{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-39953", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-04-16T07:20:57.149Z", "datePublished": "2025-10-04T07:31:13.237Z", "dateUpdated": "2025-10-04T07:37:08.557Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-10-04T07:37:08.557Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncgroup: split cgroup_destroy_wq into 3 workqueues\n\nA hung task can occur during [1] LTP cgroup testing when repeatedly\nmounting/unmounting perf_event and net_prio controllers with\nsystemd.unified_cgroup_hierarchy=1. The hang manifests in\ncgroup_lock_and_drain_offline() during root destruction.\n\nRelated case:\ncgroup_fj_function_perf_event cgroup_fj_function.sh perf_event\ncgroup_fj_function_net_prio cgroup_fj_function.sh net_prio\n\nCall Trace:\n\tcgroup_lock_and_drain_offline+0x14c/0x1e8\n\tcgroup_destroy_root+0x3c/0x2c0\n\tcss_free_rwork_fn+0x248/0x338\n\tprocess_one_work+0x16c/0x3b8\n\tworker_thread+0x22c/0x3b0\n\tkthread+0xec/0x100\n\tret_from_fork+0x10/0x20\n\nRoot Cause:\n\nCPU0 CPU1\nmount perf_event umount net_prio\ncgroup1_get_tree cgroup_kill_sb\nrebind_subsystems // root destruction enqueues\n\t\t\t\t// cgroup_destroy_wq\n// kill all perf_event css\n // one perf_event css A is dying\n // css A offline enqueues cgroup_destroy_wq\n // root destruction will be executed first\n css_free_rwork_fn\n cgroup_destroy_root\n cgroup_lock_and_drain_offline\n // some perf descendants are dying\n // cgroup_destroy_wq max_active = 1\n // waiting for css A to die\n\nProblem scenario:\n1. CPU0 mounts perf_event (rebind_subsystems)\n2. CPU1 unmounts net_prio (cgroup_kill_sb), queuing root destruction work\n3. A dying perf_event CSS gets queued for offline after root destruction\n4. Root destruction waits for offline completion, but offline work is\n blocked behind root destruction in cgroup_destroy_wq (max_active=1)\n\nSolution:\nSplit cgroup_destroy_wq into three dedicated workqueues:\ncgroup_offline_wq \u2013 Handles CSS offline operations\ncgroup_release_wq \u2013 Manages resource release\ncgroup_free_wq \u2013 Performs final memory deallocation\n\nThis separation eliminates blocking in the CSS free path while waiting for\noffline operations to complete.\n\n[1] https://github.com/linux-test-project/ltp/blob/master/runtest/controllers"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/cgroup/cgroup.c"], "versions": [{"version": "334c3679ec4b2b113c35ebe37d2018b112dd5013", "lessThan": "cabadd7fd15f97090f752fd22dd7f876a0dc3dc4", "status": "affected", "versionType": "git"}, {"version": "334c3679ec4b2b113c35ebe37d2018b112dd5013", "lessThan": "a0c896bda7077aa5005473e2c5b3c27173313b4c", "status": "affected", "versionType": "git"}, {"version": "334c3679ec4b2b113c35ebe37d2018b112dd5013", "lessThan": "f2795d1b92506e3adf52a298f7181032a1525e04", "status": "affected", "versionType": "git"}, {"version": "334c3679ec4b2b113c35ebe37d2018b112dd5013", "lessThan": "993049c9b1355c78918344a6403427d53f9ee700", "status": "affected", "versionType": "git"}, {"version": "334c3679ec4b2b113c35ebe37d2018b112dd5013", "lessThan": "4a1e3ec28e8062cd9f339aa6a942df9c5bcb6811", "status": "affected", "versionType": "git"}, {"version": "334c3679ec4b2b113c35ebe37d2018b112dd5013", "lessThan": "ded4d207a3209a834b6831ceec7f39b934c74802", "status": "affected", "versionType": "git"}, {"version": "334c3679ec4b2b113c35ebe37d2018b112dd5013", "lessThan": "05e0b03447cf215ec384210441b34b7a3b16e8b0", "status": "affected", "versionType": "git"}, {"version": "334c3679ec4b2b113c35ebe37d2018b112dd5013", "lessThan": "79f919a89c9d06816dbdbbd168fa41d27411a7f9", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/cgroup/cgroup.c"], "versions": [{"version": "4.6", "status": "affected"}, {"version": "0", "lessThan": "4.6", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.300", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.245", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.194", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.154", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.108", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.49", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.16.9", "lessThanOrEqual": "6.16.