CVE-2025-39749

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
11/09/2025
Last modified:
03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

rcu: Protect ->defer_qs_iw_pending from data race

On kernels built with CONFIG_IRQ_WORK=y, when rcu_read_unlock() is
invoked within an interrupts-disabled region of code [1], it will invoke
rcu_read_unlock_special(), which uses an irq-work handler to force the
system to notice when the RCU read-side critical section actually ends.
That end won't happen until interrupts are enabled at the soonest.

In some kernels, such as those booted with rcutree.use_softirq=y, the
irq-work handler is used unconditionally.

The per-CPU rcu_data structure's ->defer_qs_iw_pending field is
updated by the irq-work handler and is both read and updated by
rcu_read_unlock_special(). This resulted in the following KCSAN splat:

------------------------------------------------------------------------

BUG: KCSAN: data-race in rcu_preempt_deferred_qs_handler / rcu_read_unlock_special

read to 0xffff96b95f42d8d8 of 1 bytes by task 90 on cpu 8:
rcu_read_unlock_special+0x175/0x260
__rcu_read_unlock+0x92/0xa0
rt_spin_unlock+0x9b/0xc0
__local_bh_enable+0x10d/0x170
__local_bh_enable_ip+0xfb/0x150
rcu_do_batch+0x595/0xc40
rcu_cpu_kthread+0x4e9/0x830
smpboot_thread_fn+0x24d/0x3b0
kthread+0x3bd/0x410
ret_from_fork+0x35/0x40
ret_from_fork_asm+0x1a/0x30

write to 0xffff96b95f42d8d8 of 1 bytes by task 88 on cpu 8:
rcu_preempt_deferred_qs_handler+0x1e/0x30
irq_work_single+0xaf/0x160
run_irq_workd+0x91/0xc0
smpboot_thread_fn+0x24d/0x3b0
kthread+0x3bd/0x410
ret_from_fork+0x35/0x40
ret_from_fork_asm+0x1a/0x30

no locks held by irq_work/8/88.
irq event stamp: 200272
hardirqs last enabled at (200272): [] finish_task_switch+0x131/0x320
hardirqs last disabled at (200271): [] __schedule+0x129/0xd70
softirqs last enabled at (0): [] copy_process+0x4df/0x1cc0
softirqs last disabled at (0): [] 0x0

------------------------------------------------------------------------

The problem is that irq-work handlers run with interrupts enabled, which
means that rcu_preempt_deferred_qs_handler() could be interrupted,
and that interrupt handler might contain an RCU read-side critical
section, which might invoke rcu_read_unlock_special(). In the strict
KCSAN mode of operation used by RCU, this constitutes a data race on
the ->defer_qs_iw_pending field.

This commit therefore disables interrupts across the portion of the
rcu_preempt_deferred_qs_handler() that updates the ->defer_qs_iw_pending
field. This suffices because this handler is not a fast path.
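As an added illustration (not kernel code, and not part of this advisory or the upstream commit), the following user-space C model re-creates the interleaving the commit message describes and the effect of its fix. The stand-ins are assumptions of the model: SIGUSR1 plays the interrupt, sigprocmask() plays local_irq_save()/local_irq_restore(), a global variable plays the per-CPU field, and model_unlock_special(), handler_unfixed(), handler_fixed() and run() are the model's own names. It shows only how the accesses interleave, which is what KCSAN flagged; it makes no claim about what the kernel does with either outcome.

```c
/*
 * Added example, not kernel code: user-space model of the
 * ->defer_qs_iw_pending race and of the fix (disable interrupts around the
 * handler's store). Assumed stand-ins: SIGUSR1 = interrupt, sigprocmask() =
 * local_irq_save()/local_irq_restore(), a global = the per-CPU field.
 */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>

static volatile sig_atomic_t defer_qs_iw_pending; /* model of rdp->defer_qs_iw_pending */
static volatile sig_atomic_t irq_work_queued;     /* how often the model queued new irq_work */

/* One-letter trace: R = unlock_special read the field,
 * Q = unlock_special set it and queued irq_work, C = handler cleared it. */
static char events[32];
static int nevents;
static void note(char c)
{
    if (nevents < (int)sizeof(events) - 1) events[nevents++] = c;
    events[nevents] = '\0';
}

/* Model of the queueing path in rcu_read_unlock_special(): read the field and,
 * only if no irq_work is pending, set it and queue one. */
static void model_unlock_special(void)
{
    note('R');
    if (!defer_qs_iw_pending) {
        defer_qs_iw_pending = 1;
        irq_work_queued++;
        note('Q');
    }
}

/* The "interrupt": an RCU read-side critical section that ends inside the
 * handler and therefore reaches rcu_read_unlock_special(). */
static void interrupt_handler(int sig)
{
    (void)sig;
    model_unlock_special();
}

/* Before the fix: the handler runs with interrupts enabled, so an interrupt
 * (modelled by raise()) lands between its entry and its store, and both sides
 * touch the field with plain accesses. */
static void handler_unfixed(void)
{
    raise(SIGUSR1);            /* interrupt arrives now and runs immediately */
    defer_qs_iw_pending = 0;
    note('C');
}

/* After the fix: the store is done with interrupts disabled, so an interrupt
 * arriving in that window is held until local_irq_restore(). */
static void handler_fixed(void)
{
    sigset_t irq, saved;
    sigemptyset(&irq);
    sigaddset(&irq, SIGUSR1);
    sigprocmask(SIG_BLOCK, &irq, &saved);    /* local_irq_save(flags) */
    raise(SIGUSR1);            /* interrupt arrives now but stays pending */
    defer_qs_iw_pending = 0;
    note('C');
    sigprocmask(SIG_SETMASK, &saved, NULL);  /* local_irq_restore(flags): held interrupt runs here */
}

struct outcome {
    char events[32]; /* trace of the interleaving */
    int pending;     /* final value of the field */
    int queued;      /* irq_work queued by the nested unlock */
};

/* Run one handler variant from the state "an irq_work has been queued and its
 * handler is now executing", and report the resulting interleaving. */
static struct outcome run(void (*handler)(void))
{
    struct outcome o;
    struct sigaction sa;
    sigset_t irq;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = interrupt_handler;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGUSR1, &sa, NULL);
    sigemptyset(&irq);
    sigaddset(&irq, SIGUSR1);
    sigprocmask(SIG_UNBLOCK, &irq, NULL);    /* start with "interrupts enabled" */
    defer_qs_iw_pending = 1;                 /* set by the unlock that queued the work */
    irq_work_queued = 0;
    nevents = 0;
    events[0] = '\0';
    handler();
    strcpy(o.events, events);
    o.pending = defer_qs_iw_pending;
    o.queued = irq_work_queued;
    return o;
}

int main(void)
{
    struct outcome before = run(handler_unfixed);
    struct outcome after = run(handler_fixed);
    printf("unfixed: events=%s pending=%d queued=%d\n", before.events, before.pending, before.queued);
    printf("fixed:   events=%s pending=%d queued=%d\n", after.events, after.pending, after.queued);
    return 0;
}
```

Compiled with any C11 compiler on a POSIX system, the unfixed handler's trace reads RC: the nested unlock read the field while the handler that was about to clear it was already running. The fixed handler's trace reads CRQ: the nested unlock was held until after the store, then saw the cleared field and queued fresh work. Closing that window is exactly what wrapping the store in local_irq_save()/local_irq_restore() achieves in the real handler.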

Impact