CVE-2025-21823 (GCVE-0-2025-21823)
Vulnerability from cvelistv5
Published
2025-02-27 20:06
Modified
2025-05-04 07:21
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: batman-adv: Drop unmanaged ELP metric worker The ELP worker needs to calculate new metric values for all neighbors "reachable" over an interface. Some of the used metric sources require locks which might need to sleep. This sleep is incompatible with the RCU list iterator used for the recorded neighbors. The initial approach to work around of this problem was to queue another work item per neighbor and then run this in a new context. Even when this solved the RCU vs might_sleep() conflict, it has a major problems: Nothing was stopping the work item in case it is not needed anymore - for example because one of the related interfaces was removed or the batman-adv module was unloaded - resulting in potential invalid memory accesses. Directly canceling the metric worker also has various problems: * cancel_work_sync for a to-be-deactivated interface is called with rtnl_lock held. But the code in the ELP metric worker also tries to use rtnl_lock() - which will never return in this case. This also means that cancel_work_sync would never return because it is waiting for the worker to finish. * iterating over the neighbor list for the to-be-deactivated interface is currently done using the RCU specific methods. Which means that it is possible to miss items when iterating over it without the associated spinlock - a behaviour which is acceptable for a periodic metric check but not for a cleanup routine (which must "stop" all still running workers) The better approch is to get rid of the per interface neighbor metric worker and handle everything in the interface worker. The original problems are solved by: * creating a list of neighbors which require new metric information inside the RCU protected context, gathering the metric according to the new list outside the RCU protected context * only use rcu_trylock inside metric gathering code to avoid a deadlock when the cancel_delayed_work_sync is called in the interface removal code (which is called with the rtnl_lock held)
References
Impacted products
Vendor Product Version
Linux Linux Version: c833484e5f3872a38fe232c663586069d5ad9645
Version: c833484e5f3872a38fe232c663586069d5ad9645
Version: c833484e5f3872a38fe232c663586069d5ad9645
Version: c833484e5f3872a38fe232c663586069d5ad9645
Version: c833484e5f3872a38fe232c663586069d5ad9645
Version: c833484e5f3872a38fe232c663586069d5ad9645
Version: c833484e5f3872a38fe232c663586069d5ad9645
Version: c833484e5f3872a38fe232c663586069d5ad9645
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/batman-adv/bat_v.c",
            "net/batman-adv/bat_v_elp.c",
            "net/batman-adv/bat_v_elp.h",
            "net/batman-adv/types.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1c334629176c2d644befc31a20d4bf75542f7631",
              "status": "affected",
              "version": "c833484e5f3872a38fe232c663586069d5ad9645",
              "versionType": "git"
            },
            {
              "lessThan": "a0019971f340ae02ba54cf1861f72da7e03e6b66",
              "status": "affected",
              "version": "c833484e5f3872a38fe232c663586069d5ad9645",
              "versionType": "git"
            },
            {
              "lessThan": "3c0e0aecb78cb2a2ca1dc701982d08fedb088dc6",
              "status": "affected",
              "version": "c833484e5f3872a38fe232c663586069d5ad9645",
              "versionType": "git"
            },
            {
              "lessThan": "781a06fd265a8151f7601122d9c2e985663828ff",
              "status": "affected",
              "version": "c833484e5f3872a38fe232c663586069d5ad9645",
              "versionType": "git"
            },
            {
              "lessThan": "a7aa2317285806640c844acd4cd2cd768e395264",
              "status": "affected",
              "version": "c833484e5f3872a38fe232c663586069d5ad9645",
              "versionType": "git"
            },
            {
              "lessThan": "0fdc3c166ac17b26014313fa2b93696354511b24",
              "status": "affected",
              "version": "c833484e5f3872a38fe232c663586069d5ad9645",
              "versionType": "git"
            },
            {
              "lessThan": "af264c2a9adc37f4bdf88ca7f3affa15d8c7de9e",
              "status": "affected",
              "version": "c833484e5f3872a38fe232c663586069d5ad9645",
              "versionType": "git"
            },
            {
              "lessThan": "8c8ecc98f5c65947b0070a24bac11e12e47cc65d",
              "status": "affected",
              "version": "c833484e5f3872a38fe232c663586069d5ad9645",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/batman-adv/bat_v.c",
