From nobody Wed Jun 17 06:26:54 2026
Received: from galois.linutronix.de (Galois.linutronix.de [193.142.43.55])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id D0BE0364939;
	Thu, 23 Apr 2026 08:09:55 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=193.142.43.55
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1776931797; cv=none;
 b=gwog79RyzcTnHoU7jLKBbZnRGF6w1ssLike7W8YyF0h5O1yXMHCHy91IWpHJa+9epasULzUsGD+KQlfby/Mixr377dTI9mNLCVSAmYO9RKkbe/sn0q364uoq+igWjLH2jEyhlRTtmwD/37o14Hv7zw9du4b0KbSN9wPccyZ0Lmk=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1776931797; c=relaxed/simple;
	bh=WWzhBK6ivnCxaliOtz9qZHOL3RxkwCL/pNHniw2+rys=;
	h=Date:From:To:Subject:Cc:MIME-Version:Message-ID:Content-Type;
 b=uuhlX7dcAyS/S+W6V6GD8RvUz96MOa+v6dN66H5Cjc/nFUxU8iEWApXfxPkwh8QAQjSuTs+MV3CwY0Ry750DtkEQa6J6GaR/zbZQMjPtFSDvowDesI8ONN2gT0Huv9c15kB+rQw/ZxL4jyrzwBweiAtNnzSx8tfdiFPqjiABTEk=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=linutronix.de;
 spf=pass smtp.mailfrom=linutronix.de;
 dkim=pass (2048-bit key) header.d=linutronix.de header.i=@linutronix.de
 header.b=1ZcYiTc+;
 dkim=permerror (0-bit key) header.d=linutronix.de header.i=@linutronix.de
 header.b=JzfNm30T; arc=none smtp.client-ip=193.142.43.55
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=linutronix.de
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=linutronix.de
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=linutronix.de header.i=@linutronix.de
 header.b="1ZcYiTc+";
	dkim=permerror (0-bit key) header.d=linutronix.de header.i=@linutronix.de
 header.b="JzfNm30T"
Date: Thu, 23 Apr 2026 08:09:52 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linutronix.de;
	s=2020; t=1776931793;
	h=from:from:sender:sender:reply-to:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:
  content-transfer-encoding:content-transfer-encoding;
	bh=BVrRt88S48wxNDp0rCUGhCG15X4EzW8HTw9F4/dZcWk=;
	b=1ZcYiTc+/iF+lK7TW93wH7krk8EeAbRy8gtiizy4eXLTmWBIGcXbLNHTXK9iEWDE3BnG+p
	A2YGC7VjqDW7y9AesavRoYl5Wmjjnm5CsBxtQKAO7ntc8isOtwX0drDVIswcv6OLw+1/Ar
	M+Qh87uJhuuN79QB6/7PvMQUFuCeQ43M/ViR2AwaAxI2iIyhg2bM4eoAkQ37vQPZbxBEBT
	i1EsQT9XTLF6FhtIdEygODyJ8l/Y+T8TrmW39TMw2Z0E4iRqwHy6lxcxMucJ0K7L33Ggyv
	hfyBQB4dbC2cP5lWQnT9j8LR9HAcz1RJxAgjj7oEaJdzphspI99xhBRPl999Gg==
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=linutronix.de;
	s=2020e; t=1776931793;
	h=from:from:sender:sender:reply-to:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:
  content-transfer-encoding:content-transfer-encoding;
	bh=BVrRt88S48wxNDp0rCUGhCG15X4EzW8HTw9F4/dZcWk=;
	b=JzfNm30TmL3Te7Eq10RyfKZdiINE+d07jk857YM9l2nXwUCODpdzf9JHUQ+8TkU0zpPL1j
	Rz2ouvLL0KbreQDQ==
From: "tip-bot2 for Peter Zijlstra" <tip-bot2@linutronix.de>
Sender: tip-bot2@linutronix.de
Reply-to: linux-kernel@vger.kernel.org
To: linux-tip-commits@vger.kernel.org
Subject: 
 [tip: locking/urgent] locking/mutex: Fix ww_mutex wait_list operations
Cc: "Borah, Chaitanya Kumar" <chaitanya.kumar.borah@intel.com>,
 John Stultz <jstultz@google.com>,
 Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>,
 "Peter Zijlstra (Intel)" <peterz@infradead.org>,
 K Prateek Nayak <kprateek.nayak@amd.com>, x86@kernel.org,
 linux-kernel@vger.kernel.org
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Message-ID: <177693179236.2419917.13590738859905898177.tip-bot2@tip-bot2>
Robot-ID: <tip-bot2@linutronix.de>
Robot-Unsubscribe: 
 Contact <mailto:tglx@kernel.org> to get blacklisted from these emails
Precedence: bulk
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

