From: Davidlohr Bueso
To: torvalds@linuxfoundation.org, tglx@kernel.org, mingo@redhat.com, peterz@infradead.org
Cc: bigeasy@linutronix.de, yimingqian591@gmail.com, dvhart@infradead.org, andrealmeid@igalia.com, dave@stgolabs.net, linux-kernel@vger.kernel.org
Subject: [PATCH] futex: Drop CLONE_THREAD requirement for private default hash alloc
Date: Fri, 1 May 2026 12:41:23 -0700
Message-Id: <20260501194123.948643-1-dave@stgolabs.net>
X-Mailer: git-send-email 2.39.5

Currently need_futex_hash_allocate_default() depends on strict pthread
semantics, abusing CLONE_THREAD. This breaks the non-concurrency
assumptions when doing the mm->futex_ref pcpu allocations, leading to
bugs[0] when sharing the mm in other ways; i.e.:

    BUG: KASAN: slab-use-after-free in futex_hash_put
    ...

where the +1 bias can end up on a percpu counter that mm->futex_ref no
longer points at.

Loosen the check to cover any CLONE_VM clone, except vfork(). Excluding
vfork keeps the existing paths untouched (no overhead), and we can't race
in the first place: either the parent is suspended and the child runs
alone, or mm->futex_ref is already allocated from an earlier CLONE_THREAD.

[0] https://lore.kernel.org/all/CAL_bE8LsmCQ-FAtYDuwbJhOkt9p2wwYQwAbMh=PifC=VsiBM6A@mail.gmail.com/

Fixes: d9b05321e21e ("futex: Move futex_hash_free() back to __mmput()")
Reported-by: Yiming Qian
Signed-off-by: Davidlohr Bueso
---
 kernel/fork.c | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/kernel/fork.c b/kernel/fork.c
index f1ad69c6dc2d..5f3fdfdb14c7 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -1951,9 +1951,11 @@ static void rv_task_fork(struct task_struct *p) =20 static bool need_futex_hash_allocate_default(u64 clone_flags) { - if ((clone_flags & (CLONE_THREAD | CLONE_VM)) !=3D (CLONE_THREAD | CLONE_= VM)) - return false; - return true; + /* + * Allocate a default futex hash for any sibling that will + * share the parent's mm, except vfork. + */ + return (clone_flags & (CLONE_VM | CLONE_VFORK)) =3D=3D CLONE_VM; } =20 /* @@ -2380,10 +2382,6 @@ __latent_entropy struct task_struct *copy_process( if (retval) goto bad_fork_cancel_cgroup; =20 - /* - * Allocate a default futex hash for the user process once the first - * thread spawns. - */ if (need_futex_hash_allocate_default(clone_flags)) { retval =3D futex_hash_allocate_default(); if (retval) --=20 2.39.5
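Review bot: the new comment in need_futex_hash_allocate_default() says "except vfork" but not why, while the reasoning lives only in the commit message (the vfork parent is suspended until the child execs or exits, so nothing can race; and if the mm already has threads, mm->futex_ref was allocated on the earlier CLONE_THREAD). A reader of kernel/fork.c who meets the next clone flag needs that argument in the code, so consider a one-line version, e.g. `* share the parent's mm, except vfork: the parent is suspended` / `* until the child execs or exits, so nothing can race here.` Also "sibling" reads oddly for the task being created; "child" matches the rest of copy_process(). The predicate itself is a strict widening of the old one: CLONE_THREAD requires CLONE_SIGHAND, which requires CLONE_VM, so every path that allocated before still does, plus CLONE_VM clones without CLONE_THREAD, minus CLONE_VM|CLONE_VFORK.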
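Review bot: dropping the call-site comment is the right call, since its claim was already inaccurate: the old check returned true for every CLONE_THREAD clone, not only "once the first thread spawns", so futex_hash_allocate_default() was already being called repeatedly on an mm whose futex_ref may be set up. That is what makes the wider trigger safe (the function already has to tolerate an existing allocation) and it is worth stating in the commit message, because after this change the call and its `goto bad_fork_cancel_cgroup` failure path are reached from plain CLONE_VM clones, i.e. exactly the non-pthread mm sharing the report describes, which the old predicate never let through.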