CVE-2025-38261

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> riscv: save the SR_SUM status over switches<br /> <br /> When threads/tasks are switched we need to ensure the old execution&amp;#39;s<br /> SR_SUM state is saved and the new thread has the old SR_SUM state<br /> restored.<br /> <br /> The issue was seen under heavy load especially with the syz-stress tool<br /> running, with crashes as follows in schedule_tail:<br /> <br /> Unable to handle kernel access to user memory without uaccess routines<br /> at virtual address 000000002749f0d0<br /> Oops [#1]<br /> Modules linked in:<br /> CPU: 1 PID: 4875 Comm: syz-executor.0 Not tainted<br /> 5.12.0-rc2-syzkaller-00467-g0d7588ab9ef9 #0<br /> Hardware name: riscv-virtio,qemu (DT)<br /> epc : schedule_tail+0x72/0xb2 kernel/sched/core.c:4264<br /> ra : task_pid_vnr include/linux/sched.h:1421 [inline]<br /> ra : schedule_tail+0x70/0xb2 kernel/sched/core.c:4264<br /> epc : ffffffe00008c8b0 ra : ffffffe00008c8ae sp : ffffffe025d17ec0<br /> gp : ffffffe005d25378 tp : ffffffe00f0d0000 t0 : 0000000000000000<br /> t1 : 0000000000000001 t2 : 00000000000f4240 s0 : ffffffe025d17ee0<br /> s1 : 000000002749f0d0 a0 : 000000000000002a a1 : 0000000000000003<br /> a2 : 1ffffffc0cfac500 a3 : ffffffe0000c80cc a4 : 5ae9db91c19bbe00<br /> a5 : 0000000000000000 a6 : 0000000000f00000 a7 : ffffffe000082eba<br /> s2 : 0000000000040000 s3 : ffffffe00eef96c0 s4 : ffffffe022c77fe0<br /> s5 : 0000000000004000 s6 : ffffffe067d74e00 s7 : ffffffe067d74850<br /> s8 : ffffffe067d73e18 s9 : ffffffe067d74e00 s10: ffffffe00eef96e8<br /> s11: 000000ae6cdf8368 t3 : 5ae9db91c19bbe00 t4 : ffffffc4043cafb2<br /> t5 : ffffffc4043cafba t6 : 0000000000040000<br /> status: 0000000000000120 badaddr: 000000002749f0d0 cause:<br /> 000000000000000f<br /> Call Trace:<br /> [] schedule_tail+0x72/0xb2 kernel/sched/core.c:4264<br /> [] ret_from_exception+0x0/0x14<br /> Dumping ftrace buffer:<br /> (ftrace buffer empty)<br /> ---[ end trace b5f8f9231dc87dda ]---<br /> <br /> The issue comes from the put_user() in schedule_tail<br /> (kernel/sched/core.c) doing the following:<br /> <br /> asmlinkage __visible void schedule_tail(struct task_struct *prev)<br /> {<br /> ...<br /> if (current-&gt;set_child_tid)<br /> put_user(task_pid_vnr(current), current-&gt;set_child_tid);<br /> ...<br /> }<br /> <br /> the put_user() macro causes the code sequence to come out as follows:<br /> <br /> 1: __enable_user_access()<br /> 2: reg = task_pid_vnr(current);<br /> 3: *current-&gt;set_child_tid = reg;<br /> 4: __disable_user_access()<br /> <br /> The problem is that we may have a sleeping function as argument which<br /> could clear SR_SUM causing the panic above. This was fixed by<br /> evaluating the argument of the put_user() macro outside the user-enabled<br /> section in commit 285a76bb2cf5 ("riscv: evaluate put_user() arg before<br /> enabling user access")"<br /> <br /> In order for riscv to take advantage of unsafe_get/put_XXX() macros and<br /> to avoid the same issue we had with put_user() and sleeping functions we<br /> must ensure code flow can go through switch_to() from within a region of<br /> code with SR_SUM enabled and come back with SR_SUM still enabled. This<br /> patch addresses the problem allowing future work to enable full use of<br /> unsafe_get/put_XXX() macros without needing to take a CSR bit flip cost<br /> on every access. Make switch_to() save and restore SR_SUM.