futex: Initialize futex_phash_new during fork().

Sebastian Andrzej Siewior · Peter Zijlstra · commit a24cc6ce1933 · 2025-06-23T14:50:37.000+02:00
During a hash resize operation the new private hash is stored in mm_struct::futex_phash_new if the current hash can not be immediately replaced. The new hash must not be copied during fork() into the new task. Doing so will lead to a double-free of the memory by the two tasks. Initialize the mm_struct::futex_phash_new during fork(). Closes: https://lore.kernel.org/all/aFBQ8CBKmRzEqIfS@mozart.vkv.me/ Fixes: bd54df5 ("futex: Allow to resize the private local hash") Reported-by: Calvin Owens <calvin@wbinvd.org> Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de> Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> Tested-by: Calvin Owens <calvin@wbinvd.org> Link: https://lkml.kernel.org/r/20250623083408.jTiJiC6_@linutronix.de
diff --git a/include/linux/futex.h b/include/linux/futex.h
@@ -89,6 +89,7 @@ void futex_hash_free(struct mm_struct *mm);
 static inline void futex_mm_init(struct mm_struct *mm)
 {
 	RCU_INIT_POINTER(mm->futex_phash, NULL);
+	mm->futex_phash_new = NULL;
 	mutex_init(&mm->futex_hash_lock);
 }
 

Original file line number	Diff line number	Diff line change
`@@ -89,6 +89,7 @@ void futex_hash_free(struct mm_struct *mm);`
`89`	`89`	`static inline void futex_mm_init(struct mm_struct *mm)`
`90`	`90`	`{`
`91`	`91`	`RCU_INIT_POINTER(mm->futex_phash, NULL);`
	`92`	`+ mm->futex_phash_new = NULL;`
`92`	`93`	`mutex_init(&mm->futex_hash_lock);`
`93`	`94`	`}`
`94`	`95`