From: Mohamed Ayman
To: Kees Cook, Ingo Molnar, Peter Zijlstra, Juri Lelli, Vincent Guittot, Dietmar Eggemann, Steven Rostedt, Ben Segall, Mel Gorman, Valentin Schneider, K Prateek Nayak, Andrew Morton, David Hildenbrand, Lorenzo Stoakes, "Liam R. Howlett", Vlastimil Babka, Mike Rapoport, Suren Baghdasaryan, Michal Hocko, "Borislav Petkov (AMD)", Sebastian Andrzej Siewior, linux-mm@kvack.org (open list:EXEC & BINFMT API, ELF), linux-kernel@vger.kernel.org (open list:SCHEDULER)
Cc: Davidlohr Bueso, Yiming Qian, Linus Torvalds, linux-mm@kvack.org (open list:MEMORY MANAGEMENT - CORE), linux-kernel@vger.kernel.org (open list:SCHEDULER)
Subject: [PATCH] futex: Drop CLONE_THREAD requirement for private default hash alloc
Date: Sat, 2 May 2026 18:57:29 +0300
Message-Id: <20260502155730.430232-1-mohamedaymanworkspace@gmail.com>
X-Mailer: git-send-email 2.34.1

From: Davidlohr Bueso

Currently need_futex_hash_allocate_default() depends on strict pthread
semantics, abusing CLONE_THREAD. This breaks the non-concurrency
assumptions when doing the mm->futex_ref pcpu allocations, leading to
bugs[0] when sharing the mm in other ways; i.e.:

    BUG: KASAN: slab-use-after-free in futex_hash_put
    ...

where the +1 bias can end up on a percpu counter that mm->futex_ref no
longer points at.

Loosen the check to cover any CLONE_VM clone, except vfork(). Excluding
vfork keeps the existing paths untouched (no overhead), and we can't race
in the first place: either the parent is suspended and the child runs
alone, or mm->futex_ref is already allocated from an earlier CLONE_VM.

Link: https://lore.kernel.org/all/CAL_bE8LsmCQ-FAtYDuwbJhOkt9p2wwYQwAbMh=PifC=VsiBM6A@mail.gmail.com/ [0]
Fixes: d9b05321e21e ("futex: Move futex_hash_free() back to __mmput()")
Reported-by: Yiming Qian
Signed-off-by: Davidlohr Bueso
Signed-off-by: Linus Torvalds
---
 kernel/fork.c | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/kernel/fork.c b/kernel/fork.c index f1ad69c6dc2d..5f3fdfdb14c7 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -1951,9 +1951,11 @@ static void rv_task_fork(struct task_struct *p) =20 static bool need_futex_hash_allocate_default(u64 clone_flags) { - if ((clone_flags & (CLONE_THREAD | CLONE_VM)) !=3D (CLONE_THREAD | CLONE_= VM)) - return false; - return true; + /* + * Allocate a default futex hash for any sibling that will + * share the parent's mm, except vfork. + */ + return (clone_flags & (CLONE_VM | CLONE_VFORK)) =3D=3D CLONE_VM; } =20 /* @@ -2380,10 +2382,6 @@ __latent_entropy struct task_struct *copy_process( if (retval) goto bad_fork_cancel_cgroup; =20 - /* - * Allocate a default futex hash for the user process once the first - * thread spawns. - */ if (need_futex_hash_allocate_default(clone_flags)) { retval =3D futex_hash_allocate_default(); if (retval) --=20 2.34.1
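Review bot: in the first hunk (need_futex_hash_allocate_default()), the new comment says "except vfork" but not why, and the reason is the part a future reader will want: the changelog's argument that a vfork child cannot race (the parent is suspended until the child execs or exits, or mm->futex_ref was already set up by an earlier CLONE_VM clone) lives only in the commit message. Suggest moving one sentence of that into the comment, e.g. "vfork is excluded: the parent is suspended, so no concurrent use of mm->futex_ref is possible." Also "sibling" reads oddly for a CLONE_VM child that is not a thread; "any child that will share the parent's mm" matches what the mask actually tests. The expression itself, `return (clone_flags & (CLONE_VM | CLONE_VFORK)) == CLONE_VM;`, is correct for the stated intent: true only when CLONE_VM is set and CLONE_VFORK is clear, so plain CLONE_VM clones that previously fell through the CLONE_THREAD gate now get the allocation, which is exactly the case the KASAN report in the changelog exercised.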
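Review bot: in the second hunk (the copy_process() call site), removing the "once the first thread spawns" comment is the right call, since that wording described the old CLONE_THREAD gating and would now be misleading; the rationale is better kept next to the predicate. Worth stating explicitly in the changelog, though, is that futex_hash_allocate_default() is already safe to call repeatedly on the same mm: under the old condition it was invoked on every CLONE_THREAD|CLONE_VM clone, not just the first, so the only genuinely new call pattern is a first invocation from a non-thread CLONE_VM child, and that is the path the fix is meant to cover. Nothing else in this hunk changes; the `if (need_futex_hash_allocate_default(clone_flags))` guard and the retval handling are untouched.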