In the Linux kernel, the following vulnerability has been resolved:
rcu: Fix rcu_read_unlock() deadloop due to softirq
Commit 5f5fa7ea89dc ("rcu: Don't use negative nesting depth in __rcu_read_unlock()") removes the recursion-protection code from __rcu_read_unlock(). Therefore, we could invoke the deadloop in raise_softirq_irqoff() with ftrace enabled as follows:
WARNING: CPU: 0 PID: 0 at kernel/trace/trace.c:3021 __ftrace_trace_stack.constprop.0+0x172/0x180
Modules linked in: my_irqwork(O)
CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G O 6.18.0-rc7-dirty #23 PREEMPT(full)
Tainted: [O]=OOT_MODULE
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:__ftrace_trace_stack.constprop.0+0x172/0x180
RSP: 0018:ffffc900000034a8 EFLAGS: 00010002
RAX: 0000000000000000 RBX: 0000000000000004 RCX: 0000000000000000
RDX: 0000000000000003 RSI: ffffffff826d7b87 RDI: ffffffff826e9329
RBP: 0000000000090009 R08: 0000000000000005 R09: ffffffff82afbc4c
R10: 0000000000000008 R11: 0000000000011d7a R12: 0000000000000000
R13: ffff888003874100 R14: 0000000000000003 R15: ffff8880038c1054
FS: 0000000000000000(0000) GS:ffff8880fa8ea000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055b31fa7f540 CR3: 00000000078f4005 CR4: 0000000000770ef0
PKRU: 55555554
Call Trace:
 <IRQ>
 trace_buffer_unlock_commit_regs+0x6d/0x220
 trace_event_buffer_commit+0x5c/0x260
 trace_event_raw_event_softirq+0x47/0x80
 raise_softirq_irqoff+0x6e/0xa0
 rcu_read_unlock_special+0xb1/0x160
 unwind_next_frame+0x203/0x9b0
 __unwind_start+0x15d/0x1c0
 arch_stack_walk+0x62/0xf0
 stack_trace_save+0x48/0x70
 __ftrace_trace_stack.constprop.0+0x144/0x180
 trace_buffer_unlock_commit_regs+0x6d/0x220
 trace_event_buffer_commit+0x5c/0x260
 trace_event_raw_event_softirq+0x47/0x80
 raise_softirq_irqoff+0x6e/0xa0
 rcu_read_unlock_special+0xb1/0x160
 unwind_next_frame+0x203/0x9b0
 __unwind_start+0x15d/0x1c0
 arch_stack_walk+0x62/0xf0
 stack_trace_save+0x48/0x70
 __ftrace_trace_stack.constprop.0+0x144/0x180
 trace_buffer_unlock_commit_regs+0x6d/0x220
 trace_event_buffer_commit+0x5c/0x260
 trace_event_raw_event_softirq+0x47/0x80
 raise_softirq_irqoff+0x6e/0xa0
 rcu_read_unlock_special+0xb1/0x160
 unwind_next_frame+0x203/0x9b0
 __unwind_start+0x15d/0x1c0
 arch_stack_walk+0x62/0xf0
 stack_trace_save+0x48/0x70
 __ftrace_trace_stack.constprop.0+0x144/0x180
 trace_buffer_unlock_commit_regs+0x6d/0x220
 trace_event_buffer_commit+0x5c/0x260
 trace_event_raw_event_softirq+0x47/0x80
 raise_softirq_irqoff+0x6e/0xa0
 rcu_read_unlock_special+0xb1/0x160
 __is_insn_slot_addr+0x54/0x70
 kernel_text_address+0x48/0xc0
 __kernel_text_address+0xd/0x40
 unwind_get_return_address+0x1e/0x40
 arch_stack_walk+0x9c/0xf0
 stack_trace_save+0x48/0x70
 __ftrace_trace_stack.constprop.0+0x144/0x180
 trace_buffer_unlock_commit_regs+0x6d/0x220
 trace_event_buffer_commit+0x5c/0x260
 trace_event_raw_event_softirq+0x47/0x80
 __raise_softirq_irqoff+0x61/0x80
 __flush_smp_call_function_queue+0x115/0x420
 __sysvec_call_function_single+0x17/0xb0
 sysvec_call_function_single+0x8c/0xc0
 </IRQ>
Commit b41642c87716 ("rcu: Fix rcu_read_unlock() deadloop due to IRQ work") fixed the infinite loop in rcu_read_unlock_special() for IRQ work by setting a flag before calling irq_work_queue_on(). We fix this issue by setting the same flag before calling raise_softirq_irqoff() and rename the flag to defer_qs_pending to make it more general.
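The re-entry loop visible in the trace, reduced to a userspace model, as an added example that is neither kernel code nor part of the advisory: the functions below are hypothetical stand-ins for rcu_read_unlock_special(), raise_softirq_irqoff() and the ftrace stack walk that the softirq tracepoint triggers, and MODEL_MAX_DEPTH is a constructed cap so the unguarded variant stops instead of overflowing the stack. With use_guard set, the model sets its defer_qs_pending flag before raising the softirq, so the nested call from inside the unwinder returns at once; without it, every raise re-enters the unwinder, which raises again.

```c
/* Userspace model of the rcu_read_unlock_special() -> raise_softirq_irqoff()
 * -> tracepoint -> stack walk -> rcu_read_unlock() re-entry loop.
 * Added example: names are hypothetical stand-ins, not kernel functions. */
#include <stdbool.h>
#include <stdio.h>

#define MODEL_MAX_DEPTH 64  /* constructed cap for the unguarded variant */

struct model_task {
    bool defer_qs_pending;  /* stands in for the flag the fix sets */
    bool use_guard;         /* false reproduces the unguarded path */
    int raised;             /* how many times the softirq was raised */
    int depth;              /* current re-entry depth */
    bool hit_cap;           /* recursion was only stopped by the cap */
};

struct model_result {
    int raised;
    bool hit_cap;
};

static void model_unlock_special(struct model_task *t);

/* Stands in for the ftrace stack walk: the unwinder runs inside an RCU
 * read-side critical section, and leaving it with a deferred quiescent
 * state pending lands back in unlock_special(). */
static void model_trace_stack(struct model_task *t)
{
    if (++t->depth >= MODEL_MAX_DEPTH) {  /* model-only stop condition */
        t->hit_cap = true;
        t->depth--;
        return;
    }
    model_unlock_special(t);  /* rcu_read_unlock() inside the unwinder */
    t->depth--;
}

/* Stands in for raise_softirq_irqoff(): raising the softirq fires a
 * tracepoint, and with ftrace stack tracing enabled that walks the stack. */
static void model_raise_softirq(struct model_task *t)
{
    t->raised++;
    model_trace_stack(t);
}

/* Stands in for rcu_read_unlock_special(). With the guard, the flag is set
 * before the softirq is raised, so a nested call sees it and returns.
 * (In the kernel the flag is cleared again once the deferred work has run;
 * a single pass of the model does not need that step.) */
static void model_unlock_special(struct model_task *t)
{
    if (t->use_guard) {
        if (t->defer_qs_pending)
            return;           /* already deferred: do not raise again */
        t->defer_qs_pending = true;
    }
    model_raise_softirq(t);
}

/* Run one unlock through the model and report what happened. */
struct model_result model_run(bool use_guard)
{
    struct model_task t = { .use_guard = use_guard };
    struct model_result r;

    model_unlock_special(&t);
    r.raised = t.raised;
    r.hit_cap = t.hit_cap;
    return r;
}

int main(void)
{
    struct model_result guarded = model_run(true);
    struct model_result unguarded = model_run(false);

    printf("guarded:   softirq raised %d time(s), capped=%d\n",
           guarded.raised, guarded.hit_cap);
    printf("unguarded: softirq raised %d time(s), capped=%d\n",
           unguarded.raised, unguarded.hit_cap);
    return 0;
}
```

The guarded run raises the softirq exactly once; the unguarded run keeps re-entering until the model's cap stops it, which is the shape of the repeated frame sequence in the trace.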
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45957.json"
}