CVE-2026-53163

In the Linux kernel, the following vulnerability has been resolved:

locking/rtmutex: Skip remove waiter() when waiter is not enqueued

syzbot triggered the following splat in remove waiter() via FUTEX CMP REQUEUE PI:

KASAN: null-ptr-deref in range [0x0000000000000a88-0x0000000000000a8f] class raw spinlock constructor remove waiter+0x159/0x1200 kernel/locking/rtmutex.c:1561 rt mutex start proxy lock+0x103/0x120 futex requeue+0x10e4/0x20d0 x64 sys futex+0x34f/0x4d0

task blocks on rt mutex() does not arm the waiter upon deadlock detection, leaving waiter->task nil, where 3bfdc63936dd ("rtmutex: Use waiter::task instead of current in remove waiter()") made this fatal.

Furthermore, rt mutex start proxy lock() should not be calling into remove waiter() upon a successfully grabbing the rtmutex. 1a1fb985f2e2 ("futex: Handle early deadlock return correctly"), moved the remove waiter() out of rt mutex start proxy lock() (where 'ret' was only ever 0 or < 0) into the wrapper. Tighten this check to account for try to take rt mutex().