{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-21809","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-12-29T08:45:45.772Z","datePublished":"2025-02-27T20:01:00.969Z","dateUpdated":"2026-05-11T21:06:57.130Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:06:57.130Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc, afs: Fix peer hash locking vs RCU callback\n\nIn its address list, afs now retains pointers to and refs on one or more\nrxrpc_peer objects.  The address list is freed under RCU and at this time,\nit puts the refs on those peers.\n\nNow, when an rxrpc_peer object runs out of refs, it gets removed from the\npeer hash table and, for that, rxrpc has to take a spinlock.  However, it\nis now being called from afs's RCU cleanup, which takes place in BH\ncontext - but it is just taking an ordinary spinlock.\n\nThe put may also be called from non-BH context, and so there exists the\npossibility of deadlock if the BH-based RCU cleanup happens whilst the hash\nspinlock is held.  This led to the attached lockdep complaint.\n\nFix this by changing spinlocks of rxnet->peer_hash_lock back to\nBH-disabling locks.\n\n    ================================\n    WARNING: inconsistent lock state\n    6.13.0-rc5-build2+ #1223 Tainted: G            E\n    --------------------------------\n    inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.\n    swapper/1/0 [HC0[0]:SC1[1]:HE1:SE0] takes:\n    ffff88810babe228 (&rxnet->peer_hash_lock){+.?.}-{3:3}, at: rxrpc_put_peer+0xcb/0x180\n    {SOFTIRQ-ON-W} state was registered at:\n      mark_usage+0x164/0x180\n      __lock_acquire+0x544/0x990\n      lock_acquire.part.0+0x103/0x280\n      _raw_spin_lock+0x2f/0x40\n      rxrpc_peer_keepalive_worker+0x144/0x440\n      process_one_work+0x486/0x7c0\n      process_scheduled_works+0x73/0x90\n      worker_thread+0x1c8/0x2a0\n      kthread+0x19b/0x1b0\n      ret_from_fork+0x24/0x40\n      ret_from_fork_asm+0x1a/0x30\n    irq event stamp: 972402\n    hardirqs last  enabled at (972402): [<ffffffff8244360e>] _raw_spin_unlock_irqrestore+0x2e/0x50\n    hardirqs last disabled at (972401): [<ffffffff82443328>] _raw_spin_lock_irqsave+0x18/0x60\n    softirqs last  enabled at (972300): [<ffffffff810ffbbe>] handle_softirqs+0x3ee/0x430\n    softirqs last disabled at (972313): [<ffffffff810ffc54>] __irq_exit_rcu+0x44/0x110\n\n    other info that might help us debug this:\n     Possible unsafe locking scenario:\n           CPU0\n           ----\n      lock(&rxnet->peer_hash_lock);\n      <Interrupt>\n        lock(&rxnet->peer_hash_lock);\n\n     *** DEADLOCK ***\n    1 lock held by swapper/1/0:\n     #0: ffffffff83576be0 (rcu_callback){....}-{0:0}, at: rcu_lock_acquire+0x7/0x30\n\n    stack backtrace:\n    CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Tainted: G            E      6.13.0-rc5-build2+ #1223\n    Tainted: [E]=UNSIGNED_MODULE\n    Hardware name: ASUS All Series/H97-PLUS, BIOS 2306 10/09/2014\n    Call Trace:\n     <IRQ>\n     dump_stack_lvl+0x57/0x80\n     print_usage_bug.part.0+0x227/0x240\n     valid_state+0x53/0x70\n     mark_lock_irq+0xa5/0x2f0\n     mark_lock+0xf7/0x170\n     mark_usage+0xe1/0x180\n     __lock_acquire+0x544/0x990\n     lock_acquire.part.0+0x103/0x280\n     _raw_spin_lock+0x2f/0x40\n     rxrpc_put_peer+0xcb/0x180\n     afs_free_addrlist+0x46/0x90 [kafs]\n     rcu_do_batch+0x2d2/0x640\n     rcu_core+0x2f7/0x350\n     handle_softirqs+0x1ee/0x430\n     __irq_exit_rcu+0x44/0x110\n     irq_exit_rcu+0xa/0x30\n     sysvec_apic_timer_interrupt+0x7f/0xa0\n     </IRQ>"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/rxrpc/peer_event.c","net/rxrpc/peer_object.c"],"versions":[{"version":"72904d7b9bfbf2dd146254edea93958bc35bbbfe","lessThan":"10ba5a3d57af20e494e0d979d1894260989235dd","status":"affected","versionType":"git"},{"version":"72904d7b9bfbf2dd146254edea93958bc35bbbfe","lessThan":"0e77dd41689637ac4e1b8fe0f27541f373640855","status":"affected","versionType":"git"},{"version":"72904d7b9bfbf2dd146254edea93958bc35bbbfe","lessThan":"79d458c13056559d49b5e41fbc4b6890e68cf65b","status":"affected","versionType":"git"},{"version":"056fc740be000d39a7dba700a935f3bbfbc664e6","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/rxrpc/peer_event.c","net/rxrpc/peer_object.c"],"versions":[{"version":"6.8","status":"affected"},{"version":"0","lessThan":"6.8","status":"unaffected","versionType":"semver"},{"version":"6.12.13","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.13.2","lessThanOrEqual":"6.13.*","status":"unaffected","versionType":"semver"},{"version":"6.14","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.8","versionEndExcluding":"6.12.13"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.8","versionEndExcluding":"6.13.2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.8","versionEndExcluding":"6.14"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7.3"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/10ba5a3d57af20e494e0d979d1894260989235dd"},{"url":"https://git.kernel.org/stable/c/0e77dd41689637ac4e1b8fe0f27541f373640855"},{"url":"https://git.kernel.org/stable/c/79d458c13056559d49b5e41fbc4b6890e68cf65b"}],"title":"rxrpc, afs: Fix peer hash locking vs RCU callback","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":5.5,"attackVector":"LOCAL","baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","integrityImpact":"NONE","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"LOW","confidentialityImpact":"NONE"}},{"other":{"type":"ssvc","content":{"id":"CVE-2025-21809","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2025-10-01T19:28:41.037357Z"}}}],"problemTypes":[{"descriptions":[{"lang":"en","type":"CWE","cweId":"CWE-667","description":"CWE-667 Improper Locking"}]}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-10-01T19:36:38.646Z"}}]}}