ghsa-6wfv-64f3-9h2q
Vulnerability from github
Published
2025-09-23 06:30
Modified
2025-09-23 06:30
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf: Tell memcg to use allow_spinning=false path in bpf_timer_init()

Currently, calling bpf_map_kmalloc_node() from __bpf_async_init() can cause various locking issues; see the following stack trace (edited for style) as one example:

... [10.011566] do_raw_spin_lock.cold [10.011570] try_to_wake_up (5) double-acquiring the same [10.011575] kick_pool rq_lock, causing a hardlockup [10.011579] __queue_work [10.011582] queue_work_on [10.011585] kernfs_notify [10.011589] cgroup_file_notify [10.011593] try_charge_memcg (4) memcg accounting raises an [10.011597] obj_cgroup_charge_pages MEMCG_MAX event [10.011599] obj_cgroup_charge_account [10.011600] __memcg_slab_post_alloc_hook [10.011603] __kmalloc_node_noprof ... [10.011611] bpf_map_kmalloc_node [10.011612] __bpf_async_init [10.011615] bpf_timer_init (3) BPF calls bpf_timer_init() [10.011617] bpf_prog_xxxxxxxxxxxxxxxx_fcg_runnable [10.011619] bpf__sched_ext_ops_runnable [10.011620] enqueue_task_scx (2) BPF runs with rq_lock held [10.011622] enqueue_task [10.011626] ttwu_do_activate [10.011629] sched_ttwu_pending (1) grabs rq_lock ...

The above was reproduced on bpf-next (b338cf849ec8) by modifying ./tools/sched_ext/scx_flatcg.bpf.c to call bpf_timer_init() during ops.runnable(), and hacking the memcg accounting code a bit to make a bpf_timer_init() call more likely to raise an MEMCG_MAX event.

We have also run into other similar variants (both internally and on bpf-next), including double-acquiring cgroup_file_kn_lock, the same worker_pool::lock, etc.

As suggested by Shakeel, fix this by using __GFP_HIGH instead of GFP_ATOMIC in __bpf_async_init(), so that e.g. if try_charge_memcg() raises an MEMCG_MAX event, we call __memcg_memory_event() with @allow_spinning=false and avoid calling cgroup_file_notify() there.

Depends on mm patch "memcg: skip cgroup_file_notify if spinning is not allowed": https://lore.kernel.org/bpf/20250905201606.66198-1-shakeel.butt@linux.dev/

v0 approach s/bpf_map_kmalloc_node/bpf_mem_alloc/ https://lore.kernel.org/bpf/20250905061919.439648-1-yepeilin@google.com/ v1 approach: https://lore.kernel.org/bpf/20250905234547.862249-1-yepeilin@google.com/

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-39886"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-23T06:15:48Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Tell memcg to use allow_spinning=false path in bpf_timer_init()\n\nCurrently, calling bpf_map_kmalloc_node() from __bpf_async_init() can\ncause various locking issues; see the following stack trace (edited for\nstyle) as one example:\n\n...\n [10.011566]  do_raw_spin_lock.cold\n [10.011570]  try_to_wake_up             (5) double-acquiring the same\n [10.011575]  kick_pool                      rq_lock, causing a hardlockup\n [10.011579]  __queue_work\n [10.011582]  queue_work_on\n [10.011585]  kernfs_notify\n [10.011589]  cgroup_file_notify\n [10.011593]  try_charge_memcg           (4) memcg accounting raises an\n [10.011597]  obj_cgroup_charge_pages        MEMCG_MAX event\n [10.011599]  obj_cgroup_charge_account\n [10.011600]  __memcg_slab_post_alloc_hook\n [10.011603]  __kmalloc_node_noprof\n...\n [10.011611]  bpf_map_kmalloc_node\n [10.011612]  __bpf_async_init\n [10.011615]  bpf_timer_init             (3) BPF calls bpf_timer_init()\n [10.011617]  bpf_prog_xxxxxxxxxxxxxxxx_fcg_runnable\n [10.011619]  bpf__sched_ext_ops_runnable\n [10.011620]  enqueue_task_scx           (2) BPF runs with rq_lock held\n [10.011622]  enqueue_task\n [10.011626]  ttwu_do_activate\n [10.011629]  sched_ttwu_pending         (1) grabs rq_lock\n...\n\nThe above was reproduced on bpf-next (b338cf849ec8) by modifying\n./tools/sched_ext/scx_flatcg.bpf.c to call bpf_timer_init() during\nops.runnable(), and hacking the memcg accounting code a bit to make\na bpf_timer_init() call more likely to raise an MEMCG_MAX event.\n\nWe have also run into other similar variants (both internally and on\nbpf-next), including double-acquiring cgroup_file_kn_lock, the same\nworker_pool::lock, etc.\n\nAs suggested by Shakeel, fix this by using __GFP_HIGH instead of\nGFP_ATOMIC in __bpf_async_init(), so that e.g. if try_charge_memcg()\nraises an MEMCG_MAX event, we call __memcg_memory_event() with\n@allow_spinning=false and avoid calling cgroup_file_notify() there.\n\nDepends on mm patch\n\"memcg: skip cgroup_file_notify if spinning is not allowed\":\nhttps://lore.kernel.org/bpf/20250905201606.66198-1-shakeel.butt@linux.dev/\n\nv0 approach s/bpf_map_kmalloc_node/bpf_mem_alloc/\nhttps://lore.kernel.org/bpf/20250905061919.439648-1-yepeilin@google.com/\nv1 approach:\nhttps://lore.kernel.org/bpf/20250905234547.862249-1-yepeilin@google.com/",
  "id": "GHSA-6wfv-64f3-9h2q",
  "modified": "2025-09-23T06:30:28Z",
  "published": "2025-09-23T06:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39886"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/449682e76f32601f211816d3e2100bed87e67a4c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6d78b4473cdb08b74662355a9e8510bde09c511e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ac70cd446f83ccb25532b343919ab86eacdcd06a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cd1fd26bb13473c1734e3026b2b97025a0a4087b"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.