Home

Description

In the Linux kernel, the following vulnerability has been resolved: netpoll: Fix deadlock in memory allocation under spinlock Fix a AA deadlock in refill_skbs() where memory allocation while holding skb_pool->lock can trigger a recursive lock acquisition attempt. The deadlock scenario occurs when the system is under severe memory pressure: 1. refill_skbs() acquires skb_pool->lock (spinlock) 2. alloc_skb() is called while holding the lock 3. Memory allocator fails and calls slab_out_of_memory() 4. This triggers printk() for the OOM warning 5. The console output path calls netpoll_send_udp() 6. netpoll_send_udp() attempts to acquire the same skb_pool->lock 7. Deadlock: the lock is already held by the same CPU Call stack: refill_skbs() spin_lock_irqsave(&skb_pool->lock) <- lock acquired __alloc_skb() kmem_cache_alloc_node_noprof() slab_out_of_memory() printk() console_flush_all() netpoll_send_udp() skb_dequeue() spin_lock_irqsave(&skb_pool->lock) <- deadlock attempt This bug was exposed by commit 248f6571fd4c51 ("netpoll: Optimize skb refilling on critical path") which removed refill_skbs() from the critical path (where nested printk was being deferred), letting nested printk being called from inside refill_skbs() Refactor refill_skbs() to never allocate memory while holding the spinlock. Another possible solution to fix this problem is protecting the refill_skbs() from nested printks, basically calling printk_deferred_{enter,exit}() in refill_skbs(), then, any nested pr_warn() would be deferred. I prefer this approach, given I _think_ it might be a good idea to move the alloc_skb() from GFP_ATOMIC to GFP_KERNEL in the future, so, having the alloc_skb() outside of the lock will be necessary step. There is a possible TOCTOU issue when checking for the pool length, and queueing the new allocated skb, but, this is not an issue, given that an extra SKB in the pool is harmless and it will be eventually used.

PUBLISHED Reserved 2025-12-16 | Published 2025-12-16 | Updated 2025-12-16 | Assigner Linux

Product status

Default status
unaffected

248f6571fd4c51531f7f8f07f186f7ae98a50afc (git) before 06742a3ab884d7428c9050b205ffcf6a8a548397
affected

248f6571fd4c51531f7f8f07f186f7ae98a50afc (git) before 327c20c21d80e0d87834b392d83ae73c955ad8ff
affected

Default status
affected

6.15
affected

Any version before 6.15
unaffected

6.17.8 (semver)
unaffected

6.18 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/06742a3ab884d7428c9050b205ffcf6a8a548397

git.kernel.org/...c/327c20c21d80e0d87834b392d83ae73c955ad8ff

cve.org (CVE-2025-68169)

nvd.nist.gov (CVE-2025-68169)

Download JSON

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.