CVE-2025-38234
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 04/07/2025
Last modified: 08/07/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

sched/rt: Fix race in push_rt_task

Overview
========
When a CPU chooses to call push_rt_task and picks a task to push to
another CPU's runqueue then it will call find_lock_lowest_rq method
which would take a double lock on both CPUs' runqueues. If one of the
locks isn't readily available, it may lead to dropping the current
runqueue lock and reacquiring both the locks at once. During this window
it is possible that the task is already migrated and is running on some
other CPU. These cases are already handled. However, if the task is
migrated and has already been executed and another CPU is now trying to
wake it up (ttwu) such that it is queued again on the runqueue
(on_rq is 1) and also if the task was run by the same CPU, then the
current checks will pass even though the task was migrated out and is no
longer in the pushable tasks list.

Crashes
=======
This bug resulted in quite a few flavors of crashes triggering kernel
panics with various crash signatures such as assert failures, page
faults, null pointer dereferences, and queue corruption errors all
coming from the scheduler itself.

Some of the crashes:
-> kernel BUG at kernel/sched/rt.c:1616! BUG_ON(idx >= MAX_RT_PRIO)
Call Trace:
? __die_body+0x1a/0x60
? die+0x2a/0x50
? do_trap+0x85/0x100
? pick_next_task_rt+0x6e/0x1d0
? do_error_trap+0x64/0xa0
? pick_next_task_rt+0x6e/0x1d0
? exc_invalid_op+0x4c/0x60
? pick_next_task_rt+0x6e/0x1d0
? asm_exc_invalid_op+0x12/0x20
? pick_next_task_rt+0x6e/0x1d0
__schedule+0x5cb/0x790
? update_ts_time_stats+0x55/0x70
schedule_idle+0x1e/0x40
do_idle+0x15e/0x200
cpu_startup_entry+0x19/0x20
start_secondary+0x117/0x160
secondary_startup_64_no_verify+0xb0/0xbb

-> BUG: kernel NULL pointer dereference, address: 00000000000000c0
Call Trace:
? __die_body+0x1a/0x60
? no_context+0x183/0x350
? __warn+0x8a/0xe0
? exc_page_fault+0x3d6/0x520
? asm_exc_page_fault+0x1e/0x30
? pick_next_task_rt+0xb5/0x1d0
? pick_next_task_rt+0x8c/0x1d0
__schedule+0x583/0x7e0
? update_ts_time_stats+0x55/0x70
schedule_idle+0x1e/0x40
do_idle+0x15e/0x200
cpu_startup_entry+0x19/0x20
start_secondary+0x117/0x160
secondary_startup_64_no_verify+0xb0/0xbb

-> BUG: unable to handle page fault for address: ffff9464daea5900
kernel BUG at kernel/sched/rt.c:1861! BUG_ON(rq->cpu != task_cpu(p))

-> kernel BUG at kernel/sched/rt.c:1055! BUG_ON(!rq->nr_running)
Call Trace:
? __die_body+0x1a/0x60
? die+0x2a/0x50
? do_trap+0x85/0x100
? dequeue_top_rt_rq+0xa2/0xb0
? do_error_trap+0x64/0xa0
? dequeue_top_rt_rq+0xa2/0xb0
? exc_invalid_op+0x4c/0x60
? dequeue_top_rt_rq+0xa2/0xb0
? asm_exc_invalid_op+0x12/0x20
? dequeue_top_rt_rq+0xa2/0xb0
dequeue_rt_entity+0x1f/0x70
dequeue_task_rt+0x2d/0x70
__schedule+0x1a8/0x7e0
? blk_finish_plug+0x25/0x40
schedule+0x3c/0xb0
futex_wait_queue_me+0xb6/0x120
futex_wait+0xd9/0x240
do_futex+0x344/0xa90
? get_mm_exe_file+0x30/0x60
? audit_exe_compare+0x58/0x70
? audit_filter_rules.constprop.26+0x65e/0x1220
__x64_sys_futex+0x148/0x1f0
do_syscall_64+0x30/0x80
entry_SYSCALL_64_after_hwframe+0x62/0xc7

-> BUG: unable to handle page fault for address: ffff8cf3608bc2c0
Call Trace:
? __die_body+0x1a/0x60
? no_context+0x183/0x350
? spurious_kernel_fault+0x171/0x1c0
? exc_page_fault+0x3b6/0x520
? plist_check_list+0x15/0x40
? plist_check_list+0x2e/0x40
? asm_exc_page_fault+0x1e/0x30
? _cond_resched+0x15/0x30
? futex_wait_queue_me+0xc8/0x120
? futex_wait+0xd9/0x240
? try_to_wake_up+0x1b8/0x490
? futex_wake+0x78/0x160
? do_futex+0xcd/0xa90
? plist_check_list+0x15/0x40
? plist_check_list+0x2e/0x40
? plist_del+0x6a/0xd0
? plist_check_list+0x15/0x40
? plist_check_list+0x2e/0x40
? dequeue_pushable_task+0x20/0x70
? __schedule+0x382/0x7e0
? asm_sysvec_reschedule_i
---truncated---
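The lock-drop window described in the Overview, replayed as an added C model. This is not the kernel's code and not the patch (the Fix section is truncated above): the task and runqueue structs, the one-entry pushable list and the two check functions are assumptions that mirror the commit message's terms (on_rq, task_cpu, pushable tasks list). It shows why a check built from on_rq and the CPU number passes after the migrate / run / wake-up round trip, while a check of membership in this runqueue's pushable list does not.

```c
#include <stdbool.h>
#include <stdio.h>

/* Minimal model, not kernel code: a task and a per-CPU runqueue with a
 * one-entry "pushable tasks" list. Field names follow the commit message. */
struct task { int cpu; int on_rq; };
struct rq   { int cpu; struct task *pushable; };   /* NULL means list empty */

/* The check that, per the Overview above, still passes after the task was
 * migrated out, ran elsewhere and was re-woken on this CPU. */
bool stale_check_passes(const struct rq *rq, const struct task *p)
{
    return p->on_rq == 1 && p->cpu == rq->cpu;
}

/* Stronger check: is p still the candidate linked in this runqueue's
 * pushable list? List membership is the invariant a push relies on. */
bool pushable_check_passes(const struct rq *rq, const struct task *p)
{
    return rq->pushable == p;
}

/* Replay the window from the commit message: CPU 0 picked p from its list
 * and dropped its lock inside find_lock_lowest_rq(); these steps happen
 * before it reacquires the lock. Step 3 reproduces the end state the
 * commit describes (on_rq == 1, same CPU, not on the pushable list). */
void replay_window(struct rq *rq0, struct rq *rq1, struct task *p)
{
    rq0->pushable = NULL; p->cpu = rq1->cpu; rq1->pushable = p; /* 1. migrated */
    rq1->pushable = NULL; p->on_rq = 0;                         /* 2. ran, blocked */
    p->cpu = rq0->cpu; p->on_rq = 1;                            /* 3. ttwu on CPU 0 */
}

/* Bit 0: stale check passes after the window; bit 1: pushable check passes. */
int window_outcome(void)
{
    struct task p = { .cpu = 0, .on_rq = 1 };
    struct rq rq0 = { .cpu = 0, .pushable = &p }, rq1 = { .cpu = 1, .pushable = NULL };
    replay_window(&rq0, &rq1, &p);
    return (stale_check_passes(&rq0, &p) ? 1 : 0) | (pushable_check_passes(&rq0, &p) ? 2 : 0);
}

int main(void)
{
    int out = window_outcome();
    printf("stale check: %s\n", (out & 1) ? "pass (would push a stale task)" : "fail");
    printf("pushable check: %s\n", (out & 2) ? "pass" : "fail (push aborted)");
    return 0;
}
```

The crash signatures above (BUG_ON(rq->cpu != task_cpu(p)), plist corruption under dequeue_pushable_task) are what a push acting on such a stale task produces; the defensive rule is to re-validate the exact state the operation depends on after any lock drop, not a proxy for it.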