CVE-2025-71132 Overview
A race condition vulnerability has been identified in the Linux kernel's smc91x network driver when compiled with PREEMPT_RT (Real-Time) support. The flaw exists in the interrupt context handling, where smc_special_trylock() disables IRQs but smc_special_unlock() fails to properly restore IRQs on PREEMPT_RT configurations. This mismatch causes workqueue atomic leaks and RCU state inconsistencies, potentially leading to system instability or denial of service conditions.
Critical Impact
Systems running PREEMPT_RT-enabled Linux kernels with SMC91x network controllers may experience kernel warnings, workqueue leaks, and potential system instability due to improper IRQ context handling.
Affected Products
- Linux kernel with PREEMPT_RT enabled
- Systems using SMC91x network driver (smc91x.c)
- ARM FVP (Fixed Virtual Platform) RevC and similar embedded platforms
Discovery Timeline
- 2026-01-14 - CVE CVE-2025-71132 published to NVD
- 2026-01-19 - Last updated in NVD database
Technical Details for CVE-2025-71132
Vulnerability Analysis
The vulnerability resides in the locking mechanism used by the smc91x network driver when operating under PREEMPT_RT (Real-Time preemption) kernel configurations. The driver uses custom spinlock wrappers (smc_special_trylock() and smc_special_unlock()) to manage critical sections during network operations. However, these functions exhibit asymmetric behavior on PREEMPT_RT systems.
When smc_special_trylock() acquires the lock, it disables hardware interrupts to protect the critical section. The problem arises in smc_special_unlock(), which calls spin_unlock_irqrestore(). On PREEMPT_RT systems, this does not properly restore the IRQ state, causing rcu_read_unlock_bh() in __dev_queue_xmit() to fail when attempting to invoke rcu_read_unlock() through __local_bh_enable_ip() after current->softirq_disable_cnt reaches zero.
This results in RCU state tracking inconsistencies, manifesting as kernel BUG warnings indicating workqueue leaked atomic or RCU contexts during network multicast operations, particularly during mld_ifc_work workqueue execution.
Root Cause
The root cause is the inconsistent handling of IRQ disabling and restoring between smc_special_trylock() and smc_special_unlock() functions on PREEMPT_RT kernel configurations. While PREEMPT_RT modifies spinlock behavior for real-time guarantees, the smc91x driver's custom lock wrapper functions do not account for these differences, creating an IRQ state mismatch that corrupts RCU tracking.
Attack Vector
This vulnerability can be triggered locally when network activity occurs on systems with PREEMPT_RT-enabled kernels using the SMC91x network driver. The issue manifests during normal network operations, particularly when IPv6 multicast listener discovery (MLD) workqueues execute concurrent network transmissions.
The attack surface is limited to local denial of service conditions on affected embedded systems. An attacker with local access could potentially cause system instability by generating network traffic that triggers the vulnerable code path during MLD processing.
Detection Methods for CVE-2025-71132
Indicators of Compromise
- Kernel log messages containing BUG: workqueue leaked atomic, lock or RCU warnings
- Stack traces referencing mld_ifc_work, process_scheduled_works, or worker_thread
- System instability or network driver issues on PREEMPT_RT enabled systems using SMC91x hardware
- RCU state inconsistency messages with RCU=0->1 patterns in kernel logs
Detection Strategies
- Monitor kernel ring buffer (dmesg) for workqueue atomic leak warnings associated with the smc91x driver
- Implement audit rules for kernel BUG messages related to preemption and RCU state tracking
- Review system logs for network driver anomalies on embedded ARM platforms using SMC91x controllers
- Deploy kernel tracing to identify IRQ context mismatches during network operations
Monitoring Recommendations
- Enable kernel watchdog and panic-on-BUG configurations to detect and respond to locking violations
- Implement centralized log collection for kernel warnings across affected embedded systems
- Configure alerts for PREEMPT and RCU related kernel messages on PREEMPT_RT deployments
- Monitor network driver health metrics on systems using the smc91x module
How to Mitigate CVE-2025-71132
Immediate Actions Required
- Identify systems running PREEMPT_RT-enabled kernels with SMC91x network hardware
- Apply the official kernel patches that replace smc_special_trylock() with spin_trylock_irqsave()
- Schedule maintenance windows to update affected embedded systems and ARM platforms
- Consider temporarily disabling PREEMPT_RT if patching is not immediately possible on critical systems
Patch Information
The Linux kernel maintainers have released patches to resolve this issue by replacing the smc_special_trylock() function with the standard spin_trylock_irqsave() call, which properly handles IRQ context on both standard and PREEMPT_RT configurations.
Multiple stable kernel commits address this vulnerability:
- Commit 1c4cb705e733
- Commit 36561b86cb25
- Commit 6402078bd9d1
- Commit 9d222141b001
- Commit b6018d5c1a8f
- Commit ef277ae121b3
Workarounds
- Disable PREEMPT_RT configuration if real-time preemption is not required for the deployment
- Use an alternative network driver or hardware if the smc91x driver is not essential
- Implement network isolation on affected embedded systems to reduce attack surface
- Configure kernel panic behavior to ensure system recovery if workqueue leaks occur
# Check if system is affected
uname -a | grep -i preempt
lsmod | grep smc91x
# Verify kernel configuration for PREEMPT_RT
zcat /proc/config.gz | grep CONFIG_PREEMPT_RT
# Apply kernel update on Debian/Ubuntu-based systems
apt update && apt upgrade linux-image-*
# On embedded systems, rebuild kernel with patched smc91x driver
make ARCH=arm menuconfig
make ARCH=arm -j$(nproc)
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
