[SRU][N][PATCH 0/1] CVE-2025-38352
Massimiliano Pellizzer
massimiliano.pellizzer at canonical.com
Wed Sep 17 16:38:37 UTC 2025

[ Impact ]

posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del()

If an exiting non-autoreaping task has already passed exit_notify() and
calls handle_posix_cpu_timers() from IRQ, it can be reaped by its parent
or debugger right after unlock_task_sighand().

If a concurrent posix_cpu_timer_del() runs at that moment, it won't be
able to detect timer->it.cpu.firing != 0: cpu_timer_task_rcu() and/or
lock_task_sighand() will fail.

Add the tsk->exit_state check into run_posix_cpu_timers() to fix this.

[ Fix ]

Plucky: Fixed through upstream stable updates (LP: #2119603)
Noble: Cherry picked the fix commit from upstream
Jammy: Fixed through upstream stable updates (LP: #2116904)

[ Test Plan ]

Compile tested only.

[ Regression Potential ]

A regression here is unlikely due to the very limited scope
of the patch.

Oleg Nesterov (1):
  posix-cpu-timers: fix race between handle_posix_cpu_timers() and
    posix_cpu_timer_del()

 kernel/time/posix-cpu-timers.c | 9 +++++++++
 1 file changed, 9 insertions(+)

--
2.48.1