CVE-2025-39767: 
CBL Mariner vulnerability analysis and mitigation

A vulnerability in the Linux kernel's LoongArch module loading mechanism was discovered and assigned CVE-2025-39767. The issue was disclosed on September 11, 2025, affecting systems with specific kernel configurations (CONFIGKASAN, CONFIGPREEMPTVOLUNTARYBUILD, and CONFIGPREEMPTVOLUNTARY enabled simultaneously). The vulnerability relates to inefficient PLT/GOT counting during module loading, particularly affecting the LoongArch architecture (NVD).

The vulnerability manifests as a soft deadlock condition during module loading, specifically when counting PLTs/GOTs needed for RELA handling. The original implementation used an O(n^2) complexity algorithm in the countmaxentries() function, causing significant performance degradation when loading modules with numerous relocations. The issue particularly impacts large modules like amdgpu, which showed load times of up to 1411ms before the fix (NVD).

The vulnerability causes system performance degradation and potential soft deadlocks, particularly noticeable when loading large kernel modules. Testing showed significant impact on module load times, with the amdgpu module taking 1411ms to load before the fix, compared to just 45ms after the patch. Other affected modules include ip_tables, fat, and radeon, though with less severe timing impacts (NVD).

The issue has been resolved by optimizing the PLT/GOT counting algorithm. The fix involves sorting the relocation list by info and addend, reducing the algorithm complexity from O(n^2) to O(n log n). This approach is similar to the optimization implemented in commit d4e0340919fb for arm64/module architecture (NVD).