futex: Clear stale exiting pointer in futex_lock_pi() retry path - kernel/linux.git

diff options

author	Davidlohr Bueso <dave@stgolabs.net>	2026-03-26 03:17:59 +0300
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2026-04-02 14:07:33 +0300
commit	de7c0c04ad868f2cee6671b11c0a6d20421af1da (patch)
tree	06a5aca96e56a23dfd420e44698af0b29c78f64a /include/linux/linux_logo.h
parent	37cf97e37498ae1ca7b873e53e3f225a92ecee2d (diff)
download	linux-de7c0c04ad868f2cee6671b11c0a6d20421af1da.tar.xz

futex: Clear stale exiting pointer in futex_lock_pi() retry path

commit 210d36d892de5195e6766c45519dfb1e65f3eb83 upstream. Fuzzying/stressing futexes triggered: WARNING: kernel/futex/core.c:825 at wait_for_owner_exiting+0x7a/0x80, CPU#11: futex_lock_pi_s/524 When futex_lock_pi_atomic() sees the owner is exiting, it returns -EBUSY and stores a refcounted task pointer in 'exiting'. After wait_for_owner_exiting() consumes that reference, the local pointer is never reset to nil. Upon a retry, if futex_lock_pi_atomic() returns a different error, the bogus pointer is passed to wait_for_owner_exiting(). CPU0 CPU1 CPU2 futex_lock_pi(uaddr) // acquires the PI futex exit() futex_cleanup_begin() futex_state = EXITING; futex_lock_pi(uaddr) futex_lock_pi_atomic() attach_to_pi_owner() // observes EXITING *exiting = owner; // takes ref return -EBUSY wait_for_owner_exiting(-EBUSY, owner) put_task_struct(); // drops ref // exiting still points to owner goto retry; futex_lock_pi_atomic() lock_pi_update_atomic() cmpxchg(uaddr) *uaddr ^= WAITERS // whatever // value changed return -EAGAIN; wait_for_owner_exiting(-EAGAIN, exiting) // stale WARN_ON_ONCE(exiting) Fix this by resetting upon retry, essentially aligning it with requeue_pi. Fixes: 3ef240eaff36 ("futex: Prevent exit livelock") Signed-off-by: Davidlohr Bueso <dave@stgolabs.net> Signed-off-by: Thomas Gleixner <tglx@kernel.org> Cc: stable@vger.kernel.org Link: https://patch.msgid.link/20260326001759.4129680-1-dave@stgolabs.net Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Diffstat (limited to 'include/linux/linux_logo.h')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: