Re: [REPORT] futex: private hash refcount corruption and UAF via CLONE_VM PR_FUTEX_HASH race

Next message: Konstantin Shabanov: "[PATCH 2/4] dt-bindings: arm: qcom: Add HONOR MagicBook Art 14"
Previous message: Matthew Wilcox: "Re: [PATCH v2 0/5] mm: reduce mmap_lock contention and improve page fault performance"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Linus Torvalds

Date: Fri May 01 2026 - 12:11:02 EST

On Thu, 30 Apr 2026 at 18:22, Davidlohr Bueso <dave@xxxxxxxxxxxx> wrote:
>
> ... or keep the current assumption and update need_futex_hash_allocate_default()
> such that we only consider CLONE_VM (maybe also CLONE_VFORK check to return false).
>
> @@ -1948,8 +1948,11 @@ static void rv_task_fork(struct task_struct *p)
>
> static bool need_futex_hash_allocate_default(u64 clone_flags)
> {
> - if ((clone_flags & (CLONE_THREAD | CLONE_VM)) != (CLONE_THREAD | CLONE_VM))
> + if (!(clone_flags & CLONE_VM))
> return false;
> return true;
> }

So I'd prefer this approach just because I don't see why it's checking
for CLONE_THREAD in the first place.

I think somebody took the comment "first thread spawns" too literally
and thought CLONE_THREAD means "thread".

Which is kind of understandable - but CLONE_THREAD is about pthread
semantics for thread groups, not about "it's creating a new thread".

All clone variants create some kind of new threads, but CLONE_THREAD
creates a very _traditional_ kind of thread with shared signals and
shared pids etc.

Maybe the thing should have been called "CLONE_THREADGROUP" to make it
more obvious that it is about traditional unix pthread semantics, but
I don't think that would be much of an improvement.

But this futex thing seems actively buggy to me right now, and your
patch seems to be the RightThing(tm).

Linus