CVE-2025-38234

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
04/07/2025
Last modified:
08/07/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> sched/rt: Fix race in push_rt_task<br /> <br /> Overview<br /> ========<br /> When a CPU chooses to call push_rt_task and picks a task to push to<br /> another CPU&amp;#39;s runqueue then it will call find_lock_lowest_rq method<br /> which would take a double lock on both CPUs&amp;#39; runqueues. If one of the<br /> locks aren&amp;#39;t readily available, it may lead to dropping the current<br /> runqueue lock and reacquiring both the locks at once. During this window<br /> it is possible that the task is already migrated and is running on some<br /> other CPU. These cases are already handled. However, if the task is<br /> migrated and has already been executed and another CPU is now trying to<br /> wake it up (ttwu) such that it is queued again on the runqeue<br /> (on_rq is 1) and also if the task was run by the same CPU, then the<br /> current checks will pass even though the task was migrated out and is no<br /> longer in the pushable tasks list.<br /> <br /> Crashes<br /> =======<br /> This bug resulted in quite a few flavors of crashes triggering kernel<br /> panics with various crash signatures such as assert failures, page<br /> faults, null pointer dereferences, and queue corruption errors all<br /> coming from scheduler itself.<br /> <br /> Some of the crashes:<br /> -&gt; kernel BUG at kernel/sched/rt.c:1616! BUG_ON(idx &gt;= MAX_RT_PRIO)<br /> Call Trace:<br /> ? __die_body+0x1a/0x60<br /> ? die+0x2a/0x50<br /> ? do_trap+0x85/0x100<br /> ? pick_next_task_rt+0x6e/0x1d0<br /> ? do_error_trap+0x64/0xa0<br /> ? pick_next_task_rt+0x6e/0x1d0<br /> ? exc_invalid_op+0x4c/0x60<br /> ? pick_next_task_rt+0x6e/0x1d0<br /> ? asm_exc_invalid_op+0x12/0x20<br /> ? pick_next_task_rt+0x6e/0x1d0<br /> __schedule+0x5cb/0x790<br /> ? update_ts_time_stats+0x55/0x70<br /> schedule_idle+0x1e/0x40<br /> do_idle+0x15e/0x200<br /> cpu_startup_entry+0x19/0x20<br /> start_secondary+0x117/0x160<br /> secondary_startup_64_no_verify+0xb0/0xbb<br /> <br /> -&gt; BUG: kernel NULL pointer dereference, address: 00000000000000c0<br /> Call Trace:<br /> ? __die_body+0x1a/0x60<br /> ? no_context+0x183/0x350<br /> ? __warn+0x8a/0xe0<br /> ? exc_page_fault+0x3d6/0x520<br /> ? asm_exc_page_fault+0x1e/0x30<br /> ? pick_next_task_rt+0xb5/0x1d0<br /> ? pick_next_task_rt+0x8c/0x1d0<br /> __schedule+0x583/0x7e0<br /> ? update_ts_time_stats+0x55/0x70<br /> schedule_idle+0x1e/0x40<br /> do_idle+0x15e/0x200<br /> cpu_startup_entry+0x19/0x20<br /> start_secondary+0x117/0x160<br /> secondary_startup_64_no_verify+0xb0/0xbb<br /> <br /> -&gt; BUG: unable to handle page fault for address: ffff9464daea5900<br /> kernel BUG at kernel/sched/rt.c:1861! BUG_ON(rq-&gt;cpu != task_cpu(p))<br /> <br /> -&gt; kernel BUG at kernel/sched/rt.c:1055! BUG_ON(!rq-&gt;nr_running)<br /> Call Trace:<br /> ? __die_body+0x1a/0x60<br /> ? die+0x2a/0x50<br /> ? do_trap+0x85/0x100<br /> ? dequeue_top_rt_rq+0xa2/0xb0<br /> ? do_error_trap+0x64/0xa0<br /> ? dequeue_top_rt_rq+0xa2/0xb0<br /> ? exc_invalid_op+0x4c/0x60<br /> ? dequeue_top_rt_rq+0xa2/0xb0<br /> ? asm_exc_invalid_op+0x12/0x20<br /> ? dequeue_top_rt_rq+0xa2/0xb0<br /> dequeue_rt_entity+0x1f/0x70<br /> dequeue_task_rt+0x2d/0x70<br /> __schedule+0x1a8/0x7e0<br /> ? blk_finish_plug+0x25/0x40<br /> schedule+0x3c/0xb0<br /> futex_wait_queue_me+0xb6/0x120<br /> futex_wait+0xd9/0x240<br /> do_futex+0x344/0xa90<br /> ? get_mm_exe_file+0x30/0x60<br /> ? audit_exe_compare+0x58/0x70<br /> ? audit_filter_rules.constprop.26+0x65e/0x1220<br /> __x64_sys_futex+0x148/0x1f0<br /> do_syscall_64+0x30/0x80<br /> entry_SYSCALL_64_after_hwframe+0x62/0xc7<br /> <br /> -&gt; BUG: unable to handle page fault for address: ffff8cf3608bc2c0<br /> Call Trace:<br /> ? __die_body+0x1a/0x60<br /> ? no_context+0x183/0x350<br /> ? spurious_kernel_fault+0x171/0x1c0<br /> ? exc_page_fault+0x3b6/0x520<br /> ? plist_check_list+0x15/0x40<br /> ? plist_check_list+0x2e/0x40<br /> ? asm_exc_page_fault+0x1e/0x30<br /> ? _cond_resched+0x15/0x30<br /> ? futex_wait_queue_me+0xc8/0x120<br /> ? futex_wait+0xd9/0x240<br /> ? try_to_wake_up+0x1b8/0x490<br /> ? futex_wake+0x78/0x160<br /> ? do_futex+0xcd/0xa90<br /> ? plist_check_list+0x15/0x40<br /> ? plist_check_list+0x2e/0x40<br /> ? plist_del+0x6a/0xd0<br /> ? plist_check_list+0x15/0x40<br /> ? plist_check_list+0x2e/0x40<br /> ? dequeue_pushable_task+0x20/0x70<br /> ? __schedule+0x382/0x7e0<br /> ? asm_sysvec_reschedule_i<br /> ---truncated---

Impact