From: Hao-Yu Yang
To: security@kernel.org
Cc: tglx@kernel.org, mingo@redhat.com, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Hao-Yu Yang
Subject: [PATCH v2] futex: Use-after-free between futex_key_to_node_opt and vma_replace_policy
Date: Fri, 13 Mar 2026 20:47:56 +0800
Message-Id: <20260313124756.52461-1-naup96721@gmail.com>
X-Mailer: git-send-email 2.34.1
X-Mailing-List: linux-kernel@vger.kernel.org

During futex_key_to_node_opt() execution, vma->vm_policy is read under
speculative mmap lock and RCU. Concurrently, mbind() may call
vma_replace_policy() which frees the old mempolicy immediately via
kmem_cache_free(). This creates a race where __futex_key_to_node()
dereferences a freed mempolicy pointer, causing a use-after-free read of
mpol->mode.

[  151.412631] BUG: KASAN: slab-use-after-free in __futex_key_to_node (kernel/futex/core.c:349)
[  151.414046] Read of size 2 at addr ffff888001c49634 by task e/87
[  151.414476]
[  151.415431] CPU: 1 UID: 1000 PID: 87 Comm: e Not tainted 7.0.0-rc3-g0257f64bdac7 #1 PREEMPT(lazy)
[  151.415758] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[  151.415969] Call Trace:
[  151.416059]
[  151.416161] dump_stack_lvl (lib/dump_stack.c:123)
[  151.416299] print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)
[  151.416359] ? __virt_addr_valid (./include/linux/mmzone.h:2046 ./include/linux/mmzone.h:2198 arch/x86/mm/physaddr.c:54)
[  151.416412] ? __futex_key_to_node (kernel/futex/core.c:349)
[  151.416517] ? kasan_complete_mode_report_info (mm/kasan/report_generic.c:182)
[  151.416583] ? __futex_key_to_node (kernel/futex/core.c:349)
[  151.416631] kasan_report (mm/kasan/report.c:597)
[  151.416677] ? __futex_key_to_node (kernel/futex/core.c:349)
[  151.416732] __asan_load2 (mm/kasan/generic.c:271)
[  151.416777] __futex_key_to_node (kernel/futex/core.c:349)
[  151.416822] get_futex_key (kernel/futex/core.c:374 kernel/futex/core.c:386 kernel/futex/core.c:593)
[  151.416871] ? __pfx_get_futex_key (kernel/futex/core.c:550)
[  151.416927] futex_wake (kernel/futex/waitwake.c:165)
[  151.416976] ? __pfx_futex_wake (kernel/futex/waitwake.c:156)
[  151.417022] ? __pfx___x64_sys_futex_wait (kernel/futex/syscalls.c:398)
[  151.417081] __x64_sys_futex_wake (kernel/futex/syscalls.c:382 kernel/futex/syscalls.c:366 kernel/futex/syscalls.c:366)
[  151.417129] x64_sys_call (arch/x86/entry/syscall_64.c:41)
[  151.417236] do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
[  151.417342] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
[  151.418312]

Fix by adding rcu to __mpol_put().

change-log:
v2-v1: add rcu to __mpol_put

Fixes: c042c505210d ("futex: Implement FUTEX2_MPOL")
Reported-by: Hao-Yu Yang
Signed-off-by: Hao-Yu Yang
Acked-by: David Hildenbrand (Arm)
Reviewed-by: Eric Dumazet
Reviewed-by: Thomas Gleixner
Suggested-by: Eric Dumazet
---
 include/linux/mempolicy.h | 1 +
 mm/mempolicy.c            | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/include/linux/mempolicy.h b/include/linux/mempolicy.h index 0fe96f3ab3ef..65c732d440d2 100644 --- a/include/linux/mempolicy.h +++ b/include/linux/mempolicy.h @@ -55,6 +55,7 @@ struct mempolicy { nodemask_t cpuset_mems_allowed; /* relative to these nodes */ nodemask_t user_nodemask; /* nodemask passed by user */ } w; + struct rcu_head rcu; }; =20 /* diff --git a/mm/mempolicy.c b/mm/mempolicy.c index 0e5175f1c767..6dc61a3d4a32 100644 --- a/mm/mempolicy.c +++ b/mm/mempolicy.c 
@@ -487,7 +487,7 @@ void __mpol_put(struct mempolicy *pol) { if (!atomic_dec_and_test(&pol->refcnt)) return; - kmem_cache_free(policy_cache, pol); + kfree_rcu(pol, rcu); } EXPORT_SYMBOL_FOR_MODULES(__mpol_put, "kvm"); =20 --=20 2.34.1
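Review bot: the added `struct rcu_head rcu;` in struct mempolicy is the one member in that hunk without a comment, while its neighbours `cpuset_mems_allowed` and `user_nodemask` each carry one; add a short comment such as `struct rcu_head rcu; /* deferred free, see __mpol_put() */` so the coupling to kfree_rcu() in mm/mempolicy.c is visible from the header, and consider placing it beside refcnt, the other lifetime field that the __mpol_put() hunk touches, rather than after the `w` union.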
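Review bot: `kfree_rcu(pol, rcu)` hands an object allocated from policy_cache to kfree(), as the removed `kmem_cache_free(policy_cache, pol)` line shows; that is fine because kfree() resolves the owning slab cache from the object itself, but the asymmetry deserves a one-line comment above the call saying the policy comes from policy_cache and that its release is deferred so RCU readers of vma->vm_policy (the __futex_key_to_node() path in the report) can never dereference a released policy. It also makes every __mpol_put() release wait a grace period, including the kvm users behind the EXPORT_SYMBOL_FOR_MODULES() below; that is expected, but a sentence in the commit message saying so would help the stable backport reviewers.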
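As an added example that is not part of this patch or of the kernel tree, the user-space C model below reproduces the lifetime race the commit message describes and shows why deferring the free closes it. Readers look up a published policy pointer under an RCU-style read lock and read its mode without taking a reference, as the futex path does; a writer swaps the pointer the way vma_replace_policy() does and then drops the old policy either immediately (the pre-patch kmem_cache_free() path) or after a grace period (the kfree_rcu() path). The names mempolicy, vm_policy, mpol_put, mpol_new, synchronize_rcu and rcu_read_lock are stand-ins modelled on the kernel's and are not its implementations; the per-reader epoch counter is a toy QSBR-style grace period; kmem_cache_free() is modelled by poisoning mpol->mode instead of freeing, so the unsafe variant cannot crash the process; and kfree_rcu(), which defers asynchronously in the kernel, is modelled by waiting for the grace period inline. Link with -pthread.

```c
/* User-space model of the mempolicy lifetime race (added example, not kernel
 * code).  kmem_cache_free() is modelled by poisoning mpol->mode so the unsafe
 * variant cannot crash; the real bug reads slab memory already released. */
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>

#define NREADERS    4
#define NSWAPS      200
#define MPOL_POISON 0xdead                    /* written by the modelled free */

struct mempolicy {                            /* stand-in for the kernel's struct */
	atomic_int    refcnt;
	atomic_ushort mode;                   /* the field __futex_key_to_node() reads */
};

static _Atomic(struct mempolicy *) vm_policy;        /* stand-in for vma->vm_policy */
static _Atomic unsigned long reader_epoch[NREADERS]; /* odd = inside read section */
static atomic_bool stop_readers;
static struct mempolicy *all_pols[NSWAPS + 1];       /* really freed only at the end */

static void rcu_read_lock(int r)   { atomic_fetch_add(&reader_epoch[r], 1); }
static void rcu_read_unlock(int r) { atomic_fetch_add(&reader_epoch[r], 1); }

/* Grace period: every reader that was inside a read-side section when we
 * looked must leave it, so none can still hold an unpublished pointer. */
static void synchronize_rcu(void)
{
	for (int r = 0; r < NREADERS; r++) {
		unsigned long snap = atomic_load(&reader_epoch[r]);
		while ((snap & 1) && atomic_load(&reader_epoch[r]) == snap)
			sched_yield();
	}
}

/* __mpol_put() lookalike: deferred=false is the pre-patch kmem_cache_free()
 * path, deferred=true models kfree_rcu().  The real kfree_rcu() defers the
 * free asynchronously; waiting inline gives readers the same guarantee. */
static void mpol_put(struct mempolicy *pol, bool deferred)
{
	if (atomic_fetch_sub(&pol->refcnt, 1) != 1)
		return;
	if (deferred)
		synchronize_rcu();
	atomic_store(&pol->mode, MPOL_POISON);        /* modelled kmem_cache_free() */
}

static struct mempolicy *mpol_new(void)
{
	struct mempolicy *pol = calloc(1, sizeof(*pol));
	atomic_init(&pol->refcnt, 1);
	atomic_init(&pol->mode, 1);
	return pol;
}

struct reader_arg { int id; unsigned long bad; };

/* futex_key_to_node_opt() lookalike: reads vm_policy->mode under RCU only. */
static void *reader(void *p)
{
	struct reader_arg *a = p;
	while (!atomic_load(&stop_readers)) {
		rcu_read_lock(a->id);
		struct mempolicy *pol = atomic_load(&vm_policy); /* rcu_dereference() */
		if (atomic_load(&pol->mode) == MPOL_POISON)
			a->bad++;                             /* dereferenced a freed policy */
		rcu_read_unlock(a->id);
	}
	return NULL;
}

/* Run NSWAPS vma_replace_policy()-style swaps against NREADERS readers and
 * return how many reads hit a freed policy: 0 with deferred=true, usually
 * non-zero with deferred=false. */
unsigned long run_model(bool deferred)
{
	pthread_t tid[NREADERS];
	struct reader_arg args[NREADERS];
	unsigned long bad = 0;

	atomic_store(&stop_readers, false);
	all_pols[0] = mpol_new();
	atomic_store(&vm_policy, all_pols[0]);
	for (int r = 0; r < NREADERS; r++) {
		atomic_store(&reader_epoch[r], 0);
		args[r] = (struct reader_arg){ r, 0 };
		pthread_create(&tid[r], NULL, reader, &args[r]);
	}
	for (int i = 1; i <= NSWAPS; i++) {
		all_pols[i] = mpol_new();
		struct mempolicy *old = atomic_exchange(&vm_policy, all_pols[i]);
		mpol_put(old, deferred);              /* old policy: free now or after RCU */
	}
	atomic_store(&stop_readers, true);
	for (int r = 0; r < NREADERS; r++) {
		pthread_join(tid[r], NULL);
		bad += args[r].bad;
	}
	for (int i = 0; i <= NSWAPS; i++)
		free(all_pols[i]);
	return bad;
}
```

run_model(false) normally returns a non-zero count of reads that landed on a poisoned policy, which is the read of mpol->mode the KASAN report shows; run_model(true) returns 0 because the old policy is not released until every reader that could have loaded it has left its read-side section, which is the property the patch buys with kfree_rcu() in __mpol_put() for readers that hold rcu_read_lock() across the vm_policy dereference.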