CVE-2026-43402: kthread: consolidate kthread exit paths to prevent use-after-free

CVE-2026-43402: kthread: consolidate kthread exit paths to prevent use-after-free

[Greg Kroah-Hartman]

From: Greg Kroah-Hartman <gregkh@kernel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

kthread: consolidate kthread exit paths to prevent use-after-free

Guillaume reported crashes via corrupted RCU callback function pointers
during KUnit testing. The crash was traced back to the pidfs rhashtable
conversion which replaced the 24-byte rb_node with an 8-byte rhash_head
in struct pid, shrinking it from 160 to 144 bytes.

struct kthread (without CONFIG_BLK_CGROUP) is also 144 bytes. With
CONFIG_SLAB_MERGE_DEFAULT and SLAB_HWCACHE_ALIGN both round up to
192 bytes and share the same slab cache. struct pid.rcu.func and
struct kthread.affinity_node both sit at offset 0x78.

When a kthread exits via make_task_dead() it bypasses kthread_exit() and
misses the affinity_node cleanup. free_kthread_struct() frees the memory
while the node is still linked into the global kthread_affinity_list. A
subsequent list_del() by another kthread writes through dangling list
pointers into the freed and reused memory, corrupting the pid's
rcu.func pointer.

Instead of patching free_kthread_struct() to handle the missed cleanup,
consolidate all kthread exit paths. Turn kthread_exit() into a macro
that calls do_exit() and add kthread_do_exit() which is called from
do_exit() for any task with PF_KTHREAD set. This guarantees that
kthread-specific cleanup always happens regardless of the exit path -
make_task_dead(), direct do_exit(), or kthread_exit().

Replace __to_kthread() with a new tsk_is_kthread() accessor in the
public header. Export do_exit() since module code using the
kthread_exit() macro now needs it directly.

The Linux kernel CVE team has assigned CVE-2026-43402 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 6.14 with commit 4d13f4304fa43471bfea101658a11feec7b28ac0 and fixed in 6.18.19 with commit 4729c7b00a347fd37d0cbc265b85f2884c3e06b6
	Issue introduced in 6.14 with commit 4d13f4304fa43471bfea101658a11feec7b28ac0 and fixed in 6.19.9 with commit 5a591d7a5e48d30100943940a30a6ab41b15c672
	Issue introduced in 6.14 with commit 4d13f4304fa43471bfea101658a11feec7b28ac0 and fixed in 7.0 with commit 28aaa9c39945b7925a1cc1d513c8f21ed38f5e4f

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2026-43402
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	include/linux/kthread.h
	kernel/exit.c
	kernel/kthread.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/4729c7b00a347fd37d0cbc265b85f2884c3e06b6
	https://git.kernel.org/stable/c/5a591d7a5e48d30100943940a30a6ab41b15c672
	https://git.kernel.org/stable/c/28aaa9c39945b7925a1cc1d513c8f21ed38f5e4f