            "net/batman-adv/bat_v_elp.c",
            "net/batman-adv/bat_v_elp.h",
            "net/batman-adv/types.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.6"
            },
            {
              "lessThan": "4.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.79",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.79",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.16",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.4",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: Drop unmanaged ELP metric worker\n\nThe ELP worker needs to calculate new metric values for all neighbors\n\"reachable\" over an interface. Some of the used metric sources require\nlocks which might need to sleep. This sleep is incompatible with the RCU\nlist iterator used for the recorded neighbors. The initial approach to work\naround of this problem was to queue another work item per neighbor and then\nrun this in a new context.\n\nEven when this solved the RCU vs might_sleep() conflict, it has a major\nproblems: Nothing was stopping the work item in case it is not needed\nanymore - for example because one of the related interfaces was removed or\nthe batman-adv module was unloaded - resulting in potential invalid memory\naccesses.\n\nDirectly canceling the metric worker also has various problems:\n\n* cancel_work_sync for a to-be-deactivated interface is called with\n  rtnl_lock held. But the code in the ELP metric worker also tries to use\n  rtnl_lock() - which will never return in this case. This also means that\n  cancel_work_sync would never return because it is waiting for the worker\n  to finish.\n* iterating over the neighbor list for the to-be-deactivated interface is\n  currently done using the RCU specific methods. Which means that it is\n  possible to miss items when iterating over it without the associated\n  spinlock - a behaviour which is acceptable for a periodic metric check\n  but not for a cleanup routine (which must \"stop\" all still running\n  workers)\n\nThe better approch is to get rid of the per interface neighbor metric\nworker and handle everything in the interface worker. The original problems\nare solved by:\n\n* creating a list of neighbors which require new metric information inside\n  the RCU protected context, gathering the metric according to the new list\n  outside the RCU protected context\n* only use rcu_trylock inside metric gathering code to avoid a deadlock\n  when the cancel_delayed_work_sync is called in the interface removal code\n  (which is called with the rtnl_lock held)"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:21:54.473Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1c334629176c2d644befc31a20d4bf75542f7631"
        },
        {
          "url": "https://git.kernel.org/stable/c/a0019971f340ae02ba54cf1861f72da7e03e6b66"
        },
        {
          "url": "https://git.kernel.org/stable/c/3c0e0aecb78cb2a2ca1dc701982d08fedb088dc6"
        },
        {
          "url": "https://git.kernel.org/stable/c/781a06fd265a8151f7601122d9c2e985663828ff"
        },
        {
          "url": "https://git.kernel.org/stable/c/a7aa2317285806640c844acd4cd2cd768e395264"
        },
        {
          "url": "https://git.kernel.org/stable/c/0fdc3c166ac17b26014313fa2b93696354511b24"
        },
        {
          "url": "https://git.kernel.org/stable/c/af264c2a9adc37f4bdf88ca7f3affa15d8c7de9e"
        },
        {
          "url": "https://git.kernel.org/stable/c/8c8ecc98f5c65947b0070a24bac11e12e47cc65d"
        }
      ],
      "title": "batman-adv: Drop unmanaged ELP metric worker",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21823",
    "datePublished": "2025-02-27T20:06:14.074Z",
    "dateReserved": "2024-12-29T08:45:45.775Z",
    "dateUpdated": "2025-05-04T07:21:54.473Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-21823\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-02-27T20:16:04.793\",\"lastModified\":\"2025-03-13T13:15:56.547\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbatman-adv: Drop unmanaged ELP metric worker\\n\\nThe ELP worker needs to calculate new metric values for all neighbors\\n\\\"reachable\\\" over an interface. Some of the used metric sources require\\nlocks which might need to sleep. This sleep is incompatible with the RCU\\nlist iterator used for the recorded neighbors. The initial approach to work\\naround of this problem was to queue another work item per neighbor and then\\nrun this in a new context.\\n\\nEven when this solved the RCU vs might_sleep() conflict, it has a major\\nproblems: Nothing was stopping the work item in case it is not needed\\nanymore - for example because one of the related interfaces was removed or\\nthe batman-adv module was unloaded - resulting in potential invalid memory\\naccesses.