From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5F2433DB636 for ; Fri, 8 May 2026 14:24:06 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778250246; cv=none; b=D4/JXAudyKgeBpMnYiHKZchuzG+Hwdgd+8TtwktephTbzQHCToW0zSgrHghRgG9jBcT5PdtJgj1af0rmsPBLd/a+O2+wfcmvnf3eaoHijV/RHV4ntxVY+H3aV8eoEfOZB23Y19SEXfiUjShlgiBwM0h+dOlU12n34y5CuXes7Oc= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778250246; c=relaxed/simple; bh=6E3NYXKkz02kx0SJW1iswX07ca2CbGoldUFmtng4Dr8=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=nU2xY9GvLwxPR7e4HJiVOhZZAizGBAF3t4+uaf5gJIUx2smF4cfEzvG7Lhqdkx4hg1Jr3ZMB9wCyy5ttlyi1LgInNnfbVcdJxoRr9ub9DCL+6Kx27OnTw2zOfVfxxKOK+KHbPWQqJgt0bQ9o1xLU1h3jCZXn+BQsO+PpLzV/lNg= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=AiNI9ZJK; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="AiNI9ZJK" Received: by smtp.kernel.org (Postfix) with ESMTPSA id EA0E4C2BCB0; Fri, 8 May 2026 14:24:05 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1778250246; bh=6E3NYXKkz02kx0SJW1iswX07ca2CbGoldUFmtng4Dr8=; h=From:To:Cc:Subject:Date:Reply-To:From; b=AiNI9ZJKh7a3E7Tocy/iVXTknHggP/IZSoTRboSq1jY0f7tSzZRbmrqu9M/FYJfil Lp4S5JT7wATvIW4HfijT4HK2N2q6vpQxLoFlssO2B1c6MIUBceG4NZjKAmC9xOWC/s AiCU01sKnfu8PlA8G+hKFAuGFq2bMXU8FosuF8gs= From: Greg Kroah-Hartman To: linux-cve-announce@vger.kernel.org Cc: Greg Kroah-Hartman Subject: CVE-2026-43402: kthread: consolidate kthread exit paths to prevent use-after-free Date: Fri, 8 May 2026 16:22:11 +0200 Message-ID: <2026050840-CVE-2026-43402-28f0@gregkh> X-Mailer: git-send-email 2.54.0 Reply-To: , Precedence: bulk X-Mailing-List: linux-cve-announce@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=3523; i=gregkh@linuxfoundation.org; h=from:subject:message-id; bh=8VF/Dk7qDP1qq5+rqNm6AHTedWK0Lanb3DEIETfbAUg=; b=owGbwMvMwCRo6H6F97bub03G02pJDJl/P5bw/dSaef+KR6h0Y9CB36oLc1Wz5v9lscoxiv8S+ t3o5KQPHbEsDIJMDLJiiixftvEc3V9xSNHL0PY0zBxWJpAhDFycAjCRl34Ms5j9dcPv3eG3KvO7 eZutepG+SkhqN8OCNrbpOR8XyM6R3pq/6rvEPUemqHOaAA== X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp; fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29 Content-Transfer-Encoding: 8bit From: Greg Kroah-Hartman Description =========== In the Linux kernel, the following vulnerability has been resolved: kthread: consolidate kthread exit paths to prevent use-after-free Guillaume reported crashes via corrupted RCU callback function pointers during KUnit testing. The crash was traced back to the pidfs rhashtable conversion which replaced the 24-byte rb_node with an 8-byte rhash_head in struct pid, shrinking it from 160 to 144 bytes. struct kthread (without CONFIG_BLK_CGROUP) is also 144 bytes. With CONFIG_SLAB_MERGE_DEFAULT and SLAB_HWCACHE_ALIGN both round up to 192 bytes and share the same slab cache. struct pid.rcu.func and struct kthread.affinity_node both sit at offset 0x78. When a kthread exits via make_task_dead() it bypasses kthread_exit() and misses the affinity_node cleanup. free_kthread_struct() frees the memory while the node is still linked into the global kthread_affinity_list. A subsequent list_del() by another kthread writes through dangling list pointers into the freed and reused memory, corrupting the pid's rcu.func pointer. Instead of patching free_kthread_struct() to handle the missed cleanup, consolidate all kthread exit paths. Turn kthread_exit() into a macro that calls do_exit() and add kthread_do_exit() which is called from do_exit() for any task with PF_KTHREAD set. This guarantees that kthread-specific cleanup always happens regardless of the exit path - make_task_dead(), direct do_exit(), or kthread_exit(). Replace __to_kthread() with a new tsk_is_kthread() accessor in the public header. Export do_exit() since module code using the kthread_exit() macro now needs it directly. The Linux kernel CVE team has assigned CVE-2026-43402 to this issue. Affected and fixed versions =========================== Issue introduced in 6.14 with commit 4d13f4304fa43471bfea101658a11feec7b28ac0 and fixed in 6.18.19 with commit 4729c7b00a347fd37d0cbc265b85f2884c3e06b6 Issue introduced in 6.14 with commit 4d13f4304fa43471bfea101658a11feec7b28ac0 and fixed in 6.19.9 with commit 5a591d7a5e48d30100943940a30a6ab41b15c672 Issue introduced in 6.14 with commit 4d13f4304fa43471bfea101658a11feec7b28ac0 and fixed in 7.0 with commit 28aaa9c39945b7925a1cc1d513c8f21ed38f5e4f Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2026-43402 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: include/linux/kthread.h kernel/exit.c kernel/kthread.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/4729c7b00a347fd37d0cbc265b85f2884c3e06b6 https://git.kernel.org/stable/c/5a591d7a5e48d30100943940a30a6ab41b15c672 https://git.kernel.org/stable/c/28aaa9c39945b7925a1cc1d513c8f21ed38f5e4f