CVE-2025-21983
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
01/04/2025
Last modified:
30/10/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
mm/slab/kvfree_rcu: Switch to WQ_MEM_RECLAIM wq<br />
<br />
Currently kvfree_rcu() APIs use a system workqueue which is<br />
"system_unbound_wq" to driver RCU machinery to reclaim a memory.<br />
<br />
Recently, it has been noted that the following kernel warning can<br />
be observed:<br />
<br />
<br />
workqueue: WQ_MEM_RECLAIM nvme-wq:nvme_scan_work is flushing !WQ_MEM_RECLAIM events_unbound:kfree_rcu_work<br />
WARNING: CPU: 21 PID: 330 at kernel/workqueue.c:3719 check_flush_dependency+0x112/0x120<br />
Modules linked in: intel_uncore_frequency(E) intel_uncore_frequency_common(E) skx_edac(E) ...<br />
CPU: 21 UID: 0 PID: 330 Comm: kworker/u144:6 Tainted: G E 6.13.2-0_g925d379822da #1<br />
Hardware name: Wiwynn Twin Lakes MP/Twin Lakes Passive MP, BIOS YMM20 02/01/2023<br />
Workqueue: nvme-wq nvme_scan_work<br />
RIP: 0010:check_flush_dependency+0x112/0x120<br />
Code: 05 9a 40 14 02 01 48 81 c6 c0 00 00 00 48 8b 50 18 48 81 c7 c0 00 00 00 48 89 f9 48 ...<br />
RSP: 0018:ffffc90000df7bd8 EFLAGS: 00010082<br />
RAX: 000000000000006a RBX: ffffffff81622390 RCX: 0000000000000027<br />
RDX: 00000000fffeffff RSI: 000000000057ffa8 RDI: ffff88907f960c88<br />
RBP: 0000000000000000 R08: ffffffff83068e50 R09: 000000000002fffd<br />
R10: 0000000000000004 R11: 0000000000000000 R12: ffff8881001a4400<br />
R13: 0000000000000000 R14: ffff88907f420fb8 R15: 0000000000000000<br />
FS: 0000000000000000(0000) GS:ffff88907f940000(0000) knlGS:0000000000000000<br />
CR2: 00007f60c3001000 CR3: 000000107d010005 CR4: 00000000007726f0<br />
PKRU: 55555554<br />
Call Trace:<br />
<br />
? __warn+0xa4/0x140<br />
? check_flush_dependency+0x112/0x120<br />
? report_bug+0xe1/0x140<br />
? check_flush_dependency+0x112/0x120<br />
? handle_bug+0x5e/0x90<br />
? exc_invalid_op+0x16/0x40<br />
? asm_exc_invalid_op+0x16/0x20<br />
? timer_recalc_next_expiry+0x190/0x190<br />
? check_flush_dependency+0x112/0x120<br />
? check_flush_dependency+0x112/0x120<br />
__flush_work.llvm.1643880146586177030+0x174/0x2c0<br />
flush_rcu_work+0x28/0x30<br />
kvfree_rcu_barrier+0x12f/0x160<br />
kmem_cache_destroy+0x18/0x120<br />
bioset_exit+0x10c/0x150<br />
disk_release.llvm.6740012984264378178+0x61/0xd0<br />
device_release+0x4f/0x90<br />
kobject_put+0x95/0x180<br />
nvme_put_ns+0x23/0xc0<br />
nvme_remove_invalid_namespaces+0xb3/0xd0<br />
nvme_scan_work+0x342/0x490<br />
process_scheduled_works+0x1a2/0x370<br />
worker_thread+0x2ff/0x390<br />
? pwq_release_workfn+0x1e0/0x1e0<br />
kthread+0xb1/0xe0<br />
? __kthread_parkme+0x70/0x70<br />
ret_from_fork+0x30/0x40<br />
? __kthread_parkme+0x70/0x70<br />
ret_from_fork_asm+0x11/0x20<br />
<br />
---[ end trace 0000000000000000 ]---<br />
<br />
<br />
To address this switch to use of independent WQ_MEM_RECLAIM<br />
workqueue, so the rules are not violated from workqueue framework<br />
point of view.<br />
<br />
Apart of that, since kvfree_rcu() does reclaim memory it is worth<br />
to go with WQ_MEM_RECLAIM type of wq because it is designed for<br />
this purpose.
Impact
Base Score 3.x
7.80
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.12 (including) | 6.12.20 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.13.8 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.14:rc2:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.14:rc3:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.14:rc4:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.14:rc5:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page