbRIURwhe2 SS6jgRGhaodsp8N2o8c/BgrvvHY9aedJQhx4iAh3PiuPomygr9kfIAaQstQNKx61 w4NQBQhK93LD9duESc+ONDlRhzSvbdJfRby1hbHzvcnCGe5S2aZzOfY31CPJbOt6 UvbfeStEGEHkfqbZOXEtwVPZ80+U2hWvD67wSXFB0pTc68zkuGN3/Ko88GCyZx5+ mxDRYWLoExknEUuk/Mc+hOzu1uaCjpXxA8qRr7SW3ewH1QOGr+ZISQgSffRdujbH 2E2cBh9/HOeVZ/7nAvfkSU+yyfvBwZBP/Q0PN5ODpk3S7ZfCC7h57oClWx4WUuTX 0H9N2IvPG0hqmqljKkt/5Xc4Qgvh6RA+pmxK0uUngViuw+v81Ea7/m+kbetQRO07 OPOH/UT4nlmwoCwch+nKr/MRmZADpXEZyeRKS0kBJQLRMkN9VT1+e2Zf3Yir2Ji4 hveqiJKiIgCPPxz3w+N/XcSgOTQUN1PmOLjEXB+gRNRctsvGZOtuY2HZIydQAMbT EjJBwkEWIQo= =qhN4 -----END PGP SIGNATURE----- Merge tag 'locking-urgent-2025-02-08' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull locking fix from Ingo Molnar: "Fix a dangling pointer bug in the futex code used by the uring code. It isn't causing problems at the moment due to uring ABI limitations leaving it essentially unused in current usages, but is a good idea to fix nevertheless" * tag 'locking-urgent-2025-02-08' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: futex: Pass in task to futex_queue()
fa76887bb7
5 changed files with 15 additions and 9 deletions
|
@ -338,7 +338,7 @@ int io_futex_wait(struct io_kiocb *req, unsigned int issue_flags)
|
|||
hlist_add_head(&req->hash_node, &ctx->futex_list);
|
||||
io_ring_submit_unlock(ctx, issue_flags);
|
||||
|
||||
futex_queue(&ifd->q, hb);
|
||||
futex_queue(&ifd->q, hb, NULL);
|
||||
return IOU_ISSUE_SKIP_COMPLETE;
|
||||
}
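Review bot: The `NULL` passed at the io_futex_wait() call site is the only caller on this page that differs from the synchronous ones, and nothing next to it says why, so a reader has to find the futex_queue() kernel-doc to learn that NULL is deliberate rather than a forgotten argument. A one-line comment above the call would carry the intent from the commit message: `/* Async waiter: never record current, it may exit while ifd->q stays queued. */`. The body of io_futex_wait() begins outside the hunk.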
|
||||
|
||||
|
|
|
@ -532,7 +532,8 @@ void futex_q_unlock(struct futex_hash_bucket *hb)
|
|||
futex_hb_waiters_dec(hb);
|
||||
}
|
||||
|
||||
void __futex_queue(struct futex_q *q, struct futex_hash_bucket *hb)
|
||||
void __futex_queue(struct futex_q *q, struct futex_hash_bucket *hb,
|
||||
struct task_struct *task)
|
||||
{
|
||||
int prio;
|
||||
|
||||
|
@ -548,7 +549,7 @@ void __futex_queue(struct futex_q *q, struct futex_hash_bucket *hb)
|
|||
|
||||
plist_node_init(&q->list, prio);
|
||||
plist_add(&q->list, &hb->chain);
|
||||
q->task = current;
|
||||
q->task = task;
|
||||
}
|
||||
|
||||
/**
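Review bot: `q->task = task;` now stores NULL for the async caller, which turns every later reader of q->task into a NULL-tolerance question, and none of those readers are in this hunk, so the commit does not show that the wake and unqueue paths cope with it; that is presumably the case for io_uring's own wake function but is worth confirming in review. A comment on the assignment would make the new contract visible where it is enforced: `/* May be NULL: async users (io_uring) do not sleep on this futex_q. */`. If __futex_queue() carries a kernel-doc block, it sits above the first hunk and should gain an `@task` entry matching the one added to futex_queue(). The middle of __futex_queue() between the two hunks is outside view.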
|
||||
|
|
|
@ -285,13 +285,15 @@ static inline int futex_get_value_locked(u32 *dest, u32 __user *from)
|
|||
}
|
||||
|
||||
extern void __futex_unqueue(struct futex_q *q);
|
||||
extern void __futex_queue(struct futex_q *q, struct futex_hash_bucket *hb);
|
||||
extern void __futex_queue(struct futex_q *q, struct futex_hash_bucket *hb,
|
||||
struct task_struct *task);
|
||||
extern int futex_unqueue(struct futex_q *q);
|
||||
|
||||
/**
|
||||
* futex_queue() - Enqueue the futex_q on the futex_hash_bucket
|
||||
* @q: The futex_q to enqueue
|
||||
* @hb: The destination hash bucket
|
||||
* @task: Task queueing this futex
|
||||
*
|
||||
* The hb->lock must be held by the caller, and is released here. A call to
|
||||
* futex_queue() is typically paired with exactly one call to futex_unqueue(). The
|
||||
|
@ -299,11 +301,14 @@ extern int futex_unqueue(struct futex_q *q);
|
|||
* or nothing if the unqueue is done as part of the wake process and the unqueue
|
||||
* state is implicit in the state of woken task (see futex_wait_requeue_pi() for
|
||||
* an example).
|
||||
*
|
||||
* Note that @task may be NULL, for async usage of futexes.
|
||||
*/
|
||||
static inline void futex_queue(struct futex_q *q, struct futex_hash_bucket *hb)
|
||||
static inline void futex_queue(struct futex_q *q, struct futex_hash_bucket *hb,
|
||||
struct task_struct *task)
|
||||
__releases(&hb->lock)
|
||||
{
|
||||
__futex_queue(q, hb);
|
||||
__futex_queue(q, hb, task);
|
||||
spin_unlock(&hb->lock);
|
||||
}
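Review bot: The new `@task: Task queueing this futex` line describes the normal case but not what the parameter actually becomes, so the later "may be NULL" note reads as an exception without a rule. Since __futex_queue() stores the argument verbatim in q->task, the kernel-doc could say so and fold the NULL case in: `* @task: Task to record in @q->task, or NULL for async users that never sleep on @q`. The trailing "Note that @task may be NULL" sentence can then stay as is or be dropped; either way the two statements should agree on the wording.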
|
||||
|
||||
|
|
|
@ -982,7 +982,7 @@ retry_private:
|
|||
/*
|
||||
* Only actually queue now that the atomic ops are done:
|
||||
*/
|
||||
__futex_queue(&q, hb);
|
||||
__futex_queue(&q, hb, current);
|
||||
|
||||
if (trylock) {
|
||||
ret = rt_mutex_futex_trylock(&q.pi_state->pi_mutex);
|
||||
|
|
|
@ -349,7 +349,7 @@ void futex_wait_queue(struct futex_hash_bucket *hb, struct futex_q *q,
|
|||
* access to the hash list and forcing another memory barrier.
|
||||
*/
|
||||
set_current_state(TASK_INTERRUPTIBLE|TASK_FREEZABLE);
|
||||
futex_queue(q, hb);
|
||||
futex_queue(q, hb, current);
|
||||
|
||||
/* Arm the timer */
|
||||
if (timeout)
|
||||
|
@ -460,7 +460,7 @@ retry:
|
|||
* next futex. Queue each futex at this moment so hb can
|
||||
* be unlocked.
|
||||
*/
|
||||
futex_queue(q, hb);
|
||||
futex_queue(q, hb, current);
|
||||
continue;
|
||||
}
|
||||
|
||||
|
|