From: Hao-Yu Yang
To: security@kernel.org
Cc: tglx@kernel.org, mingo@redhat.com, linux-kernel@vger.kernel.org, Hao-Yu Yang
Subject: [PATCH v2] futex: Use-after-free between futex_key_to_node_opt and vma_replace_policy
Date: Fri, 13 Mar 2026 20:39:40 +0800
Message-Id: <20260313123940.51301-1-naup96721@gmail.com>
X-Mailer: git-send-email 2.34.1
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id:
List-Subscribe:
List-Unsubscribe:
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

During futex_key_to_node_opt() execution, vma->vm_policy is read under speculative mmap lock and RCU. Concurrently, mbind() may call vma_replace_policy(), which frees the old mempolicy immediately via kmem_cache_free(). This creates a race where __futex_key_to_node() dereferences a freed mempolicy pointer, causing a use-after-free read of mpol->mode.

[ 151.412631] BUG: KASAN: slab-use-after-free in __futex_key_to_node (kernel/futex/core.c:349)
[ 151.414046] Read of size 2 at addr ffff888001c49634 by task e/87
[ 151.414476]
[ 151.415431] CPU: 1 UID: 1000 PID: 87 Comm: e Not tainted 7.0.0-rc3-g0257f64bdac7 #1 PREEMPT(lazy)
[ 151.415758] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[ 151.415969] Call Trace:
[ 151.416059]
[ 151.416161] dump_stack_lvl (lib/dump_stack.c:123)
[ 151.416299] print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)
[ 151.416359] ? __virt_addr_valid (./include/linux/mmzone.h:2046 ./include/linux/mmzone.h:2198 arch/x86/mm/physaddr.c:54)
[ 151.416412] ? __futex_key_to_node (kernel/futex/core.c:349)
[ 151.416517] ? kasan_complete_mode_report_info (mm/kasan/report_generic.c:182)
[ 151.416583] ? __futex_key_to_node (kernel/futex/core.c:349)
[ 151.416631] kasan_report (mm/kasan/report.c:597)
[ 151.416677] ?
__futex_key_to_node (kernel/futex/core.c:349) [ 151.416732] __asan_load2 (mm/kasan/generic.c:271) [ 151.416777] __futex_key_to_node (kernel/futex/core.c:349) [ 151.416822] get_futex_key (kernel/futex/core.c:374 kernel/futex/core.c:= 386 kernel/futex/core.c:593) [ 151.416871] ? __pfx_get_futex_key (kernel/futex/core.c:550) [ 151.416927] futex_wake (kernel/futex/waitwake.c:165) [ 151.416976] ? __pfx_futex_wake (kernel/futex/waitwake.c:156) [ 151.417022] ? __pfx___x64_sys_futex_wait (kernel/futex/syscalls.c:398) [ 151.417081] __x64_sys_futex_wake (kernel/futex/syscalls.c:382 kernel/fu= tex/syscalls.c:366 kernel/futex/syscalls.c:366) [ 151.417129] x64_sys_call (arch/x86/entry/syscall_64.c:41) [ 151.417236] do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entr= y/syscall_64.c:94) [ 151.417342] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:1= 30) [ 151.418312] Fix by adding rcu to __mpol_put(). change-log: v2-v1: add rcu to __mpol_put Fixes: c042c505210d ("futex: Implement FUTEX2_MPOL") Reported-by: Hao-Yu Yang Signed-off-by: Hao-Yu Yang Acked-by: Peter Zijlstra (Intel) Reviewed-by: Eric Dumazet Suggested-by: Eric Dumazet --- include/linux/mempolicy.h | 1 + mm/mempolicy.c | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/include/linux/mempolicy.h b/include/linux/mempolicy.h index 0fe96f3ab3ef..65c732d440d2 100644 --- a/include/linux/mempolicy.h +++ b/include/linux/mempolicy.h @@ -55,6 +55,7 @@ struct mempolicy { nodemask_t cpuset_mems_allowed; /* relative to these nodes */ nodemask_t user_nodemask; /* nodemask passed by user */ } w; + struct rcu_head rcu; }; =20 /* diff --git a/mm/mempolicy.c b/mm/mempolicy.c index 0e5175f1c767..6dc61a3d4a32 100644 --- a/mm/mempolicy.c +++ b/mm/mempolicy.c @@ -487,7 +487,7 @@ void __mpol_put(struct mempolicy *pol) { if (!atomic_dec_and_test(&pol->refcnt)) return; - kmem_cache_free(policy_cache, pol); + kfree_rcu(pol, rcu); } EXPORT_SYMBOL_FOR_MODULES(__mpol_put, "kvm"); =20 --=20 2.34.1
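Review bot: in the include/linux/mempolicy.h hunk, the added `struct rcu_head rcu;` is the only member of struct mempolicy without the trailing comment its neighbours `cpuset_mems_allowed` and `user_nodemask` carry; add something like `struct rcu_head rcu; /* deferred free in __mpol_put() */` so a reader knows the field is only live between the final mpol_put() and the RCU callback, and why it exists (vm_policy is read under RCU, per the changelog). Since every struct mempolicy now grows by one rcu_head, a sentence in the commit message accepting that size cost would also be worth adding.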
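Review bot: in the mm/mempolicy.c hunk, the removed line freed the object back into `policy_cache` via `kmem_cache_free(policy_cache, pol)`, while the added `kfree_rcu(pol, rcu)` ends in a plain kfree(); confirm that this allocation/free asymmetry is intended for policy_cache objects, or keep the symmetry with `call_rcu(&pol->rcu, <callback>)` and a small callback (name hypothetical) that calls `kmem_cache_free(policy_cache, pol)`. Either way, the deferred free only closes the race if every reader of vma->vm_policy stays inside rcu_read_lock() for the whole dereference and never carries the pointer out of the read-side critical section; the changelog says __futex_key_to_node() satisfies this, so a one-line comment above the kfree_rcu() naming that reader would stop a future cleanup from reverting to the immediate cache free.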