This is a note to let you know that I've just added the patch titled futex: Cleanup refcounting to the 4.9-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: futex-cleanup-refcounting.patch and it can be found in the queue-4.9 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From foo@baz Thu Mar 4 02:09:29 PM CET 2021 From: Ben Hutchings <ben@xxxxxxxxxxxxxxx> Date: Mon, 1 Mar 2021 18:31:22 +0100 Subject: futex: Cleanup refcounting To: stable@xxxxxxxxxxxxxxx Cc: Lee Jones <lee.jones@xxxxxxxxxx>, "Luis Claudio R. Goncalves" <lgoncalv@xxxxxxxxxx> Message-ID: <YD0k6ppZS2lYYEqg@xxxxxxxxxxxxxxx> Content-Disposition: inline From: Ben Hutchings <ben@xxxxxxxxxxxxxxx> From: Peter Zijlstra <peterz@xxxxxxxxxxxxx> commit bf92cf3a5100f5a0d5f9834787b130159397cb22 upstream. Add a put_pit_state() as counterpart for get_pi_state() so the refcounting becomes consistent. Signed-off-by: Peter Zijlstra (Intel) <peterz@xxxxxxxxxxxxx> Cc: juri.lelli@xxxxxxx Cc: bigeasy@xxxxxxxxxxxxx Cc: xlpang@xxxxxxxxxx Cc: rostedt@xxxxxxxxxxx Cc: mathieu.desnoyers@xxxxxxxxxxxx Cc: jdesfossez@xxxxxxxxxxxx Cc: dvhart@xxxxxxxxxxxxx Cc: bristot@xxxxxxxxxx Link: http://lkml.kernel.org/r/20170322104151.801778516@xxxxxxxxxxxxx Signed-off-by: Thomas Gleixner <tglx@xxxxxxxxxxxxx> Signed-off-by: Ben Hutchings <ben@xxxxxxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- kernel/futex.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) --- a/kernel/futex.c +++ b/kernel/futex.c @@ -827,7 +827,7 @@ static int refill_pi_state_cache(void) return 0; } -static struct futex_pi_state * alloc_pi_state(void) +static struct futex_pi_state *alloc_pi_state(void) { struct futex_pi_state *pi_state = current->pi_state_cache; 
@@ -860,6 +860,11 @@ static void pi_state_update_owner(struct } } +static void get_pi_state(struct futex_pi_state *pi_state) +{ + WARN_ON_ONCE(!atomic_inc_not_zero(&pi_state->refcount)); +} + /* * Drops a reference to the pi_state object and frees or caches it * when the last reference is gone. @@ -901,7 +906,7 @@ static void put_pi_state(struct futex_pi * Look up the task based on what TID userspace gave us. * We dont trust it. */ -static struct task_struct * futex_find_get_task(pid_t pid) +static struct task_struct *futex_find_get_task(pid_t pid) { struct task_struct *p; @@ -1149,7 +1154,7 @@ static int attach_to_pi_state(u32 __user goto out_einval; out_attach: - atomic_inc(&pi_state->refcount); + get_pi_state(pi_state); raw_spin_unlock_irq(&pi_state->pi_mutex.wait_lock); *ps = pi_state; return 0; @@ -2210,7 +2215,7 @@ retry_private: * refcount on the pi_state and store the pointer in * the futex_q object of the waiter. */ - atomic_inc(&pi_state->refcount); + get_pi_state(pi_state); this->pi_state = pi_state; ret = rt_mutex_start_proxy_lock(&pi_state->pi_mutex, this->rt_waiter, Patches currently in stable-queue which might be from ben@xxxxxxxxxxxxxxx are queue-4.9/futex-cleanup-refcounting.patch queue-4.9/futex-fix-more-put_pi_state-vs.-exit_pi_state_list-races.patch queue-4.9/futex-futex_unlock_pi-determinism.patch queue-4.9/futex-cleanup-variable-names-for-futex_top_waiter.patch queue-4.9/futex-don-t-enable-irqs-unconditionally-in-put_pi_state.patch queue-4.9/futex-fix-pi_state-owner-serialization.patch queue-4.9/futex-pull-rt_mutex_futex_unlock-out-from-under-hb-lock.patch
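Review bot: In the @@ -860 hunk, get_pi_state() returns void, so when atomic_inc_not_zero() fails the only effect is the WARN_ON_ONCE; the caller has not gained a reference but continues as if it had. Both converted call sites then publish the pointer (`*ps = pi_state;` in attach_to_pi_state() and `this->pi_state = pi_state;` in the retry_private path), and a later put_pi_state() on that pointer would be unbalanced. The old atomic_inc() always incremented, so this is a behaviour change and not only a cleanup. put_pi_state() directly below has a comment block and the new helper has none: please add one stating the precondition (the caller already holds a reference, or a lock that keeps the refcount non-zero), or have the helper return the result so callers can bail out. The changelog also reads "Add a put_pit_state() as counterpart for get_pi_state()", while the function this hunk adds is get_pi_state().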
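Review bot: In the @@ -2210 hunk, nothing in the visible context shows what keeps pi_state->refcount non-zero at the point get_pi_state() is called, unlike the @@ -1149 hunk where the call sits just before `raw_spin_unlock_irq(&pi_state->pi_mutex.wait_lock);`. Now that the increment is conditional on a non-zero count, the existing comment ("refcount on the pi_state and store the pointer in the futex_q object of the waiter") should be extended to name the reference or lock that is held here, so the WARN_ON_ONCE in get_pi_state() can be read as an assertion of a documented invariant.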
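Review bot: The @@ -827 hunk (and likewise @@ -901) only drops the space after `*` in the declarations of alloc_pi_state() and futex_find_get_task(), which is unrelated to the refcounting change in the subject and accounts for part of the "9 insertions(+), 4 deletions(-)". The changelog should mention the whitespace fixes in one line, so that someone reading the diffstat of this backport does not go looking for a functional change in those two functions.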