CVE-2025-21825 (GCVE-0-2025-21825)
Vulnerability from cvelistv5
Published
2025-03-06 16:04
Modified
2025-05-04 07:21
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: bpf: Cancel the running bpf_timer through kworker for PREEMPT_RT During the update procedure, when overwrite element in a pre-allocated htab, the freeing of old_element is protected by the bucket lock. The reason why the bucket lock is necessary is that the old_element has already been stashed in htab->extra_elems after alloc_htab_elem() returns. If freeing the old_element after the bucket lock is unlocked, the stashed element may be reused by concurrent update procedure and the freeing of old_element will run concurrently with the reuse of the old_element. However, the invocation of check_and_free_fields() may acquire a spin-lock which violates the lockdep rule because its caller has already held a raw-spin-lock (bucket lock). The following warning will be reported when such race happens: BUG: scheduling while atomic: test_progs/676/0x00000003 3 locks held by test_progs/676: #0: ffffffff864b0240 (rcu_read_lock_trace){....}-{0:0}, at: bpf_prog_test_run_syscall+0x2c0/0x830 #1: ffff88810e961188 (&htab->lockdep_key){....}-{2:2}, at: htab_map_update_elem+0x306/0x1500 #2: ffff8881f4eac1b8 (&base->softirq_expiry_lock){....}-{2:2}, at: hrtimer_cancel_wait_running+0xe9/0x1b0 Modules linked in: bpf_testmod(O) Preemption disabled at: [<ffffffff817837a3>] htab_map_update_elem+0x293/0x1500 CPU: 0 UID: 0 PID: 676 Comm: test_progs Tainted: G ... 6.12.0+ #11 Tainted: [W]=WARN, [O]=OOT_MODULE Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)... Call Trace: <TASK> dump_stack_lvl+0x57/0x70 dump_stack+0x10/0x20 __schedule_bug+0x120/0x170 __schedule+0x300c/0x4800 schedule_rtlock+0x37/0x60 rtlock_slowlock_locked+0x6d9/0x54c0 rt_spin_lock+0x168/0x230 hrtimer_cancel_wait_running+0xe9/0x1b0 hrtimer_cancel+0x24/0x30 bpf_timer_delete_work+0x1d/0x40 bpf_timer_cancel_and_free+0x5e/0x80 bpf_obj_free_fields+0x262/0x4a0 check_and_free_fields+0x1d0/0x280 htab_map_update_elem+0x7fc/0x1500 bpf_prog_9f90bc20768e0cb9_overwrite_cb+0x3f/0x43 bpf_prog_ea601c4649694dbd_overwrite_timer+0x5d/0x7e bpf_prog_test_run_syscall+0x322/0x830 __sys_bpf+0x135d/0x3ca0 __x64_sys_bpf+0x75/0xb0 x64_sys_call+0x1b5/0xa10 do_syscall_64+0x3b/0xc0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 ... </TASK> It seems feasible to break the reuse and refill of per-cpu extra_elems into two independent parts: reuse the per-cpu extra_elems with bucket lock being held and refill the old_element as per-cpu extra_elems after the bucket lock is unlocked. However, it will make the concurrent overwrite procedures on the same CPU return unexpected -E2BIG error when the map is full. Therefore, the patch fixes the lock problem by breaking the cancelling of bpf_timer into two steps for PREEMPT_RT: 1) use hrtimer_try_to_cancel() and check its return value 2) if the timer is running, use hrtimer_cancel() through a kworker to cancel it again Considering that the current implementation of hrtimer_cancel() will try to acquire a being held softirq_expiry_lock when the current timer is running, these steps above are reasonable. However, it also has downside. When the timer is running, the cancelling of the timer is delayed when releasing the last map uref. The delay is also fixable (e.g., break the cancelling of bpf timer into two parts: one part in locked scope, another one in unlocked scope), it can be revised later if necessary. It is a bit hard to decide the right fix tag. One reason is that the problem depends on PREEMPT_RT which is enabled in v6.12. Considering the softirq_expiry_lock lock exists since v5.4 and bpf_timer is introduced in v5.15, the bpf_timer commit is used in the fixes tag and an extra depends-on tag is added to state the dependency on PREEMPT_RT. Depends-on: v6.12+ with PREEMPT_RT enabled
