ghsa-29x3-q6jr-jf4j
Vulnerability from github
Published
2025-10-18 09:30
Modified
2025-10-19 15:30
Details

In the Linux kernel, the following vulnerability has been resolved:

net: mscc: ocelot: Fix use-after-free caused by cyclic delayed work

The origin code calls cancel_delayed_work() in ocelot_stats_deinit() to cancel the cyclic delayed work item ocelot->stats_work. However, cancel_delayed_work() may fail to cancel the work item if it is already executing. While destroy_workqueue() does wait for all pending work items in the work queue to complete before destroying the work queue, it cannot prevent the delayed work item from being rescheduled within the ocelot_check_stats_work() function. This limitation exists because the delayed work item is only enqueued into the work queue after its timer expires. Before the timer expiration, destroy_workqueue() has no visibility of this pending work item. Once the work queue appears empty, destroy_workqueue() proceeds with destruction. When the timer eventually expires, the delayed work item gets queued again, leading to the following warning:

workqueue: cannot queue ocelot_check_stats_work on wq ocelot-switch-stats WARNING: CPU: 2 PID: 0 at kernel/workqueue.c:2255 __queue_work+0x875/0xaf0 ... RIP: 0010:__queue_work+0x875/0xaf0 ... RSP: 0018:ffff88806d108b10 EFLAGS: 00010086 RAX: 0000000000000000 RBX: 0000000000000101 RCX: 0000000000000027 RDX: 0000000000000027 RSI: 0000000000000004 RDI: ffff88806d123e88 RBP: ffffffff813c3170 R08: 0000000000000000 R09: ffffed100da247d2 R10: ffffed100da247d1 R11: ffff88806d123e8b R12: ffff88800c00f000 R13: ffff88800d7285c0 R14: ffff88806d0a5580 R15: ffff88800d7285a0 FS: 0000000000000000(0000) GS:ffff8880e5725000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fe18e45ea10 CR3: 0000000005e6c000 CR4: 00000000000006f0 Call Trace: ? kasan_report+0xc6/0xf0 ? __pfx_delayed_work_timer_fn+0x10/0x10 ? __pfx_delayed_work_timer_fn+0x10/0x10 call_timer_fn+0x25/0x1c0 __run_timer_base.part.0+0x3be/0x8c0 ? __pfx_delayed_work_timer_fn+0x10/0x10 ? rcu_sched_clock_irq+0xb06/0x27d0 ? __pfxruntimer_base.part.0+0x10/0x10 ? try_to_wake_up+0xb15/0x1960 ? _raw_spin_lock_irq+0x80/0xe0 ? pfx__raw_spin_lock_irq+0x10/0x10 tmigr_handle_remote_up+0x603/0x7e0 ? __pfx_tmigr_handle_remote_up+0x10/0x10 ? sched_balance_trigger+0x1c0/0x9f0 ? sched_tick+0x221/0x5a0 ? _raw_spin_lock_irq+0x80/0xe0 ? __pfx__raw_spin_lock_irq+0x10/0x10 ? tick_nohz_handler+0x339/0x440 ? __pfx_tmigr_handle_remote_up+0x10/0x10 __walk_groups.isra.0+0x42/0x150 tmigr_handle_remote+0x1f4/0x2e0 ? __pfx_tmigr_handle_remote+0x10/0x10 ? ktime_get+0x60/0x140 ? lapic_next_event+0x11/0x20 ? clockevents_program_event+0x1d4/0x2a0 ? hrtimer_interrupt+0x322/0x780 handle_softirqs+0x16a/0x550 irq_exit_rcu+0xaf/0xe0 sysvec_apic_timer_interrupt+0x70/0x80 ...

The following diagram reveals the cause of the above warning:

CPU 0 (remove) | CPU 1 (delayed work callback) mscc_ocelot_remove() | ocelot_deinit() | ocelot_check_stats_work() ocelot_stats_deinit() | cancel_delayed_work()| ... | queue_delayed_work() destroy_workqueue() | (wait a time) | __queue_work() //UAF

The above scenario actually constitutes a UAF vulnerability.

The ocelot_stats_deinit() is only invoked when initialization failure or resource destruction, so we must ensure that any delayed work items cannot be rescheduled.

Replace cancel_delayed_work() with disable_delayed_work_sync() to guarantee proper cancellation of the delayed work item and ensure completion of any currently executing work before the workqueue is deallocated.

A deadlock concern was considered: ocelot_stats_deinit() is called in a process context and is not holding any locks that the delayed work item might also need. Therefore, the use of the _sync() variant is safe here.

