This push contains the following changes:

- Fix potential dead-lock in rhashtable when used by xattr. - Avoid calling kvfree on atomic path in rhashtable. -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEn51F/lCuNhUwmDeSxycdCkmxi6cFAmoG6NgACgkQxycdCkmx i6dpPA/9FUJGxLosr5LKlo71af5RpHuOAAVq9/3tjev9FLVR0IgqUuMpPqcKqaBC w4HL2drDcXUm3tlFLAgRgnCcIbz1lIVrZMTSHg1ivx9ZGNWm75o7n2gnYp4NnFzD 5A8AKHGUfnLf0y/nnrehvgGpnuyEGuMVL2+lTnkfJi1gYGQfJszC2pvC8a7gK2m1 ZXPdTEuMe58nfqHK0Jkhfwwjh8glpopvwfrEp5mByRqr3EELKznNGnTlPNpyjkPd vV0W8CM5qPJCn5Ts7OTKnZFktelSfgjKeHhxK3QFfUPV/fFQtwn2dNp099w00xMY GC3okWgDMGoXqnQ6nzNt9IGPXIvh1KgH76qY35R4gAjZ5JX8YF7ObJGylAthRYKz +AGx9Pl9u2GIE0EzkHDG5kxel2tCajWOgbdm78xYUtEn9ii3j8LInX63lB1bLLaq KIxMG/IuxP6mMaSiOs79/B9qmT/gYEfJvf4x8EXV1HXvzQh7SD5Zcep+krhVj49+ rsP5SBcTZfiZapU+AlicquLO/1kCYucUHz15KoKkeXiwj5ruWuUNx/wNblzft94d 9H4zfqL5hE41wiSOPdOT5fbGOI/a1PlMj4js3w+CGNh4BBOjAU6fZj86tO9gwI27 aRyR62ziteLck474PsYQbKx7J2qk2EARxO8QL9vHZhAsq3MBOck= =dSj/ -----END PGP SIGNATURE----- Merge tag 'v7.1-p4' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 Pull crypto fixes from Herbert Xu: - Fix potential dead-lock in rhashtable when used by xattr - Avoid calling kvfree on atomic path in rhashtable * tag 'v7.1-p4' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: rhashtable: Add bucket_table_free_atomic() helper mm/slab: Add kvfree_atomic() helper rhashtable: drop ht->mutex in rhashtable_free_and_destroy()
2026-05-29 09:33:31 +02:00 · 2026-05-15 10:38:37 -07:00 · 2026-05-15 10:38:37 -07:00 · fd6b566156
commit fd6b566156
parent 70eda68668 d1fa83ecac
3 changed files with 45 additions and 7 deletions
--- a/include/linux/slab.h
+++ b/include/linux/slab.h
@ -1234,6 +1234,9 @@ void *kvrealloc_node_align_noprof(const void *p, size_t size, unsigned long alig
 extern void kvfree(const void *addr);
 DEFINE_FREE(kvfree, void *, if (!IS_ERR_OR_NULL(_T)) kvfree(_T))

+extern void kvfree_atomic(const void *addr);
+DEFINE_FREE(kvfree_atomic, void *, if (!IS_ERR_OR_NULL(_T)) kvfree_atomic(_T))
+
 extern void kvfree_sensitive(const void *addr, size_t len);

 unsigned int kmem_cache_size(struct kmem_cache *s);
--- a/lib/rhashtable.c
+++ b/lib/rhashtable.c
@ -114,6 +114,14 @@ static void bucket_table_free(const struct bucket_table *tbl)
 	kvfree(tbl);
 }

