From 3bfdc63936dd4773109b7b8c280c0f3b5ae7d349 Mon Sep 17 00:00:00 2001 From: Keenan Dong Date: Wed, 8 Apr 2026 16:46:00 +0800 Subject: [PATCH 1/2] rtmutex: Use waiter::task instead of current in remove_waiter() remove_waiter() is used by the slowlock paths, but it is also used for proxy-lock rollback in rt_mutex_start_proxy_lock() when invoked from futex_requeue(). In the latter case waiter::task is not current, but remove_waiter() operates on current for the dequeue operation. That results in several problems: 1) the rbtree dequeue happens without waiter::task::pi_lock being held 2) the waiter task's pi_blocked_on state is not cleared, which leaves a dangling pointer primed for UAF around. 3) rt_mutex_adjust_prio_chain() operates on the wrong top priority waiter task Use waiter::task instead of current in all related operations in remove_waiter() to cure those problems. [ tglx: Fixup rt_mutex_adjust_prio_chain(), add a comment and amend the changelog ] Fixes: 8161239a8bcc ("rtmutex: Simplify PI algorithm and make highest prio task get lock") Reported-by: Yuan Tan Reported-by: Yifan Wu Reported-by: Juefei Pu Reported-by: Xin Liu Signed-off-by: Keenan Dong Signed-off-by: Thomas Gleixner Cc: stable@vger.kernel.org --- kernel/locking/rtmutex.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/kernel/locking/rtmutex.c b/kernel/locking/rtmutex.c index ccaba6148b61..4f386ea6c792 100644 --- a/kernel/locking/rtmutex.c +++ b/kernel/locking/rtmutex.c @@ -1544,6 +1544,8 @@ static bool rtmutex_spin_on_owner(struct rt_mutex_base *lock, * * Must be called with lock->wait_lock held and interrupts disabled. It must * have just failed to try_to_take_rt_mutex(). + * + * When invoked from rt_mutex_start_proxy_lock() waiter::task != current ! */ static void __sched remove_waiter(struct rt_mutex_base *lock, struct rt_mutex_waiter *waiter) @@ -1551,14 +1553,15 @@ static void __sched remove_waiter(struct rt_mutex_base *lock, { bool is_top_waiter = (waiter == rt_mutex_top_waiter(lock)); struct task_struct *owner = rt_mutex_owner(lock); + struct task_struct *waiter_task = waiter->task; struct rt_mutex_base *next_lock; lockdep_assert_held(&lock->wait_lock); - raw_spin_lock(¤t->pi_lock); - rt_mutex_dequeue(lock, waiter); - current->pi_blocked_on = NULL; - raw_spin_unlock(¤t->pi_lock); + scoped_guard(raw_spinlock, &waiter_task->pi_lock) { + rt_mutex_dequeue(lock, waiter); + waiter_task->pi_blocked_on = NULL; + } /* * Only update priority if the waiter was the highest priority @@ -1594,7 +1597,7 @@ static void __sched remove_waiter(struct rt_mutex_base *lock, raw_spin_unlock_irq(&lock->wait_lock); rt_mutex_adjust_prio_chain(owner, RT_MUTEX_MIN_CHAINWALK, lock, - next_lock, NULL, current); + next_lock, NULL, waiter_task); raw_spin_lock_irq(&lock->wait_lock); } From 0adc92b910b3d6bf4913d79869365d553154a070 Mon Sep 17 00:00:00 2001 From: Peter Zijlstra Date: Wed, 22 Apr 2026 10:38:41 +0200 Subject: [PATCH 2/2] locking/mutex: Fix ww_mutex wait_list operations Chaitanya, John and Mikhail reported commit 25500ba7e77c ("locking/mutex: Remove the list_head from struct mutex") wrecked ww_mutex. Specifically there were 2 issues: - __ww_waiter_prev() had the termination condition wrong; it would terminate when the previous entry was the first, which results in a truncated iteration: W3, W2, (no W1). - __mutex_add_waiter(@pos != NULL), as used by __ww_waiter_add() / __ww_mutex_add_waiter(); this inserts @waiter before @pos (which is what list_add_tail() does). But this should then also update lock->first_waiter. Much thanks to Prateek for spotting the __mutex_add_waiter() issue! Fixes: 25500ba7e77c ("locking/mutex: Remove the list_head from struct mutex") Reported-by: "Borah, Chaitanya Kumar" Closes: https://lore.kernel.org/r/af005996-05e9-4336-8450-d14ca652ba5d%40intel.com Reported-by: John Stultz Closes: https://lore.kernel.org/r/CANDhNCq%3Doizzud3hH3oqGzTrcjB8OwGeineJ3mwZuGdDWG8fRQ%40mail.gmail.com Reported-by: Mikhail Gavrilov Closes: