From: Greg Kroah-Hartman Date: Mon, 15 Jun 2026 16:45:27 +0000 (+0200) Subject: 7.1-stable patches X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=70d0297c12d16446022041e6ca4a1963fb6379b1;p=thirdparty%2Fkernel%2Fstable-queue.git 7.1-stable patches added patches: fs-fcntl-fix-softirq-unsafe-lock-order-in-fasync-signaling.patch series --- diff --git a/queue-7.1/fs-fcntl-fix-softirq-unsafe-lock-order-in-fasync-signaling.patch b/queue-7.1/fs-fcntl-fix-softirq-unsafe-lock-order-in-fasync-signaling.patch new file mode 100644 index 0000000000..625c8e6d72 --- /dev/null +++ b/queue-7.1/fs-fcntl-fix-softirq-unsafe-lock-order-in-fasync-signaling.patch @@ -0,0 +1,91 @@ +From 00633c4683828acd5256fa8d5163f440d74bbe71 Mon Sep 17 00:00:00 2001 +From: Mingyu Wang <25181214217@stu.xidian.edu.cn> +Date: Sat, 23 May 2026 21:52:10 +0800 +Subject: fs/fcntl: fix SOFTIRQ-unsafe lock order in fasync signaling + +From: Mingyu Wang <25181214217@stu.xidian.edu.cn> + +commit 00633c4683828acd5256fa8d5163f440d74bbe71 upstream. + +A SOFTIRQ-safe to SOFTIRQ-unsafe lock order deadlock can occur in +send_sigio() and send_sigurg() when a process group receives a signal. + +When FASYNC is configured for a process group (PIDTYPE_PGID), both +functions use read_lock(&tasklist_lock) to traverse the task list. +However, they are frequently called from softirq context: +- send_sigio() via input_inject_event -> kill_fasync +- send_sigurg() via tcp_check_urg -> sk_send_sigurg (NET_RX_SOFTIRQ) + +The deadlock is caused by the rwlock writer fairness mechanism: +1. CPU 0 (process context) holds read_lock(&tasklist_lock) in do_wait(). +2. CPU 1 (process context) attempts write_lock(&tasklist_lock) in + fork() or exit() and spins, which blocks all new readers. +3. CPU 0 is interrupted by a softirq (e.g., TCP URG packet reception). +4. The softirq calls send_sigurg() and attempts to acquire + read_lock(&tasklist_lock), deadlocking because CPU 1 is waiting. + +Since PID hashing and do_each_pid_task() traversals are already +RCU-protected, the read_lock on tasklist_lock is no longer strictly +required for safe traversal. Fix this by replacing tasklist_lock with +rcu_read_lock(), aligning the process group signaling path with the +single-PID path. This also mitigates a potential remote denial of +service vector via TCP URG packets. + +Lockdep splat: +===================================================== +WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected +[...] +Chain exists of: + &dev->event_lock --> &f_owner->lock --> tasklist_lock + +Possible interrupt unsafe locking scenario: + CPU0 CPU1 + ---- ---- + lock(tasklist_lock); + local_irq_disable(); + lock(&dev->event_lock); + lock(&f_owner->lock); + + lock(&dev->event_lock); + +*** DEADLOCK *** + +Reviewed-by: Jeff Layton +Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn> +Link: https://patch.msgid.link/20260523135210.590928-1-w15303746062@163.com +Signed-off-by: Christian Brauner (Amutable) +Signed-off-by: Greg Kroah-Hartman +--- + fs/fcntl.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/fs/fcntl.c ++++ b/fs/fcntl.c +@@ -929,11 +929,11 @@ void send_sigio(struct fown_struct *fown + send_sigio_to_task(p, fown, fd, band, type); + rcu_read_unlock(); + } else { +- read_lock(&tasklist_lock); ++ rcu_read_lock(); + do_each_pid_task(pid, type, p) { + send_sigio_to_task(p, fown, fd, band, type); + } while_each_pid_task(pid, type, p); +- read_unlock(&tasklist_lock); ++ rcu_read_unlock(); + } + out_unlock_fown: + read_unlock_irqrestore(&fown->lock, flags); +@@ -975,11 +975,11 @@ int send_sigurg(struct file *file) + send_sigurg_to_task(p, fown, type); + rcu_read_unlock(); + } else { +- read_lock(&tasklist_lock); ++ rcu_read_lock(); + do_each_pid_task(pid, type, p) { + send_sigurg_to_task(p, fown, type); + } while_each_pid_task(pid, type, p); +- read_unlock(&tasklist_lock); ++ rcu_read_unlock(); + } + out_unlock_fown: + read_unlock_irqrestore(&fown->lock, flags); diff --git a/queue-7.1/series b/queue-7.1/series new file mode 100644 index 0000000000..a9e2d904a7 --- /dev/null +++ b/queue-7.1/series @@ -0,0 +1 @@ +fs-fcntl-fix-softirq-unsafe-lock-order-in-fasync-signaling.patch