{"id":"CVE-2025-21809","summary":"rxrpc, afs: Fix peer hash locking vs RCU callback","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc, afs: Fix peer hash locking vs RCU callback\n\nIn its address list, afs now retains pointers to and refs on one or more\nrxrpc_peer objects.  The address list is freed under RCU and at this time,\nit puts the refs on those peers.\n\nNow, when an rxrpc_peer object runs out of refs, it gets removed from the\npeer hash table and, for that, rxrpc has to take a spinlock.  However, it\nis now being called from afs's RCU cleanup, which takes place in BH\ncontext - but it is just taking an ordinary spinlock.\n\nThe put may also be called from non-BH context, and so there exists the\npossibility of deadlock if the BH-based RCU cleanup happens whilst the hash\nspinlock is held.  This led to the attached lockdep complaint.\n\nFix this by changing spinlocks of rxnet-\u003epeer_hash_lock back to\nBH-disabling locks.\n\n    ================================\n    WARNING: inconsistent lock state\n    6.13.0-rc5-build2+ #1223 Tainted: G            E\n    --------------------------------\n    inconsistent {SOFTIRQ-ON-W} -\u003e {IN-SOFTIRQ-W} usage.\n    swapper/1/0 [HC0[0]:SC1[1]:HE1:SE0] takes:\n    ffff88810babe228 (&rxnet-\u003epeer_hash_lock){+.?.}-{3:3}, at: rxrpc_put_peer+0xcb/0x180\n    {SOFTIRQ-ON-W} state was registered at:\n      mark_usage+0x164/0x180\n      __lock_acquire+0x544/0x990\n      lock_acquire.part.0+0x103/0x280\n      _raw_spin_lock+0x2f/0x40\n      rxrpc_peer_keepalive_worker+0x144/0x440\n      process_one_work+0x486/0x7c0\n      process_scheduled_works+0x73/0x90\n      worker_thread+0x1c8/0x2a0\n      kthread+0x19b/0x1b0\n      ret_from_fork+0x24/0x40\n      ret_from_fork_asm+0x1a/0x30\n    irq event stamp: 972402\n    hardirqs last  enabled at (972402): [\u003cffffffff8244360e\u003e] _raw_spin_unlock_irqrestore+0x2e/0x50\n    hardirqs last disabled at (972401): [\u003cffffffff82443328\u003e] _raw_spin_lock_irqsave+0x18/0x60\n    softirqs last  enabled at (972300): [\u003cffffffff810ffbbe\u003e] handle_softirqs+0x3ee/0x430\n    softirqs last disabled at (972313): [\u003cffffffff810ffc54\u003e] __irq_exit_rcu+0x44/0x110\n\n    other info that might help us debug this:\n     Possible unsafe locking scenario:\n           CPU0\n           ----\n      lock(&rxnet-\u003epeer_hash_lock);\n      \u003cInterrupt\u003e\n        lock(&rxnet-\u003epeer_hash_lock);\n\n     *** DEADLOCK ***\n    1 lock held by swapper/1/0:\n     #0: ffffffff83576be0 (rcu_callback){....}-{0:0}, at: rcu_lock_acquire+0x7/0x30\n\n    stack backtrace:\n    CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Tainted: G            E      6.13.0-rc5-build2+ #1223\n    Tainted: [E]=UNSIGNED_MODULE\n    Hardware name: ASUS All Series/H97-PLUS, BIOS 2306 10/09/2014\n    Call Trace:\n     \u003cIRQ\u003e\n     dump_stack_lvl+0x57/0x80\n     print_usage_bug.part.0+0x227/0x240\n     valid_state+0x53/0x70\n     mark_lock_irq+0xa5/0x2f0\n     mark_lock+0xf7/0x170\n     mark_usage+0xe1/0x180\n     __lock_acquire+0x544/0x990\n     lock_acquire.part.0+0x103/0x280\n     _raw_spin_lock+0x2f/0x40\n     rxrpc_put_peer+0xcb/0x180\n     afs_free_addrlist+0x46/0x90 [kafs]\n     rcu_do_batch+0x2d2/0x640\n     rcu_core+0x2f7/0x350\n     handle_softirqs+0x1ee/0x430\n     __irq_exit_rcu+0x44/0x110\n     irq_exit_rcu+0xa/0x30\n     sysvec_apic_timer_interrupt+0x7f/0xa0\n     \u003c/IRQ\u003e","modified":"2026-04-02T12:45:14.318216Z","published":"2025-02-27T20:01:00.969Z","related":["USN-7521-2"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/21xxx/CVE-2025-21809.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0e77dd41689637ac4e1b8fe0f27541f373640855"},{"type":"WEB","url":"https://git.kernel.org/stable/c/10ba5a3d57af20e494e0d979d1894260989235dd"},{"type":"WEB","url":"https://git.kernel.org/stable/c/79d458c13056559d49b5e41fbc4b6890e68cf65b"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/21xxx/CVE-2025-21809.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-21809"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"72904d7b9bfbf2dd146254edea93958bc35bbbfe"},{"fixed":"10ba5a3d57af20e494e0d979d1894260989235dd"},{"fixed":"0e77dd41689637ac4e1b8fe0f27541f373640855"},{"fixed":"79d458c13056559d49b5e41fbc4b6890e68cf65b"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"056fc740be000d39a7dba700a935f3bbfbc664e6"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-21809.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}