This bug was identified through static analysis. To reproduce the issue and validate the fix, I simulated ocelot-swit ---truncated---

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-40003"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-18T08:15:34Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mscc: ocelot: Fix use-after-free caused by cyclic delayed work\n\nThe origin code calls cancel_delayed_work() in ocelot_stats_deinit()\nto cancel the cyclic delayed work item ocelot-\u003estats_work. However,\ncancel_delayed_work() may fail to cancel the work item if it is already\nexecuting. While destroy_workqueue() does wait for all pending work items\nin the work queue to complete before destroying the work queue, it cannot\nprevent the delayed work item from being rescheduled within the\nocelot_check_stats_work() function. This limitation exists because the\ndelayed work item is only enqueued into the work queue after its timer\nexpires. Before the timer expiration, destroy_workqueue() has no visibility\nof this pending work item. Once the work queue appears empty,\ndestroy_workqueue() proceeds with destruction. When the timer eventually\nexpires, the delayed work item gets queued again, leading to the following\nwarning:\n\nworkqueue: cannot queue ocelot_check_stats_work on wq ocelot-switch-stats\nWARNING: CPU: 2 PID: 0 at kernel/workqueue.c:2255 __queue_work+0x875/0xaf0\n...\nRIP: 0010:__queue_work+0x875/0xaf0\n...\nRSP: 0018:ffff88806d108b10 EFLAGS: 00010086\nRAX: 0000000000000000 RBX: 0000000000000101 RCX: 0000000000000027\nRDX: 0000000000000027 RSI: 0000000000000004 RDI: ffff88806d123e88\nRBP: ffffffff813c3170 R08: 0000000000000000 R09: ffffed100da247d2\nR10: ffffed100da247d1 R11: ffff88806d123e8b R12: ffff88800c00f000\nR13: ffff88800d7285c0 R14: ffff88806d0a5580 R15: ffff88800d7285a0\nFS:  0000000000000000(0000) GS:ffff8880e5725000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fe18e45ea10 CR3: 0000000005e6c000 CR4: 00000000000006f0\nCall Trace:\n \u003cIRQ\u003e\n ? kasan_report+0xc6/0xf0\n ? __pfx_delayed_work_timer_fn+0x10/0x10\n ? __pfx_delayed_work_timer_fn+0x10/0x10\n call_timer_fn+0x25/0x1c0\n __run_timer_base.part.0+0x3be/0x8c0\n ? __pfx_delayed_work_timer_fn+0x10/0x10\n ? rcu_sched_clock_irq+0xb06/0x27d0\n ? __pfx___run_timer_base.part.0+0x10/0x10\n ? try_to_wake_up+0xb15/0x1960\n ? _raw_spin_lock_irq+0x80/0xe0\n ? __pfx__raw_spin_lock_irq+0x10/0x10\n tmigr_handle_remote_up+0x603/0x7e0\n ? __pfx_tmigr_handle_remote_up+0x10/0x10\n ? sched_balance_trigger+0x1c0/0x9f0\n ? sched_tick+0x221/0x5a0\n ? _raw_spin_lock_irq+0x80/0xe0\n ? __pfx__raw_spin_lock_irq+0x10/0x10\n ? tick_nohz_handler+0x339/0x440\n ? __pfx_tmigr_handle_remote_up+0x10/0x10\n __walk_groups.isra.0+0x42/0x150\n tmigr_handle_remote+0x1f4/0x2e0\n ? __pfx_tmigr_handle_remote+0x10/0x10\n ? ktime_get+0x60/0x140\n ? lapic_next_event+0x11/0x20\n ? clockevents_program_event+0x1d4/0x2a0\n ? hrtimer_interrupt+0x322/0x780\n handle_softirqs+0x16a/0x550\n irq_exit_rcu+0xaf/0xe0\n sysvec_apic_timer_interrupt+0x70/0x80\n \u003c/IRQ\u003e\n...\n\nThe following diagram reveals the cause of the above warning:\n\nCPU 0 (remove)             | CPU 1 (delayed work callback)\nmscc_ocelot_remove()       |\n  ocelot_deinit()          | ocelot_check_stats_work()\n    ocelot_stats_deinit()  |\n      cancel_delayed_work()|   ...\n                           |   queue_delayed_work()\n      destroy_workqueue()  | (wait a time)\n                           | __queue_work() //UAF\n\nThe above scenario actually constitutes a UAF vulnerability.\n\nThe ocelot_stats_deinit() is only invoked when initialization\nfailure or resource destruction, so we must ensure that any\ndelayed work items cannot be rescheduled.\n\nReplace cancel_delayed_work() with disable_delayed_work_sync()\nto guarantee proper cancellation of the delayed work item and\nensure completion of any currently executing work before the\nworkqueue is deallocated.\n\nA deadlock concern was considered: ocelot_stats_deinit() is called\nin a process context and is not holding any locks that the delayed\nwork item might also need. Therefore, the use of the _sync() variant\nis safe here.\n\nThis bug was identified through static analysis. To reproduce the\nissue and validate the fix, I simulated ocelot-swit\n---truncated---",
  "id": "GHSA-29x3-q6jr-jf4j",
  "modified": "2025-10-19T15:30:15Z",
  "published": "2025-10-18T09:30:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40003"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/70acdd1eb35ffb3afdcb59e4c3bbb178da411d0f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bc9ea787079671cb19a8b25ff9f02be5ef6bfcf5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c3363db5d0685a8d077ade706051bbccc75f7e14"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.