[PATCH] futex: Initialize mm_struct::futex_ref on mm_init()

Sebastian Andrzej Siewior posted 1 patch 1 month ago
kernel/futex/core.c | 1 +
1 file changed, 1 insertion(+)
Posted by Sebastian Andrzej Siewior 1 month ago
mm_struct::futex_ref needs to be set to NULL during mm_init() to ensure
that it is not copied during fork(). Reusing the previous pointer can
lead to use-after-free which can trigger

| WARNING: kernel/futex/core.c:1604 at futex_ref_rcu+0xe1/0xf0, CPU#2: swapper/2/0

Initialize mm_struct::futex_ref on mm_init().

Fixes: 1b708b38414d3 ("futex: Move futex_hash_free() back to __mmput()")
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
---
 kernel/futex/core.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/kernel/futex/core.c b/kernel/futex/core.c
index fb63c13aa66fc..125804fbb5cb1 100644
--- a/kernel/futex/core.c
+++ b/kernel/futex/core.c
@@ -1722,6 +1722,7 @@ int futex_mm_init(struct mm_struct *mm)
 	RCU_INIT_POINTER(mm->futex_phash, NULL);
 	mm->futex_phash_new = NULL;
 	/* futex-ref */
+	mm->futex_ref = NULL;
 	atomic_long_set(&mm->futex_atomic, 0);
 	mm->futex_batches = get_state_synchronize_rcu();
 	return 0;
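Review bot: the new `mm->futex_ref = NULL;` belongs here, alongside the other futex state that futex_mm_init() resets (`futex_phash`, `futex_phash_new`, `futex_atomic`, `futex_batches`); as the commit message says, anything not reset at mm_init() is inherited from the parent on fork(), and a stale pointer from the parent is exactly the use-after-free path that fires the futex_ref_rcu warning. Two small follow-ups worth considering: the `/* futex-ref */` comment could say why the reset matters (the pointer must not survive a fork() copy of the parent's mm_struct), and since the Fixes tag points at the commit that moved futex_hash_free() back to __mmput(), it is worth confirming that the free path handles a NULL `futex_ref` for an mm that never allocated one, so the initialization and teardown agree.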
-- 
2.51.0
Re: [PATCH] futex: Initialize mm_struct::futex_ref on mm_init()
Posted by Borislav Petkov 1 month ago
On Sat, Aug 30, 2025 at 11:38:06PM +0200, Sebastian Andrzej Siewior wrote:
> mm_struct::futex_ref needs to be set to NULL during mm_init() to ensure
> that it is not copied during fork(). Reusing the previous pointer can
> lead to use-after-free which can trigger
> 
> | WARNING: kernel/futex/core.c:1604 at futex_ref_rcu+0xe1/0xf0, CPU#2: swapper/2/0
> 
> Initialize mm_struct::futex_ref on mm_init().
> 
> Fixes: 1b708b38414d3 ("futex: Move futex_hash_free() back to __mmput()")

So this one is queued in locking/urgent and I guess I can fold this new one into
it so that that commit is whole and fixed.

And then leave it in that branch for one more week for some more testing...

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette
Re: [PATCH] futex: Initialize mm_struct::futex_ref on mm_init()
Posted by Borislav Petkov 1 month ago
On Sun, Aug 31, 2025 at 12:25:45AM +0200, Borislav Petkov wrote:
> And then leave it in that branch for one more week for some more testing...

Ok, boots on one of my machines, fix folded in and force-pushed.

Thx.

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette
Re: [PATCH] futex: Initialize mm_struct::futex_ref on mm_init()
Posted by Sebastian Andrzej Siewior 1 month ago
On 2025-08-31 14:21:45 [+0200], Borislav Petkov wrote:
> On Sun, Aug 31, 2025 at 12:25:45AM +0200, Borislav Petkov wrote:
> > And then leave it in that branch for one more week for some more testing...
> 
> Ok, boots on one of my machines, fix folded in and force-pushed.

Thank you.

> Thx.

Sebastian