CVE-2025-21816

hrtimers are migrated away from the dying CPU to any online target at the CPUHPAPHRTIMERS_DYING stage in order not to delay bandwidth timers handling tasks involved in the CPU hotplug forward progress.

However wakeups can still be performed by the outgoing CPU after CPUHPAPHRTIMERS_DYING. Those can result again in bandwidth timers being armed. Depending on several considerations (crystal ball power management based election, earliest timer already enqueued, timer migration enabled or not), the target may eventually be the current CPU even if offline. If that happens, the timer is eventually ignored.

The most notable example is RCU which had to deal with each and every of those wake-ups by deferring them to an online CPU, along with related workarounds:

_ e787644caf76 (rcu: Defer RCU kthreads wakeup when CPU is dying) _ 9139f93209d1 (rcu/nocb: Fix RT throttling hrtimer armed from offline CPU) _ f7345ccc62a4 (rcu/nocb: Fix rcuog wake-up from offline softirq)

The problem isn't confined to RCU though as the stop machine kthread (which runs CPUHPAPHRTIMERSDYING) reports its completion at the end of its work through cpustopsignaldone() and performs a wake up that eventually arms the deadline server timer:

WARNING: CPU: 94 PID: 588 at kernel/time/hrtimer.c:1086 hrtimerstartrangens+0x289/0x2d0 CPU: 94 UID: 0 PID: 588 Comm: migration/94 Not tainted Stopper: multicpustop+0x0/0x120 <- stopmachinecpuslocked+0x66/0xc0 RIP: 0010:hrtimerstartrangens+0x289/0x2d0 Call Trace: <TASK> startdltimer enqueuedlentity dlserverstart enqueuetaskfair enqueuetask ttwudoactivate trytowakeup complete cpustopperthread

Instead of providing yet another bandaid to work around the situation, fix it in the hrtimers infrastructure instead: always migrate away a timer to an online target whenever it is enqueued from an offline CPU.

This will also allow to revert all the above RCU disgraceful hacks.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

