futex: Move futex cleanup to __mmdrop()

KAGA-KOKO · KAGA-KOKO · commit e703b7e24750 · 2025-08-02T15:11:52.000+02:00
Futex hash allocations are done in mm_init() and the cleanup happens in __mmput(). That works most of the time, but there are mm instances which are instantiated via mm_alloc() and freed via mmdrop(), which causes the futex hash to be leaked. Move the cleanup to __mmdrop(). Fixes: 56180dd ("futex: Use RCU-based per-CPU reference counting instead of rcuref_t") Reported-by: André Draszik <andre.draszik@linaro.org> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Tested-by: André Draszik <andre.draszik@linaro.org> Link: https://lore.kernel.org/all/87ldo5ihu0.ffs@tglx Closes: https://lore.kernel.org/all/0c8cc83bb73abf080faf584f319008b67d0931db.camel@linaro.org
diff --git a/kernel/fork.c b/kernel/fork.c
@@ -686,6 +686,7 @@ void __mmdrop(struct mm_struct *mm)
 	mm_pasid_drop(mm);
 	mm_destroy_cid(mm);
 	percpu_counter_destroy_many(mm->rss_stat, NR_MM_COUNTERS);
+	futex_hash_free(mm);
 
 	free_mm(mm);
 }
@@ -1133,7 +1134,6 @@ static inline void __mmput(struct mm_struct *mm)
 	if (mm->binfmt)
 		module_put(mm->binfmt->module);
 	lru_gen_del_mm(mm);
-	futex_hash_free(mm);
 	mmdrop(mm);
 }
 

Original file line number	Diff line number	Diff line change
`@@ -686,6 +686,7 @@ void __mmdrop(struct mm_struct *mm)`
`686`	`686`	`mm_pasid_drop(mm);`
`687`	`687`	`mm_destroy_cid(mm);`
`688`	`688`	`percpu_counter_destroy_many(mm->rss_stat, NR_MM_COUNTERS);`
	`689`	`+ futex_hash_free(mm);`
`689`	`690`
`690`	`691`	`free_mm(mm);`
`691`	`692`	`}`
`@@ -1133,7 +1134,6 @@ static inline void __mmput(struct mm_struct *mm)`
`1133`	`1134`	`if (mm->binfmt)`
`1134`	`1135`	`module_put(mm->binfmt->module);`
`1135`	`1136`	`lru_gen_del_mm(mm);`
`1136`		`- futex_hash_free(mm);`
`1137`	`1137`	`mmdrop(mm);`
`1138`	`1138`	`}`
`1139`	`1139`