{
  "public_date" : "2025-07-09T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: riscv: save the SR_SUM status over switches",
    "id" : "2378994",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2378994"
  },
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nriscv: save the SR_SUM status over switches\nWhen threads/tasks are switched we need to ensure the old execution's\nSR_SUM state is saved and the new thread has the old SR_SUM state\nrestored.\nThe issue was seen under heavy load especially with the syz-stress tool\nrunning, with crashes as follows in schedule_tail:\nUnable to handle kernel access to user memory without uaccess routines\nat virtual address 000000002749f0d0\nOops [#1]\nModules linked in:\nCPU: 1 PID: 4875 Comm: syz-executor.0 Not tainted\n5.12.0-rc2-syzkaller-00467-g0d7588ab9ef9 #0\nHardware name: riscv-virtio,qemu (DT)\nepc : schedule_tail+0x72/0xb2 kernel/sched/core.c:4264\nra : task_pid_vnr include/linux/sched.h:1421 [inline]\nra : schedule_tail+0x70/0xb2 kernel/sched/core.c:4264\nepc : ffffffe00008c8b0 ra : ffffffe00008c8ae sp : ffffffe025d17ec0\ngp : ffffffe005d25378 tp : ffffffe00f0d0000 t0 : 0000000000000000\nt1 : 0000000000000001 t2 : 00000000000f4240 s0 : ffffffe025d17ee0\ns1 : 000000002749f0d0 a0 : 000000000000002a a1 : 0000000000000003\na2 : 1ffffffc0cfac500 a3 : ffffffe0000c80cc a4 : 5ae9db91c19bbe00\na5 : 0000000000000000 a6 : 0000000000f00000 a7 : ffffffe000082eba\ns2 : 0000000000040000 s3 : ffffffe00eef96c0 s4 : ffffffe022c77fe0\ns5 : 0000000000004000 s6 : ffffffe067d74e00 s7 : ffffffe067d74850\ns8 : ffffffe067d73e18 s9 : ffffffe067d74e00 s10: ffffffe00eef96e8\ns11: 000000ae6cdf8368 t3 : 5ae9db91c19bbe00 t4 : ffffffc4043cafb2\nt5 : ffffffc4043cafba t6 : 0000000000040000\nstatus: 0000000000000120 badaddr: 000000002749f0d0 cause:\n000000000000000f\nCall Trace:\n[<ffffffe00008c8b0>] schedule_tail+0x72/0xb2 kernel/sched/core.c:4264\n[<ffffffe000005570>] ret_from_exception+0x0/0x14\nDumping ftrace buffer:\n(ftrace buffer empty)\n---[ end trace b5f8f9231dc87dda ]---\nThe issue comes from the put_user() in schedule_tail\n(kernel/sched/core.c) doing the following:\nasmlinkage __visible void schedule_tail(struct task_struct *prev)\n{\n...\nif (current->set_child_tid)\nput_user(task_pid_vnr(current), current->set_child_tid);\n...\n}\nthe put_user() macro causes the code sequence to come out as follows:\n1:__enable_user_access()\n2:reg = task_pid_vnr(current);\n3:*current->set_child_tid = reg;\n4:__disable_user_access()\nThe problem is that we may have a sleeping function as argument which\ncould clear SR_SUM causing the panic above. This was fixed by\nevaluating the argument of the put_user() macro outside the user-enabled\nsection in commit 285a76bb2cf5 (\"riscv: evaluate put_user() arg before\nenabling user access\")\"\nIn order for riscv to take advantage of unsafe_get/put_XXX() macros and\nto avoid the same issue we had with put_user() and sleeping functions we\nmust ensure code flow can go through switch_to() from within a region of\ncode with SR_SUM enabled and come back with SR_SUM still enabled. This\npatch addresses the problem allowing future work to enable full use of\nunsafe_get/put_XXX() macros without needing to take a CSR bit flip cost\non every access. Make switch_to() save and restore SR_SUM." ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-38261\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-38261\nhttps://lore.kernel.org/linux-cve-announce/2025070936-CVE-2025-38261-54c0@gregkh/T" ],
  "name" : "CVE-2025-38261",
  "csaw" : false
}