CVE-2025-21634

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> cgroup/cpuset: remove kernfs active break<br /> <br /> A warning was found:<br /> <br /> WARNING: CPU: 10 PID: 3486953 at fs/kernfs/file.c:828<br /> CPU: 10 PID: 3486953 Comm: rmdir Kdump: loaded Tainted: G<br /> RIP: 0010:kernfs_should_drain_open_files+0x1a1/0x1b0<br /> RSP: 0018:ffff8881107ef9e0 EFLAGS: 00010202<br /> RAX: 0000000080000002 RBX: ffff888154738c00 RCX: dffffc0000000000<br /> RDX: 0000000000000007 RSI: 0000000000000004 RDI: ffff888154738c04<br /> RBP: ffff888154738c04 R08: ffffffffaf27fa15 R09: ffffed102a8e7180<br /> R10: ffff888154738c07 R11: 0000000000000000 R12: ffff888154738c08<br /> R13: ffff888750f8c000 R14: ffff888750f8c0e8 R15: ffff888154738ca0<br /> FS: 00007f84cd0be740(0000) GS:ffff8887ddc00000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 0000555f9fbe00c8 CR3: 0000000153eec001 CR4: 0000000000370ee0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> Call Trace:<br /> kernfs_drain+0x15e/0x2f0<br /> __kernfs_remove+0x165/0x300<br /> kernfs_remove_by_name_ns+0x7b/0xc0<br /> cgroup_rm_file+0x154/0x1c0<br /> cgroup_addrm_files+0x1c2/0x1f0<br /> css_clear_dir+0x77/0x110<br /> kill_css+0x4c/0x1b0<br /> cgroup_destroy_locked+0x194/0x380<br /> cgroup_rmdir+0x2a/0x140<br /> <br /> It can be explained by:<br /> rmdir echo 1 &gt; cpuset.cpus<br /> kernfs_fop_write_iter // active=0<br /> cgroup_rm_file<br /> kernfs_remove_by_name_ns kernfs_get_active // active=1<br /> __kernfs_remove // active=0x80000002<br /> kernfs_drain cpuset_write_resmask<br /> wait_event<br /> //waiting (active == 0x80000001)<br /> kernfs_break_active_protection<br /> // active = 0x80000001<br /> // continue<br /> kernfs_unbreak_active_protection<br /> // active = 0x80000002<br /> ...<br /> kernfs_should_drain_open_files<br /> // warning occurs<br /> kernfs_put_active<br /> <br /> This warning is caused by &amp;#39;kernfs_break_active_protection&amp;#39; when it is<br /> writing to cpuset.cpus, and the cgroup is removed concurrently.<br /> <br /> The commit 3a5a6d0c2b03 ("cpuset: don&amp;#39;t nest cgroup_mutex inside<br /> get_online_cpus()") made cpuset_hotplug_workfn asynchronous, This change<br /> involves calling flush_work(), which can create a multiple processes<br /> circular locking dependency that involve cgroup_mutex, potentially leading<br /> to a deadlock. To avoid deadlock. the commit 76bb5ab8f6e3 ("cpuset: break<br /> kernfs active protection in cpuset_write_resmask()") added<br /> &amp;#39;kernfs_break_active_protection&amp;#39; in the cpuset_write_resmask. This could<br /> lead to this warning.<br /> <br /> After the commit 2125c0034c5d ("cgroup/cpuset: Make cpuset hotplug<br /> processing synchronous"), the cpuset_write_resmask no longer needs to<br /> wait the hotplug to finish, which means that concurrent hotplug and cpuset<br /> operations are no longer possible. Therefore, the deadlock doesn&amp;#39;t exist<br /> anymore and it does not have to &amp;#39;break active protection&amp;#39; now. To fix this<br /> warning, just remove kernfs_break_active_protection operation in the<br /> &amp;#39;cpuset_write_resmask&amp;#39;.