tmakin/tegra-linux-noble
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
rel-38
tegra-linux-noble/kernel
T
History
Oleg Nesterov 6768ecea00 posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del() 
If an exiting non-autoreaping task has already passed exit_notify() and
calls handle_posix_cpu_timers() from IRQ, it can be reaped by its parent
or debugger right after unlock_task_sighand().

If a concurrent posix_cpu_timer_del() runs at that moment, it won't be
able to detect timer->it.cpu.firing != 0: cpu_timer_task_rcu() and/or
lock_task_sighand() will fail.

Add the tsk->exit_state check into run_posix_cpu_timers() to fix this.

This fix is not needed if CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y, because
exit_task_work() is called before exit_notify(). But the check still
makes sense, task_work_add(&tsk->posix_cputimers_work.work) will fail
anyway in this case.

Cc: stable@vger.kernel.org
Reported-by: Benoît Sevens <bsevens@google.com>
Fixes: 0bdd2ed413 ("sched: run_posix_cpu_timers: Don't check ->exit_state, use lock_task_sighand()")
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit f90fff1e152dedf52b932240ebbd670d83330eca)

Bug 5341153

CVE-2025-38352
Change-Id: I2146869cc8f9684d4e4d56eaa247f54ed0225e1e
Signed-off-by: Brad Griffis <bgriffis@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/c/3rdparty/canonical/linux-noble/+/3435903
GVS: buildbot_gerritrpt <buildbot_gerritrpt@nvidia.com>
Reviewed-by: Paritosh Dixit <paritoshd@nvidia.com>
2025-08-20 09:12:13 -07:00
..
bpf
bpf: Cancel the running bpf_timer through kworker for PREEMPT_RT
2025-06-15 10:38:12 +03:00
cgroup
cgroup/cpuset: remove kernfs active break
2025-04-15 19:59:56 +03:00
configs
hardening: Provide Kconfig fragments for basic options
2023-09-22 09:50:55 -07:00
debug
kdb: Use the passed prompt in kdb_position_cursor()
2024-11-09 18:40:10 +03:00
dma
dma-debug: fix a possible deadlock on radix_lock
2025-03-14 14:31:45 +01:00
entry
sched: define TIF_ALLOW_RESCHED
2025-06-25 11:17:16 -04:00
events
perf: Split __perf_pending_irq() out of perf_pending_irq()
2025-06-25 11:17:21 -04:00
futex
futex: Prevent the reuse of stale pi_state
2024-01-19 12:58:17 +01:00
gcov
gcov: add support for GCC 14
2024-08-13 12:12:56 +02:00
irq
genirq: Make handle_enforce_irqctx() unconditionally available
2025-06-15 10:37:24 +03:00
kcsan
kcsan: Turn report_filterlist_lock into a raw_spinlock
2025-03-14 14:31:42 +01:00
livepatch
livepatch: Fix missing newline character in klp_resolve_symbols()
2023-09-20 11:24:18 +02:00
locking
NVIDIA: SAUCE: Revert "NVIDIA: SAUCE: locking/rtmutex: use cmpxchg in mark_rt_mutex_waiters"
2025-07-16 20:14:30 -07:00
module
module: Fix KCOV-ignored file name
2025-01-17 14:43:47 +03:00
power
PM: hibernate: Add error handling for syscore_suspend()
2025-06-15 10:37:55 +03:00
printk
printk: nbcon: Fix illegal RCU usage on thread wakeup
2025-06-25 11:17:24 -04:00
rcu
rcu: Mark emergency sections in rcu stalls
2025-06-25 11:06:07 -04:00
sched
sched: define TIF_ALLOW_RESCHED
2025-06-25 11:17:16 -04:00
time
posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del()
2025-08-20 09:12:13 -07:00
trace
sched: define TIF_ALLOW_RESCHED
2025-06-25 11:17:16 -04:00
.gitignore
acct.c
fs: rename __mnt_{want,drop}_write*() helpers
2023-09-11 15:05:50 +02:00
async.c
Merge tag 'header_cleanup-2024-01-10' of https://evilpiepirate.org/git/bcachefs
2024-01-10 16:43:55 -08:00
audit_fsnotify.c
audit: fix potential double free on error path from fsnotify_add_inode_mark
2022-08-22 18:50:06 -04:00
