GHSA-X9W7-P4VP-Q593

Vulnerability from github – Published: 2025-12-16 15:30 – Updated: 2025-12-16 15:30
VLAI?
Details

In the Linux kernel, the following vulnerability has been resolved:

netpoll: Fix deadlock in memory allocation under spinlock

Fix a AA deadlock in refill_skbs() where memory allocation while holding skb_pool->lock can trigger a recursive lock acquisition attempt.

The deadlock scenario occurs when the system is under severe memory pressure:

  1. refill_skbs() acquires skb_pool->lock (spinlock)
  2. alloc_skb() is called while holding the lock
  3. Memory allocator fails and calls slab_out_of_memory()
  4. This triggers printk() for the OOM warning
  5. The console output path calls netpoll_send_udp()
  6. netpoll_send_udp() attempts to acquire the same skb_pool->lock
  7. Deadlock: the lock is already held by the same CPU

Call stack: refill_skbs() spin_lock_irqsave(&skb_pool->lock) <- lock acquired __alloc_skb() kmem_cache_alloc_node_noprof() slab_out_of_memory() printk() console_flush_all() netpoll_send_udp() skb_dequeue() spin_lock_irqsave(&skb_pool->lock) <- deadlock attempt

This bug was exposed by commit 248f6571fd4c51 ("netpoll: Optimize skb refilling on critical path") which removed refill_skbs() from the critical path (where nested printk was being deferred), letting nested printk being called from inside refill_skbs()

Refactor refill_skbs() to never allocate memory while holding the spinlock.

Another possible solution to fix this problem is protecting the refill_skbs() from nested printks, basically calling printk_deferred_{enter,exit}() in refill_skbs(), then, any nested pr_warn() would be deferred.

I prefer this approach, given I think it might be a good idea to move the alloc_skb() from GFP_ATOMIC to GFP_KERNEL in the future, so, having the alloc_skb() outside of the lock will be necessary step.

There is a possible TOCTOU issue when checking for the pool length, and queueing the new allocated skb, but, this is not an issue, given that an extra SKB in the pool is harmless and it will be eventually used.

Show details on source website
To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-68169"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-16T14:15:48Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetpoll: Fix deadlock in memory allocation under spinlock\n\nFix a AA deadlock in refill_skbs() where memory allocation while holding\nskb_pool-\u003elock can trigger a recursive lock acquisition attempt.\n\nThe deadlock scenario occurs when the system is under severe memory\npressure:\n\n1. refill_skbs() acquires skb_pool-\u003elock (spinlock)\n2. alloc_skb() is called while holding the lock\n3. Memory allocator fails and calls slab_out_of_memory()\n4. This triggers printk() for the OOM warning\n5. The console output path calls netpoll_send_udp()\n6. netpoll_send_udp() attempts to acquire the same skb_pool-\u003elock\n7. Deadlock: the lock is already held by the same CPU\n\nCall stack:\n  refill_skbs()\n    spin_lock_irqsave(\u0026skb_pool-\u003elock)    \u003c- lock acquired\n    __alloc_skb()\n      kmem_cache_alloc_node_noprof()\n        slab_out_of_memory()\n          printk()\n            console_flush_all()\n              netpoll_send_udp()\n                skb_dequeue()\n                  spin_lock_irqsave(\u0026skb_pool-\u003elock)     \u003c- deadlock attempt\n\nThis bug was exposed by commit 248f6571fd4c51 (\"netpoll: Optimize skb\nrefilling on critical path\") which removed refill_skbs() from the\ncritical path (where nested printk was being deferred), letting nested\nprintk being called from inside refill_skbs()\n\nRefactor refill_skbs() to never allocate memory while holding\nthe spinlock.\n\nAnother possible solution to fix this problem is protecting the\nrefill_skbs() from nested printks, basically calling\nprintk_deferred_{enter,exit}() in refill_skbs(), then, any nested\npr_warn() would be deferred.\n\nI prefer this approach, given I _think_ it might be a good idea to move\nthe alloc_skb() from GFP_ATOMIC to GFP_KERNEL in the future, so, having\nthe alloc_skb() outside of the lock will be necessary step.\n\nThere is a possible TOCTOU issue when checking for the pool length, and\nqueueing the new allocated skb, but, this is not an issue, given that\nan extra SKB in the pool is harmless and it will be eventually used.",
  "id": "GHSA-x9w7-p4vp-q593",
  "modified": "2025-12-16T15:30:44Z",
  "published": "2025-12-16T15:30:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68169"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/06742a3ab884d7428c9050b205ffcf6a8a548397"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/327c20c21d80e0d87834b392d83ae73c955ad8ff"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.