cve/published/2025/CVE-2025-21853.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.1.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-21853: bpf: avoid holding freeze_mutex during mmap operation

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 bpf: avoid holding freeze_mutex during mmap operation

 We use map->freeze_mutex to prevent races between map_freeze() and
 memory mapping BPF map contents with writable permissions. The way we
 naively do this means we'll hold freeze_mutex for entire duration of all
 the mm and VMA manipulations, which is completely unnecessary. This can
 potentially also lead to deadlocks, as reported by syzbot in [0].

 So, instead, hold freeze_mutex only during writeability checks, bump
 (proactively) "write active" count for the map, unlock the mutex and
 proceed with mmap logic. And only if something went wrong during mmap
 logic, then undo that "write active" counter increment.

   [0] https://lore.kernel.org/bpf/678dcbc9.050a0220.303755.0066.GAE@google.com/

 The Linux kernel CVE team has assigned CVE-2025-21853 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.5 with commit fc9702273e2edb90400a34b3be76f7b08fa3344b and fixed in 5.10.237 with commit 2ce31c97c219b4fe797749f950274f246eb88c49
 	Issue introduced in 5.5 with commit fc9702273e2edb90400a34b3be76f7b08fa3344b and fixed in 5.15.181 with commit 0d90d9e154144a3a80e9fc0eb9b21b7fc990f68f
 	Issue introduced in 5.5 with commit fc9702273e2edb90400a34b3be76f7b08fa3344b and fixed in 6.1.135 with commit 4759acbd44d24a69b7b14848012ec4201d6c5501
 	Issue introduced in 5.5 with commit fc9702273e2edb90400a34b3be76f7b08fa3344b and fixed in 6.6.80 with commit 29cfda62ab4d92ab94123813db49ab76c1e61b29
 	Issue introduced in 5.5 with commit fc9702273e2edb90400a34b3be76f7b08fa3344b and fixed in 6.12.17 with commit d95607a5f2f9bb08194c9deaf4a5f3e8ba59a9d4
 	Issue introduced in 5.5 with commit fc9702273e2edb90400a34b3be76f7b08fa3344b and fixed in 6.13.5 with commit 271e49f8a58edba65bc2b1250a0abaa98c4bfdbe
 	Issue introduced in 5.5 with commit fc9702273e2edb90400a34b3be76f7b08fa3344b and fixed in 6.14 with commit bc27c52eea189e8f7492d40739b7746d67b65beb

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-21853
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	kernel/bpf/syscall.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/2ce31c97c219b4fe797749f950274f246eb88c49
 	https://git.kernel.org/stable/c/0d90d9e154144a3a80e9fc0eb9b21b7fc990f68f
 	https://git.kernel.org/stable/c/4759acbd44d24a69b7b14848012ec4201d6c5501
 	https://git.kernel.org/stable/c/29cfda62ab4d92ab94123813db49ab76c1e61b29
 	https://git.kernel.org/stable/c/d95607a5f2f9bb08194c9deaf4a5f3e8ba59a9d4
 	https://git.kernel.org/stable/c/271e49f8a58edba65bc2b1250a0abaa98c4bfdbe
 	https://git.kernel.org/stable/c/bc27c52eea189e8f7492d40739b7746d67b65beb
	From bippy-1.1.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-21853: bpf: avoid holding freeze_mutex during mmap operation

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	bpf: avoid holding freeze_mutex during mmap operation

	We use map->freeze_mutex to prevent races between map_freeze() and
	memory mapping BPF map contents with writable permissions. The way we
	naively do this means we'll hold freeze_mutex for entire duration of all
	the mm and VMA manipulations, which is completely unnecessary. This can
	potentially also lead to deadlocks, as reported by syzbot in [0].

	So, instead, hold freeze_mutex only during writeability checks, bump
	(proactively) "write active" count for the map, unlock the mutex and
	proceed with mmap logic. And only if something went wrong during mmap
	logic, then undo that "write active" counter increment.

	[0] https://lore.kernel.org/bpf/678dcbc9.050a0220.303755.0066.GAE@google.com/

	The Linux kernel CVE team has assigned CVE-2025-21853 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.5 with commit fc9702273e2edb90400a34b3be76f7b08fa3344b and fixed in 5.10.237 with commit 2ce31c97c219b4fe797749f950274f246eb88c49
	Issue introduced in 5.5 with commit fc9702273e2edb90400a34b3be76f7b08fa3344b and fixed in 5.15.181 with commit 0d90d9e154144a3a80e9fc0eb9b21b7fc990f68f
	Issue introduced in 5.5 with commit fc9702273e2edb90400a34b3be76f7b08fa3344b and fixed in 6.1.135 with commit 4759acbd44d24a69b7b14848012ec4201d6c5501
	Issue introduced in 5.5 with commit fc9702273e2edb90400a34b3be76f7b08fa3344b and fixed in 6.6.80 with commit 29cfda62ab4d92ab94123813db49ab76c1e61b29
	Issue introduced in 5.5 with commit fc9702273e2edb90400a34b3be76f7b08fa3344b and fixed in 6.12.17 with commit d95607a5f2f9bb08194c9deaf4a5f3e8ba59a9d4
	Issue introduced in 5.5 with commit fc9702273e2edb90400a34b3be76f7b08fa3344b and fixed in 6.13.5 with commit 271e49f8a58edba65bc2b1250a0abaa98c4bfdbe
	Issue introduced in 5.5 with commit fc9702273e2edb90400a34b3be76f7b08fa3344b and fixed in 6.14 with commit bc27c52eea189e8f7492d40739b7746d67b65beb

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-21853
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	kernel/bpf/syscall.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/2ce31c97c219b4fe797749f950274f246eb88c49
	https://git.kernel.org/stable/c/0d90d9e154144a3a80e9fc0eb9b21b7fc990f68f
	https://git.kernel.org/stable/c/4759acbd44d24a69b7b14848012ec4201d6c5501
	https://git.kernel.org/stable/c/29cfda62ab4d92ab94123813db49ab76c1e61b29
	https://git.kernel.org/stable/c/d95607a5f2f9bb08194c9deaf4a5f3e8ba59a9d4
	https://git.kernel.org/stable/c/271e49f8a58edba65bc2b1250a0abaa98c4bfdbe
	https://git.kernel.org/stable/c/bc27c52eea189e8f7492d40739b7746d67b65beb