
Conversation

PlaidCat
Collaborator

@PlaidCat PlaidCat commented Sep 9, 2025

jira VULN-136690
jira VULN-136689
cve CVE-2025-38352
commit-author Oleg Nesterov <oleg@redhat.com>
commit f90fff1e152dedf52b932240ebbd670d83330eca
upstream-diff There were massive merge conflicts due to several commits
	      missing from upstream.  Had to manually place and correct
	      due to cherry-pick being extremely greedy with trying to
	      pull changes from this LKML change set:
	      https://lore.kernel.org/all/20200730101404.956367860@linutronix.de/

If an exiting non-autoreaping task has already passed exit_notify() and calls handle_posix_cpu_timers() from IRQ, it can be reaped by its parent or debugger right after unlock_task_sighand().

If a concurrent posix_cpu_timer_del() runs at that moment, it won't be able to detect timer->it.cpu.firing != 0: cpu_timer_task_rcu() and/or lock_task_sighand() will fail.

Add the tsk->exit_state check into run_posix_cpu_timers() to fix this.

This fix is not needed if CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y, because exit_task_work() is called before exit_notify(). But the check still makes sense, task_work_add(&tsk->posix_cputimers_work.work) will fail anyway in this case.

BUILD

[jmaple@devbox code]$ egrep -B 5 -A 5 "\[TIMER\]|^Starting Build" $(ls -t kbuild* | head -n1)
/mnt/code/kernel-src-tree-build
Running make mrproper...
[TIMER]{MRPROPER}: 6s
x86_64 architecture detected, copying config
'configs/kernel-x86_64.config' -> '.config'
Setting Local Version for build
CONFIG_LOCALVERSION="-jmaple_fips-8-compliant_4.18.0-553.16.1-438fc40f44a5"
Making olddefconfig
--
  HOSTLD  scripts/kconfig/conf
scripts/kconfig/conf  --olddefconfig Kconfig
#
# configuration written to .config
#
Starting Build
scripts/kconfig/conf  --syncconfig Kconfig
  SYSTBL  arch/x86/include/generated/asm/syscalls_32.h
  SYSHDR  arch/x86/include/generated/asm/unistd_32_ia32.h
  SYSHDR  arch/x86/include/generated/asm/unistd_64_x32.h
  SYSTBL  arch/x86/include/generated/asm/syscalls_64.h
--
  LD [M]  sound/usb/usx2y/snd-usb-usx2y.ko
  LD [M]  sound/virtio/virtio_snd.ko
  LD [M]  sound/x86/snd-hdmi-lpe-audio.ko
  LD [M]  sound/xen/snd_xen_front.ko
  LD [M]  virt/lib/irqbypass.ko
[TIMER]{BUILD}: 1880s
Making Modules
  INSTALL arch/x86/crypto/blowfish-x86_64.ko
  INSTALL arch/x86/crypto/camellia-aesni-avx-x86_64.ko
  INSTALL arch/x86/crypto/camellia-aesni-avx2.ko
  INSTALL arch/x86/crypto/camellia-x86_64.ko
--
  INSTALL sound/virtio/virtio_snd.ko
  INSTALL sound/xen/snd_xen_front.ko
  INSTALL sound/x86/snd-hdmi-lpe-audio.ko
  INSTALL virt/lib/irqbypass.ko
  DEPMOD  4.18.0-jmaple_fips-8-compliant_4.18.0-553.16.1-438fc40f44a5+
[TIMER]{MODULES}: 15s
Making Install
sh ./arch/x86/boot/install.sh 4.18.0-jmaple_fips-8-compliant_4.18.0-553.16.1-438fc40f44a5+ arch/x86/boot/bzImage \
        System.map "/boot"
[TIMER]{INSTALL}: 19s
Checking kABI
kABI check passed
Setting Default Kernel to /boot/vmlinuz-4.18.0-jmaple_fips-8-compliant_4.18.0-553.16.1-438fc40f44a5+ and Index to 2
Hopefully Grub2.0 took everything ... rebooting after time metrices
[TIMER]{MRPROPER}: 6s
[TIMER]{BUILD}: 1880s
[TIMER]{MODULES}: 15s
[TIMER]{INSTALL}: 19s
[TIMER]{TOTAL} 1926s
Rebooting in 10 seconds

KselfTest

[jmaple@devbox code]$ ls -rt kselftest.* | tail -n4 | while read line; do echo $line; grep '^ok ' $line | wc -l ; done

kselftest.4.18.0-553.16.1.el8_10.ciqfips.0.12.1.x86_64.log
204
kselftest.4.18.0-jmaple_fips-8-compliant_4.18.0-553.16.1-438fc40f44a5+.log
204
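A per-test comparison of two kselftest logs, added here as an example and not part of the PR or of the build script it quotes: equal "ok" counts can hide one test regressing while another is newly fixed, so this compares results by test name. The sample logs are constructed and the test names in them are illustrative.

```shell
#!/bin/sh
# Print "status<TAB>name" for every TAP result line in the given log.
# Status is ok, not ok, or skip (an ok / not ok line carrying "# SKIP").
tap_results() {
    awk '
      /^(ok|not ok) [0-9]+ / {
        status = ($0 ~ /^ok /) ? "ok" : "not ok"
        if (index($0, "# SKIP")) status = "skip"
        sub(/^(ok|not ok) [0-9]+ /, "")      # drop the "ok N " prefix
        sub(/ *#.*$/, "")                    # drop any "# directive" suffix
        printf "%s\t%s\n", status, $0
      }' "$1"
}

# Number of tests that genuinely passed (skips excluded) in one log.
pass_count() {
    tap_results "$1" | awk -F '\t' '$1 == "ok"' | wc -l | tr -d ' '
}

# Names of tests that were ok in the baseline log ($1) but not ok in the
# candidate log ($2). Skips on either side are ignored.
regressions() {
    tmp=$(mktemp -d)
    tap_results "$1" > "$tmp/base"
    tap_results "$2" > "$tmp/cand"
    awk -F '\t' '
      FILENAME == ARGV[1] { base[$2] = $1; next }
      $1 == "not ok" && base[$2] == "ok" { print $2 }
    ' "$tmp/base" "$tmp/cand"
    rm -rf "$tmp"
}

# Constructed sample logs (assumed test names, not results from this PR).
WORK=$(mktemp -d)
BASE_LOG="$WORK/kselftest.baseline.log"
CAND_LOG="$WORK/kselftest.candidate.log"
cat > "$BASE_LOG" <<'EOF'
ok 1 selftests: timers: posix_timers
ok 2 selftests: timers: nanosleep
not ok 3 selftests: timers: leap-a-day # SKIP needs root
not ok 4 selftests: timers: set-tz
EOF
cat > "$CAND_LOG" <<'EOF'
not ok 1 selftests: timers: posix_timers
ok 2 selftests: timers: nanosleep
ok 3 selftests: timers: leap-a-day # SKIP needs root
ok 4 selftests: timers: set-tz
EOF

# Both logs count 2 passes, yet posix_timers regressed:
echo "passes: $(pass_count "$BASE_LOG") -> $(pass_count "$CAND_LOG")"; regressions "$BASE_LOG" "$CAND_LOG"
```

Run it against two real logs by replacing BASE_LOG and CAND_LOG with the kselftest.*.log files the build script writes.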

@PlaidCat PlaidCat self-assigned this Sep 9, 2025
@PlaidCat PlaidCat force-pushed the {jmaple}_fips-8-compliant/4.18.0-553.16.1 branch from 438fc40 to 136daa9 on September 9, 2025 20:16
…x_cpu_timer_del()

jira VULN-136690
jira VULN-136689
cve CVE-2025-38352
commit-author Oleg Nesterov <oleg@redhat.com>
commit f90fff1
upstream-diff There were massive merge conflicts due to several commits
	      missing from upstream.  Had to manually place and correct
	      due to cherry-pick being extremely greedy with trying to
	      pull changes from this LKML change set:
	      https://lore.kernel.org/all/20200730101404.956367860@linutronix.de/

If an exiting non-autoreaping task has already passed exit_notify() and
calls handle_posix_cpu_timers() from IRQ, it can be reaped by its parent
or debugger right after unlock_task_sighand().

If a concurrent posix_cpu_timer_del() runs at that moment, it won't be
able to detect timer->it.cpu.firing != 0: cpu_timer_task_rcu() and/or
lock_task_sighand() will fail.

Add the tsk->exit_state check into run_posix_cpu_timers() to fix this.

This fix is not needed if CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y, because
exit_task_work() is called before exit_notify(). But the check still
makes sense, task_work_add(&tsk->posix_cputimers_work.work) will fail
anyway in this case.

Cc: stable@vger.kernel.org
Reported-by: Benoît Sevens <bsevens@google.com>
Fixes: 0bdd2ed ("sched: run_posix_cpu_timers: Don't check ->exit_state, use lock_task_sighand()")
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit f90fff1)
Signed-off-by: Jonathan Maple <jmaple@ciq.com>
@PlaidCat PlaidCat force-pushed the {jmaple}_fips-8-compliant/4.18.0-553.16.1 branch from 136daa9 to ef9d669 on September 9, 2025 20:17
@PlaidCat
Collaborator Author

PlaidCat commented Sep 9, 2025

Additional fixes were to fix comments as pointed out here: #560 (comment)

I did not retest, so the SHAs are off in the text above.

Collaborator

@bmastbergen bmastbergen left a comment

🥌

Collaborator

@kerneltoast kerneltoast left a comment

🚢

@PlaidCat PlaidCat merged commit e0d3c4e into fips-8-compliant/4.18.0-553.16.1 Sep 9, 2025
4 checks passed
@PlaidCat PlaidCat deleted the {jmaple}_fips-8-compliant/4.18.0-553.16.1 branch September 9, 2025 20:57