CVE-2025-71181

Summary

In the Linux kernel, the following vulnerability has been resolved:

rust_binder: remove spin_lock() in rust_shrink_free_page()

When forward-porting Rust Binder to 6.18, I neglected to take commit fb56fdf8b9a2 ("mm/list_lru: split the lock to per-cgroup scope") into account, and apparently I did not end up running the shrinker callback when I sanity tested the driver before submission. This leads to crashes like the following:

============================================
WARNING: possible recursive locking detected
6.18.0-mainline-maybe-dirty #1 Tainted: G          IO
--------------------------------------------
kswapd0/68 is trying to acquire lock:
ffff956000fa18b0 (&l->lock){+.+.}-{2:2}, at: lock_list_lru_of_memcg+0x128/0x230

but task is already holding lock:
ffff956000fa18b0 (&l->lock){+.+.}-{2:2}, at: rust_helper_spin_lock+0xd/0x20

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(&l->lock);
  lock(&l->lock);

 *** DEADLOCK ***

 May be due to missing lock nesting notation

3 locks held by kswapd0/68:
 #0: ffffffff90d2e260 (fs_reclaim){+.+.}-{0:0}, at: kswapd+0x597/0x1160
 #1: ffff956000fa18b0 (&l->lock){+.+.}-{2:2}, at: rust_helper_spin_lock+0xd/0x20
 #2: ffffffff90cf3680 (rcu_read_lock){....}-{1:2}, at: lock_list_lru_of_memcg+0x2d/0x230

To fix this, remove the spin_lock() call from rust_shrink_free_page().

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxeafedbc7c050c44744fbdf80bdf3315e860b7513 < 30a98c97f7874031f2e1de19c777ce011143cba4affected
LinuxLinuxeafedbc7c050c44744fbdf80bdf3315e860b7513 < 361e0ff456a8daf9753c18030533256e4133ce7aaffected
LinuxLinux6.18affected
LinuxLinux0 < 6.18unaffected
LinuxLinux6.18.6 <= 6.18.*unaffected
LinuxLinux6.19 <= *unaffected

Weaknesses

References