CVE-2025-39886
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-39886
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-39886.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-39886
- Downstream
- Published
- 2025-09-23T06:00:53Z
- Modified
- 2025-10-18T07:34:56.407233Z
- Summary
- bpf: Tell memcg to use allow_spinning=false path in bpf_timer_init()
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
bpf: Tell memcg to use allowspinning=false path in bpftimer_init()
Currently, calling bpfmapkmallocnode() from _bpfasyncinit() can cause various locking issues; see the following stack trace (edited for style) as one example:
... [10.011566] dorawspinlock.cold [10.011570] trytowakeup (5) double-acquiring the same [10.011575] kickpool rqlock, causing a hardlockup [10.011579] queuework [10.011582] queueworkon [10.011585] kernfsnotify [10.011589] cgroupfilenotify [10.011593] trychargememcg (4) memcg accounting raises an [10.011597] objcgroupchargepages MEMCGMAX event [10.011599] objcgroupchargeaccount [10.011600] _memcgslabpostallochook [10.011603] _kmallocnodenoprof ... [10.011611] bpfmapkmallocnode [10.011612] _bpfasyncinit [10.011615] bpftimerinit (3) BPF calls bpftimerinit() [10.011617] bpfprogxxxxxxxxxxxxxxxxfcgrunnable [10.011619] bpfschedextopsrunnable [10.011620] enqueuetaskscx (2) BPF runs with rqlock held [10.011622] enqueuetask [10.011626] ttwudoactivate [10.011629] schedttwupending (1) grabs rq_lock ...
The above was reproduced on bpf-next (b338cf849ec8) by modifying ./tools/schedext/scxflatcg.bpf.c to call bpftimerinit() during ops.runnable(), and hacking the memcg accounting code a bit to make a bpftimerinit() call more likely to raise an MEMCG_MAX event.
We have also run into other similar variants (both internally and on bpf-next), including double-acquiring cgroupfileknlock, the same workerpool::lock, etc.
As suggested by Shakeel, fix this by using _GFPHIGH instead of GFPATOMIC in _bpfasyncinit(), so that e.g. if trychargememcg() raises an MEMCGMAX event, we call _memcgmemoryevent() with @allowspinning=false and avoid calling cgroupfile_notify() there.
Depends on mm patch "memcg: skip cgroupfilenotify if spinning is not allowed": https://lore.kernel.org/bpf/20250905201606.66198-1-shakeel.butt@linux.dev/
v0 approach s/bpfmapkmallocnode/bpfmem_alloc/ https://lore.kernel.org/bpf/20250905061919.439648-1-yepeilin@google.com/ v1 approach: https://lore.kernel.org/bpf/20250905234547.862249-1-yepeilin@google.com/
- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/449682e76f32601f211816d3e2100bed87e67a4c
- https://git.kernel.org/stable/c/6d78b4473cdb08b74662355a9e8510bde09c511e
- https://git.kernel.org/stable/c/ac70cd446f83ccb25532b343919ab86eacdcd06a
- https://git.kernel.org/stable/c/cd1fd26bb13473c1734e3026b2b97025a0a4087b
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedb00628b1c7d595ae5b544e059c27b1f5828314b4Fixed449682e76f32601f211816d3e2100bed87e67a4c
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedb00628b1c7d595ae5b544e059c27b1f5828314b4Fixedcd1fd26bb13473c1734e3026b2b97025a0a4087b
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedb00628b1c7d595ae5b544e059c27b1f5828314b4Fixedac70cd446f83ccb25532b343919ab86eacdcd06a
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedb00628b1c7d595ae5b544e059c27b1f5828314b4Fixed6d78b4473cdb08b74662355a9e8510bde09c511e