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.17", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.6", "versionEndExcluding": "5.4.300"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.6", "versionEndExcluding": "5.10.245"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.6", "versionEndExcluding": "5.15.194"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.6", "versionEndExcluding": "6.1.154"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.6", "versionEndExcluding": "6.6.108"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.6", "versionEndExcluding": "6.12.49"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.6", "versionEndExcluding": "6.16.9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.6", "versionEndExcluding": "6.17"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/cabadd7fd15f97090f752fd22dd7f876a0dc3dc4"}, {"url": "https://git.kernel.org/stable/c/a0c896bda7077aa5005473e2c5b3c27173313b4c"}, {"url": "https://git.kernel.org/stable/c/f2795d1b92506e3adf52a298f7181032a1525e04"}, {"url": "https://git.kernel.org/stable/c/993049c9b1355c78918344a6403427d53f9ee700"}, {"url": "https://git.kernel.org/stable/c/4a1e3ec28e8062cd9f339aa6a942df9c5bcb6811"}, {"url": "https://git.kernel.org/stable/c/ded4d207a3209a834b6831ceec7f39b934c74802"}, {"url": "https://git.kernel.org/stable/c/05e0b03447cf215ec384210441b34b7a3b16e8b0"}, {"url": "https://git.kernel.org/stable/c/79f919a89c9d06816dbdbbd168fa41d27411a7f9"}], "title": "cgroup: split cgroup_destroy_wq into 3 workqueues", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncgroup: split cgroup_destroy_wq into 3 workqueues\n\nA hung task can occur during [1] LTP cgroup testing when repeatedly\nmounting/unmounting perf_event and net_prio controllers with\nsystemd.unified_cgroup_hierarchy=1. The hang manifests in\ncgroup_lock_and_drain_offline() during root destruction.\n\nRelated case:\ncgroup_fj_function_perf_event cgroup_fj_function.sh perf_event\ncgroup_fj_function_net_prio cgroup_fj_function.sh net_prio\n\nCall Trace:\n\tcgroup_lock_and_drain_offline+0x14c/0x1e8\n\tcgroup_destroy_root+0x3c/0x2c0\n\tcss_free_rwork_fn+0x248/0x338\n\tprocess_one_work+0x16c/0x3b8\n\tworker_thread+0x22c/0x3b0\n\tkthread+0xec/0x100\n\tret_from_fork+0x10/0x20\n\nRoot Cause:\n\nCPU0 CPU1\nmount perf_event umount net_prio\ncgroup1_get_tree cgroup_kill_sb\nrebind_subsystems // root destruction enqueues\n\t\t\t\t// cgroup_destroy_wq\n// kill all perf_event css\n // one perf_event css A is dying\n // css A offline enqueues cgroup_destroy_wq\n // root destruction will be executed first\n css_free_rwork_fn\n cgroup_destroy_root\n cgroup_lock_and_drain_offline\n // some perf descendants are dying\n // cgroup_destroy_wq max_active = 1\n // waiting for css A to die\n\nProblem scenario:\n1. CPU0 mounts perf_event (rebind_subsystems)\n2. CPU1 unmounts net_prio (cgroup_kill_sb), queuing root destruction work\n3. A dying perf_event CSS gets queued for offline after root destruction\n4. Root destruction waits for offline completion, but offline work is\n blocked behind root destruction in cgroup_destroy_wq (max_active=1)\n\nSolution:\nSplit cgroup_destroy_wq into three dedicated workqueues:\ncgroup_offline_wq \u2013 Handles CSS offline operations\ncgroup_release_wq \u2013 Manages resource release\ncgroup_free_wq \u2013 Performs final memory deallocation\n\nThis separation eliminates blocking in the CSS free path while waiting for\noffline operations to complete.\n\n[1] https://github.com/linux-test-project/ltp/blob/master/runtest/controllers"}], "id": "CVE-2025-39953", "lastModified": "2025-10-04T08:15:48.627", "metrics": {}, "published": "2025-10-04T08:15:48.627", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/05e0b03447cf215ec384210441b34b7a3b16e8b0"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/4a1e3ec28e8062cd9f339aa6a942df9c5bcb6811"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/79f919a89c9d06816dbdbbd168fa41d27411a7f9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/993049c9b1355c78918344a6403427d53f9ee700"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a0c896bda7077aa5005473e2c5b3c27173313b4c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/cabadd7fd15f97090f752fd22dd7f876a0dc3dc4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ded4d207a3209a834b6831ceec7f39b934c74802"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f2795d1b92506e3adf52a298f7181032a1525e04"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{}