Re: [PATCH v2] futex: Use-after-free between futex_key_to_node_opt and vma_replace_policy

Next message: Stefano Radaelli: "Re: [PATCH v7 0/2] Add support for Variscite DART-MX95 and Sonata board"
Previous message: Tycho Andersen: "Re: [PATCH v4 0/7] Move SNP initialization to the CCP driver"
In reply to: Peter Zijlstra: "Re: [PATCH v2] futex: Use-after-free between futex_key_to_node_opt and vma_replace_policy"
Next in thread: Hao-Yu Yang: "Re: [PATCH v2] futex: Use-after-free between futex_key_to_node_opt and vma_replace_policy"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Eric Dumazet

Date: Wed Mar 25 2026 - 12:07:33 EST

On Wed, Mar 25, 2026 at 8:22 AM Peter Zijlstra <peterz@xxxxxxxxxxxxx> wrote:

> Fair enough. Like so then..
>
> --- a/kernel/futex/core.c
> +++ b/kernel/futex/core.c
> @@ -342,7 +342,7 @@ static int __futex_key_to_node(struct mm
> if (!vma)
> return FUTEX_NO_NODE;
>
> - mpol = vma_policy(vma);
> + mpol = READ_ONCE(vma->vm_policy);
> if (!mpol)
> return FUTEX_NO_NODE;
>
> --- a/mm/mempolicy.c
> +++ b/mm/mempolicy.c
> @@ -1026,7 +1026,7 @@ static int vma_replace_policy(struct vm_
> }
>
> old = vma->vm_policy;
> - vma->vm_policy = new; /* protected by mmap_lock */
> + WRITE_ONCE(vma->vm_policy, new); /* protected by mmap_lock */
> mpol_put(old);
>
> return 0;

LGTM, thanks !

Reviewed-by: Eric Dumazet <edumazet@xxxxxxxxxx>