Linux Kernel BPF Timer Cancellation Vulnerability in PREEMPT_RT Environment

A vulnerability in the Linux kernel's BPF (Berkeley Packet Filter) implementation has been identified, specifically in versions 6.12.0 and later with PREEMPT_RT enabled. The issue arises during the update process of a pre-allocated hash table element, where the old element is freed while a bucket lock is released. This creates a race condition, as the stashed element can be reused by a concurrent update, leading to a scheduling bug. The vulnerability is related to improper handling of timer cancellations, which can cause delays and potential inconsistencies in BPF program execution.

Impact

Exploitation of this vulnerability can lead to a race condition, causing scheduling issues and potential incorrect behavior in BPF programs, particularly those using timers.

Remediation

Users can apply the patch available in the Linux kernel Git repository to address this vulnerability. The patch is included in the official Linux kernel releases starting from version 6.12 with PREEMPT_RT enabled.