CVE-2026-23159

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> perf: sched: Fix perf crash with new is_user_task() helper<br /> <br /> In order to do a user space stacktrace the current task needs to be a user<br /> task that has executed in user space. It use to be possible to test if a<br /> task is a user task or not by simply checking the task_struct mm field. If<br /> it was non NULL, it was a user task and if not it was a kernel task.<br /> <br /> But things have changed over time, and some kernel tasks now have their<br /> own mm field.<br /> <br /> An idea was made to instead test PF_KTHREAD and two functions were used to<br /> wrap this check in case it became more complex to test if a task was a<br /> user task or not[1]. But this was rejected and the C code simply checked<br /> the PF_KTHREAD directly.<br /> <br /> It was later found that not all kernel threads set PF_KTHREAD. The io-uring<br /> helpers instead set PF_USER_WORKER and this needed to be added as well.<br /> <br /> But checking the flags is still not enough. There&amp;#39;s a very small window<br /> when a task exits that it frees its mm field and it is set back to NULL.<br /> If perf were to trigger at this moment, the flags test would say its a<br /> user space task but when perf would read the mm field it would crash with<br /> at NULL pointer dereference.<br /> <br /> Now there are flags that can be used to test if a task is exiting, but<br /> they are set in areas that perf may still want to profile the user space<br /> task (to see where it exited). The only real test is to check both the<br /> flags and the mm field.<br /> <br /> Instead of making this modification in every location, create a new<br /> is_user_task() helper function that does all the tests needed to know if<br /> it is safe to read the user space memory or not.<br /> <br /> [1] https://lore.kernel.org/all/20250425204120.639530125@goodmis.org/