+static void bucket_table_free_atomic(const struct bucket_table *tbl)
+{
+	if (tbl->nest)
+		nested_bucket_table_free(tbl);
+
+	kvfree_atomic(tbl);
+}
+
 static void bucket_table_free_rcu(struct rcu_head *head)
 {
 	bucket_table_free(container_of(head, struct bucket_table, rcu));
@ -496,7 +504,7 @@ static int rhashtable_insert_rehash(struct rhashtable *ht,

 	err = rhashtable_rehash_attach(ht, tbl, new_tbl);
 	if (err) {
-		bucket_table_free(new_tbl);
+		bucket_table_free_atomic(new_tbl);
 		if (err == -EEXIST)
 			err = 0;
 	} else
@ -1166,6 +1174,11 @@ static void rhashtable_free_one(struct rhashtable *ht, struct rhash_head *obj,
 * This function will eventually sleep to wait for an async resize
 * to complete. The caller is responsible that no further write operations
 * occurs in parallel.
+ *
+ * After cancel_work_sync() has returned, the deferred rehash worker is
+ * quiesced and, per the contract above, no other concurrent access to the
+ * rhashtable is possible. The tables are therefore owned exclusively by
+ * this function and can be walked without ht->mutex held.
 */
 void rhashtable_free_and_destroy(struct rhashtable *ht,
 				 void (*free_fn)(void *ptr, void *arg),
@ -1177,8 +1190,15 @@ void rhashtable_free_and_destroy(struct rhashtable *ht,
 	irq_work_sync(&ht->run_irq_work);
 	cancel_work_sync(&ht->run_work);

-	mutex_lock(&ht->mutex);
-	tbl = rht_dereference(ht->tbl, ht);
+	/*
+	 * Do NOT take ht->mutex here. The rehash worker establishes
+	 * ht->mutex -> fs_reclaim via GFP_KERNEL bucket allocation under
+	 * the mutex; callers on the reclaim path (e.g. simple_xattr_ht_free()
+	 * from evict() under the dcache shrinker for shmem/kernfs/pidfs
+	 * inodes) would otherwise close a circular dependency
+	 * fs_reclaim -> ht->mutex.
+	 */
+	tbl = rcu_dereference_raw(ht->tbl);
 restart:
 	if (free_fn) {
 		for (i = 0; i < tbl->size; i++) {
@ -1187,22 +1207,21 @@ void rhashtable_free_and_destroy(struct rhashtable *ht,
 			cond_resched();
 			for (pos = rht_ptr_exclusive(rht_bucket(tbl, i)),
 			     next = !rht_is_a_nulls(pos) ?
-					rht_dereference(pos->next, ht) : NULL;
+					rcu_dereference_raw(pos->next) : NULL;
 			     !rht_is_a_nulls(pos);
 			     pos = next,
 			     next = !rht_is_a_nulls(pos) ?
-					rht_dereference(pos->next, ht) : NULL)
+					rcu_dereference_raw(pos->next) : NULL)
 				rhashtable_free_one(ht, pos, free_fn, arg);
 		}
 	}

-	next_tbl = rht_dereference(tbl->future_tbl, ht);
+	next_tbl = rcu_dereference_raw(tbl->future_tbl);
 	bucket_table_free(tbl);
 	if (next_tbl) {
 		tbl = next_tbl;
 		goto restart;
 	}
-	mutex_unlock(&ht->mutex);
 }
 EXPORT_SYMBOL_GPL(rhashtable_free_and_destroy);

--- a/mm/slub.c
+++ b/mm/slub.c
@ -6882,6 +6882,22 @@ void kvfree(const void *addr)
 }
 EXPORT_SYMBOL(kvfree);

+/**
+ * kvfree_atomic() - Free memory.
+ * @addr: Pointer to allocated memory.
+ *
+ * Same as kvfree(), but uses vfree_atomic() for vmalloc
+ * backed memory. Must not be called from NMI context.
+ */
+void kvfree_atomic(const void *addr)
+{
+	if (is_vmalloc_addr(addr))
+		vfree_atomic(addr);
+	else
+		kfree(addr);
+}
+EXPORT_SYMBOL(kvfree_atomic);
+
 /**
 * kvfree_sensitive - Free a data object containing sensitive information.
 * @addr: address of the data object to be freed.