CVE-2025-68214 (GCVE-0-2025-68214)
Vulnerability from cvelistv5
Published
2025-12-16 13:57
Modified
2025-12-16 13:57
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: timers: Fix NULL function pointer race in timer_shutdown_sync() There is a race condition between timer_shutdown_sync() and timer expiration that can lead to hitting a WARN_ON in expire_timers(). The issue occurs when timer_shutdown_sync() clears the timer function to NULL while the timer is still running on another CPU. The race scenario looks like this: CPU0 CPU1 <SOFTIRQ> lock_timer_base() expire_timers() base->running_timer = timer; unlock_timer_base() [call_timer_fn enter] mod_timer() ... timer_shutdown_sync() lock_timer_base() // For now, will not detach the timer but only clear its function to NULL if (base->running_timer != timer) ret = detach_if_pending(timer, base, true); if (shutdown) timer->function = NULL; unlock_timer_base() [call_timer_fn exit] lock_timer_base() base->running_timer = NULL; unlock_timer_base() ... // Now timer is pending while its function set to NULL. // next timer trigger <SOFTIRQ> expire_timers() WARN_ON_ONCE(!fn) // hit ... lock_timer_base() // Now timer will detach if (base->running_timer != timer) ret = detach_if_pending(timer, base, true); if (shutdown) timer->function = NULL; unlock_timer_base() The problem is that timer_shutdown_sync() clears the timer function regardless of whether the timer is currently running. This can leave a pending timer with a NULL function pointer, which triggers the WARN_ON_ONCE(!fn) check in expire_timers(). Fix this by only clearing the timer function when actually detaching the timer. If the timer is running, leave the function pointer intact, which is safe because the timer will be properly detached when it finishes running.
References
Impacted products
Vendor Product Version
Linux Linux Version: 334c33aa487be406a149c8b87c38c8399d2dba8d
Version: 0cc04e80458a822300b93f82ed861a513edde194
Version: 0cc04e80458a822300b93f82ed861a513edde194
Version: 0cc04e80458a822300b93f82ed861a513edde194
Version: 0cc04e80458a822300b93f82ed861a513edde194
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/time/timer.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1a975716cc8977f461e45e28e3e5977d46ad7a6a",
              "status": "affected",
              "version": "334c33aa487be406a149c8b87c38c8399d2dba8d",
              "versionType": "git"
            },
            {
              "lessThan": "6665fbd7730b26d770c232b20d1b907e6a67a914",
              "status": "affected",
              "version": "0cc04e80458a822300b93f82ed861a513edde194",
              "versionType": "git"
            },
            {
              "lessThan": "176725f4848376530a0f0da9023f956afcc33585",
              "status": "affected",
              "version": "0cc04e80458a822300b93f82ed861a513edde194",
              "versionType": "git"
            },
            {
              "lessThan": "a01efa7a780c42ac5170a949bd95c9786ffcc60a",
              "status": "affected",
              "version": "0cc04e80458a822300b93f82ed861a513edde194",
              "versionType": "git"
            },
            {
              "lessThan": "20739af07383e6eb1ec59dcd70b72ebfa9ac362c",
              "status": "affected",
              "version": "0cc04e80458a822300b93f82ed861a513edde194",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/time/timer.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.2"
            },
            {
              "lessThan": "6.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.118",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.60",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "6.1.158",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.118",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.60",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.10",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntimers: Fix NULL function pointer race in timer_shutdown_sync()\n\nThere is a race condition between timer_shutdown_sync() and timer\nexpiration that can lead to hitting a WARN_ON in expire_timers().\n\nThe issue occurs when timer_shutdown_sync() clears the timer function\nto NULL while the timer is still running on another CPU. The race\nscenario looks like this:\n\nCPU0\t\t\t\t\tCPU1\n\t\t\t\t\t\u003cSOFTIRQ\u003e\n\t\t\t\t\tlock_timer_base()\n\t\t\t\t\texpire_timers()\n\t\t\t\t\tbase-\u003erunning_timer = timer;\n\t\t\t\t\tunlock_timer_base()\n\t\t\t\t\t[call_timer_fn enter]\n\t\t\t\t\tmod_timer()\n\t\t\t\t\t...\ntimer_shutdown_sync()\nlock_timer_base()\n// For now, will not detach the timer but only clear its function to NULL\nif (base-\u003erunning_timer != timer)\n\tret = detach_if_pending(timer, base, true);\nif (shutdown)\n\ttimer-\u003efunction = NULL;\nunlock_timer_base()\n\t\t\t\t\t[call_timer_fn exit]\n\t\t\t\t\tlock_timer_base()\n\t\t\t\t\tbase-\u003erunning_timer = NULL;\n\t\t\t\t\tunlock_timer_base()\n\t\t\t\t\t...