1. Patchew
  2. linux
  3. View series

[GIT PULL] locking fixes

Ingo Molnar posted 1 patch 4 days, 5 hours ago 
include/linux/mempolicy.h |  1 +
kernel/futex/core.c       |  2 +-
kernel/futex/pi.c         |  3 ++-
kernel/futex/syscalls.c   |  8 ++++++++
mm/mempolicy.c            | 10 ++++++++--
5 files changed, 20 insertions(+), 4 deletions(-)
[GIT PULL] locking fixes
Posted by Ingo Molnar 4 days, 5 hours ago 
Linus,

Please pull the latest locking/urgent Git tree from:

   git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git locking-urgent-2026-03-29

for you to fetch changes up to 210d36d892de5195e6766c45519dfb1e65f3eb83:

  #
  # MERGE NOTE: The 210d36d892de PI-futex fix is relatively fresh,
  #             but it is also simple™ and obviously correct™, so
  #             I took the risk to include it in today's pull request.
  #

Miscellaneous futex fixes:

 - Tighten up the sys_futex_requeue() ABI a bit, to disallow
   dissimilar futex flags and potential UaF access. (Peter Zijlstra)

 - Fix UaF between futex_key_to_node_opt() and vma_replace_policy()
   (Hao-Yu Yang)

 - Clear stale exiting pointer in futex_lock_pi() retry path,
   which bug triggered a warning (and potential misbehavior)
   in stress-testing. (Davidlohr Bueso)

 Thanks,

	Ingo

------------------>
Davidlohr Bueso (1):
      futex: Clear stale exiting pointer in futex_lock_pi() retry path

Hao-Yu Yang (1):
      futex: Fix UaF between futex_key_to_node_opt() and vma_replace_policy()

Peter Zijlstra (1):
      futex: Require sys_futex_requeue() to have identical flags


 include/linux/mempolicy.h |  1 +
 kernel/futex/core.c       |  2 +-
 kernel/futex/pi.c         |  3 ++-
 kernel/futex/syscalls.c   |  8 ++++++++
 mm/mempolicy.c            | 10 ++++++++--
 5 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/include/linux/mempolicy.h b/include/linux/mempolicy.h
index 0fe96f3ab3ef..65c732d440d2 100644
--- a/include/linux/mempolicy.h
+++ b/include/linux/mempolicy.h
@@ -55,6 +55,7 @@ struct mempolicy {
 		nodemask_t cpuset_mems_allowed;	/* relative to these nodes */
 		nodemask_t user_nodemask;	/* nodemask passed by user */
 	} w;
+	struct rcu_head rcu;
 };
 
 /*
diff --git a/kernel/futex/core.c b/kernel/futex/core.c
index cf7e610eac42..31e83a09789e 100644
--- a/kernel/futex/core.c
+++ b/kernel/futex/core.c
@@ -342,7 +342,7 @@ static int __futex_key_to_node(struct mm_struct *mm, unsigned long addr)
 	if (!vma)
 		return FUTEX_NO_NODE;
 
-	mpol = vma_policy(vma);
+	mpol = READ_ONCE(vma->vm_policy);
 	if (!mpol)
 		return FUTEX_NO_NODE;
 
diff --git a/kernel/futex/pi.c b/kernel/futex/pi.c
index bc1f7e83a37e..7808068fa59e 100644
--- a/kernel/futex/pi.c
+++ b/kernel/futex/pi.c
@@ -918,7 +918,7 @@ int fixup_pi_owner(u32 __user *uaddr, struct futex_q *q, int locked)
 int futex_lock_pi(u32 __user *uaddr, unsigned int flags, ktime_t *time, int trylock)
 {
 	struct hrtimer_sleeper timeout, *to;
-	struct task_struct *exiting = NULL;
+	struct task_struct *exiting;
 	struct rt_mutex_waiter rt_waiter;
 	struct futex_q q = futex_q_init;
 	DEFINE_WAKE_Q(wake_q);
@@ -933,6 +933,7 @@ int futex_lock_pi(u32 __user *uaddr, unsigned int flags, ktime_t *time, int tryl
 	to = futex_setup_timer(time, &timeout, flags, 0);
 
 retry:
+	exiting = NULL;
 	ret = get_futex_key(uaddr, flags, &q.key, FUTEX_WRITE);
 	if (unlikely(ret != 0))
 		goto out;
diff --git a/kernel/futex/syscalls.c b/kernel/futex/syscalls.c
index 743c7a728237..77ad9691f6a6 100644
--- a/kernel/futex/syscalls.c
+++ b/kernel/futex/syscalls.c
@@ -459,6 +459,14 @@ SYSCALL_DEFINE4(futex_requeue,
 	if (ret)
 		return ret;
 
+	/*
+	 * For now mandate both flags are identical, like the sys_futex()
+	 * interface has. If/when we merge the variable sized futex support,
+	 * that patch can modify this test to allow a difference in size.
+	 */
+	if (futexes[0].w.flags != futexes[1].w.flags)
+		return -EINVAL;
+
 	cmpval = futexes[0].w.val;
 
 	return futex_requeue(u64_to_user_ptr(futexes[0].w.uaddr), futexes[0].w.flags,
diff --git a/mm/mempolicy.c b/mm/mempolicy.c
index 0e5175f1c767..cf92bd6a8226 100644
--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -487,7 +487,13 @@ void __mpol_put(struct mempolicy *pol)
 {
 	if (!atomic_dec_and_test(&pol->refcnt))
 		return;
-	kmem_cache_free(policy_cache, pol);
+	/*
+	 * Required to allow mmap_lock_speculative*() access, see for example
+	 * futex_key_to_node_opt(). All accesses are serialized by mmap_lock,
+	 * however the speculative lock section unbound by the normal lock
+	 * boundaries, requiring RCU freeing.
+	 */
+	kfree_rcu(pol, rcu);
 }
 EXPORT_SYMBOL_FOR_MODULES(__mpol_put, "kvm");
 
@@ -1020,7 +1026,7 @@ static int vma_replace_policy(struct vm_area_struct *vma,
 	}
 
 	old = vma->vm_policy;
-	vma->vm_policy = new; /* protected by mmap_lock */
+	WRITE_ONCE(vma->vm_policy, new); /* protected by mmap_lock */
 	mpol_put(old);
 
 	return 0;
Re: [GIT PULL] locking fixes
Posted by pr-tracker-bot@kernel.org 3 days, 17 hours ago 
The pull request you sent on Sun, 29 Mar 2026 07:20:52 +0200:

> git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git locking-urgent-2026-03-29

has been merged into torvalds/linux.git:
https://git.kernel.org/torvalds/c/f087b0bad454a91c7d1615f82954a4752843560d

Thank you!

-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/prtracker.html

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.