5.5

CVE-2026-31555

futex: Clear stale exiting pointer in futex_lock_pi() retry path

In the Linux kernel, the following vulnerability has been resolved:

futex: Clear stale exiting pointer in futex_lock_pi() retry path

Fuzzying/stressing futexes triggered:

    WARNING: kernel/futex/core.c:825 at wait_for_owner_exiting+0x7a/0x80, CPU#11: futex_lock_pi_s/524

When futex_lock_pi_atomic() sees the owner is exiting, it returns -EBUSY
and stores a refcounted task pointer in 'exiting'.

After wait_for_owner_exiting() consumes that reference, the local pointer
is never reset to nil. Upon a retry, if futex_lock_pi_atomic() returns a
different error, the bogus pointer is passed to wait_for_owner_exiting().

  CPU0			     CPU1		       CPU2
  futex_lock_pi(uaddr)
  // acquires the PI futex
  exit()
    futex_cleanup_begin()
      futex_state = EXITING;
			     futex_lock_pi(uaddr)
			       futex_lock_pi_atomic()
				 attach_to_pi_owner()
				   // observes EXITING
				   *exiting = owner;  // takes ref
				   return -EBUSY
			       wait_for_owner_exiting(-EBUSY, owner)
				 put_task_struct();   // drops ref
			       // exiting still points to owner
			       goto retry;
			       futex_lock_pi_atomic()
				 lock_pi_update_atomic()
				   cmpxchg(uaddr)
					*uaddr ^= WAITERS // whatever
				   // value changed
				 return -EAGAIN;
			       wait_for_owner_exiting(-EAGAIN, exiting) // stale
				 WARN_ON_ONCE(exiting)

Fix this by resetting upon retry, essentially aligning it with requeue_pi.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 4.4.255 < 4.5
LinuxLinux Kernel Version >= 4.9.255 < 4.10
LinuxLinux Kernel Version >= 4.14.158 < 4.15
LinuxLinux Kernel Version >= 4.19.172 < 4.20
LinuxLinux Kernel Version >= 5.4.1 < 5.5
LinuxLinux Kernel Version >= 5.5.1 < 5.10.253
LinuxLinux Kernel Version >= 5.11 < 5.15.203
LinuxLinux Kernel Version >= 5.16 < 6.1.168
LinuxLinux Kernel Version >= 6.2 < 6.6.131
LinuxLinux Kernel Version >= 6.7 < 6.12.80
LinuxLinux Kernel Version >= 6.13 < 6.18.21
LinuxLinux Kernel Version >= 6.19 < 6.19.11
LinuxLinux Kernel Version5.5 Update-
LinuxLinux Kernel Version7.0 Updaterc1
LinuxLinux Kernel Version7.0 Updaterc2
LinuxLinux Kernel Version7.0 Updaterc3
LinuxLinux Kernel Version7.0 Updaterc4
LinuxLinux Kernel Version7.0 Updaterc5
LinuxLinux Kernel Version7.0 Updaterc6
LinuxLinux Kernel Version7.0 Updaterc7
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.12% 0.024
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.5 1.8 3.6
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Es wurden noch keine Informationen zu CWE veröffentlicht.
https://git.kernel.org/stable/c/33095ae3bdde5e5c264d7e88a2f3e7703a26c7aa
Patch
https://git.kernel.org/stable/c/e7824ec168d2ac883a213cd1f4d6cc0816002a85
Patch
https://git.kernel.org/stable/c/5e8e06bf8909e79b4acd950cf578cfc2f10bbefa
Patch
https://git.kernel.org/stable/c/de7c0c04ad868f2cee6671b11c0a6d20421af1da
Patch
https://git.kernel.org/stable/c/7475dfad10a05a5bfadebf5f2499bd61b19ed293
Patch
https://git.kernel.org/stable/c/92e47ad03e03dbb5515bdf06444bf6b1e147310d
Patch
https://git.kernel.org/stable/c/71112e62807d1925dc3ae6188b11f8cfc85aec23
Patch
https://git.kernel.org/stable/c/210d36d892de5195e6766c45519dfb1e65f3eb83
Patch