audit_tree.c
Merge tag 'mm-nonmm-stable-2023-11-02-14-08' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
2023-11-02 20:53:31 -10:00
audit_watch.c
audit: don't WARN_ON_ONCE(!current->mm) in audit_exe_compare()
2023-11-14 17:34:27 -05:00
audit.c
UBUNTU: SAUCE: apparmor4.0.0 [26/90]: LSM stacking v39: Audit: Add record for multiple object contexts
2024-04-12 10:15:32 +02:00
audit.h
UBUNTU: SAUCE: apparmor4.0.0 [22/90]: LSM stacking v39: Audit: Create audit_stamp structure
2024-04-12 10:15:31 +02:00
auditfilter.c
ima: Avoid blocking in RCU read-side critical section
2024-08-13 12:13:03 +02:00
auditsc.c
UBUNTU: SAUCE: apparmor4.0.0 [26/90]: LSM stacking v39: Audit: Add record for multiple object contexts
2024-04-12 10:15:32 +02:00
backtracetest.c
bounds.c
bounds: Use the right number of bits for power-of-two CONFIG_NR_CPUS
2024-07-05 10:11:43 +02:00
capability.c
lsm: constify the 'target' parameter in security_capget()
2023-08-08 16:48:47 -04:00
cfi.c
cfi: Switch to -fsanitize=kcfi
2022-09-26 10:13:13 -07:00
compat.c
sched_getaffinity: don't assume 'cpumask_size()' is fully initialized
2023-03-14 19:32:38 -07:00
configs.c
proc: convert everything to "struct proc_ops"
2020-02-04 03:05:26 +00:00
context_tracking.c
locking/atomic: treewide: use raw_atomic*_<op>()
2023-06-05 09:57:20 +02:00
cpu_pm.c
cpuidle, cpu_pm: Remove RCU fiddling from cpu_pm_{enter,exit}()
2023-01-13 11:48:15 +01:00
cpu.c
hrtimers: Handle CPU state correctly on hotplug
2025-05-19 12:48:13 +02:00
crash_core.c
kallsyms: get rid of code for absolute kallsyms
2024-11-09 18:45:22 +03:00
crash_dump.c
crash_dump: Remove no longer used saved_max_pfn
2020-04-15 11:21:54 +02:00
cred.c
cred: get rid of CONFIG_DEBUG_CREDENTIALS
2023-12-15 14:19:48 -08:00
delayacct.c
delayacct: track delays from IRQ/SOFTIRQ
2023-04-18 16:39:34 -07:00
dma.c
proc: introduce proc_create_single{,_data}
2018-05-16 07:23:35 +02:00
exec_domain.c
proc: introduce proc_create_single{,_data}
2018-05-16 07:23:35 +02:00
exit.c
seccomp: release task filters when the task exits
2024-11-09 18:45:57 +03:00
exit.h
exit: add internal include file with helpers
2023-09-21 12:03:50 -06:00
extable.c
context_tracking: Take NMI eqs entrypoints over RCU
2022-07-05 13:32:59 -07:00
fail_function.c
kernel/fail_function: fix memory leak with using debugfs_lookup()
2023-02-08 13:36:22 +01:00
fork.c
fork: avoid inappropriate uprobe access to invalid mm
2025-04-15 19:58:57 +03:00
freezer.c
Merge tag 'v6.7-rc6' into sched/core, to pick up fixes
2023-12-23 15:52:13 +01:00
gen_kheaders.sh
kheaders: Ignore silly-rename files
2025-05-19 12:48:11 +02:00
groups.c
groups: Convert group_info.usage to refcount_t
2023-09-29 11:28:39 -07:00
hung_task.c
kernel/hung_task.c: set some hung_task.c variables storage-class-specifier to static
2023-04-08 13:45:37 -07:00
iomem.c
kernel/iomem.c: remove __weak ioremap_cache helper
2023-08-21 13:37:28 -07:00
irq_work.c
trace: Add trace_ipi_send_cpu()
2023-03-24 11:01:29 +01:00
jump_label.c
jump_label: Fix static_key_slow_dec() yet again
2025-01-17 14:44:03 +03:00
kallsyms_internal.h
kallsyms: get rid of code for absolute kallsyms
2024-11-09 18:45:22 +03:00
kallsyms_selftest.c
kallsyms: Match symbols exactly with CONFIG_LTO_CLANG
2024-11-09 18:45:22 +03:00
kallsyms_selftest.h
kallsyms: Add self-test facility
2022-11-15 00:42:02 -08:00
kallsyms.c
kallsyms: Match symbols exactly with CONFIG_LTO_CLANG
2024-11-09 18:45:22 +03:00
kcmp.c
file: convert to SLAB_TYPESAFE_BY_RCU
2023-10-19 11:02:48 +02:00
Kconfig.freezer
Kconfig.hz
Kconfig.kexec
