CVE-2026-52946— fs/fcntl: fix SOFTIRQ-unsafe lock order in fasync signaling
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-52946
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
fs/fcntl: fix SOFTIRQ-unsafe lock order in fasync signaling
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: fs/fcntl: fix SOFTIRQ-unsafe lock order in fasync signaling A SOFTIRQ-safe to SOFTIRQ-unsafe lock order deadlock can occur in send_sigio() and send_sigurg() when a process group receives a signal. When FASYNC is configured for a process group (PIDTYPE_PGID), both functions use read_lock(&tasklist_lock) to traverse the task list. However, they are frequently called from softirq context: - send_sigio() via input_inject_event -> kill_fasync - send_sigurg() via tcp_check_urg -> sk_send_sigurg (NET_RX_SOFTIRQ) The deadlock is caused by the rwlock writer fairness mechanism: 1. CPU 0 (process context) holds read_lock(&tasklist_lock) in do_wait(). 2. CPU 1 (process context) attempts write_lock(&tasklist_lock) in fork() or exit() and spins, which blocks all new readers. 3. CPU 0 is interrupted by a softirq (e.g., TCP URG packet reception). 4. The softirq calls send_sigurg() and attempts to acquire read_lock(&tasklist_lock), deadlocking because CPU 1 is waiting. Since PID hashing and do_each_pid_task() traversals are already RCU-protected, the read_lock on tasklist_lock is no longer strictly required for safe traversal. Fix this by replacing tasklist_lock with rcu_read_lock(), aligning the process group signaling path with the single-PID path. This also mitigates a potential remote denial of service vector via TCP URG packets. Lockdep splat: ===================================================== WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected [...] Chain exists of: &dev->event_lock --> &f_owner->lock --> tasklist_lock Possible interrupt unsafe locking scenario: CPU0 CPU1 ---- ---- lock(tasklist_lock); local_irq_disable(); lock(&dev->event_lock); lock(&f_owner->lock); <Interrupt> lock(&dev->event_lock); *** DEADLOCK ***
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-52946
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-52946
请登录查看更多情报信息。
Patches & Fixes for CVE-2026-52946 (5)
Other References for CVE-2026-52946 (3)
Same Patch Batch · Linux · 2026-06-24 · 219 CVEs total
| CVE-2026-52979 | net: psp: check for device unregister when creating assoc | |
| CVE-2026-52992 | fs/adfs: validate nzones in adfs_validate_bblk() | |
| CVE-2026-52993 | tipc: fix double-free in tipc_buf_append() | |
| CVE-2026-52991 | sched/psi: fix race between file release and pressure write | |
| CVE-2026-52990 | fsnotify: fix inode reference leak in fsnotify_recalc_mask() | |
| CVE-2026-52988 | netfilter: nf_tables: join hook list via splice_list_rcu() in commit phase | |
| CVE-2026-52989 | nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers | |
| CVE-2026-52987 | drm/amdgpu: avoid double drm_exec_fini() in userq validate | |
| CVE-2026-52986 | netfilter: nf_conntrack_sip: don't use simple_strtoul | |
| CVE-2026-52985 | netdevsim: zero initialize struct iphdr in dummy sk_buff | |
| CVE-2026-52984 | net/sched: netem: fix queue limit check to include reordered packets | |
| CVE-2026-52982 | net: usb: rtl8150: fix use-after-free in rtl8150_start_xmit() | |
| CVE-2026-52983 | net: airoha: fix BQL imbalance in TX path | |
| CVE-2026-52981 | neigh: let neigh_xmit take skb ownership | |
| CVE-2026-52969 | KVM: Reject wrapped offset in kvm_reset_dirty_gfn() | |
| CVE-2026-52971 | net: ena: PHC: Fix potential use-after-free in get_timestamp | |
| CVE-2026-52972 | crypto: af_alg - Cap AEAD AD length to 0x80000000 | |
| CVE-2026-52970 | netfilter: nft_ct: fix missing expect put in obj eval | |
| CVE-2026-52973 | futex: Drop CLONE_THREAD requirement for private default hash alloc | |
| CVE-2026-52968 | KVM: s390: pci: fix GAIT table indexing due to double-scaling pointer arithmetic |
Showing top 20 of 219 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same product: Linux
- CVE-2026-53277
KVM: arm64: Take the SRCU lock for page table walks in fault - CVE-2026-53276
Bluetooth: ISO: Fix a use-after-free of the hci_conn pointer - CVE-2026-53275
ipv6: mcast: Fix use-after-free when processing MLD queries - CVE-2026-53274
net/smc: fix sleep-inside-lock in __smc_setsockopt() causing - CVE-2026-53273
tee: optee: prevent use-after-free when the client exits bef
Same vendor: Linux
- CVE-2026-53277
KVM: arm64: Take the SRCU lock for page table walks in fault - CVE-2026-53276
Bluetooth: ISO: Fix a use-after-free of the hci_conn pointer - CVE-2026-53275
ipv6: mcast: Fix use-after-free when processing MLD queries - CVE-2026-53274
net/smc: fix sleep-inside-lock in __smc_setsockopt() causing - CVE-2026-53273
tee: optee: prevent use-after-free when the client exits bef
V. Comments for CVE-2026-52946
No comments yet