{ "schema_version": "1.4.0", "id": "GHSA-5h3j-3mgh-9rr3", "modified": "2025-09-11T18:35:51Z", "published": "2025-09-11T18:35:51Z", "aliases": [ "CVE-2025-39749" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nrcu: Protect ->defer_qs_iw_pending from data race\n\nOn kernels built with CONFIG_IRQ_WORK=y, when rcu_read_unlock() is\ninvoked within an interrupts-disabled region of code [1], it will invoke\nrcu_read_unlock_special(), which uses an irq-work handler to force the\nsystem to notice when the RCU read-side critical section actually ends.\nThat end won't happen until interrupts are enabled at the soonest.\n\nIn some kernels, such as those booted with rcutree.use_softirq=y, the\nirq-work handler is used unconditionally.\n\nThe per-CPU rcu_data structure's ->defer_qs_iw_pending field is\nupdated by the irq-work handler and is both read and updated by\nrcu_read_unlock_special(). This resulted in the following KCSAN splat:\n\n------------------------------------------------------------------------\n\nBUG: KCSAN: data-race in rcu_preempt_deferred_qs_handler / rcu_read_unlock_special\n\nread to 0xffff96b95f42d8d8 of 1 bytes by task 90 on cpu 8:\n rcu_read_unlock_special+0x175/0x260\n __rcu_read_unlock+0x92/0xa0\n rt_spin_unlock+0x9b/0xc0\n __local_bh_enable+0x10d/0x170\n __local_bh_enable_ip+0xfb/0x150\n rcu_do_batch+0x595/0xc40\n rcu_cpu_kthread+0x4e9/0x830\n smpboot_thread_fn+0x24d/0x3b0\n kthread+0x3bd/0x410\n ret_from_fork+0x35/0x40\n ret_from_fork_asm+0x1a/0x30\n\nwrite to 0xffff96b95f42d8d8 of 1 bytes by task 88 on cpu 8:\n rcu_preempt_deferred_qs_handler+0x1e/0x30\n irq_work_single+0xaf/0x160\n run_irq_workd+0x91/0xc0\n smpboot_thread_fn+0x24d/0x3b0\n kthread+0x3bd/0x410\n ret_from_fork+0x35/0x40\n ret_from_fork_asm+0x1a/0x30\n\nno locks held by irq_work/8/88.\nirq event stamp: 200272\nhardirqs last enabled at (200272): [] finish_task_switch+0x131/0x320\nhardirqs last disabled at (200271): [] __schedule+0x129/0xd70\nsoftirqs last enabled at (0): [] copy_process+0x4df/0x1cc0\nsoftirqs last disabled at (0): [<0000000000000000>] 0x0\n\n------------------------------------------------------------------------\n\nThe problem is that irq-work handlers run with interrupts enabled, which\nmeans that rcu_preempt_deferred_qs_handler() could be interrupted,\nand that interrupt handler might contain an RCU read-side critical\nsection, which might invoke rcu_read_unlock_special(). In the strict\nKCSAN mode of operation used by RCU, this constitutes a data race on\nthe ->defer_qs_iw_pending field.\n\nThis commit therefore disables interrupts across the portion of the\nrcu_preempt_deferred_qs_handler() that updates the ->defer_qs_iw_pending\nfield. This suffices because this handler is not a fast path.", "severity": [], "affected": [], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39749" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/0ad84d62217488e679ecc90e8628980dcc003de3" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/55e11f6776798b27cf09a7aa0d718415d4fc9cf5" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/74f58f382a7c8333f8d09701aefaa25913bdbe0e" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/90c09d57caeca94e6f3f87c49e96a91edd40cbfd" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/90de9c94ea72327cfa9c2c9f6113c23a513af60b" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/b55947b725f190396f475d5d0c59aa855a4d8895" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/b5de8d80b5d049f051b95d9b1ee50ae4ab656124" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/e35e711c78c8a4c43330c0dcb1c4d507a19c20f4" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/f937759c7432d6151b73e1393b6517661813d506" } ], "database_specific": { "cwe_ids": [], "severity": null, "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2025-09-11T17:15:38Z" } }