References
Impacted products
Vendor Product Version
Linux Linux Version: b00628b1c7d595ae5b544e059c27b1f5828314b4
Version: b00628b1c7d595ae5b544e059c27b1f5828314b4
Version: b00628b1c7d595ae5b544e059c27b1f5828314b4
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/bpf/helpers.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "33e47d9573075342a41783a55c8c67bc71246fc1",
              "status": "affected",
              "version": "b00628b1c7d595ae5b544e059c27b1f5828314b4",
              "versionType": "git"
            },
            {
              "lessThan": "fbeda3d939ca10063aafa7a77cc0f409d82cda88",
              "status": "affected",
              "version": "b00628b1c7d595ae5b544e059c27b1f5828314b4",
              "versionType": "git"
            },
            {
              "lessThan": "58f038e6d209d2dd862fcf5de55407855856794d",
              "status": "affected",
              "version": "b00628b1c7d595ae5b544e059c27b1f5828314b4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/bpf/helpers.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Cancel the running bpf_timer through kworker for PREEMPT_RT\n\nDuring the update procedure, when overwrite element in a pre-allocated\nhtab, the freeing of old_element is protected by the bucket lock. The\nreason why the bucket lock is necessary is that the old_element has\nalready been stashed in htab-\u003eextra_elems after alloc_htab_elem()\nreturns. If freeing the old_element after the bucket lock is unlocked,\nthe stashed element may be reused by concurrent update procedure and the\nfreeing of old_element will run concurrently with the reuse of the\nold_element. However, the invocation of check_and_free_fields() may\nacquire a spin-lock which violates the lockdep rule because its caller\nhas already held a raw-spin-lock (bucket lock). The following warning\nwill be reported when such race happens:\n\n  BUG: scheduling while atomic: test_progs/676/0x00000003\n  3 locks held by test_progs/676:\n  #0: ffffffff864b0240 (rcu_read_lock_trace){....}-{0:0}, at: bpf_prog_test_run_syscall+0x2c0/0x830\n  #1: ffff88810e961188 (\u0026htab-\u003elockdep_key){....}-{2:2}, at: htab_map_update_elem+0x306/0x1500\n  #2: ffff8881f4eac1b8 (\u0026base-\u003esoftirq_expiry_lock){....}-{2:2}, at: hrtimer_cancel_wait_running+0xe9/0x1b0\n  Modules linked in: bpf_testmod(O)\n  Preemption disabled at:\n  [\u003cffffffff817837a3\u003e] htab_map_update_elem+0x293/0x1500\n  CPU: 0 UID: 0 PID: 676 Comm: test_progs Tainted: G ... 6.12.0+ #11\n  Tainted: [W]=WARN, [O]=OOT_MODULE\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)...\n  Call Trace:\n  \u003cTASK\u003e\n  dump_stack_lvl+0x57/0x70\n  dump_stack+0x10/0x20\n  __schedule_bug+0x120/0x170\n  __schedule+0x300c/0x4800\n  schedule_rtlock+0x37/0x60\n  rtlock_slowlock_locked+0x6d9/0x54c0\n  rt_spin_lock+0x168/0x230\n  hrtimer_cancel_wait_running+0xe9/0x1b0\n  hrtimer_cancel+0x24/0x30\n  bpf_timer_delete_work+0x1d/0x40\n  bpf_timer_cancel_and_free+0x5e/0x80\n  bpf_obj_free_fields+0x262/0x4a0\n  check_and_free_fields+0x1d0/0x280\n  htab_map_update_elem+0x7fc/0x1500\n  bpf_prog_9f90bc20768e0cb9_overwrite_cb+0x3f/0x43\n  bpf_prog_ea601c4649694dbd_overwrite_timer+0x5d/0x7e\n  bpf_prog_test_run_syscall+0x322/0x830\n  __sys_bpf+0x135d/0x3ca0\n  __x64_sys_bpf+0x75/0xb0\n  x64_sys_call+0x1b5/0xa10\n  do_syscall_64+0x3b/0xc0\n  entry_SYSCALL_64_after_hwframe+0x4b/0x53\n  ...