Currently need_futex_hash_allocate_default() depends on strict
pthread semantics, abusing CLONE_THREAD. This breaks the
non-concurrency assumptions when doing the mm->futex_ref pcpu
allocations, leading to bugs[0] when sharing the mm in other ways;
ie:

    BUG: KASAN: slab-use-after-free in futex_hash_put

... where the +1 bias can end up on a percpu counter that mm->futex_ref
no longer points at.

Loosen the check to cover any CLONE_VM clone, except vfork(). Excluding
vfork keeps the existing paths untouched (no overhead), and we can't
race in the first place: either the parent is suspended and the child runs
alone, or mm->futex_ref is already allocated from an earlier CLONE_THREAD.

[0] https://lore.kernel.org/all/CAL_bE8LsmCQ-FAtYDuwbJhOkt9p2wwYQwAbMh=PifC=VsiBM6A@mail.gmail.com/
Fixes: d9b05321e21e ("futex: Move futex_hash_free() back to __mmput()")
Reported-by: Yiming Qian <yimingqian591@gmail.com>
Signed-off-by: Davidlohr Bueso <dave@stgolabs.net>
---
 kernel/fork.c | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/kernel/fork.c b/kernel/fork.c
index f1ad69c6dc2d..5f3fdfdb14c7 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -1951,9 +1951,11 @@ static void rv_task_fork(struct task_struct *p)
 
 static bool need_futex_hash_allocate_default(u64 clone_flags)
 {
-	if ((clone_flags & (CLONE_THREAD | CLONE_VM)) != (CLONE_THREAD | CLONE_VM))
-		return false;
-	return true;
+	/*
+	 * Allocate a default futex hash for any sibling that will
+	 * share the parent's mm, except vfork.
+	 */
+	return (clone_flags & (CLONE_VM | CLONE_VFORK)) == CLONE_VM;
 }
 
 /*
@@ -2380,10 +2382,6 @@ __latent_entropy struct task_struct *copy_process(
 	if (retval)
 		goto bad_fork_cancel_cgroup;
 
-	/*
-	 * Allocate a default futex hash for the user process once the first
-	 * thread spawns.
-	 */
 	if (need_futex_hash_allocate_default(clone_flags)) {
 		retval = futex_hash_allocate_default();
 		if (retval)
-- 
2.39.5

On Fri, 1 May 2026 at 12:41, Davidlohr Bueso <dave@stgolabs.net> wrote:
>
> Loosen the check to cover any CLONE_VM clone, except vfork(). Excluding
> vfork keeps the existing paths untouched (no overhead), and we can't
> race in the first place: either the parent is suspended and the child runs
> alone, or mm->futex_ref is already allocated from an earlier CLONE_THREAD.

That "earlier CLONE_THREAD" should presumably be "earlier CLONE_VM", no?

         Linus

On Fri, 01 May 2026, Linus Torvalds wrote:

>On Fri, 1 May 2026 at 12:41, Davidlohr Bueso <dave@stgolabs.net> wrote:
>>
>> Loosen the check to cover any CLONE_VM clone, except vfork(). Excluding
>> vfork keeps the existing paths untouched (no overhead), and we can't
>> race in the first place: either the parent is suspended and the child runs
>> alone, or mm->futex_ref is already allocated from an earlier CLONE_THREAD.
>
>That "earlier CLONE_THREAD" should presumably be "earlier CLONE_VM", no?

yes :)

On Fri, 1 May 2026 at 13:05, Davidlohr Bueso <dave@stgolabs.net> wrote:
>
> On Fri, 01 May 2026, Linus Torvalds wrote:
> >
> >That "earlier CLONE_THREAD" should presumably be "earlier CLONE_VM", no?
>
> yes :)

I ended up applying this directly since I was looking at it anyway and
it felt like an obvious fix.

Famous last words.

             Linus