CVE-2025-40305

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
08/12/2025
Last modified:
08/12/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

9p/trans_fd: p9_fd_request: kick rx thread if EPOLLIN

p9_read_work() doesn't set Rworksched and doesn't do schedule_work(m->rq) if list_empty(&m->req_list).

However, if the pipe is full, we need to read more data and this used to work prior to commit aaec5a95d59615 ("pipe_read: don't wake up the writer if the pipe is still full").

p9_read_work() does p9_fd_read() -> ... -> anon_pipe_read() which (before the commit above) triggered the unnecessary wakeup. This wakeup calls p9_pollwake() which kicks p9_poll_workfn() -> p9_poll_mux(), p9_poll_mux() will notice EPOLLIN and schedule_work(&m->rq).

This no longer happens after the optimization above, change p9_fd_request() to use p9_poll_mux() instead of only checking for EPOLLOUT.

Impact