CVE-2025-40163: sched/deadline: Stop dl_server before CPU goes offline
In the Linux kernel, the following vulnerability has been resolved:
sched/deadline: Stop dl_server before CPU goes offline
IBM CI tool reported kernel warning[1] when running a CPU removal
operation through drmgr[2]. i.e "drmgr -c cpu -r -q 1"
WARNING: CPU: 0 PID: 0 at kernel/sched/cpudeadline.c:219 cpudl_set+0x58/0x170
NIP [c0000000002b6ed8] cpudl_set+0x58/0x170
LR [c0000000002b7cb8] dl_server_timer+0x168/0x2a0
Call Trace:
[c000000002c2f8c0] init_stack+0x78c0/0x8000 (unreliable)
[c0000000002b7cb8] dl_server_timer+0x168/0x2a0
[c00000000034df84] __hrtimer_run_queues+0x1a4/0x390
[c00000000034f624] hrtimer_interrupt+0x124/0x300
[c00000000002a230] timer_interrupt+0x140/0x320
Git bisects to: commit 4ae8d9aa9f9d ("sched/deadline: Fix dl_server getting stuck")
This happens since:
- dl_server hrtimer gets enqueued close to cpu offline, when
kthread_park enqueues a fair task.
- CPU goes offline and drmgr removes it from cpu_present_mask.
- hrtimer fires and warning is hit.
Fix it by stopping the dl_server before CPU is marked dead.
[1]: https://lore.kernel.org/all/8218e149-7718-4432-9312-f97297c352b9@linux.ibm.com/
[2]: https://github.com/ibm-power-utilities/powerpc-utils/tree/next/src/drmgr
[sshegde: wrote the changelog and tested it]
Security readout for executives and security teams
Plain-English summary
This Linux kernel issue can trigger a kernel warning during CPU removal operations. The provided sources describe an operational scheduler bug, not confirmed attacker exploitation. Business urgency depends on whether affected kernel versions are used on systems that perform CPU hotplug or CPU removal.
Executive priority
Treat as a targeted operational stability issue unless vendor guidance adds stronger impact detail. Patch during normal kernel maintenance, faster for platforms using CPU hotplug or CPU removal.
Technical view
The scheduler deadline server timer can fire after a CPU is removed from cpu_present_mask, reaching cpudl_set and triggering a warning. The fix stops dl_server before the CPU is marked dead. The source links only identify Linux kernel versions and stable commits, with no CVSS or CWE.
Likely exposure
Exposure appears limited to Linux systems running affected kernel versions, especially environments using CPU hotplug or CPU removal. The source example involved IBM CI and drmgr, but the CVE names Linux generally.
Exploitation context
The bundle does not show active exploitation, KEV listing, public exploit use, or attacker-controlled impact. The described trigger is a CPU removal operation that exposed a kernel scheduler timing bug.
Researcher notes
Evidence is incomplete for security impact: no CVSS, CWE, exploit status, or privilege boundary is provided. The root cause and fix direction are clear from the kernel description and stable commit references.
Mitigation direction
Apply a Linux kernel update containing the referenced stable fixes.
Check your distribution vendor advisory for backported patches.
Prioritize systems using CPU hotplug or planned CPU removal workflows.
Defer nonessential CPU removal operations on affected kernels where practical.
Validation and detection
Inventory Linux kernel versions against the CVE affected-version data.
Confirm distribution packages include one of the referenced stable fixes.
Review kernel logs for scheduler warnings during CPU removal events.
Validate remediation in a controlled maintenance or lab environment.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2025-40163 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
0ADP providers
4Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Nov 12, 2025, 10:26 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.