We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2025-38048

virtio_ring: Fix data race by tagging event_triggered as racy for KCSAN



Description

In the Linux kernel, the following vulnerability has been resolved: virtio_ring: Fix data race by tagging event_triggered as racy for KCSAN syzbot reports a data-race when accessing the event_triggered, here is the simplified stack when the issue occurred: ================================================================== BUG: KCSAN: data-race in virtqueue_disable_cb / virtqueue_enable_cb_delayed write to 0xffff8881025bc452 of 1 bytes by task 3288 on cpu 0: virtqueue_enable_cb_delayed+0x42/0x3c0 drivers/virtio/virtio_ring.c:2653 start_xmit+0x230/0x1310 drivers/net/virtio_net.c:3264 __netdev_start_xmit include/linux/netdevice.h:5151 [inline] netdev_start_xmit include/linux/netdevice.h:5160 [inline] xmit_one net/core/dev.c:3800 [inline] read to 0xffff8881025bc452 of 1 bytes by interrupt on cpu 1: virtqueue_disable_cb_split drivers/virtio/virtio_ring.c:880 [inline] virtqueue_disable_cb+0x92/0x180 drivers/virtio/virtio_ring.c:2566 skb_xmit_done+0x5f/0x140 drivers/net/virtio_net.c:777 vring_interrupt+0x161/0x190 drivers/virtio/virtio_ring.c:2715 __handle_irq_event_percpu+0x95/0x490 kernel/irq/handle.c:158 handle_irq_event_percpu kernel/irq/handle.c:193 [inline] value changed: 0x01 -> 0x00 ================================================================== When the data race occurs, the function virtqueue_enable_cb_delayed() sets event_triggered to false, and virtqueue_disable_cb_split/packed() reads it as false due to the race condition. Since event_triggered is an unreliable hint used for optimization, this should only cause the driver temporarily suggest that the device not send an interrupt notification when the event index is used. Fix this KCSAN reported data-race issue by explicitly tagging the access as data_racy.

Reserved 2025-04-16 | Published 2025-06-18 | Updated 2025-06-18 | Assigner Linux

Product status

Default status
unaffected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 02d2d6caee3abc9335cfca35f8eb4492173ae6f2
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before b6d6419548286b2b9d2b90df824d3cab797f6ae8
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before b49b5132e4c7307599492aee1cdc6d89f7f2a7da
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before b730cb109633c455ce8a7cd6934986c6a16d88d8
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 4ed8f0e808b3fcc71c5b8be7902d8738ed595b17
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 2e2f925fe737576df2373931c95e1a2b66efdfef
affected

Default status
affected

5.15.185
unaffected

6.1.141
unaffected

6.6.93
unaffected

6.12.31
unaffected

6.14.9
unaffected

6.15
unaffected

References

git.kernel.org/...c/02d2d6caee3abc9335cfca35f8eb4492173ae6f2

git.kernel.org/...c/b6d6419548286b2b9d2b90df824d3cab797f6ae8

git.kernel.org/...c/b49b5132e4c7307599492aee1cdc6d89f7f2a7da

git.kernel.org/...c/b730cb109633c455ce8a7cd6934986c6a16d88d8

git.kernel.org/...c/4ed8f0e808b3fcc71c5b8be7902d8738ed595b17

git.kernel.org/...c/2e2f925fe737576df2373931c95e1a2b66efdfef

cve.org (CVE-2025-38048)

nvd.nist.gov (CVE-2025-38048)

Download JSON

Share this page
https://cve.threatint.eu/CVE/CVE-2025-38048

Support options

Helpdesk Chat, Email, Knowledgebase
© Copyright 2025 THREATINT
Made in Cyprus with +
 System status
Find us on
Data Privacy
Terms of Use
Logo BSI Allianz für Cyber-Sicherheit
Error loading Crisp.chat. Please check your web content filter and browser plugins.