CVE-2025-68232

In the Linux kernel, the following vulnerability has been resolved:

veth: more robust handing of race to avoid txq getting stuck

Commit dc82a33297fc ("veth: apply qdisc backpressure on full ptr_ring to reduce TX drops") introduced a race condition that can lead to a permanently stalled TXQ. This was observed in production on ARM64 systems (Ampere Altra Max).

The race occurs in vethxmit(). The producer observes a full ptrring and stops the queue (netiftxstop_queue()). The subsequent conditional logic, intended to re-wake the queue if the consumer had just emptied it (if (__ptrringempty(...)) netiftxwakequeue()), can fail. This leads to a "lost wakeup" where the TXQ remains stopped (QUEUESTATEDRVXOFF) and traffic halts.

This failure is caused by an incorrect use of the __ptrringempty() API from the producer side. As noted in kernel comments, this check is not guaranteed to be correct if a consumer is operating on another CPU. The empty test is based on ptrring->consumerhead, making it reliable only for the consumer. Using this check from the producer side is fundamentally racy.

This patch fixes the race by adopting the more robust logic from an earlier version V4 of the patchset, which always flushed the peer:

(1) In veth_xmit(), the racy conditional wake-up logic and its memory barrier are removed. Instead, after stopping the queue, we unconditionally call __vethxdpflush(rq). This guarantees that the NAPI consumer is scheduled, making it solely responsible for re-waking the TXQ. This handles the race where vethpoll() consumes all packets and completes NAPI before vethxmit() on the producer side has called netiftxstop_queue. The __vethxdpflush(rq) will observe rxnotifymasked is false and schedule NAPI.

(2) On the consumer side, the logic for waking the peer TXQ is moved out of vethxdprcv() and placed at the end of the vethpoll() function. This placement is part of fixing the race, as the netiftxqueuestopped() check must occur after rxnotifymasked is potentially set to false during NAPI completion. This handles the race where vethpoll() consumes all packets, but haven't finished (rxnotifymasked is still true). The producer vethxmit() stops the TXQ and __vethxdpflush(rq) will observe rxnotifymasked is true, meaning not starting NAPI. Then vethpoll() change rxnotifymasked to false and stops NAPI. Before exiting vethpoll() will observe TXQ is stopped and wake it up.