CVE-2025-68232
Description
In the Linux kernel, the following vulnerability has been resolved:

veth: more robust handing of race to avoid txq getting stuck

Commit dc82a33297fc (veth: apply qdisc backpressure on full ptr_ring to reduce TX drops) introduced a race condition that can lead to a permanently stalled TXQ. This was observed in production on ARM64 systems (Ampere Altra Max).

The race occurs in veth_xmit(). The producer observes a full ptr_ring and stops the queue (netif_tx_stop_queue()). The subsequent conditional logic, intended to re-wake the queue if the consumer had just emptied it (if (__ptr_ring_empty(...)) netif_tx_wake_queue()), can fail. This leads to a lost wakeup where the TXQ remains stopped (QUEUE_STATE_DRV_XOFF) and traffic halts.

This failure is caused by an incorrect use of the __ptr_ring_empty() API from the producer side. As noted in kernel comments, this check is not guaranteed to be correct if a consumer is operating on another CPU. The empty test is based on ptr_ring->consumer_head, making it reliable only for the consumer. Using this check from the producer side is fundamentally racy.

This patch fixes the race by adopting the more robust logic from an earlier version V4 of the patchset, which always flushed the peer:

(1) In veth_xmit(), the racy conditional wake-up logic and its memory barrier are removed. Instead, after stopping the queue, we unconditionally call __veth_xdp_flush(rq). This guarantees that the NAPI consumer is scheduled, making it solely responsible for re-waking the TXQ. This handles the race where veth_poll() consumes all packets and completes NAPI *before* veth_xmit() on the producer side has called netif_tx_stop_queue. The __veth_xdp_flush(rq) will observe rx_notify_masked is false and schedule NAPI.

(2) On the consumer side, the logic for waking the peer TXQ is moved out of veth_xdp_rcv() and placed at the end of the veth_poll() function. This placement is part of fixing the race, as the netif_tx_queue_stopped() check must occur after rx_notify_masked is potentially set to false during NAPI completion. This handles the race where veth_poll() consumes all packets, but hasn't finished (rx_notify_masked is still true). The producer veth_xmit() stops the TXQ and __veth_xdp_flush(rq) will observe rx_notify_masked is true, meaning not starting NAPI. Then veth_poll() changes rx_notify_masked to false and stops NAPI. Before exiting, veth_poll() will observe TXQ is stopped and wake it up.
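The ordering argument in the description can be checked exhaustively on a small model. The following is an added example, not kernel code and not part of the patch: it enumerates every interleaving of one ring-full veth_xmit() call against a running veth_poll() and counts the interleavings that leave the TXQ stopped. It assumes sequentially consistent memory and a single queue; the struct, its fields, START and the stale flag (which models the producer-side empty test wrongly reporting "not empty") are hypothetical names.

```c
#include <stdbool.h>
#include <stdio.h>

/* Abstract, sequentially consistent model of the race; not kernel code.
 * Start: ring full, NAPI poll running, producer just failed to enqueue. */
struct st { bool stopped, masked, sched, empty; int p, c; };
static const struct st START = { .masked = true };

/* Returns the number of interleavings that end with the TXQ still stopped.
 * stale=true: the old producer-side empty test wrongly says "not empty". */
static int explore(struct st s, bool fixed, bool stale)
{
    int stuck = 0;
    if (s.c == 3 && s.sched) { /* rescheduled NAPI runs veth_poll() again */
        s.c = 0;
        s.sched = false;
    }
    if (s.p == 2 && s.c == 3) /* both sides finished */
        return s.stopped;
    if (s.p < 2) { /* producer: veth_xmit() ring-full path */
        struct st n = s;
        n.p++;
        if (s.p == 0)
            n.stopped = true; /* netif_tx_stop_queue() */
        else if (fixed && !n.masked)
            n.masked = n.sched = true; /* __veth_xdp_flush() schedules NAPI */
        else if (!fixed && n.empty && !stale)
            n.stopped = false; /* old conditional re-wake */
        stuck += explore(n, fixed, stale);
    }
    if (s.c < 3) { /* consumer: one step of veth_poll() */
        struct st n = s;
        n.c++;
        if (s.c == 0)
            n.empty = true; /* ring drained */
        else if (s.c == (fixed ? 2 : 1))
            n.stopped = false; /* wake the peer TXQ; the fix does this last */
        else
            n.masked = false; /* NAPI completes: rx_notify_masked = false */
        stuck += explore(n, fixed, stale);
    }
    return stuck;
}

int main(void)
{
    printf("stuck: old=%d fixed=%d\n", explore(START, false, true), explore(START, true, false));
    return 0;
}
```

In this model the old logic only loses the wakeup when the producer-side test gives a wrong answer, which is the unreliability the description attributes to __ptr_ring_empty(); the fixed ordering does not consult that test at all.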
Risk Information
Associated Vulnerability
No records found
Patch Details
No records found
References
https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234