Description
In the Linux kernel, the following vulnerability has been resolved: futex/requeue: Prevent NULL pointer dereference in remove_waiter() on self-deadlock When FUTEX_CMP_REQUEUE_PI requeues a non-top waiter that already owns the target PI futex, task_blocks_on_rt_mutex() returns -EDEADLK before setting waiter->task. The subsequent remove_waiter() in rt_mutex_start_proxy_lock() dereferences the NULL waiter->task, causing a kernel crash. Add a self-deadlock check for non-top waiters before calling rt_mutex_start_proxy_lock(), analogous to the top-waiter check in futex_lock_pi_atomic().
Product status
3fb7394a837740770f0d6b4b30567e60786a63f2 (git) before 16f8e17184b31382076f84751db5ac51fc02733e
88614876370aac8ad1050ad785a4c095ba17ac11 (git) before 1f2f3f3eacd6653ab215c5d2ea70811148d433fc
3bfdc63936dd4773109b7b8c280c0f3b5ae7d349 (git) before 74e144274af39935b0f410c0ee4d2b91c3730414
d8cce4773c2b23d819baf5abedc62f7b430e8745 (git)
8a1fc8d698ac5e5916e3082a0f74450d71f9611f (git)
6d52dfcb2a5db86e346cf51f8fcf2071b8085166 (git)
6.1.175 (semver) before 6.2
6.6.140 (semver) before 6.7
6.12.86 (semver) before 6.13
6.18.27 (semver) before 6.18.36
7.0.4 (semver) before 7.0.13
References
git.kernel.org/...c/16f8e17184b31382076f84751db5ac51fc02733e
git.kernel.org/...c/1f2f3f3eacd6653ab215c5d2ea70811148d433fc
git.kernel.org/...c/74e144274af39935b0f410c0ee4d2b91c3730414