CVE-2025-21813

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-21813
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-21813.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-21813
Downstream
Related
Published
2025-02-27T20:04:13Z
Modified
2025-10-17T21:42:52.496506Z
Summary
timers/migration: Fix off-by-one root mis-connection
Details

In the Linux kernel, the following vulnerability has been resolved:

timers/migration: Fix off-by-one root mis-connection

Before attaching a new root to the old root, the children counter of the new root is checked to verify that only the upcoming CPU's top group have been connected to it. However since the recently added commit b729cc1ec21a ("timers/migration: Fix another race between hotplug and idle entry/exit") this check is not valid anymore because the old root is pre-accounted as a child to the new root. Therefore after connecting the upcoming CPU's top group to the new root, the children count to be expected must be 2 and not 1 anymore.

This omission results in the old root to not be connected to the new root. Then eventually the system may run with more than one top level, which defeats the purpose of a single idle migrator.

Also the old root is pre-accounted but not connected upon the new root creation. But it can be connected to the new root later on. Therefore the old root may be accounted twice to the new root. The propagation of such overcommit can end up creating a double final top-level root with a groupmask incorrectly initialized. Although harmless given that the final top level roots will never have a parent to walk up to, this oddity opportunistically reported the core issue:

WARNING: CPU: 8 PID: 0 at kernel/time/timermigration.c:543 tmigrrequireshandleremote CPU: 8 UID: 0 PID: 0 Comm: swapper/8 RIP: 0010:tmigrrequireshandleremote Call Trace: <IRQ> ? tmigrrequireshandleremote ? hrtimerrunqueues updateprocesstimes tickperiodic tickhandleperiodic _sysvecapictimerinterrupt sysvecapictimerinterrupt </IRQ>

Fix the problem by taking the old root into account in the children count of the new root so the connection is not omitted.

Also warn when more than one top level group exists to better detect similar issues in the future.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
12ead225b7996252a8bc1a49b03aad57c0794880
Fixed
c6dd70e5b465a2b77c7a7c3d868736d302e29aec
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
b729cc1ec21a5899b7879ccfbe1786664928d597
Fixed
6f449d8fa1808a7f9ee644866bbc079285dbefdd
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
b729cc1ec21a5899b7879ccfbe1786664928d597
Fixed
868c9037df626b3c245ee26a290a03ae1f9f58d3

Affected versions

v6.*

v6.12.11
v6.12.12
v6.12.13
v6.13
v6.13.1
v6.13.2

Database specific

vanir_signatures

[
    {
        "deprecated": false,
        "signature_type": "Function",
        "digest": {
            "length": 1345.0,
            "function_hash": "30397286552552176070415608670238395157"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@868c9037df626b3c245ee26a290a03ae1f9f58d3",
        "id": "CVE-2025-21813-102ff4cc",
        "target": {
            "function": "tmigr_setup_groups",
            "file": "kernel/time/timer_migration.c"
        },
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "265538228087183162876075666618963035391",
                "256877966927615352605570974519251148203",
                "227353429063129704822729950066591850726",
                "60899948930677229428115632689405650289",
                "252107928997125252879367670183996416978",
                "239145677977374998606273424452349434021",
                "77749678022517264704847366684038604566"
            ],
            "threshold": 0.9
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c6dd70e5b465a2b77c7a7c3d868736d302e29aec",
        "id": "CVE-2025-21813-1db57b4c",
        "target": {
            "file": "kernel/time/timer_migration.c"
        },
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "265538228087183162876075666618963035391",
                "256877966927615352605570974519251148203",
                "227353429063129704822729950066591850726",
                "60899948930677229428115632689405650289",
                "252107928997125252879367670183996416978",
                "239145677977374998606273424452349434021",
                "77749678022517264704847366684038604566"
            ],
            "threshold": 0.9
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@6f449d8fa1808a7f9ee644866bbc079285dbefdd",
        "id": "CVE-2025-21813-78b2233c",
        "target": {
            "file": "kernel/time/timer_migration.c"
        },
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "116191717211068891813116473440506152166",
                "256877966927615352605570974519251148203",
                "227353429063129704822729950066591850726",
                "60899948930677229428115632689405650289",
                "252107928997125252879367670183996416978",
                "239145677977374998606273424452349434021",
                "77749678022517264704847366684038604566"
            ],
            "threshold": 0.9
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@868c9037df626b3c245ee26a290a03ae1f9f58d3",
        "id": "CVE-2025-21813-8850ecdb",
        "target": {
            "file": "kernel/time/timer_migration.c"
        },
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "signature_type": "Function",
        "digest": {
            "length": 1425.0,
            "function_hash": "285913949414124095889614207839813214990"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@6f449d8fa1808a7f9ee644866bbc079285dbefdd",
        "id": "CVE-2025-21813-ac279702",
        "target": {
            "function": "tmigr_setup_groups",
            "file": "kernel/time/timer_migration.c"
        },
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "signature_type": "Function",
        "digest": {
            "length": 1425.0,
            "function_hash": "285913949414124095889614207839813214990"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c6dd70e5b465a2b77c7a7c3d868736d302e29aec",
        "id": "CVE-2025-21813-bca395b7",
        "target": {
            "function": "tmigr_setup_groups",
            "file": "kernel/time/timer_migration.c"
        },
        "signature_version": "v1"
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.12.14
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.13.3