--- /dev/null
+From 210d36d892de5195e6766c45519dfb1e65f3eb83 Mon Sep 17 00:00:00 2001
+From: Davidlohr Bueso <dave@stgolabs.net>
+Date: Wed, 25 Mar 2026 17:17:59 -0700
+Subject: futex: Clear stale exiting pointer in futex_lock_pi() retry path
+
+From: Davidlohr Bueso <dave@stgolabs.net>
+
+commit 210d36d892de5195e6766c45519dfb1e65f3eb83 upstream.
+
+Fuzzying/stressing futexes triggered:
+
+ WARNING: kernel/futex/core.c:825 at wait_for_owner_exiting+0x7a/0x80, CPU#11: futex_lock_pi_s/524
+
+When futex_lock_pi_atomic() sees the owner is exiting, it returns -EBUSY
+and stores a refcounted task pointer in 'exiting'.
+
+After wait_for_owner_exiting() consumes that reference, the local pointer
+is never reset to nil. Upon a retry, if futex_lock_pi_atomic() returns a
+different error, the bogus pointer is passed to wait_for_owner_exiting().
+
+ CPU0 CPU1 CPU2
+ futex_lock_pi(uaddr)
+ // acquires the PI futex
+ exit()
+ futex_cleanup_begin()
+ futex_state = EXITING;
+ futex_lock_pi(uaddr)
+ futex_lock_pi_atomic()
+ attach_to_pi_owner()
+ // observes EXITING
+ *exiting = owner; // takes ref
+ return -EBUSY
+ wait_for_owner_exiting(-EBUSY, owner)
+ put_task_struct(); // drops ref
+ // exiting still points to owner
+ goto retry;
+ futex_lock_pi_atomic()
+ lock_pi_update_atomic()
+ cmpxchg(uaddr)
+ *uaddr ^= WAITERS // whatever
+ // value changed
+ return -EAGAIN;
+ wait_for_owner_exiting(-EAGAIN, exiting) // stale
+ WARN_ON_ONCE(exiting)
+
+Fix this by resetting upon retry, essentially aligning it with requeue_pi.
+
+Fixes: 3ef240eaff36 ("futex: Prevent exit livelock")
+Signed-off-by: Davidlohr Bueso <dave@stgolabs.net>
+Signed-off-by: Thomas Gleixner <tglx@kernel.org>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20260326001759.4129680-1-dave@stgolabs.net
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/futex/core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/kernel/futex/core.c
++++ b/kernel/futex/core.c
+@@ -2785,9 +2785,9 @@ static int futex_lock_pi(u32 __user *uad
+ ktime_t *time, int trylock)
+ {
+ struct hrtimer_sleeper timeout, *to;
+- struct task_struct *exiting = NULL;
+ struct rt_mutex_waiter rt_waiter;
+ struct futex_hash_bucket *hb;
++ struct task_struct *exiting;
+ struct futex_q q = futex_q_init;
+ int res, ret;
+
+@@ -2800,6 +2800,7 @@ static int futex_lock_pi(u32 __user *uad
+ to = futex_setup_timer(time, &timeout, FLAGS_CLOCKRT, 0);
+
+ retry:
++ exiting = NULL;
+ ret = get_futex_key(uaddr, flags & FLAGS_SHARED, &q.key, FUTEX_WRITE);
+ if (unlikely(ret != 0))
+ goto out;
projects / thirdparty / kernel / stable-queue.git / commitdiff
