[tip: locking/urgent] futex: Allow to resize the private local hash
From: tip-bot2 for Sebastian Andrzej Siewior
Date: Wed Jun 11 2025 - 05:20:28 EST
The following commit has been merged into the locking/urgent branch of tip:
Commit-ID: cdd0f803c1f9b69785f5ff865864cfea11081c91
Gitweb: https://git.kernel.org/tip/cdd0f803c1f9b69785f5ff865864cfea11081c91
Author: Sebastian Andrzej Siewior <bigeasy@xxxxxxxxxxxxx>
AuthorDate: Mon, 02 Jun 2025 13:00:27 +02:00
Committer: Peter Zijlstra <peterz@xxxxxxxxxxxxx>
CommitterDate: Thu, 05 Jun 2025 14:37:59 +02:00
futex: Allow to resize the private local hash
On 2025-06-01 15:39:47 [+0800], Lai, Yi wrote:
> Hi Sebastian Andrzej Siewior,
Hi Yi,
> Greetings!
>
> I used Syzkaller and found that there is KASAN: null-ptr-deref Read in __futex_pivot_hash in linux-next next-20250527.
>
> After bisection and the first bad commit is:
> "
> bd54df5ea7ca futex: Allow to resize the private local hash
> "
Thank you for the report. Next time please trim your report. There is no
need to put your report in the middle of the patch.
The following fixes it:
Signed-off-by: Peter Zijlstra (Intel) <peterz@xxxxxxxxxxxxx>
Link: https://lkml.kernel.org/r/20250602110027.wfqbHgzb@xxxxxxxxxxxxx
---
kernel/futex/core.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/kernel/futex/core.c b/kernel/futex/core.c
index b652d2f..33b3643 100644
--- a/kernel/futex/core.c
+++ b/kernel/futex/core.c
@@ -1629,6 +1629,16 @@ again:
mm->futex_phash_new = NULL;
if (fph) {
+ if (cur && !cur->hash_mask) {
+ /*
+ * If two threads simultaneously request the global
+ * hash then the first one performs the switch,
+ * the second one returns here.
+ */
+ free = fph;
+ mm->futex_phash_new = new;
+ return -EBUSY;
+ }
if (cur && !new) {
/*
* If we have an existing hash, but do not yet have