CVE-2026-52946

Summary

In the Linux kernel, the following vulnerability has been resolved:

fs/fcntl: fix SOFTIRQ-unsafe lock order in fasync signaling

A SOFTIRQ-safe to SOFTIRQ-unsafe lock order deadlock can occur in send_sigio() and send_sigurg() when a process group receives a signal.

When FASYNC is configured for a process group (PIDTYPE_PGID), both functions use read_lock(&tasklist_lock) to traverse the task list. However, they are frequently called from softirq context:

  • send_sigio() via input_inject_event -> kill_fasync
  • send_sigurg() via tcp_check_urg -> sk_send_sigurg (NET_RX_SOFTIRQ)

The deadlock is caused by the rwlock writer fairness mechanism:

  1. CPU 0 (process context) holds read_lock(&tasklist_lock) in do_wait().
  2. CPU 1 (process context) attempts write_lock(&tasklist_lock) in fork() or exit() and spins, which blocks all new readers.
  3. CPU 0 is interrupted by a softirq (e.g., TCP URG packet reception).
  4. The softirq calls send_sigurg() and attempts to acquire read_lock(&tasklist_lock), deadlocking because CPU 1 is waiting.

Since PID hashing and do_each_pid_task() traversals are already RCU-protected, the read_lock on tasklist_lock is no longer strictly required for safe traversal. Fix this by replacing tasklist_lock with rcu_read_lock(), aligning the process group signaling path with the single-PID path. This also mitigates a potential remote denial of service vector via TCP URG packets.

Lockdep splat:

WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected […] Chain exists of: &dev->event_lock –> &f_owner->lock –> tasklist_lock

Possible interrupt unsafe locking scenario: CPU0 CPU1 —- —- lock(tasklist_lock); local_irq_disable(); lock(&dev->event_lock); lock(&f_owner->lock); <Interrupt> lock(&dev->event_lock);

*** DEADLOCK ***

Affected Software

VendorProductVersion RangeStatus
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 54626335ea4174ab2d9a183b511d825f6765e47baffected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 897d6a7247739fb1528f98c575df4f2e5de7f994affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 32dbd5ce4be3a3ed7e00f8af18795cc84fc50a33affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < b5fa9e32fb6718f70c986ee14dd5d01b4846f331affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 1bee417678f1135e35b25a37734db46aa94258d2affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 20a93e397abe850c49b6fa0e8cc827b5f634a8f5affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < bfcc8e8d8a495bb34cae9e620adfb75fb13a3954affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 36c1b57b2ecf3c61ac93f5f07bd29b6f21e226edaffected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 00633c4683828acd5256fa8d5163f440d74bbe71affected
LinuxLinux2.6.12affected
LinuxLinux0 < 2.6.12unaffected
LinuxLinux5.10.259 <= 5.10.*unaffected
LinuxLinux5.15.210 <= 5.15.*unaffected
LinuxLinux6.1.176 <= 6.1.*unaffected
LinuxLinux6.6.143 <= 6.6.*unaffected
LinuxLinux6.12.94 <= 6.12.*unaffected
LinuxLinux6.18.36 <= 6.18.*unaffected
LinuxLinux7.0.13 <= 7.0.*unaffected
LinuxLinux7.1.1 <= 7.1.*unaffected
LinuxLinux7.2-rc1 <= *unaffected

Weaknesses

References