diff options
| author | Hao-Yu Yang <naup96721@gmail.com> | 2026-03-13 15:47:56 +0300 |
|---|---|---|
| committer | Peter Zijlstra <peterz@infradead.org> | 2026-03-26 18:13:48 +0300 |
| commit | 190a8c48ff623c3d67cb295b4536a660db2012aa (patch) | |
| tree | 55e7bb267e9b2411ad45b7a6818b54410582389a /samples | |
| parent | 19f94b39058681dec64a10ebeb6f23fe7fc3f77a (diff) | |
| download | linux-190a8c48ff623c3d67cb295b4536a660db2012aa.tar.xz | |
futex: Fix UaF between futex_key_to_node_opt() and vma_replace_policy()
During futex_key_to_node_opt() execution, vma->vm_policy is read under
speculative mmap lock and RCU. Concurrently, mbind() may call
vma_replace_policy() which frees the old mempolicy immediately via
kmem_cache_free().
This creates a race where __futex_key_to_node() dereferences a freed
mempolicy pointer, causing a use-after-free read of mpol->mode.
[ 151.412631] BUG: KASAN: slab-use-after-free in __futex_key_to_node (kernel/futex/core.c:349)
[ 151.414046] Read of size 2 at addr ffff888001c49634 by task e/87
[ 151.415969] Call Trace:
[ 151.416732] __asan_load2 (mm/kasan/generic.c:271)
[ 151.416777] __futex_key_to_node (kernel/futex/core.c:349)
[ 151.416822] get_futex_key (kernel/futex/core.c:374 kernel/futex/core.c:386 kernel/futex/core.c:593)
Fix by adding rcu to __mpol_put().
Fixes: c042c505210d ("futex: Implement FUTEX2_MPOL")
Reported-by: Hao-Yu Yang <naup96721@gmail.com>
Suggested-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Hao-Yu Yang <naup96721@gmail.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Acked-by: David Hildenbrand (Arm) <david@kernel.org>
Link: https://patch.msgid.link/20260324174418.GB1850007@noisy.programming.kicks-ass.net
Diffstat (limited to 'samples')
0 files changed, 0 insertions, 0 deletions