From: Davidlohr Bueso
To: tglx@kernel.org, mingo@redhat.com
Cc: peterz@infradead.org, dvhart@infradead.org, andrealmeid@igalia.com, linux-kernel@vger.kernel.org, Davidlohr Bueso
Subject: [PATCH -tip] futex: Clear stale exiting pointer when pi-locking
Date: Wed, 25 Mar 2026 16:51:47 -0700
Message-Id: <20260325235147.4125545-1-dave@stgolabs.net>
X-Mailing-List: linux-kernel@vger.kernel.org

Fuzzing/stressing futexes triggered:

    WARNING: kernel/futex/core.c:825 at oh_my_futex+0x7a/0x80, CPU#11: futex_lock_pi_s/524

When futex_lock_pi_atomic() sees the owner is exiting, it returns -EBUSY
and stores a refcounted task pointer in 'exiting'. After wait_for_owner_exiting()
consumes that reference, the local pointer is never reset to nil. Upon a retry,
if futex_lock_pi_atomic() returns a different error, the bogus pointer is passed
to wait_for_owner_exiting().

    CPU0                        CPU1                                      CPU2
    futex_lock_pi(uaddr)
    // acquires the PI futex
    exit()
      futex_cleanup_begin()
        futex_state = EXITING
                                futex_lock_pi(uaddr)
                                  futex_lock_pi_atomic()
                                    attach_to_pi_owner()
                                      // sees EXITING
                                      *exiting = owner // takes ref
                                      return -EBUSY
                                  wait_for_owner_exiting(-EBUSY, owner)
                                    put_task_struct() // drops ref
                                  // exiting still points to owner
                                  goto retry
                                  futex_lock_pi_atomic()
                                    lock_pi_update_atomic()
                                      cmpxchg(uaddr)
                                                                          *uaddr ^= WAITERS // whatever
                                      // value changed
                                      return -EAGAIN
                                  wait_for_owner_exiting(-EAGAIN, exiting) // stale
                                    WARN_ON_ONCE(exiting)

Fix this by resetting upon retry, essentially aligning with requeue_pi.

Fixes: 3ef240eaff36 ("futex: Prevent exit livelock")
Signed-off-by: Davidlohr Bueso
--- kernel/futex/pi.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/kernel/futex/pi.c b/kernel/futex/pi.c index 49ab5f40e86c..643199fdbe62 100644 --- a/kernel/futex/pi.c +++ b/kernel/futex/pi.c
@@ -923,7 +923,7 @@ int fixup_pi_owner(u32 __user *uaddr, struct futex_q *q= , int locked) int futex_lock_pi(u32 __user *uaddr, unsigned int flags, ktime_t *time, in= t trylock) { struct hrtimer_sleeper timeout, *to; - struct task_struct *exiting =3D NULL; + struct task_struct *exiting; struct rt_mutex_waiter rt_waiter; struct futex_q q =3D futex_q_init; DEFINE_WAKE_Q(wake_q); @@ -938,6 +938,7 @@ int futex_lock_pi(u32 __user *uaddr, unsigned int flags= , ktime_t *time, int tryl to =3D futex_setup_timer(time, &timeout, flags, 0); =20 retry: + exiting =3D NULL; ret =3D get_futex_key(uaddr, flags, &q.key, FUTEX_WRITE); if (unlikely(ret !=3D 0)) goto out; --=20 2.39.5
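
Review bot: keep the '= NULL' initializer on 'struct task_struct *exiting' in the declaration block of futex_lock_pi() (first hunk) rather than dropping it. With the initializer gone, the pointer is only defined once control has passed the 'retry:' label, which holds for the lines shown here because only futex_setup_timer() runs before the label, but any later change that adds an early exit or an early use above 'retry:' would read an uninitialized pointer instead of NULL. The assignment under 'retry:' is what fixes the stale-pointer warning; the initializer is a free second line of defence and leaving it in place also keeps the diff to a single added line.

Review bot: the 'exiting = NULL;' added directly under 'retry:' in the second hunk should carry a short comment saying why the reset lives there, since nothing in the surrounding lines shows that the pointer can be left dangling. The changelog explains it (wait_for_owner_exiting() has already dropped the reference taken on the -EBUSY path, and a later pass may return a different error such as -EAGAIN), but a reader of pi.c will not have the changelog at hand. Something like '/* Reference was consumed by wait_for_owner_exiting(); do not carry it across retries */' above the assignment would keep a future cleanup from folding the reset back into the declaration.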