futex: Fix UaF between futex_key_to_node_opt() and vma_replace_policy()

During futex_key_to_node_opt() execution, vma->vm_policy is read under
speculative mmap lock and RCU. Concurrently, mbind() may call
vma_replace_policy() which frees the old mempolicy immediately via
kmem_cache_free().

This creates a race where __futex_key_to_node() dereferences a freed
mempolicy pointer, causing a use-after-free read of mpol->mode.

[  151.412631] BUG: KASAN: slab-use-after-free in __futex_key_to_node (kernel/futex/core.c:349)
[  151.414046] Read of size 2 at addr ffff888001c49634 by task e/87

[  151.415969] Call Trace:

[  151.416732]  __asan_load2 (mm/kasan/generic.c:271)
[  151.416777]  __futex_key_to_node (kernel/futex/core.c:349)
[  151.416822]  get_futex_key (kernel/futex/core.c:374 kernel/futex/core.c:386 kernel/futex/core.c:593)

Fix by adding rcu to __mpol_put().

Fixes: c042c505210d ("futex: Implement FUTEX2_MPOL")
Reported-by: Hao-Yu Yang <naup96721@gmail.com>
Suggested-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Hao-Yu Yang <naup96721@gmail.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Acked-by: David Hildenbrand (Arm) <david@kernel.org>
Link: https://patch.msgid.link/20260324174418.GB1850007@noisy.programming.kicks-ass.net

diff --git a/include/linux/mempolicy.h b/include/linux/mempolicy.h
index 0fe96f3ab3ef02e902e1676e750c2006ecd6147f..65c732d440d2f4e4566204429f1e5e7487ab8f91 100644 (file)
--- a/include/linux/mempolicy.h
+++ b/include/linux/mempolicy.h
@@ -55,6 +55,7 @@ struct mempolicy {
                nodemask_t cpuset_mems_allowed; /* relative to these nodes */
                nodemask_t user_nodemask;       /* nodemask passed by user */
        } w;
+       struct rcu_head rcu;
 };
 
 /*

diff --git a/kernel/futex/core.c b/kernel/futex/core.c
index cf7e610eac429751d413379582a7e3445b429dcc..31e83a09789e00416f1cb07f86f0873d8baecaf5 100644 (file)
--- a/kernel/futex/core.c
+++ b/kernel/futex/core.c
@@ -342,7 +342,7 @@ static int __futex_key_to_node(struct mm_struct *mm, unsigned long addr)
        if (!vma)
                return FUTEX_NO_NODE;
 
-       mpol = vma_policy(vma);
+       mpol = READ_ONCE(vma->vm_policy);
        if (!mpol)
                return FUTEX_NO_NODE;
 

diff --git a/mm/mempolicy.c b/mm/mempolicy.c
index 0e5175f1c767d81394276559b9610c24d854f5bc..cf92bd6a8226ee6f85a76007bbb10d91fb05367d 100644 (file)
--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -487,7 +487,13 @@ void __mpol_put(struct mempolicy *pol)
 {
        if (!atomic_dec_and_test(&pol->refcnt))
                return;
-       kmem_cache_free(policy_cache, pol);
+       /*
+        * Required to allow mmap_lock_speculative*() access, see for example
+        * futex_key_to_node_opt(). All accesses are serialized by mmap_lock,
+        * however the speculative lock section unbound by the normal lock
+        * boundaries, requiring RCU freeing.
+        */
+       kfree_rcu(pol, rcu);
 }
 EXPORT_SYMBOL_FOR_MODULES(__mpol_put, "kvm");
 
@@ -1020,7 +1026,7 @@ static int vma_replace_policy(struct vm_area_struct *vma,
        }
 
        old = vma->vm_policy;
-       vma->vm_policy = new; /* protected by mmap_lock */
+       WRITE_ONCE(vma->vm_policy, new); /* protected by mmap_lock */
        mpol_put(old);
 
        return 0;