Instituto Nacional de Ciberseguridad. INCIBE-CERT section

CVE-2025-68214

Severity:
Pending analysis
Type:
Not available / Other type
Publication date:
16/12/2025
Last modified:
16/12/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

timers: Fix NULL function pointer race in timer_shutdown_sync()

There is a race condition between timer_shutdown_sync() and timer expiration that can lead to hitting a WARN_ON in expire_timers().

The issue occurs when timer_shutdown_sync() clears the timer function to NULL while the timer is still running on another CPU. The race scenario looks like this:

    CPU0                                    CPU1

                                            lock_timer_base()
                                            expire_timers()
                                            base->running_timer = timer;
                                            unlock_timer_base()
                                            [call_timer_fn enter]
                                            mod_timer()
                                            ...
    timer_shutdown_sync()
    lock_timer_base()
    // For now, will not detach the timer but only clear its function to NULL
    if (base->running_timer != timer)
        ret = detach_if_pending(timer, base, true);
    if (shutdown)
        timer->function = NULL;
    unlock_timer_base()
                                            [call_timer_fn exit]
                                            lock_timer_base()
                                            base->running_timer = NULL;
                                            unlock_timer_base()
                                            ...
                                            // Now timer is pending while its function set to NULL.
                                            // next timer trigger

                                            expire_timers()
                                            WARN_ON_ONCE(!fn) // hit
                                            ...
    lock_timer_base()
    // Now timer will detach
    if (base->running_timer != timer)
        ret = detach_if_pending(timer, base, true);
    if (shutdown)
        timer->function = NULL;
    unlock_timer_base()

The problem is that timer_shutdown_sync() clears the timer function regardless of whether the timer is currently running. This can leave a pending timer with a NULL function pointer, which triggers the WARN_ON_ONCE(!fn) check in expire_timers().

Fix this by only clearing the timer function when actually detaching the timer. If the timer is running, leave the function pointer intact, which is safe because the timer will be properly detached when it finishes running.
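The interleaving described above can be replayed deterministically in user space. The following is an added example, not kernel code and not part of the advisory: a single-threaded model whose types and helpers (struct outcome, model_mod_timer, model_try_shutdown, rearm_cb, replay) are hypothetical names, comparing the pre-fix behaviour with the behaviour the fix describes.

```c
#include <stdbool.h>
#include <stddef.h>

/* Simplified single-threaded model (assumption), not the kernel's structures. */
struct timer { void (*function)(struct timer *); bool pending; };
struct base { struct timer *running_timer; };
struct outcome { bool null_fn_while_pending, warn_hit, shut_down; };

/* Modelled mod_timer(): re-arming a shut-down timer is a no-op. */
static void model_mod_timer(struct timer *t) { if (t->function) t->pending = true; }
/* Constructed callback that re-arms its own timer. */
static void rearm_cb(struct timer *t) { model_mod_timer(t); }

/* One shutdown attempt under the base lock; -1 means "still running, retry". */
static int model_try_shutdown(struct base *b, struct timer *t, bool fixed)
{
    int ret = -1;
    if (b->running_timer != t) {
        ret = t->pending;               /* stands in for detach_if_pending() */
        t->pending = false;
        if (fixed) t->function = NULL;  /* fix: clear only when detaching */
    }
    if (!fixed) t->function = NULL;     /* pre-fix: cleared even while running */
    return ret;
}

/* Replays the CPU0/CPU1 interleaving from the description, step by step. */
static struct outcome replay(bool fixed)
{
    struct timer t = { rearm_cb, true };
    struct base b = { NULL };
    struct outcome o = { false, false, false };
    t.pending = false; b.running_timer = &t;      /* CPU1: expire_timers() */
    t.function(&t);                               /* CPU1: callback calls mod_timer() */
    int ret = model_try_shutdown(&b, &t, fixed);  /* CPU0: timer_shutdown_sync() */
    o.null_fn_while_pending = t.pending && !t.function;
    b.running_timer = NULL;                       /* CPU1: callback exit */
    if (t.pending) {                              /* CPU1: next timer trigger */
        t.pending = false;
        o.warn_hit = !t.function;                 /* WARN_ON_ONCE(!fn) condition */
        if (t.function) { b.running_timer = &t; t.function(&t); b.running_timer = NULL; }
    }
    while (ret < 0)                               /* CPU0: retry until detached */
        ret = model_try_shutdown(&b, &t, fixed);
    o.shut_down = !t.pending && !t.function;
    return o;
}

/* Exit status 0 when the model shows the warning only in the pre-fix case. */
int main(void) { return !(replay(false).warn_hit && !replay(true).warn_hit); }
```

In both variants the timer ends up detached with its function cleared; only the pre-fix variant passes through the state where a pending timer has a NULL function.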

Impact