Re: [PATCH v2] futex: Use-after-free between futex_key_to_node_opt and vma_replace_policy

From: Hao-Yu Yang

Date: Fri Mar 13 2026 - 09:01:27 EST


On Fri, Mar 13, 2026 at 01:55:07PM +0100, Eric Dumazet wrote:
> On Fri, Mar 13, 2026 at 1:53 PM Peter Zijlstra <peterz@xxxxxxxxxxxxx> wrote:
> >
> > On Fri, Mar 13, 2026 at 08:39:40PM +0800, Hao-Yu Yang wrote:
> > > During futex_key_to_node_opt() execution, vma->vm_policy is read under
> > > speculative mmap lock and RCU. Concurrently, mbind() may call
> > > vma_replace_policy() which frees the old mempolicy immediately via
> > > kmem_cache_free().
> > >
> > > This creates a race where __futex_key_to_node() dereferences a freed
> > > mempolicy pointer, causing a use-after-free read of mpol->mode.
> > >
>
> >
> > I would try and trim that trace, there is a lot of stuff that isn't
> > really relevant.
> >
> > > Fix by adding rcu to __mpol_put().
> > >
> > > Fixes: c042c505210d ("futex: Implement FUTEX2_MPOL")
> > > Reported-by: Hao-Yu Yang <naup96721@xxxxxxxxx>
> > > Signed-off-by: Hao-Yu Yang <naup96721@xxxxxxxxx>
> >
> > I would further suggest:
> >
> > Suggested-by: Eric Dumazet <edumazet@xxxxxxxxxx>
>
> Reviewed-by: Eric Dumazet <edumazet@xxxxxxxxxx>
>
> >
> > But yeah, other than that:
> >
> > Acked-by: Peter Zijlstra (Intel) <peterz@xxxxxxxxxxxxx>
>
> Thanks


Sorry, should I not have resent the entire patch? I just cc'd stable when I resent the entire patch.
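The race the quoted commit message describes, as an added single-threaded simulation that is not kernel code and not part of this thread: a reader under rcu_read_lock() loads vma->vm_policy, a concurrent mbind() path replaces the policy and drops the old reference, and the reader then reads mpol->mode. With a synchronous kmem_cache_free() the reader sees freed memory; with the free deferred to an RCU grace period it sees the old, still-valid policy. The struct layout, the mode constants, the fixed "slab" (objects are poisoned rather than released so the stale read is observable instead of undefined behaviour) and the grace-period bookkeeping are all constructed for this example; the function names only mirror the ones in the report.

```c
#include <stdbool.h>
#include <stdio.h>

/* Sample mode values and a poison marker, constructed for the simulation. */
#define MPOL_PREFERRED 1
#define MPOL_BIND      2
#define MPOL_POISON    0xdead   /* stands in for slab poisoning after kmem_cache_free() */

struct mempolicy {              /* toy layout; only the fields the race touches */
    int refcnt;
    unsigned short mode;
    bool freed;
};

/* Tiny fixed slab: "freed" objects stay addressable, so a stale read is visible. */
#define SLAB_SIZE 8
static struct mempolicy slab[SLAB_SIZE];
static int slab_used;

static struct mempolicy *vm_policy;             /* stands in for vma->vm_policy */
static int rcu_readers;                         /* tasks inside rcu_read_lock() */
static struct mempolicy *rcu_pending[SLAB_SIZE]; /* frees waiting for a grace period */
static int rcu_npending;

static struct mempolicy *mpol_new(unsigned short mode)
{
    struct mempolicy *p = &slab[slab_used++];
    p->refcnt = 1;
    p->mode = mode;
    p->freed = false;
    return p;
}

static void kmem_cache_free_sim(struct mempolicy *p)
{
    p->freed = true;
    p->mode = MPOL_POISON;
}

/* Grace period: deferred frees run only when no reader is inside a read-side section. */
static void rcu_try_run_callbacks(void)
{
    if (rcu_readers != 0)
        return;
    for (int i = 0; i < rcu_npending; i++)
        kmem_cache_free_sim(rcu_pending[i]);
    rcu_npending = 0;
}

static void rcu_read_lock(void)   { rcu_readers++; }
static void rcu_read_unlock(void) { rcu_readers--; rcu_try_run_callbacks(); }

/* Before the fix: dropping the last reference frees synchronously. */
static void mpol_put_immediate(struct mempolicy *p)
{
    if (--p->refcnt == 0)
        kmem_cache_free_sim(p);
}

/* After the fix: dropping the last reference queues the free behind a grace period. */
static void mpol_put_rcu(struct mempolicy *p)
{
    if (--p->refcnt == 0)
        rcu_pending[rcu_npending++] = p;
}

/* Toy vma_replace_policy(): publish the new policy, drop the old one. */
static void vma_replace_policy(struct mempolicy *newp, void (*put)(struct mempolicy *))
{
    struct mempolicy *old = vm_policy;
    vm_policy = newp;           /* rcu_assign_pointer() in the kernel */
    put(old);
    rcu_try_run_callbacks();    /* cannot complete while the reader is still active */
}

static void reset(void)
{
    slab_used = 0;
    rcu_readers = 0;
    rcu_npending = 0;
    vm_policy = mpol_new(MPOL_BIND);
}

/*
 * One interleaving of the race; returns the mode the reader observed:
 *   reader: rcu_read_lock(); mpol = vma->vm_policy;
 *   writer: mbind() -> vma_replace_policy() -> put(old)
 *   reader: mpol->mode            <- the read __futex_key_to_node() performs
 */
static unsigned short run_race(void (*put)(struct mempolicy *))
{
    reset();
    rcu_read_lock();
    struct mempolicy *mpol = vm_policy;      /* rcu_dereference() */
    vma_replace_policy(mpol_new(MPOL_PREFERRED), put);
    unsigned short mode = mpol->mode;        /* stale after an immediate free */
    rcu_read_unlock();                       /* grace period may now complete */
    return mode;
}

/* True once the policy replaced in the last run has actually been freed. */
static bool old_policy_freed(void) { return slab[0].freed; }

int main(void)
{
    printf("immediate free: reader saw mode 0x%x\n", run_race(mpol_put_immediate));
    printf("deferred free:  reader saw mode 0x%x, old policy freed after unlock: %d\n",
           run_race(mpol_put_rcu), old_policy_freed());
    return 0;
}
```

The point the simulation makes is that the reader in the report holds no mmap_lock (it runs under the speculative lookup plus RCU), so the only thing that can keep the old mempolicy alive across its read is deferring the free to a grace period; a refcount alone does not help, because the reader never takes a reference.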