CVE-2025-68169

In the Linux kernel, the following vulnerability has been resolved:

netpoll: Fix deadlock in memory allocation under spinlock

Fix a AA deadlock in refillskbs() where memory allocation while holding skbpool->lock can trigger a recursive lock acquisition attempt.

The deadlock scenario occurs when the system is under severe memory pressure:

1. refillskbs() acquires skbpool->lock (spinlock)
2. alloc_skb() is called while holding the lock
3. Memory allocator fails and calls slaboutof_memory()
4. This triggers printk() for the OOM warning
5. The console output path calls netpollsendudp()
6. netpollsendudp() attempts to acquire the same skb_pool->lock
7. Deadlock: the lock is already held by the same CPU

Call stack: refillskbs() spinlockirqsave(&skbpool->lock) <- lock acquired _allocskb() kmemcacheallocnodenoprof() slaboutofmemory() printk() consoleflushall() netpollsendudp() skbdequeue() spinlockirqsave(&skb_pool->lock) <- deadlock attempt

This bug was exposed by commit 248f6571fd4c51 ("netpoll: Optimize skb refilling on critical path") which removed refillskbs() from the critical path (where nested printk was being deferred), letting nested printk being called from inside refillskbs()

Refactor refill_skbs() to never allocate memory while holding the spinlock.

Another possible solution to fix this problem is protecting the refillskbs() from nested printks, basically calling printkdeferred{enter,exit}() in refillskbs(), then, any nested pr_warn() would be deferred.

I prefer this approach, given I think it might be a good idea to move the allocskb() from GFPATOMIC to GFPKERNEL in the future, so, having the allocskb() outside of the lock will be necessary step.

There is a possible TOCTOU issue when checking for the pool length, and queueing the new allocated skb, but, this is not an issue, given that an extra SKB in the pool is harmless and it will be eventually used.