kexec: select CRYPTO from KEXEC_FILE instead of depending on it
2023-12-20 13:46:19 -08:00
Kconfig.locks
Kconfig.preempt
sched: define TIF_ALLOW_RESCHED
2025-06-25 11:17:16 -04:00
kcov.c
kcov: mark in_softirq_really() as __always_inline
2025-04-15 19:59:18 +03:00
kexec_core.c
kexec: do syscore_shutdown() in kernel_kexec
2024-01-12 15:20:47 -08:00
kexec_elf.c
kexec_elf: support 32 bit ELF files
2019-09-06 23:58:44 +02:00
kexec_file.c
kexec_file: fix elfcorehdr digest exclusion when CONFIG_CRASH_HOTPLUG=y
2024-11-09 18:45:44 +03:00
kexec_internal.h
panic, kexec: make __crash_kexec() NMI safe
2022-09-11 21:55:06 -07:00
kexec.c
kernel: kexec: copy user-array safely
2023-10-09 16:59:47 +10:00
kheaders.c
kheaders: Use array declaration instead of char
2023-03-24 20:10:59 -07:00
kprobes.c
kprobes: Fix to check symbol prefixes correctly
2024-11-09 18:44:57 +03:00
ksyms_common.c
kallsyms: make kallsyms_show_value() as generic function
2023-06-08 12:27:20 -07:00
ksysfs.c
sysfs: Add /sys/kernel/realtime entry
2025-06-25 11:17:17 -04:00
kthread.c
kthread: unpark only parked kthread
2025-02-14 15:50:39 +03:00
latencytop.c
latencytop: use the last element of latency_record of system
2022-09-11 21:55:12 -07:00
Makefile
kernel/numa.c: Move logging out of numa.h
2023-12-20 19:26:30 -05:00
module_signature.c
module: harden ELF info handling
2021-01-19 10:24:45 +01:00
notifier.c
notifiers: add tracepoints to the notifiers infrastructure
2023-04-08 13:45:38 -07:00
nsproxy.c
nsproxy: Convert nsproxy.count to refcount_t
2023-08-21 11:29:12 -07:00
numa.c
kernel/numa.c: Move logging out of numa.h
2023-12-20 19:26:30 -05:00
padata.c
padata: avoid UAF for reorder_work
2025-06-15 10:37:35 +03:00
panic.c
panic: Mark emergency section in oops
2025-06-25 11:06:07 -04:00
params.c
params: Fix multi-line comment style
2023-12-01 09:51:44 -08:00
pid_namespace.c
zap_pid_ns_processes: clear TIF_NOTIFY_SIGNAL along with TIF_SIGPENDING
2024-08-13 12:12:38 +02:00
pid_sysctl.h
memfd: replace ratcheting feature from vm.memfd_noexec with hierarchy
2023-08-21 13:37:59 -07:00
pid.c
file: remove __receive_fd()
2023-12-12 14:24:14 +01:00
profile.c
profiling: remove profile=sleep support
2024-11-09 18:44:55 +03:00
ptrace.c
Merge tag 'mm-nonmm-stable-2024-01-09-10-33' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
2024-01-09 11:46:20 -08:00
range.c
kernel.h: split out min()/max() et al. helpers
2020-10-16 11:11:19 -07:00
reboot.c
Merge tag 'thermal-6.8-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
2024-01-09 16:20:17 -08:00
regset.c
regset: kill ->get()
2020-07-27 14:31:12 -04:00
relay.c
kernel: relay: remove relay_file_splice_read dead code, doesn't work
2023-12-29 12:22:27 -08:00
resource_kunit.c
resource.c
resource,kexec: walk_system_ram_res_rev must retain resource flags
2025-03-14 14:30:17 +01:00
rseq.c
rseq: Extend struct rseq with per-memory-map concurrency ID
2022-12-27 12:52:12 +01:00
scftorture.c
scftorture: Pause testing after memory-allocation failure
2023-07-14 15:02:57 -07:00
scs.c
scs: add support for dynamic shadow call stacks
2022-11-09 18:06:35 +00:00
seccomp.c
seccomp: release task filters when the task exits
2024-11-09 18:45:57 +03:00
signal.c
posix-timers: Target group sigqueue to current task only if not exiting
2025-03-14 14:31:20 +01:00
smp.c
smp: Add missing destroy_work_on_stack() call in smp_call_on_cpu()
2024-11-09 18:45:50 +03:00
smpboot.c
kthread: add kthread_stop_put
2023-10-04 10:41:57 -07:00
smpboot.h
softirq.c
softirq: Add function to preempt serving softirqs.
