Re: [PATCH v2] futex: Use-after-free between futex_key_to_node_opt and vma_replace_policy

From: Eric Dumazet

Date: Fri Mar 13 2026 - 08:55:26 EST


On Fri, Mar 13, 2026 at 1:53 PM Peter Zijlstra <peterz@xxxxxxxxxxxxx> wrote:
>
> On Fri, Mar 13, 2026 at 08:39:40PM +0800, Hao-Yu Yang wrote:
> > During futex_key_to_node_opt() execution, vma->vm_policy is read under
> > speculative mmap lock and RCU. Concurrently, mbind() may call
> > vma_replace_policy() which frees the old mempolicy immediately via
> > kmem_cache_free().
> >
> > This creates a race where __futex_key_to_node() dereferences a freed
> > mempolicy pointer, causing a use-after-free read of mpol->mode.
> >

>
> I would try and trim that trace, there is a lot of stuff that isn't
> really relevant.
>
> > Fix by adding rcu to __mpol_put().
> >
> > Fixes: c042c505210d ("futex: Implement FUTEX2_MPOL")
> > Reported-by: Hao-Yu Yang <naup96721@xxxxxxxxx>
> > Signed-off-by: Hao-Yu Yang <naup96721@xxxxxxxxx>
>
> I would further suggest:
>
> Suggested-by: Eric Dumazet <edumazet@xxxxxxxxxx>

Reviewed-by: Eric Dumazet <edumazet@xxxxxxxxxx>

>
> But yeah, other than that:
>
> Acked-by: Peter Zijlstra (Intel) <peterz@xxxxxxxxxxxxx>

Thanks
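To make the interleaving in the quoted report concrete, here is an added user-space model of it (not the patch and not kernel code; the structure names, poison value and the toy grace period are assumptions): a reader loads vma->vm_policy inside its read-side section, mbind() replaces the policy, and __mpol_put() either frees the old object immediately or defers the free until no reader remains.

```c
#include <assert.h>
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical model of the race described in the report; not kernel code. */
#define MPOL_BIND   2             /* constructed sample mode */
#define POISON_MODE 0x6b6b6b6b    /* stands in for memory recycled by kmem_cache_free() */

struct mempolicy { int mode; struct mempolicy *next_free; };

static struct mempolicy *vm_policy;       /* models vma->vm_policy */
static int rcu_readers;                   /* readers inside rcu_read_lock() */
static struct mempolicy *deferred_free;   /* objects waiting for a grace period */

static void free_now(struct mempolicy *p)
{
    p->mode = POISON_MODE;   /* memory is kept allocated so the stale read is observable */
}

/* __mpol_put(): immediate free (the reported bug) vs. deferred free (RCU-style fix). */
static void mpol_put(struct mempolicy *p, int defer)
{
    if (!defer) { free_now(p); return; }
    p->next_free = deferred_free;
    deferred_free = p;
}

/* Toy grace period: deferred objects are freed only once no reader is active. */
static void synchronize_rcu_model(void)
{
    assert(rcu_readers == 0);
    while (deferred_free) {
        struct mempolicy *p = deferred_free;
        deferred_free = p->next_free;
        free_now(p);
    }
}

/* Interleaving from the report; returns the mode value the reader observed. */
static int run_race(int defer)
{
    struct mempolicy *old = calloc(1, sizeof *old), *repl = calloc(1, sizeof *repl);
    old->mode = MPOL_BIND; repl->mode = MPOL_BIND + 1;
    vm_policy = old;

    rcu_readers++;                       /* futex_key_to_node_opt(): rcu_read_lock() */
    struct mempolicy *mpol = vm_policy;  /* read vma->vm_policy under RCU */
    vm_policy = repl;                    /* mbind() -> vma_replace_policy() */
    mpol_put(old, defer);                /* __mpol_put() on the old policy */
    int seen = mpol->mode;               /* __futex_key_to_node() reads mpol->mode */
    rcu_readers--;                       /* rcu_read_unlock() */

    synchronize_rcu_model();             /* grace period runs only after the reader is gone */
    free(old); free(repl);
    return seen;
}
```

With immediate freeing the reader sees the poisoned value; with the deferred free it still reads MPOL_BIND, because the old policy outlives the read-side section.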