CVE-2025-21809

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> rxrpc, afs: Fix peer hash locking vs RCU callback<br /> <br /> In its address list, afs now retains pointers to and refs on one or more<br /> rxrpc_peer objects. The address list is freed under RCU and at this time,<br /> it puts the refs on those peers.<br /> <br /> Now, when an rxrpc_peer object runs out of refs, it gets removed from the<br /> peer hash table and, for that, rxrpc has to take a spinlock. However, it<br /> is now being called from afs&amp;#39;s RCU cleanup, which takes place in BH<br /> context - but it is just taking an ordinary spinlock.<br /> <br /> The put may also be called from non-BH context, and so there exists the<br /> possibility of deadlock if the BH-based RCU cleanup happens whilst the hash<br /> spinlock is held. This led to the attached lockdep complaint.<br /> <br /> Fix this by changing spinlocks of rxnet-&gt;peer_hash_lock back to<br /> BH-disabling locks.<br /> <br /> ================================<br /> WARNING: inconsistent lock state<br /> 6.13.0-rc5-build2+ #1223 Tainted: G E<br /> --------------------------------<br /> inconsistent {SOFTIRQ-ON-W} -&gt; {IN-SOFTIRQ-W} usage.<br /> swapper/1/0 [HC0[0]:SC1[1]:HE1:SE0] takes:<br /> ffff88810babe228 (&amp;rxnet-&gt;peer_hash_lock){+.?.}-{3:3}, at: rxrpc_put_peer+0xcb/0x180<br /> {SOFTIRQ-ON-W} state was registered at:<br /> mark_usage+0x164/0x180<br /> __lock_acquire+0x544/0x990<br /> lock_acquire.part.0+0x103/0x280<br /> _raw_spin_lock+0x2f/0x40<br /> rxrpc_peer_keepalive_worker+0x144/0x440<br /> process_one_work+0x486/0x7c0<br /> process_scheduled_works+0x73/0x90<br /> worker_thread+0x1c8/0x2a0<br /> kthread+0x19b/0x1b0<br /> ret_from_fork+0x24/0x40<br /> ret_from_fork_asm+0x1a/0x30<br /> irq event stamp: 972402<br /> hardirqs last enabled at (972402): [] _raw_spin_unlock_irqrestore+0x2e/0x50<br /> hardirqs last disabled at (972401): [] _raw_spin_lock_irqsave+0x18/0x60<br /> softirqs last enabled at (972300): [] handle_softirqs+0x3ee/0x430<br /> softirqs last disabled at (972313): [] __irq_exit_rcu+0x44/0x110<br /> <br /> other info that might help us debug this:<br /> Possible unsafe locking scenario:<br /> CPU0<br /> ----<br /> lock(&amp;rxnet-&gt;peer_hash_lock);<br /> <br /> lock(&amp;rxnet-&gt;peer_hash_lock);<br /> <br /> *** DEADLOCK ***<br /> 1 lock held by swapper/1/0:<br /> #0: ffffffff83576be0 (rcu_callback){....}-{0:0}, at: rcu_lock_acquire+0x7/0x30<br /> <br /> stack backtrace:<br /> CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Tainted: G E 6.13.0-rc5-build2+ #1223<br /> Tainted: [E]=UNSIGNED_MODULE<br /> Hardware name: ASUS All Series/H97-PLUS, BIOS 2306 10/09/2014<br /> Call Trace:<br /> <br /> dump_stack_lvl+0x57/0x80<br /> print_usage_bug.part.0+0x227/0x240<br /> valid_state+0x53/0x70<br /> mark_lock_irq+0xa5/0x2f0<br /> mark_lock+0xf7/0x170<br /> mark_usage+0xe1/0x180<br /> __lock_acquire+0x544/0x990<br /> lock_acquire.part.0+0x103/0x280<br /> _raw_spin_lock+0x2f/0x40<br /> rxrpc_put_peer+0xcb/0x180<br /> afs_free_addrlist+0x46/0x90 [kafs]<br /> rcu_do_batch+0x2d2/0x640<br /> rcu_core+0x2f7/0x350<br /> handle_softirqs+0x1ee/0x430<br /> __irq_exit_rcu+0x44/0x110<br /> irq_exit_rcu+0xa/0x30<br /> sysvec_apic_timer_interrupt+0x7f/0xa0<br />