The following commit has been merged into the locking/urgent branch of tip:

Commit-ID:     0adc92b910b3d6bf4913d79869365d553154a070
Gitweb:        https://git.kernel.org/tip/0adc92b910b3d6bf4913d79869365d553=
154a070
Author:        Peter Zijlstra <peterz@infradead.org>
AuthorDate:    Wed, 22 Apr 2026 10:38:41 +02:00
Committer:     Peter Zijlstra <peterz@infradead.org>
CommitterDate: Thu, 23 Apr 2026 10:05:49 +02:00

locking/mutex: Fix ww_mutex wait_list operations

Chaitanya, John and Mikhail reported commit 25500ba7e77c ("locking/mutex:
Remove the list_head from struct mutex") wrecked ww_mutex.

Specifically there were 2 issues:

 - __ww_waiter_prev() had the termination condition wrong; it would termina=
te
   when the previous entry was the first, which results in a truncated
   iteration: W3, W2, (no W1).

 - __mutex_add_waiter(@pos !=3D NULL), as used by __ww_waiter_add() /
   __ww_mutex_add_waiter(); this inserts @waiter before @pos (which is what
   list_add_tail() does). But this should then also update lock->first_wait=
er.

Much thanks to Prateek for spotting the __mutex_add_waiter() issue!

Fixes: 25500ba7e77c ("locking/mutex: Remove the list_head from struct mutex=
")
Reported-by: "Borah, Chaitanya Kumar" <chaitanya.kumar.borah@intel.com>
Closes: https://lore.kernel.org/r/af005996-05e9-4336-8450-d14ca652ba5d%40in=
tel.com
Reported-by: John Stultz <jstultz@google.com>
Closes: https://lore.kernel.org/r/CANDhNCq%3Doizzud3hH3oqGzTrcjB8OwGeineJ3m=
wZuGdDWG8fRQ%40mail.gmail.com
Reported-by: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
Closes: https://lore.kernel.org/r/CABXGCsO5fKq2nD9nO8yO1z50ZzgCPWqueNXHANjn=
taswoOh2Dg@mail.gmail.com
Debugged-by: K Prateek Nayak <kprateek.nayak@amd.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Tested-by: K Prateek Nayak <kprateek.nayak@amd.com>
Tested-by: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
Link: https://patch.msgid.link/20260422092335.GH3102924%40noisy.programming=
.kicks-ass.net
---
 kernel/locking/mutex.c    | 40 +++++++++++++++++++++++++-------------
 kernel/locking/ww_mutex.h | 34 ++++++++++++++++++++++++++++++--
 2 files changed, 59 insertions(+), 15 deletions(-)

