CVE-2025-21813: timers/migration: Fix off-by-one root mis-connection
Description
In the Linux kernel, the following vulnerability has been resolved:
timers/migration: Fix off-by-one root mis-connection
Before attaching a new root to the old root, the children counter of the
new root is checked to verify that only the upcoming CPU's top group have
been connected to it. However since the recently added commit b729cc1ec21a
("timers/migration: Fix another race between hotplug and idle entry/exit")
this check is not valid anymore because the old root is pre-accounted
as a child to the new root. Therefore after connecting the upcoming
CPU's top group to the new root, the children count to be expected must
be 2 and not 1 anymore.
This omission results in the old root to not be connected to the new
root. Then eventually the system may run with more than one top level,
which defeats the purpose of a single idle migrator.
Also the old root is pre-accounted but not connected upon the new root
creation. But it can be connected to the new root later on. Therefore
the old root may be accounted twice to the new root. The propagation of
such overcommit can end up creating a double final top-level root with a
groupmask incorrectly initialized. Although harmless given that the final
top level roots will never have a parent to walk up to, this oddity
opportunistically reported the core issue:
WARNING: CPU: 8 PID: 0 at kernel/time/timer_migration.c:543 tmigr_requires_handle_remote
CPU: 8 UID: 0 PID: 0 Comm: swapper/8
RIP: 0010:tmigr_requires_handle_remote
Cal...
Classification
CVE ID: CVE-2025-21813
Affected Products
Vendor: Linux, Linux
Product: Linux, Linux
Exploit Prediction Scoring System (EPSS)
EPSS Score: 0.03% (probability of being exploited)
EPSS Percentile: 4.0% (scored less or equal to compared to others)
EPSS Date: 2025-03-28 (when was this score calculated)
References
https://nvd.nist.gov/vuln/detail/CVE-2025-21813https://git.kernel.org/stable/c/c6dd70e5b465a2b77c7a7c3d868736d302e29aec
https://git.kernel.org/stable/c/6f449d8fa1808a7f9ee644866bbc079285dbefdd
https://git.kernel.org/stable/c/868c9037df626b3c245ee26a290a03ae1f9f58d3