{
  "threat_severity" : "Moderate",
  "public_date" : "2025-09-19T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: mm: slub: avoid wake up kswapd in set_track_prepare",
    "id" : "2396941",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2396941"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.7",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-833",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nmm: slub: avoid wake up kswapd in set_track_prepare\nset_track_prepare() can incur lock recursion.\nThe issue is that it is called from hrtimer_start_range_ns\nholding the per_cpu(hrtimer_bases)[n].lock, but when enabled\nCONFIG_DEBUG_OBJECTS_TIMERS, may wake up kswapd in set_track_prepare,\nand try to hold the per_cpu(hrtimer_bases)[n].lock.\nAvoid deadlock caused by implicitly waking up kswapd by passing in\nallocation flags, which do not contain __GFP_KSWAPD_RECLAIM in the\ndebug_objects_fill_pool() case. Inside stack depot they are processed by\ngfp_nested_mask().\nSince ___slab_alloc() has preemption disabled, we mask out\n__GFP_DIRECT_RECLAIM from the flags there.\nThe oops looks something like:\nBUG: spinlock recursion on CPU#3, swapper/3/0\nlock: 0xffffff8a4bf29c80, .magic: dead4ead, .owner: swapper/3/0, .owner_cpu: 3\nHardware name: Qualcomm Technologies, Inc. Popsicle based on SM8850 (DT)\nCall trace:\nspin_bug+0x0\n_raw_spin_lock_irqsave+0x80\nhrtimer_try_to_cancel+0x94\ntask_contending+0x10c\nenqueue_dl_entity+0x2a4\ndl_server_start+0x74\nenqueue_task_fair+0x568\nenqueue_task+0xac\ndo_activate_task+0x14c\nttwu_do_activate+0xcc\ntry_to_wake_up+0x6c8\ndefault_wake_function+0x20\nautoremove_wake_function+0x1c\n__wake_up+0xac\nwakeup_kswapd+0x19c\nwake_all_kswapds+0x78\n__alloc_pages_slowpath+0x1ac\n__alloc_pages_noprof+0x298\nstack_depot_save_flags+0x6b0\nstack_depot_save+0x14\nset_track_prepare+0x5c\n___slab_alloc+0xccc\n__kmalloc_cache_noprof+0x470\n__set_page_owner+0x2bc\npost_alloc_hook[jt]+0x1b8\nprep_new_page+0x28\nget_page_from_freelist+0x1edc\n__alloc_pages_noprof+0x13c\nalloc_slab_page+0x244\nallocate_slab+0x7c\n___slab_alloc+0x8e8\nkmem_cache_alloc_noprof+0x450\ndebug_objects_fill_pool+0x22c\ndebug_object_activate+0x40\nenqueue_hrtimer[jt]+0xdc\nhrtimer_start_range_ns+0x5f8\n...", "A deadlock lock recursion vulnerability exists in the linux kernel such that when CONFIG_DEBUG_OBJECTS_TIMERS is set, may wake up kswapd in set_track_prepare, and try to hold the per_cpu(hrtimer_bases) lock." ],
  "statement" : "This issue can only occur on debug kernel builds with specific configuration options enabled (e.g. CONFIG_SLUB_DEBUG, CONFIG_STACKDEPOT, SLAB_STORE_USER). It may lead to a deadlock (spinlock recursion) under rare timing conditions but cannot be triggered on standard production kernels. The impact is limited to a local denial of service.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-01-12T00:00:00Z",
    "advisory" : "RHSA-2026:0453",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "kernel-0:6.12.0-124.27.1.el10_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10.0 Extended Update Support",
    "release_date" : "2026-01-08T00:00:00Z",
    "advisory" : "RHSA-2026:0271",
    "cpe" : "cpe:/o:redhat:enterprise_linux_eus:10.0",
    "package" : "kernel-0:6.12.0-55.52.1.el10_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-11-24T00:00:00Z",
    "advisory" : "RHSA-2025:21926",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-611.9.1.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-11-24T00:00:00Z",
    "advisory" : "RHSA-2025:21926",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-611.9.1.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support",
    "release_date" : "2025-12-22T00:00:00Z",
    "advisory" : "RHSA-2025:23789",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.6",
    "package" : "kernel-0:5.14.0-570.76.1.el9_6"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Will not fix",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-39843\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-39843\nhttps://lore.kernel.org/linux-cve-announce/2025091903-CVE-2025-39843-0702@gregkh/T" ],
  "name" : "CVE-2025-39843",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}