CVE-2025-37821
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-37821
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-37821.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-37821
- Downstream
- Published
- 2025-05-08T06:26:15.535Z
- Modified
- 2025-11-20T08:58:03.637442Z
- Summary
- sched/eevdf: Fix se->slice being set to U64_MAX and resulting crash
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
sched/eevdf: Fix se->slice being set to U64_MAX and resulting crash
There is a code path in dequeueentities() that can set the slice of a schedentity to U64_MAX, which sometimes results in a crash.
The offending case is when dequeue_entities() is called to dequeue a delayed group entity, and then the entity's parent's dequeue is delayed. In that case:
- In the if (entityistask(se)) else block at the beginning of dequeueentities(), slice is set to cfsrqminslice(groupcfsrq(se)). If the entity was delayed, then it has no queued tasks, so cfsrqminslice() returns U64MAX.
- The first foreachsched_entity() loop dequeues the entity.
- If the entity was its parent's only child, then the next iteration tries to dequeue the parent.
- If the parent's dequeue needs to be delayed, then it breaks from the first foreachschedentity() loop _without updating slice.
- The second foreachschedentity() loop sets the parent's ->slice to the saved slice, which is still U64MAX.
This throws off subsequent calculations with potentially catastrophic results. A manifestation we saw in production was:
- In updateentitylag(), se->slice is used to calculate limit, which ends up as a huge negative number.
- limit is used in se->vlag = clamp(vlag, -limit, limit). Because limit is negative, vlag > limit, so se->vlag is set to the same huge negative number.
- In place_entity(), se->vlag is scaled, which overflows and results in another huge (positive or negative) number.
- The adjusted lag is subtracted from se->vruntime, which increases or decreases se->vruntime by a huge number.
- pickeevdf() calls entityeligible()/vruntimeeligible(), which incorrectly returns false because the vruntime is so far from the other vruntimes on the queue, causing the (vruntime - cfsrq->min_vruntime) * load calulation to overflow.
- Nothing appears to be eligible, so pick_eevdf() returns NULL.
- picknextentity() tries to dereference the return value of pick_eevdf() and crashes.
Dumping the cfsrq states from the core dumps with drgn showed tell-tale huge vruntime ranges and bogus vlag values, and I also traced se->slice being set to U64MAX on live systems (which was usually "benign" since the rest of the runqueue needed to be in a particular state to crash).
Fix it in dequeueentities() by always setting slice from the first non-empty cfsrq.
- References
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedaef6987d89544d63a47753cf3741cabff0b5574cFixed86b37810fa1e40b93171da023070b99ccbb4ea04
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedaef6987d89544d63a47753cf3741cabff0b5574cFixed50a665496881262519f115f1bfe5822f30580eb0
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedaef6987d89544d63a47753cf3741cabff0b5574cFixedbbce3de72be56e4b5f68924b7da9630cc89aa1a8
Affected versions
v6.*
v6.11
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.12.10
v6.12.11
v6.12.12
v6.12.13
v6.12.14
v6.12.15
v6.12.16
v6.12.17
v6.12.18
v6.12.19
v6.12.2
v6.12.20
v6.12.21
v6.12.22
v6.12.23
v6.12.24
v6.12.25
v6.12.26
v6.12.27
v6.12.28
v6.12.3
v6.12.4
v6.12.5
v6.12.6
v6.12.7
v6.12.8
v6.12.9
v6.13
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.14
v6.14-rc1
v6.14-rc2
v6.14-rc3
v6.14-rc4
v6.14-rc5
v6.14-rc6
v6.14-rc7
v6.14.1
v6.14.2
v6.14.3
v6.14.4
v6.15-rc1
v6.15-rc2
v6.15-rc3
Database specific
vanir_signatures
[
{
"signature_type": "Line",
"deprecated": false,
"target": {
"file": "kernel/sched/fair.c"
},
"digest": {
"line_hashes": [
"254812602774900030681634740919117216862",
"46661204985432113856713005410586128974",
"100663824139019303145830991877082545680",
"18719678288745176932705292169155602718",
"228023440167149905752488831574382491530",
"156945693167515091309085832855911756898",
"35900549834265057296833847151734878182",
"168917490670314715908908945168607964416",
"20925002276611866394134364838331196919"
],
"threshold": 0.9
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@bbce3de72be56e4b5f68924b7da9630cc89aa1a8",
"signature_version": "v1",
"id": "CVE-2025-37821-44b4658d"
},
{
"signature_type": "Function",
"deprecated": false,
"target": {
"file": "kernel/sched/fair.c",
"function": "dequeue_entities"
},
"digest": {
"length": 1762.0,
"function_hash": "125726233019184832885931191188426564947"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@86b37810fa1e40b93171da023070b99ccbb4ea04",
"signature_version": "v1",
"id": "CVE-2025-37821-68e60693"
},
{
"signature_type": "Line",
"deprecated": false,
"target": {
"file": "kernel/sched/fair.c"
},
"digest": {
"line_hashes": [
"149061015002992491603514491662611307528",
"246727224363075794728142365268250194459",
"243304741434649341661665589190206196400",
"18719678288745176932705292169155602718",
"228023440167149905752488831574382491530",
"156945693167515091309085832855911756898",
"35900549834265057296833847151734878182",
"168917490670314715908908945168607964416",
"11973284306858098222011192478283110134"
],
"threshold": 0.9
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@86b37810fa1e40b93171da023070b99ccbb4ea04",
"signature_version": "v1",
"id": "CVE-2025-37821-8fb34649"
},
{
"signature_type": "Line",
"deprecated": false,
"target": {
"file": "kernel/sched/fair.c"
},
"digest": {
"line_hashes": [
"254812602774900030681634740919117216862",
"46661204985432113856713005410586128974",
"100663824139019303145830991877082545680",
"18719678288745176932705292169155602718",
"228023440167149905752488831574382491530",
"156945693167515091309085832855911756898",
"35900549834265057296833847151734878182",
"168917490670314715908908945168607964416",
"20925002276611866394134364838331196919"
],
"threshold": 0.9
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@50a665496881262519f115f1bfe5822f30580eb0",
"signature_version": "v1",
"id": "CVE-2025-37821-9125d7b0"
},
{
"signature_type": "Function",
"deprecated": false,
"target": {
"file": "kernel/sched/fair.c",
"function": "dequeue_entities"
},
"digest": {
"length": 1761.0,
"function_hash": "143585755216910096424738967461548717356"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@bbce3de72be56e4b5f68924b7da9630cc89aa1a8",
"signature_version": "v1",
"id": "CVE-2025-37821-9f2405f0"
},
{
"signature_type": "Function",
"deprecated": false,
"target": {
"file": "kernel/sched/fair.c",
"function": "dequeue_entities"
},
"digest": {
"length": 1761.0,
"function_hash": "143585755216910096424738967461548717356"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@50a665496881262519f115f1bfe5822f30580eb0",
"signature_version": "v1",
"id": "CVE-2025-37821-cf4ca97a"
}
]