From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id C61BD40DFD1
	for <linux-kernel@vger.kernel.org>; Sun, 29 Mar 2026 05:20:58 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1774761658; cv=none; b=FCWjjre51ZEd3qeXvMDSdsLVHBwhUFw/HaR6Nl6ne51Ghzy04qRgQkRkTerkp+R7bVKBJKtp7nY88JZgJ+PvtrhY40uMxG3bJXHmqh1G5QnWZZIV8aP1BhH7b70YqYTWSl8+KrCydH+Jp7txBQnsupQN9wv1hFx8w5+j4tNJrAk=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1774761658; c=relaxed/simple;
	bh=fQMOqBN2GF4ownI5ru8E1FBUMLBmAyBS1W8689FzYM8=;
	h=Date:From:To:Cc:Subject:Message-ID:MIME-Version:Content-Type:
	 Content-Disposition; b=mpKeJektTWIi/aSl6vA/Oah/RaSK2I/1vfSPgjHhSBNruijjdUB6kaWoipxIXuUMbQuNYQo9s7PvW/5autj+mRINfAGxP2dUo6iF/hdpIjwLYPKOdTUKjVkutUirhapY6op7OjC9odxkQLOILZASaeroR8MP8f0RSx1BDFuGmUM=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=XHoS8QHW; arc=none smtp.client-ip=10.30.226.201
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="XHoS8QHW"
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 8C099C116C6;
	Sun, 29 Mar 2026 05:20:55 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
	s=k20201202; t=1774761658;
	bh=fQMOqBN2GF4ownI5ru8E1FBUMLBmAyBS1W8689FzYM8=;
	h=Date:From:To:Cc:Subject:From;
	b=XHoS8QHWH3ws7ITpaH8x3CY7eWD+x1OTd0M1hKqdQux0FB+sIsbaYeaxGsHqNR2bC
	 kaoZc6Gaha///ubPUmak/zzOdRQmEjFeApMt1HJLvmL4JDGd0B+SZ39DcgGqPzF7Xr
	 qp3hL3p+gH+a64m12bSRa5j0xi/fAjdeG4k+NayPfCjeY1mLUWQaSwsbzge37r/fqS
	 eTQ3AU95yuh0BFbTIfpPW/XJ5xB68UgZT/5yxmGaIJ0u56v2V7LYOO9zTeBeUMKWuJ
	 wTw0fOQhpp17VfAWH4vDI6JZRtKRtz4NOpUpApqH30qjNPK52NREZpdg4laO1Mk2zR
	 yG7rrrp1kPvAw==
Date: Sun, 29 Mar 2026 07:20:52 +0200
From: Ingo Molnar <mingo@kernel.org>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: linux-kernel@vger.kernel.org, Peter Zijlstra <peterz@infradead.org>,
	Thomas Gleixner <tglx@linutronix.de>, Will Deacon <will@kernel.org>,
	Waiman Long <longman@redhat.com>, Boqun Feng <boqun.feng@gmail.com>,
	Borislav Petkov <bp@alien8.de>, Uros Bizjak <ubizjak@gmail.com>,
	Sebastian Andrzej Siewior <bigeasy@linutronix.de>,
	Gary Guo <gary@garyguo.net>, Oleg Nesterov <oleg@redhat.com>
Subject: [GIT PULL] locking fixes
Message-ID: <aci2tLb9zGUecWPJ@gmail.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Linus,

Please pull the latest locking/urgent Git tree from:

   git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git locking-urgent-2026-03-29

for you to fetch changes up to 210d36d892de5195e6766c45519dfb1e65f3eb83:

  #
  # MERGE NOTE: The 210d36d892de PI-futex fix is relatively fresh,
  #             but it is also simple™ and obviously correct™, so
  #             I took the risk to include it in today's pull request.
  #

Miscellaneous futex fixes:

 - Tighten up the sys_futex_requeue() ABI a bit, to disallow
   dissimilar futex flags and potential UaF access. (Peter Zijlstra)

 - Fix UaF between futex_key_to_node_opt() and vma_replace_policy()
   (Hao-Yu Yang)

 - Clear stale exiting pointer in futex_lock_pi() retry path,
   which bug triggered a warning (and potential misbehavior)
   in stress-testing. (Davidlohr Bueso)

 Thanks,

	Ingo

------------------>
Davidlohr Bueso (1):
      futex: Clear stale exiting pointer in futex_lock_pi() retry path

Hao-Yu Yang (1):
      futex: Fix UaF between futex_key_to_node_opt() and vma_replace_policy()

