ACK: [SRU][N][PATCH 0/1] CVE-2025-38352

Jacob Martin jacob.martin at canonical.com
Thu Sep 18 14:36:38 UTC 2025


On 9/17/25 11:38 AM, Massimiliano Pellizzer wrote:
> [ Impact ]
> 
> posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del()
> If an exiting non-autoreaping task has already passed exit_notify() and
> calls handle_posix_cpu_timers() from IRQ, it can be reaped by its parent
> or debugger right after unlock_task_sighand().
> 
> If a concurrent posix_cpu_timer_del() runs at that moment, it won't be
> able to detect timer->it.cpu.firing != 0: cpu_timer_task_rcu() and/or
> lock_task_sighand() will fail.
> 
> Add the tsk->exit_state check into run_posix_cpu_timers() to fix this.
> 
> [ Fix ]
> 
> Plucky: Fixed through upstream stable updates (LP: #2119603)
> Noble: Cherry picked the fix commit from upstream
> Jammy: Fixed through upstream stable updates (LP: #2116904)
> 
> [ Test Plan ]
> 
> Compile tested only.
> 
> [ Regression Potential ]
> 
> A regression here is unlikely due to the very limited scope
> of the patch.
> 
> 
> Oleg Nesterov (1):
>    posix-cpu-timers: fix race between handle_posix_cpu_timers() and
>      posix_cpu_timer_del()
> 
>   kernel/time/posix-cpu-timers.c | 9 +++++++++
>   1 file changed, 9 insertions(+)
> 

Acked-by: Jacob Martin <jacob.martin at canonical.com>