diff --git a/kernel/locking/mutex.c b/kernel/locking/mutex.c
index 186b463..0953462 100644
--- a/kernel/locking/mutex.c
+++ b/kernel/locking/mutex.c
@@ -198,27 +198,43 @@ static inline void __mutex_clear_flag(struct mutex *l=
ock, unsigned long flag)
 }
=20
 /*
- * Add @waiter to a given location in the lock wait_list and set the
- * FLAG_WAITERS flag if it's the first waiter.
+ * Add @waiter to the @lock wait_list and set the FLAG_WAITERS flag if it's
+ * the first waiter.
+ *
+ * When @pos, @waiter is added before the waiter indicated by @pos. Otherw=
ise
+ * @waiter will be added to the tail of the list.
  */
 static void
 __mutex_add_waiter(struct mutex *lock, struct mutex_waiter *waiter,
-		   struct mutex_waiter *first)
+		   struct mutex_waiter *pos)
 	__must_hold(&lock->wait_lock)
 {
+	struct mutex_waiter *first =3D lock->first_waiter;
+
 	hung_task_set_blocker(lock, BLOCKER_TYPE_MUTEX);
 	debug_mutex_add_waiter(lock, waiter, current);
=20
-	if (!first)
-		first =3D lock->first_waiter;
+	if (pos) {
+		/*
+		 * Insert @waiter before @pos.
+		 */
+		list_add_tail(&waiter->list, &pos->list);
+		/*
+		 * If @pos =3D=3D @first, then @waiter will be the new first.
+		 */
+		if (pos =3D=3D first)
+			lock->first_waiter =3D waiter;
+		return;
+	}
=20
 	if (first) {
 		list_add_tail(&waiter->list, &first->list);
-	} else {
-		INIT_LIST_HEAD(&waiter->list);
-		lock->first_waiter =3D waiter;
-		__mutex_set_flag(lock, MUTEX_FLAG_WAITERS);
+		return;
 	}
+
+	INIT_LIST_HEAD(&waiter->list);
+	lock->first_waiter =3D waiter;
+	__mutex_set_flag(lock, MUTEX_FLAG_WAITERS);
 }
=20
 static void
@@ -229,10 +245,8 @@ __mutex_remove_waiter(struct mutex *lock, struct mutex=
_waiter *waiter)
 		__mutex_clear_flag(lock, MUTEX_FLAGS);
 		lock->first_waiter =3D NULL;
 	} else {
-		if (lock->first_waiter =3D=3D waiter) {
-			lock->first_waiter =3D list_first_entry(&waiter->list,
-							      struct mutex_waiter, list);
-		}
+		if (lock->first_waiter =3D=3D waiter)
+			lock->first_waiter =3D list_next_entry(waiter, list);
 		list_del(&waiter->list);
 	}
=20
diff --git a/kernel/locking/ww_mutex.h b/kernel/locking/ww_mutex.h
index 016f0db..6c12452 100644
--- a/kernel/locking/ww_mutex.h
+++ b/kernel/locking/ww_mutex.h
@@ -6,6 +6,19 @@
 #define MUTEX_WAITER	mutex_waiter
 #define WAIT_LOCK	wait_lock
=20
+/*
+ *           +--------+
+ *           | first  |
+ *           +--------+
+ *                |
+ *                v
+ *  +----+     +----+     +----+
+ *  | W3 | <-> | W1 | <-> | W2 |
+ *  +----+     +----+     +----+
+ *    ^                     ^
+ *    +---------------------+
+ */
+
 static inline struct mutex_waiter *
 __ww_waiter_first(struct mutex *lock)
 	__must_hold(&lock->wait_lock)
@@ -13,26 +26,43 @@ __ww_waiter_first(struct mutex *lock)
 	return lock->first_waiter;
 }
=20
+/*
+ * for (cur =3D __ww_waiter_first(); cur; cur =3D __ww_waiter_next())
+ *
+ * Should iterate like: W1, W2, W3
+ */
 static inline struct mutex_waiter *
 __ww_waiter_next(struct mutex *lock, struct mutex_waiter *w)
 	__must_hold(&lock->wait_lock)
 {
 	w =3D list_next_entry(w, list);
+	/*
+	 * Terminate if the next entry is the first again, that has already
+	 * been observed.
+	 */
 	if (lock->first_waiter =3D=3D w)
 		return NULL;
=20
 	return w;
 }
=20
+/*
+ * for (cur =3D __ww_waiter_last(); cur; cur =3D __ww_waiter_prev())
+ *
+ * Should iterate like: W3, W2, W1
+ */
 static inline struct mutex_waiter *
 __ww_waiter_prev(struct mutex *lock, struct mutex_waiter *w)
 	__must_hold(&lock->wait_lock)
 {
-	w =3D list_prev_entry(w, list);
+	/*
+	 * Terminate at the first entry, the previous entry of first is the
+	 * last and that has already been observed.
+	 */
 	if (lock->first_waiter =3D=3D w)
 		return NULL;
=20
-	return w;
+	return list_prev_entry(w, list);
 }
=20
 static inline struct mutex_waiter *