From: Greg Kroah-Hartman
Date: Tue, 31 Mar 2026 15:43:29 +0000 (+0200)
Subject: 6.6-stable patches
X-Git-Tag: v6.6.131~8
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f4a619bf5bf82675fd08f73ca3b75125021fde7e;p=thirdparty%2Fkernel%2Fstable-queue.git
6.6-stable patches added patches: futex-clear-stale-exiting-pointer-in-futex_lock_pi-retry-path.patch
---
diff --git a/queue-6.6/futex-clear-stale-exiting-pointer-in-futex_lock_pi-retry-path.patch b/queue-6.6/futex-clear-stale-exiting-pointer-in-futex_lock_pi-retry-path.patch
new file mode 100644
index 0000000000..94a46ac1e6
--- /dev/null
+++ b/queue-6.6/futex-clear-stale-exiting-pointer-in-futex_lock_pi-retry-path.patch
@@ -0,0 +1,77 @@
+From 210d36d892de5195e6766c45519dfb1e65f3eb83 Mon Sep 17 00:00:00 2001
+From: Davidlohr Bueso
+Date: Wed, 25 Mar 2026 17:17:59 -0700
+Subject: futex: Clear stale exiting pointer in futex_lock_pi() retry path
+
+From: Davidlohr Bueso
+
+commit 210d36d892de5195e6766c45519dfb1e65f3eb83 upstream.
+
+Fuzzying/stressing futexes triggered:
+
+ WARNING: kernel/futex/core.c:825 at wait_for_owner_exiting+0x7a/0x80, CPU#11: futex_lock_pi_s/524
+
+When futex_lock_pi_atomic() sees the owner is exiting, it returns -EBUSY
+and stores a refcounted task pointer in 'exiting'.
+
+After wait_for_owner_exiting() consumes that reference, the local pointer
+is never reset to nil. Upon a retry, if futex_lock_pi_atomic() returns a
+different error, the bogus pointer is passed to wait_for_owner_exiting().
+
+ CPU0 CPU1 CPU2
+ futex_lock_pi(uaddr)
+ // acquires the PI futex
+ exit()
+ futex_cleanup_begin()
+ futex_state = EXITING;
+ futex_lock_pi(uaddr)
+ futex_lock_pi_atomic()
+ attach_to_pi_owner()
+ // observes EXITING
+ *exiting = owner; // takes ref
+ return -EBUSY
+ wait_for_owner_exiting(-EBUSY, owner)
+ put_task_struct(); // drops ref
+ // exiting still points to owner
+ goto retry;
+ futex_lock_pi_atomic()
+ lock_pi_update_atomic()
+ cmpxchg(uaddr)
+ *uaddr ^= WAITERS // whatever
+ // value changed
+ return -EAGAIN;
+ wait_for_owner_exiting(-EAGAIN, exiting) // stale
+ WARN_ON_ONCE(exiting)
+
+Fix this by resetting upon retry, essentially aligning it with requeue_pi.
+
+Fixes: 3ef240eaff36 ("futex: Prevent exit livelock")
+Signed-off-by: Davidlohr Bueso
+Signed-off-by: Thomas Gleixner
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20260326001759.4129680-1-dave@stgolabs.net
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/futex/pi.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+--- a/kernel/futex/pi.c
++++ b/kernel/futex/pi.c
+@@ -930,9 +930,9 @@ int fixup_pi_owner(u32 __user *uaddr, st
+ int futex_lock_pi(u32 __user *uaddr, unsigned int flags, ktime_t *time, int trylock)
+ {
+ struct hrtimer_sleeper timeout, *to;
+- struct task_struct *exiting = NULL;
+ struct rt_mutex_waiter rt_waiter;
+ struct futex_hash_bucket *hb;
++ struct task_struct *exiting;
+ struct futex_q q = futex_q_init;
+ int res, ret;
+
+@@ -945,6 +945,7 @@ int futex_lock_pi(u32 __user *uaddr, uns
+ to = futex_setup_timer(time, &timeout, flags, 0);
+
+ retry:
++ exiting = NULL;
+ ret = get_futex_key(uaddr, flags & FLAGS_SHARED, &q.key, FUTEX_WRITE);
+ if (unlikely(ret != 0))
+ goto out;
diff --git a/queue-6.6/series b/queue-6.6/series
index 4f61c7b954..743e2bf288 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -171,3 +171,4 @@ btrfs-fix-leak-of-kobject-name-for-sub-group-space_i.patch
 btrfs-fix-lost-error-when-running-device-stats-on-mu.patch
 dmaengine-idxd-remove-usage-of-the-deprecated-ida_si.patch
 dmaengine-idxd-fix-freeing-the-allocated-ida-too-lat.patch
+futex-clear-stale-exiting-pointer-in-futex_lock_pi-retry-path.patch
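Review bot: The new `exiting = NULL;` under `retry:` in the second nested hunk carries no comment saying why the pointer must be reset on every pass, even though that ownership rule is the whole bug; a one-liner such as `/* Reset: a previous -EBUSY round's reference was already dropped by wait_for_owner_exiting(). */` would stop a later cleanup from "simplifying" it back to an initializer at the declaration. The first nested hunk also drops the `= NULL` initializer from the declaration, so `exiting` is indeterminate between the declaration and `retry:`; that is harmless only if nothing on that stretch reads or passes it, which cannot be confirmed from the hunk, so keeping the initializer at the declaration as well would be a cheap belt-and-braces choice. futex_lock_pi() begins at line 930 and continues well past both nested hunks, so the later wait_for_owner_exiting() call site that consumes `exiting` is not visible here.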