Peter Zijlstra (1):
      futex: Require sys_futex_requeue() to have identical flags


 include/linux/mempolicy.h |  1 +
 kernel/futex/core.c       |  2 +-
 kernel/futex/pi.c         |  3 ++-
 kernel/futex/syscalls.c   |  8 ++++++++
 mm/mempolicy.c            | 10 ++++++++--
 5 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/include/linux/mempolicy.h b/include/linux/mempolicy.h
index 0fe96f3ab3ef..65c732d440d2 100644
--- a/include/linux/mempolicy.h
+++ b/include/linux/mempolicy.h
@@ -55,6 +55,7 @@ struct mempolicy {
 		nodemask_t cpuset_mems_allowed;	/* relative to these nodes */
 		nodemask_t user_nodemask;	/* nodemask passed by user */
 	} w;
+	struct rcu_head rcu;
 };
 
 /*
diff --git a/kernel/futex/core.c b/kernel/futex/core.c
index cf7e610eac42..31e83a09789e 100644
--- a/kernel/futex/core.c
+++ b/kernel/futex/core.c
@@ -342,7 +342,7 @@ static int __futex_key_to_node(struct mm_struct *mm, unsigned long addr)
 	if (!vma)
 		return FUTEX_NO_NODE;
 
-	mpol = vma_policy(vma);
+	mpol = READ_ONCE(vma->vm_policy);
 	if (!mpol)
 		return FUTEX_NO_NODE;
 
diff --git a/kernel/futex/pi.c b/kernel/futex/pi.c
index bc1f7e83a37e..7808068fa59e 100644
--- a/kernel/futex/pi.c
+++ b/kernel/futex/pi.c
@@ -918,7 +918,7 @@ int fixup_pi_owner(u32 __user *uaddr, struct futex_q *q, int locked)
 int futex_lock_pi(u32 __user *uaddr, unsigned int flags, ktime_t *time, int trylock)
 {
 	struct hrtimer_sleeper timeout, *to;
-	struct task_struct *exiting = NULL;
+	struct task_struct *exiting;
 	struct rt_mutex_waiter rt_waiter;
 	struct futex_q q = futex_q_init;
 	DEFINE_WAKE_Q(wake_q);
@@ -933,6 +933,7 @@ int futex_lock_pi(u32 __user *uaddr, unsigned int flags, ktime_t *time, int tryl
 	to = futex_setup_timer(time, &timeout, flags, 0);
 
 retry:
+	exiting = NULL;
 	ret = get_futex_key(uaddr, flags, &q.key, FUTEX_WRITE);
 	if (unlikely(ret != 0))
 		goto out;
diff --git a/kernel/futex/syscalls.c b/kernel/futex/syscalls.c
index 743c7a728237..77ad9691f6a6 100644
--- a/kernel/futex/syscalls.c
+++ b/kernel/futex/syscalls.c
@@ -459,6 +459,14 @@ SYSCALL_DEFINE4(futex_requeue,
 	if (ret)
 		return ret;
 
+	/*
+	 * For now mandate both flags are identical, like the sys_futex()
+	 * interface has. If/when we merge the variable sized futex support,
+	 * that patch can modify this test to allow a difference in size.
+	 */
+	if (futexes[0].w.flags != futexes[1].w.flags)
+		return -EINVAL;
+
 	cmpval = futexes[0].w.val;
 
 	return futex_requeue(u64_to_user_ptr(futexes[0].w.uaddr), futexes[0].w.flags,
diff --git a/mm/mempolicy.c b/mm/mempolicy.c
index 0e5175f1c767..cf92bd6a8226 100644
--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -487,7 +487,13 @@ void __mpol_put(struct mempolicy *pol)
 {
 	if (!atomic_dec_and_test(&pol->refcnt))
 		return;
-	kmem_cache_free(policy_cache, pol);
+	/*
+	 * Required to allow mmap_lock_speculative*() access, see for example
+	 * futex_key_to_node_opt(). All accesses are serialized by mmap_lock,
+	 * however the speculative lock section unbound by the normal lock
+	 * boundaries, requiring RCU freeing.
+	 */
+	kfree_rcu(pol, rcu);
 }
 EXPORT_SYMBOL_FOR_MODULES(__mpol_put, "kvm");
 
@@ -1020,7 +1026,7 @@ static int vma_replace_policy(struct vm_area_struct *vma,
 	}
 
 	old = vma->vm_policy;
-	vma->vm_policy = new; /* protected by mmap_lock */
+	WRITE_ONCE(vma->vm_policy, new); /* protected by mmap_lock */
 	mpol_put(old);
 
 	return 0;