75b5016ce325f1ef9c63e5398a1064cf8a7a7354

Fixed

82ac6adbbb2aad14548a71d5e2e37f4964a15e38

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

53f408cad05bb987af860af22f4151e5a18e6ee8

Fixed

63815bef47ec25f5a125019ca480882481ee1553

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

5c0930ccaad5a74d74e8b18b648c5eb21ed2fe94

Fixed

e456a88bddae4030ba962447bb84be6669f2a0c1

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

5c0930ccaad5a74d74e8b18b648c5eb21ed2fe94

Fixed

2aecec58e9040ce3d2694707889f9914a2374955

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

5c0930ccaad5a74d74e8b18b648c5eb21ed2fe94

Fixed

53dac345395c0d2493cbc2f4c85fe38aef5b63f5

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

9a2fc41acb69dd4e2a58d0c04346c3333c2341fc

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

54d0d83a53508d687fd4a225f8aa1f18559562d0

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

7f4c89400d2997939f6971c7981cc780a219e36b

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

6fcbcc6c8e52650749692c7613cbe71bf601670d

Affected versions

v4.*

v4.19.302

v4.19.303

v4.19.304

v4.19.305

v4.19.306

v4.19.307

v4.19.308

v4.19.309

v4.19.310

v4.19.311

v4.19.312

v4.19.313

v4.19.314

v4.19.315

v4.19.316

v4.19.317

v4.19.318

v4.19.319

v4.19.320

v4.19.321

v4.19.322

v4.19.323

v4.19.324

v4.19.325

v5.*

v5.10.204

v5.10.205

v5.10.206

v5.10.207

v5.10.208

v5.10.209

v5.10.210

v5.10.211

v5.10.212

v5.10.213

v5.10.214

v5.10.215

v5.10.216

v5.10.217

v5.10.218

v5.10.219

v5.10.220

v5.10.221

v5.10.222

v5.10.223

v5.10.224

v5.10.225

v5.10.226

v5.10.227

v5.10.228

v5.10.229

v5.10.230

v5.10.231

v5.10.232

v5.10.233

v5.10.234

v5.10.235

v5.10.236

v5.10.237

v5.10.238

v5.10.239

v5.10.240

v5.10.241

v5.10.242

v5.10.243

v5.10.244

v5.10.245

v5.15.143

v5.15.144

v5.15.145

v5.15.146

v5.15.147

v5.15.148

v5.15.149

v5.15.150

v5.15.151

v5.15.152

v5.15.153

v5.15.154

v5.15.155

v5.15.156

v5.15.157

v5.15.158

v5.15.159

v5.15.160

v5.15.161

v5.15.162

v5.15.163

v5.15.164

v5.15.165

v5.15.166

v5.15.167

v5.15.168

v5.15.169

v5.15.170

v5.15.171

v5.15.172

v5.15.173

v5.15.174

v5.15.175

v5.15.176

v5.15.177

v5.15.178

v5.15.179

v5.15.180

v5.15.181

v5.15.182

v5.15.183

v5.15.184

v5.15.185

v5.15.186

v5.15.187

v5.15.188

v5.15.189

v5.15.190

v5.15.191

v5.15.192

v5.15.193

v5.15.194

v5.4.264

v5.4.265

v5.4.266

v5.4.267

v5.4.268

v5.4.269

v5.4.270

v5.4.271

v5.4.272

v5.4.273

v5.4.274

v5.4.275

v5.4.276

v5.4.277

v5.4.278

v5.4.279

v5.4.280

v5.4.281

v5.4.282

v5.4.283

v5.4.284

v5.4.285

v5.4.286

v5.4.287

v5.4.288

v5.4.289

v5.4.290

v5.4.291

v5.4.292

v5.4.293

v5.4.294

v5.4.295

v5.4.296

v5.4.297

v5.4.298

v5.4.299

v5.4.300

v6.*

v6.1.100

v6.1.101

v6.1.102

v6.1.103

v6.1.104

v6.1.105

v6.1.106

v6.1.107

v6.1.108

v6.1.109

v6.1.110

v6.1.111

v6.1.112

v6.1.113

v6.1.114

v6.1.115

v6.1.116

v6.1.117

v6.1.118

v6.1.119

v6.1.120

v6.1.121

v6.1.122

v6.1.123

v6.1.124

v6.1.125

v6.1.126

v6.1.127

v6.1.128

v6.1.129

v6.1.130

v6.1.131

v6.1.132

v6.1.133

v6.1.134

v6.1.135

v6.1.136

v6.1.137

v6.1.138

v6.1.139

v6.1.140

v6.1.68

v6.1.69

v6.1.70

v6.1.71

v6.1.72

v6.1.73

v6.1.74

v6.1.75

v6.1.76

v6.1.77

v6.1.78

v6.1.79

v6.1.80

v6.1.81

v6.1.82

v6.1.83

v6.1.84

v6.1.85

v6.1.86

v6.1.87

v6.1.88

v6.1.89

v6.1.90

v6.1.91

v6.1.92

v6.1.93

v6.1.94

v6.1.95

v6.1.96

v6.1.97

v6.1.98

v6.1.99

v6.10

v6.10-rc1

v6.10-rc2

v6.10-rc3

v6.10-rc4

v6.10-rc5

v6.10-rc6

v6.10-rc7

v6.11

v6.11-rc1

v6.11-rc2

v6.11-rc3

v6.11-rc4

v6.11-rc5

v6.11-rc6

v6.11-rc7

v6.12

v6.12-rc1

v6.12-rc2

v6.12-rc3

v6.12-rc4

v6.12-rc5

v6.12-rc6

v6.12-rc7

v6.12.1

v6.12.10

v6.12.11

v6.12.12

v6.12.13

v6.12.2

v6.12.3

v6.12.4

v6.12.5

v6.12.6

v6.12.7

v6.12.8

v6.12.9

v6.13

v6.13-rc1

v6.13-rc2

v6.13-rc3

v6.13-rc4

v6.13-rc5

v6.13-rc6

v6.13-rc7

v6.13.1

v6.13.2

v6.6.10

v6.6.11

v6.6.12

v6.6.13

v6.6.14

v6.6.15

v6.6.16

v6.6.17

v6.6.18

v6.6.19

v6.6.20

v6.6.21

v6.6.22

v6.6.23

v6.6.24

v6.6.25

v6.6.26

v6.6.27

v6.6.28

v6.6.29

v6.6.30

v6.6.31

v6.6.32

v6.6.33

v6.6.34

v6.6.35

v6.6.36

v6.6.37

v6.6.38

v6.6.39

v6.6.40

v6.6.41

v6.6.42

v6.6.43

v6.6.44

v6.6.45

v6.6.46

v6.6.47

v6.6.48

v6.6.49

v6.6.50

v6.6.51

v6.6.52

v6.6.53

v6.6.54

v6.6.55

v6.6.56

v6.6.57

v6.6.58

v6.6.59

v6.6.60

v6.6.61

v6.6.62

v6.6.63

v6.6.64

v6.6.65

v6.6.66

v6.6.67

v6.6.68

v6.6.69

v6.6.7

v6.6.70

v6.6.71

v6.6.72

v6.6.73

v6.6.74

v6.6.75

v6.6.76

v6.6.77

v6.6.78

v6.6.79

v6.6.8

v6.6.80

v6.6.81

v6.6.82

v6.6.83

v6.6.84

v6.6.85

v6.6.86

v6.6.87

v6.6.88

v6.6.89

v6.6.9

v6.6.90

v6.6.91

v6.6.92

v6.7

v6.7-rc1

v6.7-rc2

v6.7-rc3

v6.7-rc4

v6.7-rc5

v6.7-rc6

v6.7-rc7

v6.7-rc8

v6.8

v6.8-rc1

v6.8-rc2

v6.8-rc3

v6.8-rc4

v6.8-rc5

v6.8-rc6

v6.8-rc7

v6.9

v6.9-rc1

v6.9-rc2

v6.9-rc3

v6.9-rc4

v6.9-rc5

v6.9-rc6

v6.9-rc7

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.1.141

Type: ECOSYSTEM
Events: Introduced

6.2.0

Fixed

6.6.93

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.12.14

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.13.3