CVE-2025-39749
Published: 2025-09-11
Severity: High, CVSS 3.1 base score 7.0 (vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
In the Linux kernel, the following vulnerability has been resolved:
rcu: Protect ->defer_qs_iw_pending from data race
On kernels built with CONFIG_IRQ_WORK=y, when rcu_read_unlock() is
invoked within an interrupts-disabled region of code [1], it will invoke
rcu_read_unlock_special(), which uses an irq-work handler to force the
system to notice when the RCU read-side critical section actually ends.
That end won't happen until interrupts are enabled at the soonest.
In some kernels, such as those booted with rcutree.use_softirq=y, the
irq-work handler is used unconditionally.
The per-CPU rcu_data structure's ->defer_qs_iw_pending field is
updated by the irq-work handler and is both read and updated by
rcu_read_unlock_special(). This resulted in the following KCSAN splat:
```
BUG: KCSAN: data-race in rcu_preempt_deferred_qs_handler / rcu_read_unlock_special

read to 0xffff96b95f42d8d8 of 1 bytes by task 90 on cpu 8:
 rcu_read_unlock_special+0x175/0x260
 __rcu_read_unlock+0x92/0xa0
 rt_spin_unlock+0x9b/0xc0
 __local_bh_enable+0x10d/0x170
 __local_bh_enable_ip+0xfb/0x150
 rcu_do_batch+0x595/0xc40
 rcu_cpu_kthread+0x4e9/0x830
 smpboot_thread_fn+0x24d/0x3b0
 kthread+0x3bd/0x410
 ret_from_fork+0x35/0x40
 ret_from_fork_asm+0x1a/0x30

write to 0xffff96b95f42d8d8 of 1 bytes by task 88 on cpu 8:
 rcu_preempt_deferred_qs_handler+0x1e/0x30
 irq_work_single+0xaf/0x160
 run_irq_workd+0x91/0xc0
 smpboot_thread_fn+0x24d/0x3b0
 kthread+0x3bd/0x410
 ret_from_fork+0x35/0x40
 ret_from_fork_asm+0x1a/0x30

no locks held by irq_work/8/88.
irq event stamp: 200272
hardirqs last enabled at (200272): [] finish_task_switch+0x131/0x320
hardirqs last disabled at (200271): [] __schedule+0x129/0xd70
softirqs last enabled at (0): [] copy_process+0x4df/0x1cc0
softirqs last disabled at (0): [] 0x0
```
The problem is that irq-work handlers run with interrupts enabled, which
means that rcu_preempt_deferred_qs_handler() could be interrupted,
and that interrupt handler might contain an RCU read-side critical
section, which m
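The mechanism the commit message describes, as an added model that is neither kernel code nor the upstream patch: a single-threaded C program in which the interrupt is injected explicitly at the point where the irq-work handler touches ->defer_qs_iw_pending. The shape of the check-and-set in rcu_read_unlock_special() and of the clear in the handler is assumed from the description above, as is the assumption that irq_work clears its PENDING bit before calling the handler so that a re-queue from inside the handler is accepted. The modelled consequence, a deferred quiescent-state report that is never queued because the interrupt observed a stale "pending" flag, is this model's assumption about how the race manifests; the advisory text is cut off before it states the outcome. handler_fixed() applies the model's own mitigation, disabling the modelled interrupts across the clear, and is not a transcription of the upstream fix. KCSAN complains about the unmarked concurrent accesses themselves; the model shows the ordering hazard those accesses permit.

```c
/* Added example: user-space model of the ->defer_qs_iw_pending race.
 * Not kernel code.  "Interrupts" are explicit: an interrupt that is due fires
 * at the next maybe_deliver_irq() call unless the model's interrupts are
 * disabled, in which case it fires at local_irq_restore_model(). */
#include <stdbool.h>
#include <stdio.h>

struct rcu_data_model {
	bool defer_qs_iw_pending;   /* the per-CPU flag from the advisory */
	int  irq_work_queued;       /* irq_work_queue_on() calls accepted */
	int  irq_work_outstanding;  /* queued items whose handler has not started */
	int  handler_runs;
	int  unlock_special_calls;
	int  lost_requests;         /* unlock_special relied on work that was gone */
};

static bool irqs_disabled;  /* modelled CPU interrupt mask */
static bool irq_pending;    /* an interrupt containing an RCU reader is due */

static void rcu_read_unlock_special_model(struct rcu_data_model *rdp);

static void maybe_deliver_irq(struct rcu_data_model *rdp)
{
	if (!irq_pending || irqs_disabled)
		return;
	irq_pending = false;
	/* The interrupt handler's rcu_read_unlock() runs with interrupts
	 * disabled, so (per the advisory) it reaches rcu_read_unlock_special(). */
	rcu_read_unlock_special_model(rdp);
}

static void local_irq_save_model(void) { irqs_disabled = true; }

static void local_irq_restore_model(struct rcu_data_model *rdp)
{
	irqs_disabled = false;
	maybe_deliver_irq(rdp);
}

/* Assumed shape of rcu_read_unlock_special(): queue irq-work unless the flag
 * already says one is pending. */
static void rcu_read_unlock_special_model(struct rcu_data_model *rdp)
{
	rdp->unlock_special_calls++;
	if (rdp->defer_qs_iw_pending) {
		/* Relying on already-queued work.  If its handler has already
		 * started, nothing will report this deferred quiescent state. */
		if (rdp->irq_work_outstanding == 0)
			rdp->lost_requests++;
		return;
	}
	rdp->defer_qs_iw_pending = true;
	rdp->irq_work_queued++;
	rdp->irq_work_outstanding++;
}

/* Pre-fix handler: runs with interrupts enabled, so the interrupt can land
 * after the handler has started but before the flag is cleared. */
void handler_racy(struct rcu_data_model *rdp)
{
	rdp->handler_runs++;
	rdp->irq_work_outstanding--;   /* assumed: PENDING cleared before func runs */
	maybe_deliver_irq(rdp);        /* interrupt lands here: flag still true */
	rdp->defer_qs_iw_pending = false;
}

/* Model mitigation (not the upstream patch): clear the flag with interrupts
 * disabled, so the interrupt runs only after the flag is false and its
 * unlock_special queues fresh irq-work. */
void handler_fixed(struct rcu_data_model *rdp)
{
	rdp->handler_runs++;
	rdp->irq_work_outstanding--;
	local_irq_save_model();
	maybe_deliver_irq(rdp);        /* cannot fire: interrupts are off */
	rdp->defer_qs_iw_pending = false;
	local_irq_restore_model(rdp);  /* interrupt delivered here */
}

/* One task queues irq-work, an interrupt becomes due, the handler runs.
 * Returns the number of lost deferred-QS requests (0 means nothing lost). */
int run_scenario(void (*handler)(struct rcu_data_model *), struct rcu_data_model *out)
{
	struct rcu_data_model rdp = {0};

	irqs_disabled = false;
	irq_pending = false;
	rcu_read_unlock_special_model(&rdp);  /* task side: queues irq-work */
	irq_pending = true;                   /* interrupt now due */
	handler(&rdp);                        /* irq-work handler runs */
	if (out)
		*out = rdp;
	return rdp.lost_requests;
}

int main(void)
{
	struct rcu_data_model m;
	int lost;

	lost = run_scenario(handler_racy, &m);
	printf("racy:  lost=%d queued=%d outstanding=%d\n",
	       lost, m.irq_work_queued, m.irq_work_outstanding);
	lost = run_scenario(handler_fixed, &m);
	printf("fixed: lost=%d queued=%d outstanding=%d\n",
	       lost, m.irq_work_queued, m.irq_work_outstanding);
	return 0;
}
```

Build with `cc -Wall -o defer_qs_model defer_qs_model.c` and run: the racy handler reports one lost request with no irq-work left outstanding, the fixed handler reports none lost with a second irq-work item queued for the interrupt's reader.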
Affected
38 ranges (showing 25)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | linux | < linux 6.1.153-1 (bookworm) | linux 6.1.153-1 (bookworm) |
| debian | linux-6.1 | < linux 6.1.153-1 (bookworm) | linux 6.1.153-1 (bookworm) |
| linux | linux | — | — |
| linux | linux | >= 0864f057b050bc6dd68106b3185e02db5140012d < 74f58f382a7c8333f8d09701aefaa25913bdbe0e | 74f58f382a7c8333f8d09701aefaa25913bdbe0e |
| linux | linux | >= 0864f057b050bc6dd68106b3185e02db5140012d < f937759c7432d6151b73e1393b6517661813d506 | f937759c7432d6151b73e1393b6517661813d506 |
| linux | linux | >= 0864f057b050bc6dd68106b3185e02db5140012d < 0ad84d62217488e679ecc90e8628980dcc003de3 | 0ad84d62217488e679ecc90e8628980dcc003de3 |
| linux | linux | >= 0864f057b050bc6dd68106b3185e02db5140012d < b5de8d80b5d049f051b95d9b1ee50ae4ab656124 | b5de8d80b5d049f051b95d9b1ee50ae4ab656124 |
| linux | linux | >= 0864f057b050bc6dd68106b3185e02db5140012d < b55947b725f190396f475d5d0c59aa855a4d8895 | b55947b725f190396f475d5d0c59aa855a4d8895 |
| linux | linux | >= 0864f057b050bc6dd68106b3185e02db5140012d < e35e711c78c8a4c43330c0dcb1c4d507a19c20f4 | e35e711c78c8a4c43330c0dcb1c4d507a19c20f4 |
| linux | linux | >= 0864f057b050bc6dd68106b3185e02db5140012d < 90de9c94ea72327cfa9c2c9f6113c23a513af60b | 90de9c94ea72327cfa9c2c9f6113c23a513af60b |
| linux | linux | >= 0864f057b050bc6dd68106b3185e02db5140012d < 55e11f6776798b27cf09a7aa0d718415d4fc9cf5 | 55e11f6776798b27cf09a7aa0d718415d4fc9cf5 |
| linux | linux | >= 0864f057b050bc6dd68106b3185e02db5140012d < 90c09d57caeca94e6f3f87c49e96a91edd40cbfd | 90c09d57caeca94e6f3f87c49e96a91edd40cbfd |
| linux | linux_kernel | >= 0 < 5.10.244-1 | 5.10.244-1 |
| linux | linux_kernel | >= 0 < 6.1.153-1 | 6.1.153-1 |
| linux | linux_kernel | >= 0 < 6.12.43-1 | 6.12.43-1 |
| linux | linux_kernel | >= 0 < 6.16.3-1 | 6.16.3-1 |
| linux | linux_kernel | >= 0 < 5.15.0-163.173 | 5.15.0-163.173 |
| linux | linux_kernel | >= 0 < 6.8.0-100.100 | 6.8.0-100.100 |
| linux | linux_kernel | >= 5.11 < 5.15.190 | 5.15.190 |
| linux | linux_kernel | >= 5.16 < 6.1.149 | 6.1.149 |
| linux | linux_kernel | >= 5.3 < 5.4.297 | 5.4.297 |
| linux | linux_kernel | >= 5.5 < 5.10.241 | 5.10.241 |
| linux | linux_kernel | >= 6.13 < 6.15.11 | 6.15.11 |
| linux | linux_kernel | >= 6.16 < 6.16.2 | 6.16.2 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.0 | HIGH | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| osv | — | 7.0 | HIGH | — |