
Merge tag 'locking-urgent-2026-03-29' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull futex fixes from Ingo Molnar:

- Tighten up the sys_futex_requeue() ABI a bit, to disallow dissimilar
futex flags and potential UaF access (Peter Zijlstra)

- Fix UaF between futex_key_to_node_opt() and vma_replace_policy()
(Hao-Yu Yang)

- Clear stale exiting pointer in futex_lock_pi() retry path, which
triggered a warning (and potential misbehavior) in stress-testing
(Davidlohr Bueso)

* tag 'locking-urgent-2026-03-29' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
futex: Clear stale exiting pointer in futex_lock_pi() retry path
futex: Fix UaF between futex_key_to_node_opt() and vma_replace_policy()
futex: Require sys_futex_requeue() to have identical flags

+20 -4
+1
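--- a/include/linux/mempolicy.h
+++ b/include/linux/mempolicy.h
@@ -55,6 +55,7 @@
 nodemask_t cpuset_mems_allowed; /* relative to these nodes */
 nodemask_t user_nodemask; /* nodemask passed by user */
 } w;
+struct rcu_head rcu;
 };
 
 /*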
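Review bot: The new `rcu` member is the only field in this part of the struct without a comment, while both neighbours carry one, so a reader of the header cannot tell why a mempolicy needs an rcu_head. Suggest `struct rcu_head rcu; /* deferred free via kfree_rcu() in __mpol_put() */` so the header itself records the lifetime rule. The enclosing struct definition begins before the hunk, so the rest of its layout is not visible here.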
+1 -1
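--- a/kernel/futex/core.c
+++ b/kernel/futex/core.c
@@ -342,7 +342,7 @@
 if (!vma)
 return FUTEX_NO_NODE;
 
-mpol = vma_policy(vma);
+mpol = READ_ONCE(vma->vm_policy);
 if (!mpol)
 return FUTEX_NO_NODE;
 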
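Review bot: The bare `READ_ONCE(vma->vm_policy)` that replaces `vma_policy(vma)` carries no comment saying why the accessor is bypassed, which is the whole point of the fix; a later cleanup could easily fold it back into `vma_policy()` and silently reintroduce the race. Suggest `/* Lockless/speculative read: vm_policy may be replaced concurrently; the old policy is RCU-freed in __mpol_put(). */` above the assignment. This only makes the pointer load itself safe: the `if (!mpol)` check on the next line and any dereference of `mpol` after the hunk (the function continues outside it) presumably require the caller to stay inside the RCU-protected section for the whole use, which is worth stating in the same comment.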
+2 -1
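--- a/kernel/futex/pi.c
+++ b/kernel/futex/pi.c
@@ -918,7 +918,7 @@
 int futex_lock_pi(u32 __user *uaddr, unsigned int flags, ktime_t *time, int trylock)
 {
 struct hrtimer_sleeper timeout, *to;
-struct task_struct *exiting = NULL;
+struct task_struct *exiting;
 struct rt_mutex_waiter rt_waiter;
 struct futex_q q = futex_q_init;
 DEFINE_WAKE_Q(wake_q);
@@ -933,6 +933,7 @@
 to = futex_setup_timer(time, &timeout, flags, 0);
 
 retry:
+exiting = NULL;
 ret = get_futex_key(uaddr, flags, &q.key, FUTEX_WRITE);
 if (unlikely(ret != 0))
 goto out;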
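Review bot: Moving the `exiting = NULL` reset under the `retry:` label is the right fix, but nothing at the label says why a bare assignment sits there, and the declaration at line 921 now deliberately lacks an initializer, a pattern that reviewers and static checkers routinely flag. Suggest `exiting = NULL; /* a failed attempt may have left a stale exit-handoff target */` so the intent survives the next refactor. Any code between the declaration and `retry:` that reads `exiting` would now see an uninitialised value; from the lines shown there appears to be none, but lines 925 to 932 of the function are not in the hunk.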
+8
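--- a/kernel/futex/syscalls.c
+++ b/kernel/futex/syscalls.c
@@ -459,6 +459,14 @@
 if (ret)
 return ret;
 
+/*
+ * For now mandate both flags are identical, like the sys_futex()
+ * interface has. If/when we merge the variable sized futex support,
+ * that patch can modify this test to allow a difference in size.
+ */
+if (futexes[0].w.flags != futexes[1].w.flags)
+return -EINVAL;
+
 cmpval = futexes[0].w.val;
 
 return futex_requeue(u64_to_user_ptr(futexes[0].w.uaddr), futexes[0].w.flags,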
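Review bot: The new comment gives only the forward-looking reason ("for now", variable-size futexes) and omits the present one: the merge description says mismatched flags opened potential UaF access, so this is a correctness requirement rather than a placeholder restriction, and a future change relaxing the size bits must not relax the rest. Suggest adding a line to the comment such as ` * Mismatched flags are rejected as a correctness requirement; only the size bits are candidates for relaxation later.` The check itself, `futexes[0].w.flags != futexes[1].w.flags`, is the right shape and sits after the parse step that validates each entry. The enclosing function begins before the hunk.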
+8 -2
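--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -487,7 +487,13 @@
 {
 if (!atomic_dec_and_test(&pol->refcnt))
 return;
-kmem_cache_free(policy_cache, pol);
+/*
+ * Required to allow mmap_lock_speculative*() access, see for example
+ * futex_key_to_node_opt(). All accesses are serialized by mmap_lock,
+ * however the speculative lock section unbound by the normal lock
+ * boundaries, requiring RCU freeing.
+ */
+kfree_rcu(pol, rcu);
 }
 EXPORT_SYMBOL_FOR_MODULES(__mpol_put, "kvm");
 
@@ -1026,7 +1020,7 @@
 }
 
 old = vma->vm_policy;
-vma->vm_policy = new; /* protected by mmap_lock */
+WRITE_ONCE(vma->vm_policy, new); /* protected by mmap_lock */
 mpol_put(old);
 
 return 0;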
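Review bot: In the `__mpol_put()` hunk the new comment's third line is missing its verb (`the speculative lock section unbound by`); suggest ` * however a speculative lock section is not bound by the normal lock`. More substantively, `kfree_rcu(pol, rcu)` replaces `kmem_cache_free(policy_cache, pol)`, so only this release path gains a grace period; if any other site outside this diff still frees a `struct mempolicy` with `kmem_cache_free()` it would remain an immediate free, so it is worth confirming `__mpol_put()` is the sole release path for objects that can be published in a `vma->vm_policy`. The second hunk's `WRITE_ONCE(vma->vm_policy, new)` pairs with the `READ_ONCE()` added in `futex_key_to_node_opt()`; the retained `/* protected by mmap_lock */` comment could add that lockless readers now exist, which is why the store is annotated.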