\n\t\t\t\t\t// Now timer is pending while its function set to NULL.\n\t\t\t\t\t// next timer trigger\n\t\t\t\t\t\u003cSOFTIRQ\u003e\n\t\t\t\t\texpire_timers()\n\t\t\t\t\tWARN_ON_ONCE(!fn) // hit\n\t\t\t\t\t...\nlock_timer_base()\n// Now timer will detach\nif (base-\u003erunning_timer != timer)\n\tret = detach_if_pending(timer, base, true);\nif (shutdown)\n\ttimer-\u003efunction = NULL;\nunlock_timer_base()\n\nThe problem is that timer_shutdown_sync() clears the timer function\nregardless of whether the timer is currently running. This can leave a\npending timer with a NULL function pointer, which triggers the\nWARN_ON_ONCE(!fn) check in expire_timers().\n\nFix this by only clearing the timer function when actually detaching the\ntimer. If the timer is running, leave the function pointer intact, which is\nsafe because the timer will be properly detached when it finishes running."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-16T13:57:09.728Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1a975716cc8977f461e45e28e3e5977d46ad7a6a"
        },
        {
          "url": "https://git.kernel.org/stable/c/6665fbd7730b26d770c232b20d1b907e6a67a914"
        },
        {
          "url": "https://git.kernel.org/stable/c/176725f4848376530a0f0da9023f956afcc33585"
        },
        {
          "url": "https://git.kernel.org/stable/c/a01efa7a780c42ac5170a949bd95c9786ffcc60a"
        },
        {
          "url": "https://git.kernel.org/stable/c/20739af07383e6eb1ec59dcd70b72ebfa9ac362c"
        }
      ],
      "title": "timers: Fix NULL function pointer race in timer_shutdown_sync()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68214",
    "datePublished": "2025-12-16T13:57:09.728Z",
    "dateReserved": "2025-12-16T13:41:40.256Z",
    "dateUpdated": "2025-12-16T13:57:09.728Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-68214\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-12-16T14:15:54.363\",\"lastModified\":\"2025-12-18T15:08:06.237\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntimers: Fix NULL function pointer race in timer_shutdown_sync()\\n\\nThere is a race condition between timer_shutdown_sync() and timer\\nexpiration that can lead to hitting a WARN_ON in expire_timers().\\n\\nThe issue occurs when timer_shutdown_sync() clears the timer function\\nto NULL while the timer is still running on another CPU. The race\\nscenario looks like this:\\n\\nCPU0\\t\\t\\t\\t\\tCPU1\\n\\t\\t\\t\\t\\t\u003cSOFTIRQ\u003e\\n\\t\\t\\t\\t\\tlock_timer_base()\\n\\t\\t\\t\\t\\texpire_timers()\\n\\t\\t\\t\\t\\tbase-\u003erunning_timer = timer;\\n\\t\\t\\t\\t\\tunlock_timer_base()\\n\\t\\t\\t\\t\\t[call_timer_fn enter]\\n\\t\\t\\t\\t\\tmod_timer()\\n\\t\\t\\t\\t\\t...\\ntimer_shutdown_sync()\\nlock_timer_base()\\n// For now, will not detach the timer but only clear its function to NULL\\nif (base-\u003erunning_timer != timer)\\n\\tret = detach_if_pending(timer, base, true);\\nif (shutdown)\\n\\ttimer-\u003efunction = NULL;\\nunlock_timer_base()\\n\\t\\t\\t\\t\\t[call_timer_fn exit]\\n\\t\\t\\t\\t\\tlock_timer_base()\\n\\t\\t\\t\\t\\tbase-\u003erunning_timer = NULL;\\n\\t\\t\\t\\t\\tunlock_timer_base()\\n\\t\\t\\t\\t\\t...\\n\\t\\t\\t\\t\\t// Now timer is pending while its function set to NULL.\\n\\t\\t\\t\\t\\t// next timer trigger\\n\\t\\t\\t\\t\\t\u003cSOFTIRQ\u003e\\n\\t\\t\\t\\t\\texpire_timers()\\n\\t\\t\\t\\t\\tWARN_ON_ONCE(!fn) // hit\\n\\t\\t\\t\\t\\t...\\nlock_timer_base()\\n// Now timer will detach\\nif (base-\u003erunning_timer != timer)\\n\\tret = detach_if_pending(timer, base, true);\\nif (shutdown)\\n\\ttimer-\u003efunction = NULL;\\nunlock_timer_base()\\n\\nThe problem is that timer_shutdown_sync() clears the timer function\\nregardless of whether the timer is currently running. This can leave a\\npending timer with a NULL function pointer, which triggers the\\nWARN_ON_ONCE(!fn) check in expire_timers().\\n\\nFix this by only clearing the timer function when actually detaching the\\ntimer. If the timer is running, leave the function pointer intact, which is\\nsafe because the timer will be properly detached when it finishes running.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/176725f4848376530a0f0da9023f956afcc33585\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/1a975716cc8977f461e45e28e3e5977d46ad7a6a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/20739af07383e6eb1ec59dcd70b72ebfa9ac362c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/6665fbd7730b26d770c232b20d1b907e6a67a914\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a01efa7a780c42ac5170a949bd95c9786ffcc60a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.