Description
In the Linux kernel, the following vulnerability has been resolved: fs/fcntl: fix SOFTIRQ-unsafe lock order in fasync signaling A SOFTIRQ-safe to SOFTIRQ-unsafe lock order deadlock can occur in send_sigio() and send_sigurg() when a process group receives a signal. When FASYNC is configured for a process group (PIDTYPE_PGID), both functions use read_lock(&tasklist_lock) to traverse the task list. However, they are frequently called from softirq context: - send_sigio() via input_inject_event -> kill_fasync - send_sigurg() via tcp_check_urg -> sk_send_sigurg (NET_RX_SOFTIRQ) The deadlock is caused by the rwlock writer fairness mechanism: 1. CPU 0 (process context) holds read_lock(&tasklist_lock) in do_wait(). 2. CPU 1 (process context) attempts write_lock(&tasklist_lock) in fork() or exit() and spins, which blocks all new readers. 3. CPU 0 is interrupted by a softirq (e.g., TCP URG packet reception). 4. The softirq calls send_sigurg() and attempts to acquire read_lock(&tasklist_lock), deadlocking because CPU 1 is waiting. Since PID hashing and do_each_pid_task() traversals are already RCU-protected, the read_lock on tasklist_lock is no longer strictly required for safe traversal. Fix this by replacing tasklist_lock with rcu_read_lock(), aligning the process group signaling path with the single-PID path. This also mitigates a potential remote denial of service vector via TCP URG packets. Lockdep splat: ===================================================== WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected [...] Chain exists of: &dev->event_lock --> &f_owner->lock --> tasklist_lock Possible interrupt unsafe locking scenario: CPU0 CPU1 ---- ---- lock(tasklist_lock); local_irq_disable(); lock(&dev->event_lock); lock(&f_owner->lock); <Interrupt> lock(&dev->event_lock); *** DEADLOCK ***
CVSS breakdown
Affected products
- Linux / Linux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 – 54626335ea4174ab2d9a183b511d825f6765e47b
- Linux / Linux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 – 897d6a7247739fb1528f98c575df4f2e5de7f994
- Linux / Linux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 – 32dbd5ce4be3a3ed7e00f8af18795cc84fc50a33
- Linux / Linux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 – b5fa9e32fb6718f70c986ee14dd5d01b4846f331
- Linux / Linux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 – 1bee417678f1135e35b25a37734db46aa94258d2
- Linux / Linux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 – 20a93e397abe850c49b6fa0e8cc827b5f634a8f5
- Linux / Linux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 – bfcc8e8d8a495bb34cae9e620adfb75fb13a3954
- Linux / Linux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 – 36c1b57b2ecf3c61ac93f5f07bd29b6f21e226ed
- Linux / Linux0 – 5.10.259
- Linux / Linux0 – 5.15.210
- Linux / Linux0 – 6.1.176
- Linux / Linux0 – 6.6.143
- Linux / Linux0 – 6.12.94
- Linux / Linux0 – 6.18.36
- Linux / Linux0 – 7.0.13
- Linux / Linux0 – 7.1.1
- Linux / Linux5.10.259 – 5.10.*
- Linux / Linux5.15.210 – 5.15.*
- Linux / Linux6.1.176 – 6.1.*
- Linux / Linux6.6.143 – 6.6.*
- Linux / Linux6.12.94 – 6.12.*
- Linux / Linux6.18.36 – 6.18.*
- Linux / Linux7.0.13 – 7.0.*
- Linux / Linux7.1.1 – 7.1.*
References
- MISChttps://git.kernel.org/stable/c/54626335ea4174ab2d9a183b511d825f6765e47b
- MISChttps://git.kernel.org/stable/c/897d6a7247739fb1528f98c575df4f2e5de7f994
- MISChttps://git.kernel.org/stable/c/32dbd5ce4be3a3ed7e00f8af18795cc84fc50a33
- MISChttps://git.kernel.org/stable/c/b5fa9e32fb6718f70c986ee14dd5d01b4846f331
- MISChttps://git.kernel.org/stable/c/1bee417678f1135e35b25a37734db46aa94258d2
- MISChttps://git.kernel.org/stable/c/20a93e397abe850c49b6fa0e8cc827b5f634a8f5
- MISChttps://git.kernel.org/stable/c/bfcc8e8d8a495bb34cae9e620adfb75fb13a3954
- MISChttps://git.kernel.org/stable/c/36c1b57b2ecf3c61ac93f5f07bd29b6f21e226ed