linux/include
Hao-Yu Yang 190a8c48ff futex: Fix UaF between futex_key_to_node_opt() and vma_replace_policy()
During futex_key_to_node_opt() execution, vma->vm_policy is read under
speculative mmap lock and RCU. Concurrently, mbind() may call
vma_replace_policy() which frees the old mempolicy immediately via
kmem_cache_free().

This creates a race where __futex_key_to_node() dereferences a freed
mempolicy pointer, causing a use-after-free read of mpol->mode.

[  151.412631] BUG: KASAN: slab-use-after-free in __futex_key_to_node (kernel/futex/core.c:349)
[  151.414046] Read of size 2 at addr ffff888001c49634 by task e/87

[  151.415969] Call Trace:

[  151.416732]  __asan_load2 (mm/kasan/generic.c:271)
[  151.416777]  __futex_key_to_node (kernel/futex/core.c:349)
[  151.416822]  get_futex_key (kernel/futex/core.c:374 kernel/futex/core.c:386 kernel/futex/core.c:593)

Fix by adding rcu to __mpol_put().

Fixes: c042c50521 ("futex: Implement FUTEX2_MPOL")
Reported-by: Hao-Yu Yang <naup96721@gmail.com>
Suggested-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Hao-Yu Yang <naup96721@gmail.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Acked-by: David Hildenbrand (Arm) <david@kernel.org>
Link: https://patch.msgid.link/20260324174418.GB1850007@noisy.programming.kicks-ass.net
2026-03-26 16:13:48 +01:00
acpi mailbox: platform and core updates 2026-02-14 11:13:32 -08:00
asm-generic kbuild: Split .modinfo out from ELF_DETAILS 2026-02-26 11:50:19 -07:00
clocksource
crypto Networking changes for 7.0 2026-02-11 19:31:52 -08:00
cxl
drm drm/dp: Add definition for Panel Replay full-line granularity 2026-03-04 15:26:08 +02:00
dt-bindings phy-for-7.0 2026-02-17 11:40:04 -08:00
hyperv Revert "mshv: expose the scrub partition hypercall" 2026-03-11 16:54:24 +00:00
keys
kunit kunit: irq: Ensure timer doesn't fire too frequently 2026-02-24 14:44:21 -08:00
kvm
linux futex: Fix UaF between futex_key_to_node_opt() and vma_replace_policy() 2026-03-26 16:13:48 +01:00
math-emu
media [GIT PULL for v7.0] media updates 2026-02-11 12:20:25 -08:00
memory
misc
net Just a few updates: 2026-03-18 19:25:41 -07:00
pcmcia
ras
rdma RDMA/core: Check id_priv->restricted_node_type in cma_listen_on_dev() 2026-02-25 07:50:10 -05:00
rv rv: Fix multiple definition of __pcpu_unique_da_mon_this 2026-02-20 13:12:00 +01:00
scsi SCSI misc on 20260212 2026-02-12 15:43:02 -08:00
soc
sound ASoC: Fixes for v7.0 2026-03-05 17:22:14 +01:00
target
trace tracing: Revert "tracing: Remove pid in task_rename tracing output" 2026-03-21 16:41:18 -04:00
uapi ARM: 2026-03-15 12:22:10 -07:00
ufs
vdso
video
xen xen/xenbus: better handle backend crash 2026-03-04 15:31:40 +01:00
Kbuild