Commit 190a8c48 authored Mar 13, 2026 by Hao-Yu Yang Committed by Peter Zijlstra Mar 26, 2026

futex: Fix UaF between futex_key_to_node_opt() and vma_replace_policy()



During futex_key_to_node_opt() execution, vma->vm_policy is read under
speculative mmap lock and RCU. Concurrently, mbind() may call
vma_replace_policy() which frees the old mempolicy immediately via
kmem_cache_free().

This creates a race where __futex_key_to_node() dereferences a freed
mempolicy pointer, causing a use-after-free read of mpol->mode.

[  151.412631] BUG: KASAN: slab-use-after-free in __futex_key_to_node (kernel/futex/core.c:349)
[  151.414046] Read of size 2 at addr ffff888001c49634 by task e/87

[  151.415969] Call Trace:

[  151.416732]  __asan_load2 (mm/kasan/generic.c:271)
[  151.416777]  __futex_key_to_node (kernel/futex/core.c:349)
[  151.416822]  get_futex_key (kernel/futex/core.c:374 kernel/futex/core.c:386 kernel/futex/core.c:593)

Fix by adding rcu to __mpol_put().

Fixes: c042c505 ("futex: Implement FUTEX2_MPOL")
Reported-by: Hao-Yu Yang <naup96721@gmail.com>
Suggested-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Hao-Yu Yang <naup96721@gmail.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Acked-by: David Hildenbrand (Arm) <david@kernel.org>
Link: https://patch.msgid.link/20260324174418.GB1850007@noisy.programming.kicks-ass.net

parent 19f94b39

include/linux/mempolicy.h

+1 −0

Original line number	Diff line number	Diff line
		@@ -55,6 +55,7 @@ struct mempolicy {
		nodemask_t cpuset_mems_allowed; /* relative to these nodes */
		nodemask_t user_nodemask; /* nodemask passed by user */
		} w;
		struct rcu_head rcu;
		};

		/*

kernel/futex/core.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -342,7 +342,7 @@ static int __futex_key_to_node(struct mm_struct *mm, unsigned long addr)
		if (!vma)
		return FUTEX_NO_NODE;

		mpol = vma_policy(vma);
		mpol = READ_ONCE(vma->vm_policy);
		if (!mpol)
		return FUTEX_NO_NODE;

mm/mempolicy.c

+8 −2

Original line number	Diff line number	Diff line
		@@ -487,7 +487,13 @@ void __mpol_put(struct mempolicy *pol)
		{
		if (!atomic_dec_and_test(&pol->refcnt))
		return;
		kmem_cache_free(policy_cache, pol);
		/*
		* Required to allow mmap_lock_speculative*() access, see for example
		* futex_key_to_node_opt(). All accesses are serialized by mmap_lock,
		* however the speculative lock section unbound by the normal lock
		* boundaries, requiring RCU freeing.
		*/
		kfree_rcu(pol, rcu);
		}
		EXPORT_SYMBOL_FOR_MODULES(__mpol_put, "kvm");

		@@ -1020,7 +1026,7 @@ static int vma_replace_policy(struct vm_area_struct *vma,
		}

		old = vma->vm_policy;
		vma->vm_policy = new; /* protected by mmap_lock */
		WRITE_ONCE(vma->vm_policy, new); /* protected by mmap_lock */
		mpol_put(old);

		return 0;