CVE-2025-68202
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
16/12/2025
Last modified:
16/12/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

sched_ext: Fix unsafe locking in scx_dump_state()

For kernels built with CONFIG_PREEMPT_RT=y, the dump_lock will be converted
to a sleepable spinlock and will not disable IRQs, so the following scenario occurs:

inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage.
irq_work/0/27 [HC0[0]:SC0[0]:HE1:SE1] takes:
(&rq->__lock){?...}-{2:2}, at: raw_spin_rq_lock_nested+0x2b/0x40
{IN-HARDIRQ-W} state was registered at:
lock_acquire+0x1e1/0x510
_raw_spin_lock_nested+0x42/0x80
raw_spin_rq_lock_nested+0x2b/0x40
sched_tick+0xae/0x7b0
update_process_times+0x14c/0x1b0
tick_periodic+0x62/0x1f0
tick_handle_periodic+0x48/0xf0
timer_interrupt+0x55/0x80
__handle_irq_event_percpu+0x20a/0x5c0
handle_irq_event_percpu+0x18/0xc0
handle_irq_event+0xb5/0x150
handle_level_irq+0x220/0x460
__common_interrupt+0xa2/0x1e0
common_interrupt+0xb0/0xd0
asm_common_interrupt+0x2b/0x40
_raw_spin_unlock_irqrestore+0x45/0x80
__setup_irq+0xc34/0x1a30
request_threaded_irq+0x214/0x2f0
hpet_time_init+0x3e/0x60
x86_late_time_init+0x5b/0xb0
start_kernel+0x308/0x410
x86_64_start_reservations+0x1c/0x30
x86_64_start_kernel+0x96/0xa0
common_startup_64+0x13e/0x148

other info that might help us debug this:
Possible unsafe locking scenario:

CPU0
----
lock(&rq->__lock);

lock(&rq->__lock);

*** DEADLOCK ***

stack backtrace:
CPU: 0 UID: 0 PID: 27 Comm: irq_work/0
Call Trace:

dump_stack_lvl+0x8c/0xd0
dump_stack+0x14/0x20
print_usage_bug+0x42e/0x690
mark_lock.part.44+0x867/0xa70
? __pfx_mark_lock.part.44+0x10/0x10
? string_nocheck+0x19c/0x310
? number+0x739/0x9f0
? __pfx_string_nocheck+0x10/0x10
? __pfx_check_pointer+0x10/0x10
? kvm_sched_clock_read+0x15/0x30
? sched_clock_noinstr+0xd/0x20
? local_clock_noinstr+0x1c/0xe0
__lock_acquire+0xc4b/0x62b0
? __pfx_format_decode+0x10/0x10
? __pfx_string+0x10/0x10
? __pfx___lock_acquire+0x10/0x10
? __pfx_vsnprintf+0x10/0x10
lock_acquire+0x1e1/0x510
? raw_spin_rq_lock_nested+0x2b/0x40
? __pfx_lock_acquire+0x10/0x10
? dump_line+0x12e/0x270
? raw_spin_rq_lock_nested+0x20/0x40
_raw_spin_lock_nested+0x42/0x80
? raw_spin_rq_lock_nested+0x2b/0x40
raw_spin_rq_lock_nested+0x2b/0x40
scx_dump_state+0x3b3/0x1270
? finish_task_switch+0x27e/0x840
scx_ops_error_irq_workfn+0x67/0x80
irq_work_single+0x113/0x260
irq_work_run_list.part.3+0x44/0x70
run_irq_workd+0x6b/0x90
? __pfx_run_irq_workd+0x10/0x10
smpboot_thread_fn+0x529/0x870
? __pfx_smpboot_thread_fn+0x10/0x10
kthread+0x305/0x3f0
? __pfx_kthread+0x10/0x10
ret_from_fork+0x40/0x70
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1a/0x30


This commit therefore uses rq_lock_irqsave/irqrestore() to replace
rq_lock/unlock() in scx_dump_state().
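As an added illustration (not part of this advisory and not kernel code), the following userspace C model replays the lockdep check that produced the splat above. Lockdep records, per lock class, whether a lock was ever taken from hard-IRQ context (IN-HARDIRQ-W) and whether it was ever taken with hard IRQs enabled (HARDIRQ-ON-W); seeing both bits on the same class is the "inconsistent usage" report, because the interrupt could fire while the lock is held and block on it. The structs and the helpers `lock_acquire()`, `rq_lock()`, `rq_lock_irqsave()` and `replay_dump_state()` are hypothetical stand-ins for the kernel's lockdep state and rq lock helpers; the replayed sequence follows the two call chains in the trace (sched_tick() from the timer interrupt, then scx_dump_state() from the irq_work kthread with IRQs left enabled, as on PREEMPT_RT where dump_lock is sleepable).

```c
/* Userspace model of lockdep's IRQ-usage consistency check.
 * Added illustration; all names here are hypothetical, not kernel APIs. */
#include <stdbool.h>
#include <stdio.h>

/* Subset of the per-class usage bits lockdep tracks. */
#define USAGE_IN_HARDIRQ_W 0x1u /* taken from hard-IRQ context */
#define USAGE_HARDIRQ_ON_W 0x2u /* taken with hard IRQs enabled */

struct cpu_state {
    bool irqs_enabled;
    bool in_hardirq;
};

struct lock_class {
    const char *name;
    unsigned int usage;
};

/* Record how @lock is being taken in the current context and check it.
 * Returns 0, or -1 where lockdep would print
 * "inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage". */
static int lock_acquire(struct lock_class *lock, const struct cpu_state *cpu)
{
    if (cpu->in_hardirq)
        lock->usage |= USAGE_IN_HARDIRQ_W;
    else if (cpu->irqs_enabled)
        lock->usage |= USAGE_HARDIRQ_ON_W;

    /* A lock ever taken in hardirq must never be taken with IRQs on:
     * the IRQ could arrive while it is held and deadlock on CPU0. */
    if ((lock->usage & USAGE_IN_HARDIRQ_W) && (lock->usage & USAGE_HARDIRQ_ON_W))
        return -1;
    return 0;
}

static void lock_release(struct lock_class *lock)
{
    (void)lock; /* usage bits are sticky; nothing to undo */
}

/* Model of rq_lock(): takes the lock in whatever IRQ state we are in. */
static int rq_lock(struct lock_class *rq, const struct cpu_state *cpu)
{
    return lock_acquire(rq, cpu);
}

/* Model of rq_lock_irqsave(): local_irq_save() first, then take the lock. */
static int rq_lock_irqsave(struct lock_class *rq, struct cpu_state *cpu, bool *flags)
{
    *flags = cpu->irqs_enabled;
    cpu->irqs_enabled = false;
    return lock_acquire(rq, cpu);
}

/* Model of rq_unlock_irqrestore(): release, then local_irq_restore(). */
static void rq_unlock_irqrestore(struct lock_class *rq, struct cpu_state *cpu, bool flags)
{
    lock_release(rq);
    cpu->irqs_enabled = flags;
}

/* Replay the reported sequence and return lockdep's verdict for the
 * dump path: 0 when consistent, -1 when it would splat. */
int replay_dump_state(bool use_irqsave)
{
    struct lock_class rq_class = { "&rq->__lock", 0 };
    struct cpu_state cpu = { .irqs_enabled = true, .in_hardirq = false };
    int ret;

    /* Step 1: timer_interrupt -> sched_tick -> raw_spin_rq_lock_nested.
     * Registers the {IN-HARDIRQ-W} state on &rq->__lock. */
    cpu.in_hardirq = true;
    ret = lock_acquire(&rq_class, &cpu);
    lock_release(&rq_class);
    cpu.in_hardirq = false;
    if (ret)
        return ret;

    /* Step 2: irq_work/0 kthread -> scx_dump_state. On RT the sleepable
     * dump_lock leaves IRQs enabled when the rq lock is taken. */
    if (use_irqsave) {
        bool flags;
        ret = rq_lock_irqsave(&rq_class, &cpu, &flags);
        rq_unlock_irqrestore(&rq_class, &cpu, flags);
    } else {
        ret = rq_lock(&rq_class, &cpu);
        lock_release(&rq_class);
    }
    return ret;
}

int main(void)
{
    printf("rq_lock():         %s\n", replay_dump_state(false) ? "inconsistent usage" : "ok");
    printf("rq_lock_irqsave(): %s\n", replay_dump_state(true) ? "inconsistent usage" : "ok");
    return 0;
}
```

The model only captures the one rule the splat is about; real lockdep also tracks softirq state, lock ordering between classes and the "usage registered at" backtrace shown in the report. The point it makes is that the fix does not change who holds &rq->__lock, only that the dump path now takes it with IRQs disabled, so the class never gains the HARDIRQ-ON-W bit.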



