{"id":"CVE-2025-68169","summary":"netpoll: Fix deadlock in memory allocation under spinlock","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetpoll: Fix deadlock in memory allocation under spinlock\n\nFix a AA deadlock in refill_skbs() where memory allocation while holding\nskb_pool-\u003elock can trigger a recursive lock acquisition attempt.\n\nThe deadlock scenario occurs when the system is under severe memory\npressure:\n\n1. refill_skbs() acquires skb_pool-\u003elock (spinlock)\n2. alloc_skb() is called while holding the lock\n3. Memory allocator fails and calls slab_out_of_memory()\n4. This triggers printk() for the OOM warning\n5. The console output path calls netpoll_send_udp()\n6. netpoll_send_udp() attempts to acquire the same skb_pool-\u003elock\n7. Deadlock: the lock is already held by the same CPU\n\nCall stack:\n  refill_skbs()\n    spin_lock_irqsave(&skb_pool-\u003elock)    \u003c- lock acquired\n    __alloc_skb()\n      kmem_cache_alloc_node_noprof()\n        slab_out_of_memory()\n          printk()\n            console_flush_all()\n              netpoll_send_udp()\n                skb_dequeue()\n                  spin_lock_irqsave(&skb_pool-\u003elock)     \u003c- deadlock attempt\n\nThis bug was exposed by commit 248f6571fd4c51 (\"netpoll: Optimize skb\nrefilling on critical path\") which removed refill_skbs() from the\ncritical path (where nested printk was being deferred), letting nested\nprintk being called from inside refill_skbs()\n\nRefactor refill_skbs() to never allocate memory while holding\nthe spinlock.\n\nAnother possible solution to fix this problem is protecting the\nrefill_skbs() from nested printks, basically calling\nprintk_deferred_{enter,exit}() in refill_skbs(), then, any nested\npr_warn() would be deferred.\n\nI prefer this approach, given I _think_ it might be a good idea to move\nthe alloc_skb() from GFP_ATOMIC to GFP_KERNEL in the future, so, having\nthe alloc_skb() outside of the lock will be necessary step.\n\nThere is a possible TOCTOU issue when checking for the pool length, and\nqueueing the new allocated skb, but, this is not an issue, given that\nan extra SKB in the pool is harmless and it will be eventually used.","modified":"2026-03-20T12:46:13.940184Z","published":"2025-12-16T13:42:49.270Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68169.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/06742a3ab884d7428c9050b205ffcf6a8a548397"},{"type":"WEB","url":"https://git.kernel.org/stable/c/327c20c21d80e0d87834b392d83ae73c955ad8ff"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68169.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68169"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"248f6571fd4c51531f7f8f07f186f7ae98a50afc"},{"fixed":"06742a3ab884d7428c9050b205ffcf6a8a548397"},{"fixed":"327c20c21d80e0d87834b392d83ae73c955ad8ff"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-68169.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.15.0"},{"fixed":"6.17.8"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-68169.json"}}],"schema_version":"1.7.5"}