7.5

CVE-2026-52946

fs/fcntl: fix SOFTIRQ-unsafe lock order in fasync signaling

In the Linux kernel, the following vulnerability has been resolved:

fs/fcntl: fix SOFTIRQ-unsafe lock order in fasync signaling

A SOFTIRQ-safe to SOFTIRQ-unsafe lock order deadlock can occur in
send_sigio() and send_sigurg() when a process group receives a signal.

When FASYNC is configured for a process group (PIDTYPE_PGID), both
functions use read_lock(&tasklist_lock) to traverse the task list.
However, they are frequently called from softirq context:
- send_sigio() via input_inject_event -> kill_fasync
- send_sigurg() via tcp_check_urg -> sk_send_sigurg (NET_RX_SOFTIRQ)

The deadlock is caused by the rwlock writer fairness mechanism:
1. CPU 0 (process context) holds read_lock(&tasklist_lock) in do_wait().
2. CPU 1 (process context) attempts write_lock(&tasklist_lock) in
   fork() or exit() and spins, which blocks all new readers.
3. CPU 0 is interrupted by a softirq (e.g., TCP URG packet reception).
4. The softirq calls send_sigurg() and attempts to acquire
   read_lock(&tasklist_lock), deadlocking because CPU 1 is waiting.

Since PID hashing and do_each_pid_task() traversals are already
RCU-protected, the read_lock on tasklist_lock is no longer strictly
required for safe traversal. Fix this by replacing tasklist_lock with
rcu_read_lock(), aligning the process group signaling path with the
single-PID path. This also mitigates a potential remote denial of
service vector via TCP URG packets.

Lockdep splat:
=====================================================
WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected
[...]
Chain exists of:
  &dev->event_lock --> &f_owner->lock --> tasklist_lock

Possible interrupt unsafe locking scenario:
       CPU0                    CPU1
       ----                    ----
  lock(tasklist_lock);
                           local_irq_disable();
                           lock(&dev->event_lock);
                           lock(&f_owner->lock);
  <Interrupt>
    lock(&dev->event_lock);

*** DEADLOCK ***
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerLinux
Produkt Linux
Default Statusunaffected
Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version < 54626335ea4174ab2d9a183b511d825f6765e47b
Status affected
Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version < 897d6a7247739fb1528f98c575df4f2e5de7f994
Status affected
Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version < 32dbd5ce4be3a3ed7e00f8af18795cc84fc50a33
Status affected
Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version < b5fa9e32fb6718f70c986ee14dd5d01b4846f331
Status affected
Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version < 1bee417678f1135e35b25a37734db46aa94258d2
Status affected
Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version < 20a93e397abe850c49b6fa0e8cc827b5f634a8f5
Status affected
Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version < bfcc8e8d8a495bb34cae9e620adfb75fb13a3954
Status affected
Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version < 36c1b57b2ecf3c61ac93f5f07bd29b6f21e226ed
Status affected
Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version < 00633c4683828acd5256fa8d5163f440d74bbe71
Status affected
HerstellerLinux
Produkt Linux
Default Statusaffected
Version 2.6.12
Status affected
Version 0
Version < 2.6.12
Status unaffected
Version <= 5.10.*
Version 5.10.259
Status unaffected
Version <= 5.15.*
Version 5.15.210
Status unaffected
Version <= 6.1.*
Version 6.1.176
Status unaffected
Version <= 6.6.*
Version 6.6.143
Status unaffected
Version <= 6.12.*
Version 6.12.94
Status unaffected
Version <= 6.18.*
Version 6.18.36
Status unaffected
Version <= 7.0.*
Version 7.0.13
Status unaffected
Version <= 7.1.*
Version 7.1.1
Status unaffected
Version <= *
Version 7.2-rc1
Status unaffected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.61% 0.448
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
416baaa9-dc9f-4396-8d5f-8c081fb06d67 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Es wurden noch keine Informationen zu CWE veröffentlicht.
https://git.kernel.org/stable/c/54626335ea4174ab2d9a183b511d825f6765e47b
https://git.kernel.org/stable/c/897d6a7247739fb1528f98c575df4f2e5de7f994
https://git.kernel.org/stable/c/32dbd5ce4be3a3ed7e00f8af18795cc84fc50a33
https://git.kernel.org/stable/c/b5fa9e32fb6718f70c986ee14dd5d01b4846f331
https://git.kernel.org/stable/c/1bee417678f1135e35b25a37734db46aa94258d2
https://git.kernel.org/stable/c/20a93e397abe850c49b6fa0e8cc827b5f634a8f5
https://git.kernel.org/stable/c/bfcc8e8d8a495bb34cae9e620adfb75fb13a3954
https://git.kernel.org/stable/c/36c1b57b2ecf3c61ac93f5f07bd29b6f21e226ed
https://git.kernel.org/stable/c/00633c4683828acd5256fa8d5163f440d74bbe71