From: Greg Kroah-Hartman
Date: Mon, 15 Jun 2026 16:45:25 +0000 (+0200)
Subject: 6.18-stable patches
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=0e66f64e8564d5a29f70066db26e7050f382921a;p=thirdparty%2Fkernel%2Fstable-queue.git 6.18-stable patches added patches: fs-fcntl-fix-softirq-unsafe-lock-order-in-fasync-signaling.patch
---
diff --git a/queue-6.18/fs-fcntl-fix-softirq-unsafe-lock-order-in-fasync-signaling.patch b/queue-6.18/fs-fcntl-fix-softirq-unsafe-lock-order-in-fasync-signaling.patch
new file mode 100644
index 0000000000..4df5b5afc7
--- /dev/null
+++ b/queue-6.18/fs-fcntl-fix-softirq-unsafe-lock-order-in-fasync-signaling.patch
@@ -0,0 +1,91 @@
+From 00633c4683828acd5256fa8d5163f440d74bbe71 Mon Sep 17 00:00:00 2001
+From: Mingyu Wang <25181214217@stu.xidian.edu.cn>
+Date: Sat, 23 May 2026 21:52:10 +0800
+Subject: fs/fcntl: fix SOFTIRQ-unsafe lock order in fasync signaling
+
+From: Mingyu Wang <25181214217@stu.xidian.edu.cn>
+
+commit 00633c4683828acd5256fa8d5163f440d74bbe71 upstream.
+
+A SOFTIRQ-safe to SOFTIRQ-unsafe lock order deadlock can occur in
+send_sigio() and send_sigurg() when a process group receives a signal.
+
+When FASYNC is configured for a process group (PIDTYPE_PGID), both
+functions use read_lock(&tasklist_lock) to traverse the task list.
+However, they are frequently called from softirq context:
+- send_sigio() via input_inject_event -> kill_fasync
+- send_sigurg() via tcp_check_urg -> sk_send_sigurg (NET_RX_SOFTIRQ)
+
+The deadlock is caused by the rwlock writer fairness mechanism:
+1. CPU 0 (process context) holds read_lock(&tasklist_lock) in do_wait().
+2. CPU 1 (process context) attempts write_lock(&tasklist_lock) in
+ fork() or exit() and spins, which blocks all new readers.
+3. CPU 0 is interrupted by a softirq (e.g., TCP URG packet reception).
+4. The softirq calls send_sigurg() and attempts to acquire
+ read_lock(&tasklist_lock), deadlocking because CPU 1 is waiting.
+
+Since PID hashing and do_each_pid_task() traversals are already
+RCU-protected, the read_lock on tasklist_lock is no longer strictly
+required for safe traversal. Fix this by replacing tasklist_lock with
+rcu_read_lock(), aligning the process group signaling path with the
+single-PID path. This also mitigates a potential remote denial of
+service vector via TCP URG packets.
+
+Lockdep splat:
+=====================================================
+WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected
+[...]
+Chain exists of:
+ &dev->event_lock --> &f_owner->lock --> tasklist_lock
+
+Possible interrupt unsafe locking scenario:
+ CPU0 CPU1
+ ---- ----
+ lock(tasklist_lock);
+ local_irq_disable();
+ lock(&dev->event_lock);
+ lock(&f_owner->lock);
+
+ lock(&dev->event_lock);
+
+*** DEADLOCK ***
+
+Reviewed-by: Jeff Layton
+Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn>
+Link: https://patch.msgid.link/20260523135210.590928-1-w15303746062@163.com
+Signed-off-by: Christian Brauner (Amutable)
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/fcntl.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/fs/fcntl.c
++++ b/fs/fcntl.c
+@@ -916,11 +916,11 @@ void send_sigio(struct fown_struct *fown
+ send_sigio_to_task(p, fown, fd, band, type);
+ rcu_read_unlock();
+ } else {
+- read_lock(&tasklist_lock);
++ rcu_read_lock();
+ do_each_pid_task(pid, type, p) {
+ send_sigio_to_task(p, fown, fd, band, type);
+ } while_each_pid_task(pid, type, p);
+- read_unlock(&tasklist_lock);
++ rcu_read_unlock();
+ }
+ out_unlock_fown:
+ read_unlock_irqrestore(&fown->lock, flags);
+@@ -962,11 +962,11 @@ int send_sigurg(struct file *file)
+ send_sigurg_to_task(p, fown, type);
+ rcu_read_unlock();
+ } else {
+- read_lock(&tasklist_lock);
++ rcu_read_lock();
+ do_each_pid_task(pid, type, p) {
+ send_sigurg_to_task(p, fown, type);
+ } while_each_pid_task(pid, type, p);
+- read_unlock(&tasklist_lock);
++ rcu_read_unlock();
+ }
+ out_unlock_fown:
+ read_unlock_irqrestore(&fown->lock, flags);
diff --git a/queue-6.18/series b/queue-6.18/series
index d3f00d1662..d9b5e709fc 100644
--- a/queue-6.18/series
+++ b/queue-6.18/series
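Review bot: The new `rcu_read_lock()` in send_sigio()'s process-group branch carries no comment saying why tasklist_lock is deliberately not taken, and the reason (this path runs from softirq per the commit message, and an rwlock reader is what deadlocks against a spinning writer) is invisible at the call site. A later cleanup that "restores" the read_lock for consistency with other task-list walks would silently reintroduce the lockdep splat and the TCP URG denial-of-service path the message describes. Suggest a comment above the new line, e.g. `/* RCU pins the tasks walked by do_each_pid_task(); do not take tasklist_lock here, this runs from softirq (kill_fasync, sk_send_sigurg) */`, and the same comment at the matching hunk in send_sigurg(). The correctness argument assumes send_sigio_to_task() only needs the task kept alive, which the single-PID branch visible in the context lines already relies on under rcu_read_lock(); both send_sigio() and send_sigurg() start outside the hunk, so their remaining callers and the fown->lock irqsave section are not visible here.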
@@ -301,3 +301,4 @@ drm-amd-display-add-missing-csc-entries-for-bt.2020-for-dce-ips.patch
 drm-amd-display-fix-null-deref-and-buffer-over-read-in-sdp-debugfs.patch
 drm-amd-display-fix-out-of-bounds-read-in-dp_get_eq_aux_rd_interval.patch
 drm-amd-display-use-krealloc_array-in-dal_vector_reserve.patch
+fs-fcntl-fix-softirq-unsafe-lock-order-in-fasync-signaling.patch