https://lore.kernel.org/r/CABXGCsO5fKq2nD9nO8yO1z50ZzgCPWqueNXHANjntaswoOh2Dg@mail.gmail.com Debugged-by: K Prateek Nayak Signed-off-by: Peter Zijlstra (Intel) Tested-by: K Prateek Nayak Tested-by: Mikhail Gavrilov Link: https://patch.msgid.link/20260422092335.GH3102924%40noisy.programming.kicks-ass.net --- kernel/locking/mutex.c | 40 ++++++++++++++++++++++++++------------- kernel/locking/ww_mutex.h | 34 +++++++++++++++++++++++++++++++-- 2 files changed, 59 insertions(+), 15 deletions(-) diff --git a/kernel/locking/mutex.c b/kernel/locking/mutex.c index 186b463fe326..09534628dc01 100644 --- a/kernel/locking/mutex.c +++ b/kernel/locking/mutex.c @@ -198,27 +198,43 @@ static inline void __mutex_clear_flag(struct mutex *lock, unsigned long flag) } /* - * Add @waiter to a given location in the lock wait_list and set the - * FLAG_WAITERS flag if it's the first waiter. + * Add @waiter to the @lock wait_list and set the FLAG_WAITERS flag if it's + * the first waiter. + * + * When @pos, @waiter is added before the waiter indicated by @pos. Otherwise + * @waiter will be added to the tail of the list. */ static void __mutex_add_waiter(struct mutex *lock, struct mutex_waiter *waiter, - struct mutex_waiter *first) + struct mutex_waiter *pos) __must_hold(&lock->wait_lock) { + struct mutex_waiter *first = lock->first_waiter; + hung_task_set_blocker(lock, BLOCKER_TYPE_MUTEX); debug_mutex_add_waiter(lock, waiter, current); - if (!first) - first = lock->first_waiter; + if (pos) { + /* + * Insert @waiter before @pos. + */ + list_add_tail(&waiter->list, &pos->list); + /* + * If @pos == @first, then @waiter will be the new first. + */ + if (pos == first) + lock->first_waiter = waiter; + return; + } if (first) { list_add_tail(&waiter->list, &first->list); - } else { - INIT_LIST_HEAD(&waiter->list); - lock->first_waiter = waiter; - __mutex_set_flag(lock, MUTEX_FLAG_WAITERS); + return; } + + INIT_LIST_HEAD(&waiter->list); + lock->first_waiter = waiter; + __mutex_set_flag(lock, MUTEX_FLAG_WAITERS); } static void @@ -229,10 +245,8 @@ __mutex_remove_waiter(struct mutex *lock, struct mutex_waiter *waiter) __mutex_clear_flag(lock, MUTEX_FLAGS); lock->first_waiter = NULL; } else { - if (lock->first_waiter == waiter) { - lock->first_waiter = list_first_entry(&waiter->list, - struct mutex_waiter, list); - } + if (lock->first_waiter == waiter) + lock->first_waiter = list_next_entry(waiter, list); list_del(&waiter->list); } diff --git a/kernel/locking/ww_mutex.h b/kernel/locking/ww_mutex.h index 016f0db892a5..6c12452097e1 100644 --- a/kernel/locking/ww_mutex.h +++ b/kernel/locking/ww_mutex.h @@ -6,6 +6,19 @@ #define MUTEX_WAITER mutex_waiter #define WAIT_LOCK wait_lock +/* + * +--------+ + * | first | + * +--------+ + * | + * v + * +----+ +----+ +----+ + * | W3 | <-> | W1 | <-> | W2 | + * +----+ +----+ +----+ + * ^ ^ + * +---------------------+ + */ + static inline struct mutex_waiter * __ww_waiter_first(struct mutex *lock) __must_hold(&lock->wait_lock) @@ -13,26 +26,43 @@ __ww_waiter_first(struct mutex *lock) return lock->first_waiter; } +/* + * for (cur = __ww_waiter_first(); cur; cur = __ww_waiter_next()) + * + * Should iterate like: W1, W2, W3 + */ static inline struct mutex_waiter * __ww_waiter_next(struct mutex *lock, struct mutex_waiter *w) __must_hold(&lock->wait_lock) { w = list_next_entry(w, list); + /* + * Terminate if the next entry is the first again, that has already + * been observed. + */ if (lock->first_waiter == w) return NULL; return w; } +/* + * for (cur = __ww_waiter_last(); cur; cur = __ww_waiter_prev()) + * + * Should iterate like: W3, W2, W1 + */ static inline struct mutex_waiter * __ww_waiter_prev(struct mutex *lock, struct mutex_waiter *w) __must_hold(&lock->wait_lock) { - w = list_prev_entry(w, list); + /* + * Terminate at the first entry, the previous entry of first is the + * last and that has already been observed. + */ if (lock->first_waiter == w) return NULL; - return w; + return list_prev_entry(w, list); } static inline struct mutex_waiter *