* [PATCH] futex: Initialize mm_struct::futex_ref on mm_init()
@ 2025-08-30 21:38 Sebastian Andrzej Siewior
2025-08-30 22:25 ` Borislav Petkov
From: Sebastian Andrzej Siewior @ 2025-08-30 21:38 UTC (permalink / raw)
To: linux-kernel
Cc: André Almeida, Borislav Petkov, Darren Hart, Davidlohr Bueso,
Ingo Molnar, Peter Zijlstra, Thomas Gleixner
mm_struct::futex_ref needs to be set to NULL during mm_init() to ensure
that it is not copied during fork(). Reusing the previous pointer can
lead to use-after-free which can trigger
| WARNING: kernel/futex/core.c:1604 at futex_ref_rcu+0xe1/0xf0, CPU#2: swapper/2/0
Initialize mm_struct::futex_ref on mm_init().
Fixes: 1b708b38414d3 ("futex: Move futex_hash_free() back to __mmput()")
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
---
kernel/futex/core.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/kernel/futex/core.c b/kernel/futex/core.c
index fb63c13aa66fc..125804fbb5cb1 100644
--- a/kernel/futex/core.c
+++ b/kernel/futex/core.c
@@ -1722,6 +1722,7 @@ int futex_mm_init(struct mm_struct *mm)
RCU_INIT_POINTER(mm->futex_phash, NULL);
mm->futex_phash_new = NULL;
/* futex-ref */
+ mm->futex_ref = NULL;
atomic_long_set(&mm->futex_atomic, 0);
mm->futex_batches = get_state_synchronize_rcu();
return 0;
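Review bot: the one-line assignment is right, but the commit message should spell out the mechanism it relies on, since "not copied during fork()" is only half the story: dup_mm() duplicates the parent's mm_struct wholesale and only afterwards calls mm_init()/futex_mm_init(), so every field that futex_mm_init() does not reset is silently inherited by the child. Stating that in the log makes the claim checkable without reading kernel/fork.c. It would also help readers of this hunk if the `/* futex-ref */` group carried a short comment that futex_ref is an RCU-freed object (the WARNING quoted in the log fires in futex_ref_rcu()), which is why a stale inherited pointer turns into a use-after-free on the second teardown rather than a harmless leak.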
--
2.51.0
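The pattern the commit message describes (a whole-struct copy followed by an init routine that forgets to reset a pointer the parent owns) is easy to model in user space. The following C program is an added example and is not code from the patch or from the kernel; `mm_model`, `ref_model`, `dup_model()`, `init_buggy()` and `init_fixed()` are hypothetical stand-ins for mm_struct, futex_ref, dup_mm() and futex_mm_init(), and the release counter is a constructed substitute for the RCU free that futex_ref_rcu() performs. It shows both init variants side by side: with the buggy one the child shares the parent's object and the object is released twice (the double free behind the WARNING), with the fixed one the child owns nothing.

```c
/* Added example (not kernel code): why a field that the init routine does
 * not reset survives a fork-style struct copy, and what that costs at
 * teardown. All names are hypothetical models of the kernel structures. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the RCU-freed futex_ref object. Instead of really freeing it
 * we count releases, so a double release is observable without UB. */
struct ref_model {
    int released;
};

/* Stand-in for the futex part of mm_struct. */
struct mm_model {
    void *phash;            /* models futex_phash   */
    struct ref_model *ref;  /* models futex_ref     */
    long atomic;            /* models futex_atomic  */
};

/* Mirrors futex_mm_init() before the patch: ref is left untouched. */
static int init_buggy(struct mm_model *mm)
{
    mm->phash = NULL;
    mm->atomic = 0;
    return 0;
}

/* Mirrors futex_mm_init() after the patch: ref is reset to NULL. */
static int init_fixed(struct mm_model *mm)
{
    mm->phash = NULL;
    mm->ref = NULL;
    mm->atomic = 0;
    return 0;
}

/* Models dup_mm(): copy the whole parent struct, then run the init routine
 * on the copy. Whatever init does not reset is inherited from the parent. */
static struct mm_model *dup_model(const struct mm_model *parent,
                                  int (*init)(struct mm_model *))
{
    struct mm_model *child = malloc(sizeof(*child));
    if (!child)
        return NULL;
    memcpy(child, parent, sizeof(*child));
    if (init(child)) {
        free(child);
        return NULL;
    }
    return child;
}

/* Models the deferred free: each owner still holding a ref drops it once. */
static void put_ref(struct ref_model *r)
{
    if (r)
        r->released++;
}

/* Returns 1 if the child ends up sharing the parent's ref object, 0 if not,
 * -1 on allocation failure. */
int child_inherits_ref(int (*init)(struct mm_model *))
{
    struct ref_model ref = { .released = 0 };
    struct mm_model parent = { .phash = NULL, .ref = &ref, .atomic = 0 };
    struct mm_model *child = dup_model(&parent, init);
    int shared;

    if (!child)
        return -1;
    shared = (child->ref == parent.ref);
    free(child);
    return shared;
}

/* Runs parent-then-child teardown and reports how many times the single ref
 * object was released: 2 means the copy created a second owner (the double
 * release the patch prevents), 1 means the child owned nothing. */
int releases_after_teardown(int (*init)(struct mm_model *))
{
    struct ref_model ref = { .released = 0 };
    struct mm_model parent = { .phash = NULL, .ref = &ref, .atomic = 0 };
    struct mm_model *child = dup_model(&parent, init);

    if (!child)
        return -1;
    put_ref(parent.ref);   /* parent exits and drops its reference */
    put_ref(child->ref);   /* child exits later with whatever it inherited */
    free(child);
    return ref.released;
}

int main(void)
{
    printf("buggy init: child shares ref=%d, releases=%d\n",
           child_inherits_ref(init_buggy), releases_after_teardown(init_buggy));
    printf("fixed init: child shares ref=%d, releases=%d\n",
           child_inherits_ref(init_fixed), releases_after_teardown(init_fixed));
    return 0;
}
```

The design point is the one the patch makes: when a struct is duplicated by copying its bytes, the init routine run on the copy is the only place where ownership of pointer members is re-established, so every owned pointer must be reset there explicitly.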
* Re: [PATCH] futex: Initialize mm_struct::futex_ref on mm_init()
2025-08-30 21:38 [PATCH] futex: Initialize mm_struct::futex_ref on mm_init() Sebastian Andrzej Siewior
@ 2025-08-30 22:25 ` Borislav Petkov
2025-08-31 12:21 ` Borislav Petkov
From: Borislav Petkov @ 2025-08-30 22:25 UTC (permalink / raw)
To: Sebastian Andrzej Siewior
Cc: linux-kernel, André Almeida, Darren Hart, Davidlohr Bueso,
Ingo Molnar, Peter Zijlstra, Thomas Gleixner
On Sat, Aug 30, 2025 at 11:38:06PM +0200, Sebastian Andrzej Siewior wrote:
> mm_struct::futex_ref needs to be set to NULL during mm_init() to ensure
> that it is not copied during fork(). Reusing the previous pointer can
> lead to use-after-free which can trigger
>
> | WARNING: kernel/futex/core.c:1604 at futex_ref_rcu+0xe1/0xf0, CPU#2: swapper/2/0
>
> Initialize mm_struct::futex_ref on mm_init().
>
> Fixes: 1b708b38414d3 ("futex: Move futex_hash_free() back to __mmput()")
So this one is queued in locking/urgent and I guess I can fold this new one into
it so that that commit is whole and fixed.
And then leave it in that branch for one more week for some more testing...
--
Regards/Gruss,
Boris.
https://people.kernel.org/tglx/notes-about-netiquette
* Re: [PATCH] futex: Initialize mm_struct::futex_ref on mm_init()
2025-08-30 22:25 ` Borislav Petkov
@ 2025-08-31 12:21 ` Borislav Petkov
2025-09-01 6:21 ` Sebastian Andrzej Siewior
From: Borislav Petkov @ 2025-08-31 12:21 UTC (permalink / raw)
To: Sebastian Andrzej Siewior
Cc: linux-kernel, André Almeida, Darren Hart, Davidlohr Bueso,
Ingo Molnar, Peter Zijlstra, Thomas Gleixner
On Sun, Aug 31, 2025 at 12:25:45AM +0200, Borislav Petkov wrote:
> And then leave it in that branch for one more week for some more testing...
Ok, boots on one of my machines, fix folded in and force-pushed.
Thx.
--
Regards/Gruss,
Boris.
https://people.kernel.org/tglx/notes-about-netiquette
* Re: [PATCH] futex: Initialize mm_struct::futex_ref on mm_init()
2025-08-31 12:21 ` Borislav Petkov
@ 2025-09-01 6:21 ` Sebastian Andrzej Siewior
From: Sebastian Andrzej Siewior @ 2025-09-01 6:21 UTC (permalink / raw)
To: Borislav Petkov
Cc: linux-kernel, André Almeida, Darren Hart, Davidlohr Bueso,
Ingo Molnar, Peter Zijlstra, Thomas Gleixner
On 2025-08-31 14:21:45 [+0200], Borislav Petkov wrote:
> On Sun, Aug 31, 2025 at 12:25:45AM +0200, Borislav Petkov wrote:
> > And then leave it in that branch for one more week for some more testing...
>
> Ok, boots on one of my machines, fix folded in and force-pushed.
Thank you.
> Thx.
Sebastian