ghsa-hv9m-xg7c-9q4v
Vulnerability from github
In the Linux kernel, the following vulnerability has been resolved:
fs/eventpoll: fix endless busy loop after timeout has expired
After commit 0a65bc27bd64 ("eventpoll: Set epoll timeout if it's in the future"), the following program would immediately enter a busy loop in the kernel:
int main() {
int e = epoll_create1(0);
struct epoll_event event = {.events = EPOLLIN};
epoll_ctl(e, EPOLL_CTL_ADD, 0, &event);
const struct timespec timeout = {.tv_nsec = 1};
epoll_pwait2(e, &event, 1, &timeout, 0);
}
This happens because the given (non-zero) timeout of 1 nanosecond
usually expires before ep_poll() is entered and then
ep_schedule_timeout() returns false, but timed_out is never set
because the code line that sets it is skipped. This quickly turns
into a soft lockup, RCU stalls and deadlocks, inflicting severe
headaches to the whole system.
When the timeout has expired, we don't need to schedule a hrtimer, but
we should set the timed_out variable. Therefore, I suggest moving
the ep_schedule_timeout() check into the timed_out expression
instead of skipping it.
brauner: Note that there was an earlier fix by Joe Damato in response to my bug report in [1].
{
"affected": [],
"aliases": [
"CVE-2025-38017"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-18T10:15:33Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/eventpoll: fix endless busy loop after timeout has expired\n\nAfter commit 0a65bc27bd64 (\"eventpoll: Set epoll timeout if it\u0027s in\nthe future\"), the following program would immediately enter a busy\nloop in the kernel:\n\n```\nint main() {\n int e = epoll_create1(0);\n struct epoll_event event = {.events = EPOLLIN};\n epoll_ctl(e, EPOLL_CTL_ADD, 0, \u0026event);\n const struct timespec timeout = {.tv_nsec = 1};\n epoll_pwait2(e, \u0026event, 1, \u0026timeout, 0);\n}\n```\n\nThis happens because the given (non-zero) timeout of 1 nanosecond\nusually expires before ep_poll() is entered and then\nep_schedule_timeout() returns false, but `timed_out` is never set\nbecause the code line that sets it is skipped. This quickly turns\ninto a soft lockup, RCU stalls and deadlocks, inflicting severe\nheadaches to the whole system.\n\nWhen the timeout has expired, we don\u0027t need to schedule a hrtimer, but\nwe should set the `timed_out` variable. Therefore, I suggest moving\nthe ep_schedule_timeout() check into the `timed_out` expression\ninstead of skipping it.\n\nbrauner: Note that there was an earlier fix by Joe Damato in response to\nmy bug report in [1].",
"id": "GHSA-hv9m-xg7c-9q4v",
"modified": "2025-11-14T21:30:27Z",
"published": "2025-06-18T12:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38017"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7631dca012593c95d36199082546a24a0058fc50"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d9ec73301099ec5975505e1c3effbe768bab9490"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.