ghsa-vqg7-j8rg-9mw8
Vulnerability from github
Published
2025-09-11 18:35
Modified
2025-09-11 18:35
Details

In the Linux kernel, the following vulnerability has been resolved:

rcu: Fix rcu_read_unlock() deadloop due to IRQ work

During rcu_read_unlock_special(), if this happens during irq_exit(), we can lockup if an IPI is issued. This is because the IPI itself triggers the irq_exit() path causing a recursive lock up.

This is precisely what Xiongfeng found when invoking a BPF program on the trace_tick_stop() tracepoint As shown in the trace below. Fix by managing the irq_work state correctly.

irq_exit() __irq_exit_rcu() / in_hardirq() returns false after this / preempt_count_sub(HARDIRQ_OFFSET) tick_irq_exit() tick_nohz_irq_exit() tick_nohz_stop_sched_tick() trace_tick_stop() / a bpf prog is hooked on this trace point / __bpf_trace_tick_stop() bpf_trace_run2() rcu_read_unlock_special() / will send a IPI to itself / irq_work_queue_on(&rdp->defer_qs_iw, rdp->cpu);

A simple reproducer can also be obtained by doing the following in tick_irq_exit(). It will hang on boot without the patch:

static inline void tick_irq_exit(void) { + rcu_read_lock(); + WRITE_ONCE(current->rcu_read_unlock_special.b.need_qs, true); + rcu_read_unlock(); +

[neeraj: Apply Frederic's suggested fix for PREEMPT_RT]

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-39744"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-11T17:15:37Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nrcu: Fix rcu_read_unlock() deadloop due to IRQ work\n\nDuring rcu_read_unlock_special(), if this happens during irq_exit(), we\ncan lockup if an IPI is issued. This is because the IPI itself triggers\nthe irq_exit() path causing a recursive lock up.\n\nThis is precisely what Xiongfeng found when invoking a BPF program on\nthe trace_tick_stop() tracepoint As shown in the trace below. Fix by\nmanaging the irq_work state correctly.\n\nirq_exit()\n  __irq_exit_rcu()\n    /* in_hardirq() returns false after this */\n    preempt_count_sub(HARDIRQ_OFFSET)\n    tick_irq_exit()\n      tick_nohz_irq_exit()\n\t    tick_nohz_stop_sched_tick()\n\t      trace_tick_stop()  /* a bpf prog is hooked on this trace point */\n\t\t   __bpf_trace_tick_stop()\n\t\t      bpf_trace_run2()\n\t\t\t    rcu_read_unlock_special()\n                              /* will send a IPI to itself */\n\t\t\t      irq_work_queue_on(\u0026rdp-\u003edefer_qs_iw, rdp-\u003ecpu);\n\nA simple reproducer can also be obtained by doing the following in\ntick_irq_exit(). It will hang on boot without the patch:\n\n  static inline void tick_irq_exit(void)\n  {\n +\trcu_read_lock();\n +\tWRITE_ONCE(current-\u003ercu_read_unlock_special.b.need_qs, true);\n +\trcu_read_unlock();\n +\n\n[neeraj: Apply Frederic\u0027s suggested fix for PREEMPT_RT]",
  "id": "GHSA-vqg7-j8rg-9mw8",
  "modified": "2025-09-11T18:35:51Z",
  "published": "2025-09-11T18:35:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39744"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1cfa244f7198d325594e627574930b7b91df5bfe"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/56c5ef194f4509df63fc0f7a91ea5973ce479b1e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b41642c87716bbd09797b1e4ea7d904f06c39b7b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ddebb2a7677673cf4438a04e1a48b8ed6b0c8e9a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e7a375453cca2b8a0d2fa1b82b913f3fed7c0507"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.