\\n\\nDirectly canceling the metric worker also has various problems:\\n\\n* cancel_work_sync for a to-be-deactivated interface is called with\\n  rtnl_lock held. But the code in the ELP metric worker also tries to use\\n  rtnl_lock() - which will never return in this case. This also means that\\n  cancel_work_sync would never return because it is waiting for the worker\\n  to finish.\\n* iterating over the neighbor list for the to-be-deactivated interface is\\n  currently done using the RCU specific methods. Which means that it is\\n  possible to miss items when iterating over it without the associated\\n  spinlock - a behaviour which is acceptable for a periodic metric check\\n  but not for a cleanup routine (which must \\\"stop\\\" all still running\\n  workers)\\n\\nThe better approch is to get rid of the per interface neighbor metric\\nworker and handle everything in the interface worker. The original problems\\nare solved by:\\n\\n* creating a list of neighbors which require new metric information inside\\n  the RCU protected context, gathering the metric according to the new list\\n  outside the RCU protected context\\n* only use rcu_trylock inside metric gathering code to avoid a deadlock\\n  when the cancel_delayed_work_sync is called in the interface removal code\\n  (which is called with the rtnl_lock held)\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: batman-adv: eliminar un trabajador de m\u00e9tricas ELP no administrado El trabajador ELP necesita calcular nuevos valores de m\u00e9tricas para todos los vecinos \\\"alcanzables\\\" a trav\u00e9s de una interfaz. Algunas de las fuentes de m\u00e9tricas utilizadas requieren bloqueos que podr\u00edan necesitar dormir. Esta suspensi\u00f3n es incompatible con el iterador de lista RCU utilizado para los vecinos registrados. El enfoque inicial para solucionar este problema fue poner en cola otro elemento de trabajo por vecino y luego ejecutarlo en un nuevo contexto. Incluso cuando esto resolvi\u00f3 el conflicto RCU vs might_sleep(), tiene un problema importante: nada deten\u00eda el elemento de trabajo en caso de que ya no fuera necesario, por ejemplo, porque se elimin\u00f3 una de las interfaces relacionadas o se descarg\u00f3 el m\u00f3dulo batman-adv, lo que result\u00f3 en posibles accesos de memoria no v\u00e1lidos. Cancelar directamente el trabajador de m\u00e9tricas tambi\u00e9n tiene varios problemas: * cancel_work_sync para una interfaz que se desactivar\u00e1 se llama con rtnl_lock retenido. Pero el c\u00f3digo en el trabajador de m\u00e9tricas ELP tambi\u00e9n intenta usar rtnl_lock() - que nunca regresar\u00e1 en este caso. Esto tambi\u00e9n significa que cancel_work_sync nunca regresar\u00eda porque est\u00e1 esperando que el trabajador termine. * iterar sobre la lista de vecinos para la interfaz que se va a desactivar se realiza actualmente utilizando los m\u00e9todos espec\u00edficos de RCU. Lo que significa que es posible omitir elementos al iterarla sin el spinlock asociado - un comportamiento que es aceptable para una verificaci\u00f3n peri\u00f3dica de m\u00e9tricas pero no para una rutina de limpieza (que debe \\\"detener\\\" todos los trabajadores que a\u00fan se est\u00e1n ejecutando) El mejor enfoque es deshacerse del trabajador de m\u00e9tricas de vecinos por interfaz y manejar todo en el trabajador de interfaz. Los problemas originales se resuelven: * creando una lista de vecinos que requieren nueva informaci\u00f3n m\u00e9trica dentro del contexto protegido de RCU, recopilando la m\u00e9trica de acuerdo con la nueva lista fuera del contexto protegido de RCU * solo use rcu_trylock dentro del c\u00f3digo de recopilaci\u00f3n de m\u00e9tricas para evitar un bloqueo cuando se llama a cancel_delayed_work_sync en el c\u00f3digo de eliminaci\u00f3n de interfaz (que se llama con rtnl_lock retenido)\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/0fdc3c166ac17b26014313fa2b93696354511b24\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/1c334629176c2d644befc31a20d4bf75542f7631\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/3c0e0aecb78cb2a2ca1dc701982d08fedb088dc6\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/781a06fd265a8151f7601122d9c2e985663828ff\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/8c8ecc98f5c65947b0070a24bac11e12e47cc65d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a0019971f340ae02ba54cf1861f72da7e03e6b66\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a7aa2317285806640c844acd4cd2cd768e395264\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/af264c2a9adc37f4bdf88ca7f3affa15d8c7de9e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.