From: Greg Kroah-Hartman Date: Tue, 17 Jun 2025 14:12:55 +0000 (+0200) Subject: 6.12-stable patches X-Git-Tag: v6.6.94~29 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7d52eee2182c3a7a2f3fddf82d7977138e2cc99d;p=thirdparty%2Fkernel%2Fstable-queue.git 6.12-stable patches added patches: posix-cpu-timers-fix-race-between-handle_posix_cpu_timers-and-posix_cpu_timer_del.patch --- diff --git a/queue-6.12/posix-cpu-timers-fix-race-between-handle_posix_cpu_timers-and-posix_cpu_timer_del.patch b/queue-6.12/posix-cpu-timers-fix-race-between-handle_posix_cpu_timers-and-posix_cpu_timer_del.patch new file mode 100644 index 0000000000..e49fc98712 --- /dev/null +++ b/queue-6.12/posix-cpu-timers-fix-race-between-handle_posix_cpu_timers-and-posix_cpu_timer_del.patch 
@@ -0,0 +1,55 @@ +From f90fff1e152dedf52b932240ebbd670d83330eca Mon Sep 17 00:00:00 2001 +From: Oleg Nesterov +Date: Fri, 13 Jun 2025 19:26:50 +0200 +Subject: posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Oleg Nesterov + +commit f90fff1e152dedf52b932240ebbd670d83330eca upstream. + +If an exiting non-autoreaping task has already passed exit_notify() and +calls handle_posix_cpu_timers() from IRQ, it can be reaped by its parent +or debugger right after unlock_task_sighand(). + +If a concurrent posix_cpu_timer_del() runs at that moment, it won't be +able to detect timer->it.cpu.firing != 0: cpu_timer_task_rcu() and/or +lock_task_sighand() will fail. + +Add the tsk->exit_state check into run_posix_cpu_timers() to fix this. + +This fix is not needed if CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y, because +exit_task_work() is called before exit_notify(). But the check still +makes sense, task_work_add(&tsk->posix_cputimers_work.work) will fail +anyway in this case. + +Cc: stable@vger.kernel.org +Reported-by: Benoît Sevens +Fixes: 0bdd2ed4138e ("sched: run_posix_cpu_timers: Don't check ->exit_state, use lock_task_sighand()") +Signed-off-by: Oleg Nesterov +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + kernel/time/posix-cpu-timers.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/kernel/time/posix-cpu-timers.c ++++ b/kernel/time/posix-cpu-timers.c +@@ -1401,6 +1401,15 @@ void run_posix_cpu_timers(void) + lockdep_assert_irqs_disabled(); + + /* ++ * Ensure that release_task(tsk) can't happen while ++ * handle_posix_cpu_timers() is running. Otherwise, a concurrent ++ * posix_cpu_timer_del() may fail to lock_task_sighand(tsk) and ++ * miss timer->it.cpu.firing != 0. 
++ */ ++ if (tsk->exit_state) ++ return; ++ ++ /* + * If the actual expiry is deferred to task work context and the + * work is already scheduled there is no point to do anything here. + */ diff --git a/queue-6.12/series b/queue-6.12/series index 0039841661..9e648bd205 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -487,3 +487,4 @@ tools-resolve_btfids-fix-build-when-cross-compiling-kernel-with-clang.patch revert-wifi-mwifiex-fix-ht40-bandwidth-issue.patch alsa-usb-audio-add-implicit-feedback-quirk-for-rode-ai-1.patch hid-usbhid-eliminate-recurrent-out-of-bounds-bug-in-usbhid_parse.patch +posix-cpu-timers-fix-race-between-handle_posix_cpu_timers-and-posix_cpu_timer_del.patch
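Review bot: In the run_posix_cpu_timers() hunk, the comment added above `if (tsk->exit_state) return;` explains the release_task() race but leaves out the configuration dependency that the commit message spells out. The check is only strictly needed when CONFIG_POSIX_CPU_TIMERS_TASK_WORK is not set, and it is kept in the task-work case because task_work_add() would fail there anyway. Adding one sentence to that effect in the comment would stop a later cleanup from dropping the check as redundant. The comment could also say that expiry is intentionally skipped for a task that has passed exit_notify(), since the early return now happens before any timer handling.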
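Review bot: The queue-6.12/series hunk appends the new entry to the 6.12 queue only, while the queued patch carries Cc: stable and a Fixes: tag for 0bdd2ed4138e, and the page header shows X-Git-Tag v6.6.94~29. Please confirm that the other stable queues whose trees contain 0bdd2ed4138e receive the same patch in their own commits, because nothing in this diff covers them.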