\n  \u003c/TASK\u003e\n\nIt seems feasible to break the reuse and refill of per-cpu extra_elems\ninto two independent parts: reuse the per-cpu extra_elems with bucket\nlock being held and refill the old_element as per-cpu extra_elems after\nthe bucket lock is unlocked. However, it will make the concurrent\noverwrite procedures on the same CPU return unexpected -E2BIG error when\nthe map is full.\n\nTherefore, the patch fixes the lock problem by breaking the cancelling\nof bpf_timer into two steps for PREEMPT_RT:\n1) use hrtimer_try_to_cancel() and check its return value\n2) if the timer is running, use hrtimer_cancel() through a kworker to\n   cancel it again\nConsidering that the current implementation of hrtimer_cancel() will try\nto acquire a being held softirq_expiry_lock when the current timer is\nrunning, these steps above are reasonable. However, it also has\ndownside. When the timer is running, the cancelling of the timer is\ndelayed when releasing the last map uref. The delay is also fixable\n(e.g., break the cancelling of bpf timer into two parts: one part in\nlocked scope, another one in unlocked scope), it can be revised later if\nnecessary.\n\nIt is a bit hard to decide the right fix tag. One reason is that the\nproblem depends on PREEMPT_RT which is enabled in v6.12. Considering the\nsoftirq_expiry_lock lock exists since v5.4 and bpf_timer is introduced\nin v5.15, the bpf_timer commit is used in the fixes tag and an extra\ndepends-on tag is added to state the dependency on PREEMPT_RT.\n\nDepends-on: v6.12+ with PREEMPT_RT enabled"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:21:57.238Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/33e47d9573075342a41783a55c8c67bc71246fc1"
        },
        {
          "url": "https://git.kernel.org/stable/c/fbeda3d939ca10063aafa7a77cc0f409d82cda88"
        },
        {
          "url": "https://git.kernel.org/stable/c/58f038e6d209d2dd862fcf5de55407855856794d"
        }
      ],
      "title": "bpf: Cancel the running bpf_timer through kworker for PREEMPT_RT",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21825",
    "datePublished": "2025-03-06T16:04:31.576Z",
    "dateReserved": "2024-12-29T08:45:45.775Z",
    "dateUpdated": "2025-05-04T07:21:57.238Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-21825\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-03-06T16:15:54.753\",\"lastModified\":\"2025-03-06T16:15:54.753\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbpf: Cancel the running bpf_timer through kworker for PREEMPT_RT\\n\\nDuring the update procedure, when overwrite element in a pre-allocated\\nhtab, the freeing of old_element is protected by the bucket lock. The\\nreason why the bucket lock is necessary is that the old_element has\\nalready been stashed in htab-\u003eextra_elems after alloc_htab_elem()\\nreturns. If freeing the old_element after the bucket lock is unlocked,\\nthe stashed element may be reused by concurrent update procedure and the\\nfreeing of old_element will run concurrently with the reuse of the\\nold_element. However, the invocation of check_and_free_fields() may\\nacquire a spin-lock which violates the lockdep rule because its caller\\nhas already held a raw-spin-lock (bucket lock). The following warning\\nwill be reported when such race happens:\\n\\n  BUG: scheduling while atomic: test_progs/676/0x00000003\\n  3 locks held by test_progs/676:\\n  #0: ffffffff864b0240 (rcu_read_lock_trace){....