PT-2026-51840 · Linux · Linux

Published

2026-06-24

·

Updated

2026-06-24

·

CVE-2026-52946

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
fs/fcntl: fix SOFTIRQ-unsafe lock order in fasync signaling
A SOFTIRQ-safe to SOFTIRQ-unsafe lock order deadlock can occur in send sigio() and send sigurg() when a process group receives a signal.
When FASYNC is configured for a process group (PIDTYPE PGID), both functions use read lock(&tasklist lock) to traverse the task list. However, they are frequently called from softirq context:
  • send sigio() via input inject event -> kill fasync
  • send sigurg() via tcp check urg -> sk send sigurg (NET RX SOFTIRQ)
The deadlock is caused by the rwlock writer fairness mechanism:
  1. CPU 0 (process context) holds read lock(&tasklist lock) in do wait().
  2. CPU 1 (process context) attempts write lock(&tasklist lock) in fork() or exit() and spins, which blocks all new readers.
  3. CPU 0 is interrupted by a softirq (e.g., TCP URG packet reception).
  4. The softirq calls send sigurg() and attempts to acquire read lock(&tasklist lock), deadlocking because CPU 1 is waiting.
Since PID hashing and do each pid task() traversals are already RCU-protected, the read lock on tasklist lock is no longer strictly required for safe traversal. Fix this by replacing tasklist lock with rcu read lock(), aligning the process group signaling path with the single-PID path. This also mitigates a potential remote denial of service vector via TCP URG packets.

Lockdep splat:

WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected [...] Chain exists of: &dev->event lock --> &f owner->lock --> tasklist lock
Possible interrupt unsafe locking scenario: CPU0 CPU1 ---- ---- lock(tasklist lock); local irq disable(); lock(&dev->event lock); lock(&f owner->lock); lock(&dev->event lock);
*** DEADLOCK ***
Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Related Identifiers

CVE-2026-52946

Affected Products

Linux