CVE-2026-31555

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
24/04/2026
Last modified:
27/04/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

futex: Clear stale exiting pointer in futex_lock_pi() retry path

Fuzzing/stressing futexes triggered:

  WARNING: kernel/futex/core.c:825 at wait_for_owner_exiting+0x7a/0x80, CPU#11: futex_lock_pi_s/524

When futex_lock_pi_atomic() sees the owner is exiting, it returns -EBUSY
and stores a refcounted task pointer in 'exiting'.

After wait_for_owner_exiting() consumes that reference, the local pointer
is never reset to nil. Upon a retry, if futex_lock_pi_atomic() returns a
different error, the bogus pointer is passed to wait_for_owner_exiting().

  CPU0                      CPU1                                   CPU2
  futex_lock_pi(uaddr)
  // acquires the PI futex
  exit()
    futex_cleanup_begin()
      futex_state = EXITING;
                            futex_lock_pi(uaddr)
                              futex_lock_pi_atomic()
                                attach_to_pi_owner()
                                  // observes EXITING
                                  *exiting = owner; // takes ref
                                  return -EBUSY
                              wait_for_owner_exiting(-EBUSY, owner)
                                put_task_struct(); // drops ref
                              // exiting still points to owner
                              goto retry;
                              futex_lock_pi_atomic()
                                lock_pi_update_atomic()
                                  cmpxchg(uaddr)
                                                                   *uaddr ^= WAITERS // whatever
                                  // value changed
                                  return -EAGAIN;
                              wait_for_owner_exiting(-EAGAIN, exiting) // stale
                                WARN_ON_ONCE(exiting)

Fix this by resetting upon retry, essentially aligning it with requeue_pi.
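The retry sequence described above, reduced to a user-space model of the pointer handling. This is an added example, not kernel code and not part of the original commit: struct task, the *_model functions and the reset_on_retry switch are hypothetical names, and the three-attempt return sequence (-EBUSY, -EAGAIN, 0) is constructed to mirror the CPU1 column of the trace.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

struct task { int refs; };  /* hypothetical stand-in for task_struct */
static int warned;          /* modelled WARN_ON_ONCE(exiting) hits */

/* Models futex_lock_pi_atomic(): -EBUSY with a ref, then -EAGAIN, then 0. */
static int lock_pi_atomic_model(int attempt, struct task *owner, struct task **exiting)
{
    if (attempt == 0) {
        owner->refs++;      /* takes ref */
        *exiting = owner;
        return -EBUSY;
    }
    return attempt == 1 ? -EAGAIN : 0;  /* *exiting is not written here */
}

/* Models wait_for_owner_exiting(): only -EBUSY may carry a task pointer. */
static void wait_for_owner_exiting_model(int ret, struct task *exiting)
{
    if (ret != -EBUSY) {
        warned += (exiting != NULL);    /* WARN_ON_ONCE(exiting) */
        return;
    }
    exiting->refs--;        /* put_task_struct(): drops ref */
}

/* Retry loop reduced to pointer handling; returns the number of warnings. */
static int run_lock_pi_model(bool reset_on_retry, struct task *owner)
{
    struct task *exiting = NULL;
    warned = 0;
    for (int attempt = 0; ; attempt++) {
        exiting = reset_on_retry ? NULL : exiting;  /* the fix: clear on retry */
        int ret = lock_pi_atomic_model(attempt, owner, &exiting);
        if (ret != -EBUSY && ret != -EAGAIN)
            return warned;
        wait_for_owner_exiting_model(ret, exiting);
    }
}

int main(void)
{
    struct task t = { .refs = 1 };
    int unfixed = run_lock_pi_model(false, &t);
    printf("warnings: unfixed=%d fixed=%d\n", unfixed, run_lock_pi_model(true, &t));
    return 0;
}
```

In the model the reference count stays balanced in both runs; what differs is whether the already-released pointer is still held when the -EAGAIN retry reaches the wait helper.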

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.4.255 (including) 4.5 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.9.255 (including) 4.10 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.14.158 (including) 4.15 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.19.172 (including) 4.20 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.4.1 (including) 5.5 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.5.1 (including) 5.10.253 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.203 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.168 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.131 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.12.80 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 6.18.21 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.19 (including) 6.19.11 (excluding)
cpe:2.3:o:linux:linux_kernel:5.5:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*