}-{0:0}, at: bpf_prog_test_run_syscall+0x2c0/0x830\\n  #1: ffff88810e961188 (\u0026htab-\u003elockdep_key){....}-{2:2}, at: htab_map_update_elem+0x306/0x1500\\n  #2: ffff8881f4eac1b8 (\u0026base-\u003esoftirq_expiry_lock){....}-{2:2}, at: hrtimer_cancel_wait_running+0xe9/0x1b0\\n  Modules linked in: bpf_testmod(O)\\n  Preemption disabled at:\\n  [\u003cffffffff817837a3\u003e] htab_map_update_elem+0x293/0x1500\\n  CPU: 0 UID: 0 PID: 676 Comm: test_progs Tainted: G ... 6.12.0+ #11\\n  Tainted: [W]=WARN, [O]=OOT_MODULE\\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)...\\n  Call Trace:\\n  \u003cTASK\u003e\\n  dump_stack_lvl+0x57/0x70\\n  dump_stack+0x10/0x20\\n  __schedule_bug+0x120/0x170\\n  __schedule+0x300c/0x4800\\n  schedule_rtlock+0x37/0x60\\n  rtlock_slowlock_locked+0x6d9/0x54c0\\n  rt_spin_lock+0x168/0x230\\n  hrtimer_cancel_wait_running+0xe9/0x1b0\\n  hrtimer_cancel+0x24/0x30\\n  bpf_timer_delete_work+0x1d/0x40\\n  bpf_timer_cancel_and_free+0x5e/0x80\\n  bpf_obj_free_fields+0x262/0x4a0\\n  check_and_free_fields+0x1d0/0x280\\n  htab_map_update_elem+0x7fc/0x1500\\n  bpf_prog_9f90bc20768e0cb9_overwrite_cb+0x3f/0x43\\n  bpf_prog_ea601c4649694dbd_overwrite_timer+0x5d/0x7e\\n  bpf_prog_test_run_syscall+0x322/0x830\\n  __sys_bpf+0x135d/0x3ca0\\n  __x64_sys_bpf+0x75/0xb0\\n  x64_sys_call+0x1b5/0xa10\\n  do_syscall_64+0x3b/0xc0\\n  entry_SYSCALL_64_after_hwframe+0x4b/0x53\\n  ...\\n  \u003c/TASK\u003e\\n\\nIt seems feasible to break the reuse and refill of per-cpu extra_elems\\ninto two independent parts: reuse the per-cpu extra_elems with bucket\\nlock being held and refill the old_element as per-cpu extra_elems after\\nthe bucket lock is unlocked. However, it will make the concurrent\\noverwrite procedures on the same CPU return unexpected -E2BIG error when\\nthe map is full.\\n\\nTherefore, the patch fixes the lock problem by breaking the cancelling\\nof bpf_timer into two steps for PREEMPT_RT:\\n1) use hrtimer_try_to_cancel() and check its return value\\n2) if the timer is running, use hrtimer_cancel() through a kworker to\\n   cancel it again\\nConsidering that the current implementation of hrtimer_cancel() will try\\nto acquire a being held softirq_expiry_lock when the current timer is\\nrunning, these steps above are reasonable. However, it also has\\ndownside. When the timer is running, the cancelling of the timer is\\ndelayed when releasing the last map uref. The delay is also fixable\\n(e.g., break the cancelling of bpf timer into two parts: one part in\\nlocked scope, another one in unlocked scope), it can be revised later if\\nnecessary.\\n\\nIt is a bit hard to decide the right fix tag. One reason is that the\\nproblem depends on PREEMPT_RT which is enabled in v6.12. Considering the\\nsoftirq_expiry_lock lock exists since v5.4 and bpf_timer is introduced\\nin v5.15, the bpf_timer commit is used in the fixes tag and an extra\\ndepends-on tag is added to state the dependency on PREEMPT_RT.\\n\\nDepends-on: v6.12+ with PREEMPT_RT enabled\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/33e47d9573075342a41783a55c8c67bc71246fc1\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/58f038e6d209d2dd862fcf5de55407855856794d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/fbeda3d939ca10063aafa7a77cc0f409d82cda88\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.