Memory safety - Use-after-free in futex hash allocation during fork/VM cloning
Description
The patch fixes a memory-safety use-after-free in futex hash handling during process cloning. Previously, the kernel allocated a private default futex hash only when both CLONE_VM and CLONE_THREAD were set for the child (i.e., a thread-like clone). The patch relaxes this requirement to allocate the default futex hash for any CLONE_VM clone except vfork, by changing need_futex_hash_allocate_default() to return true when the clone_flags indicate a VM clone without VFORK. This prevents a scenario where mm->futex_ref is not allocated soon enough during certain forking/cloning paths, which could lead to use-after-free in futex_hash_put and related memory-safety issues (as reported by KASAN). The change targets the fork path in kernel/fork.c and ensures the default futex hash is allocated for more cloning scenarios, avoiding a potential memory-safety bug in futex hash handling when sharing a parent's mm.
Commit Details
Author: Davidlohr Bueso
Date: 2026-05-01 19:41 UTC
Message:
futex: Drop CLONE_THREAD requirement for private default hash alloc
Currently need_futex_hash_allocate_default() depends on strict pthread
semantics, abusing CLONE_THREAD. This breaks the non-concurrency
assumptions when doing the mm->futex_ref pcpu allocations, leading to
bugs[0] when sharing the mm in other ways; ie:
BUG: KASAN: slab-use-after-free in futex_hash_put
... where the +1 bias can end up on a percpu counter that mm->futex_ref
no longer points at.
Loosen the check to cover any CLONE_VM clone, except vfork(). Excluding
vfork keeps the existing paths untouched (no overhead), and we can't
race in the first place: either the parent is suspended and the child
runs alone, or mm->futex_ref is already allocated from an earlier
CLONE_VM.
Link: https://lore.kernel.org/all/CAL_bE8LsmCQ-FAtYDuwbJhOkt9p2wwYQwAbMh=PifC=VsiBM6A@mail.gmail.com/ [0]
Fixes: d9b05321e21e ("futex: Move futex_hash_free() back to __mmput()")
Reported-by: Yiming Qian <yimingqian591@gmail.com>
Signed-off-by: Davidlohr Bueso <dave@stgolabs.net>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Triage Assessment
Vulnerability Type: Memory safety (Use-after-free)
Confidence: HIGH
Reasoning:
The patch relaxes fork semantics to allocate the default futex hash in more cases, addressing a use-after-free / memory safety bug in futex_hash handling that could trigger under certain cloning scenarios and cause memory safety issues (KASAN reported). This is a memory-safety vulnerability fix related to futex hash allocation and race conditions.
Verification Assessment
Vulnerability Type: Memory safety - Use-after-free in futex hash allocation during fork/VM cloning
Confidence: HIGH
Affected Versions: Before this commit (up to and including v7.0-rc5 in the v7.0-rc series); the fix landed in v7.0-rc6.
Code Diff
diff --git a/kernel/fork.c b/kernel/fork.c
index f1ad69c6dc2d4e..5f3fdfdb14c7c7 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -1951,9 +1951,11 @@ static void rv_task_fork(struct task_struct *p)
static bool need_futex_hash_allocate_default(u64 clone_flags)
{
- if ((clone_flags & (CLONE_THREAD | CLONE_VM)) != (CLONE_THREAD | CLONE_VM))
- return false;
- return true;
+ /*
+ * Allocate a default futex hash for any sibling that will
+ * share the parent's mm, except vfork.
+ */
+ return (clone_flags & (CLONE_VM | CLONE_VFORK)) == CLONE_VM;
}
/*
@@ -2380,10 +2382,6 @@ __latent_entropy struct task_struct *copy_process(
if (retval)
goto bad_fork_cancel_cgroup;
- /*
- * Allocate a default futex hash for the user process once the first
- * thread spawns.
- */
if (need_futex_hash_allocate_default(clone_flags)) {
retval = futex_hash_allocate_default();
if (retval)