2025-06-25 11:06:05 -04:00
stackleak.c
stackleak: allow to specify arch specific stackleak poison function
2023-04-20 11:36:35 +02:00
stacktrace.c
stacktrace: fix kernel-doc typo
2023-12-29 12:22:29 -08:00
static_call_inline.c
x86/static-call: provide a way to do very early static-call updates
2025-04-15 19:58:38 +03:00
static_call.c
stop_machine.c
Merge tag 'sched-core-2022-05-23' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
2022-05-24 11:11:13 -07:00
sys_ni.c
syscalls: fix compat_sys_io_pgetevents_time64 usage
2024-09-27 11:14:30 +02:00
sys.c
prctl: generalize PR_SET_MDWE support check to be per-arch
2024-05-01 15:55:31 +02:00
sysctl-test.c
kernel/sysctl-test: use SYSCTL_{ZERO/ONE_HUNDRED} instead of i_{zero/one_hundred}
2022-09-08 16:56:45 -07:00
sysctl.c
UBUNTU: SAUCE: add a sysctl to disable unprivileged user namespace unsharing
2024-03-11 09:39:16 +01:00
task_work.c
task_work: make TWA_NMI_CURRENT handling conditional on IRQ_WORK
2025-03-14 14:30:04 +01:00
taskstats.c
taskstats: fill_stats_for_tgid: use for_each_thread()
2023-10-04 10:41:57 -07:00
torture.c
torture: Print out torture module parameters
2023-09-24 17:24:01 +02:00
tracepoint.c
tracepoint: Allow livepatch module add trace event
2023-02-18 14:34:36 -05:00
tsacct.c
taskstats: version 12 with thread group and exe info
2022-04-29 14:38:03 -07:00
ucount.c
ucounts: fix counter leak in inc_rlimit_get_ucounts()
2025-03-14 14:30:26 +01:00
uid16.c
uid16.h
kernel: provide ksys_*() wrappers for syscalls called by kernel/uid16.c
2018-04-02 20:15:30 +02:00
umh.c
sysctl: fix unused proc_cap_handler() function warning
2023-06-29 15:19:43 -07:00
up.c
smp: Change function signatures to use call_single_data_t
2023-09-13 14:59:24 +02:00
user_namespace.c
UBUNTU: SAUCE: add a sysctl to disable unprivileged user namespace unsharing
2024-03-11 09:39:16 +01:00
user-return-notifier.c
user.c
binfmt_misc: enable sandboxed mounts
2023-10-11 08:46:01 -07:00
usermode_driver.c
blob_to_mnt(): kern_unmount() is needed to undo kern_mount()
2022-05-19 23:25:47 -04:00
utsname_sysctl.c
utsname: simplify one-level sysctl registration for uts_kern_table
2023-04-13 11:49:35 -07:00
utsname.c
uts: Use generic ns_common::count
2020-08-19 14:13:20 +02:00
vhost_task.c
vhost: return task creation error instead of NULL
2025-05-19 12:48:19 +02:00
watch_queue.c
watch_queue: fix kcalloc() arguments order
2023-12-21 13:17:54 +01:00
watchdog_buddy.c
watchdog/hardlockup: move SMP barriers from common code to buddy code
2023-06-19 16:25:28 -07:00
watchdog_perf.c
watchdog/perf: properly initialize the turbo mode timestamp and rearm counter
2024-11-09 18:40:09 +03:00
watchdog.c
watchdog: if panicking and we dumped everything, don't re-enable dumping
2023-12-29 12:22:30 -08:00
workqueue_internal.h
workqueue: Drop the special locking rule for worker->flags and worker_pool->flags
2023-08-07 15:57:22 -10:00
workqueue.c
workqueue: Do not warn when cancelling WQ_MEM_RECLAIM work from !WQ_MEM_RECLAIM worker
2025-04-15 19:59:51 +03:00