futex: Fix UaF between futex_key_to_node_opt() and vma_replace_policy()

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

During futex_key_to_node_opt() execution, vma->vm_policy is read under
speculative mmap lock and RCU. Concurrently, mbind() may call
vma_replace_policy() which frees the old mempolicy immediately via
kmem_cache_free().

This creates a race where __futex_key_to_node() dereferences a freed
mempolicy pointer, causing a use-after-free read of mpol->mode.

[ 151.412631] BUG: KASAN: slab-use-after-free in __futex_key_to_node (kernel/futex/core.c:349)
[ 151.414046] Read of size 2 at addr ffff888001c49634 by task e/87

[ 151.415969] Call Trace:

[ 151.416732] __asan_load2 (mm/kasan/generic.c:271)
[ 151.416777] __futex_key_to_node (kernel/futex/core.c:349)
[ 151.416822] get_futex_key (kernel/futex/core.c:374 kernel/futex/core.c:386 kernel/futex/core.c:593)

Fix by adding rcu to __mpol_put().

Fixes: c042c505210d ("futex: Implement FUTEX2_MPOL")
Reported-by: Hao-Yu Yang <naup96721@gmail.com>
Suggested-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Hao-Yu Yang <naup96721@gmail.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Acked-by: David Hildenbrand (Arm) <david@kernel.org>
Link: https://patch.msgid.link/20260324174418.GB1850007@noisy.programming.kicks-ass.net

authored by

Hao-Yu Yang and committed by

Peter Zijlstra 1 month ago 190a8c48 19f94b39

+10 -3

3 changed files

expand all

include

linux

mempolicy.h

kernel

futex

core.c

mempolicy.c

include/linux/mempolicy.h

··· 55 55 nodemask_t cpuset_mems_allowed; /* relative to these nodes */ 56 56 nodemask_t user_nodemask; /* nodemask passed by user */ 57 57 } w; 58 + struct rcu_head rcu; 58 59 }; 59 60 60 61 /*

+1 -1

kernel/futex/core.c

··· 342 342 if (!vma) 343 343 return FUTEX_NO_NODE; 344 344 345 - mpol = vma_policy(vma); 345 + mpol = READ_ONCE(vma->vm_policy); 346 346 if (!mpol) 347 347 return FUTEX_NO_NODE; 348 348

+8 -2

mm/mempolicy.c

··· 487 487 { 488 488 if (!atomic_dec_and_test(&pol->refcnt)) 489 489 return; 490 - kmem_cache_free(policy_cache, pol); 490 + /* 491 + * Required to allow mmap_lock_speculative*() access, see for example 492 + * futex_key_to_node_opt(). All accesses are serialized by mmap_lock, 493 + * however the speculative lock section unbound by the normal lock 494 + * boundaries, requiring RCU freeing. 495 + */ 496 + kfree_rcu(pol, rcu); 491 497 } 492 498 EXPORT_SYMBOL_FOR_MODULES(__mpol_put, "kvm"); 493 499 ··· 1026 1020 } 1027 1021 1028 1022 old = vma->vm_policy; 1029 - vma->vm_policy = new; /* protected by mmap_lock */ 1023 + WRITE_ONCE(vma->vm_policy, new); /* protected by mmap_lock */ 1030 1024 mpol_put(old); 1031 1025 1032 1026 return 0;

Configure Feed

Configure Feed