CVE-2025-39953

Summary

In the Linux kernel, the following vulnerability has been resolved:

cgroup: split cgroup_destroy_wq into 3 workqueues

A hung task can occur during [1] LTP cgroup testing when repeatedly mounting/unmounting perf_event and net_prio controllers with systemd.unified_cgroup_hierarchy=1. The hang manifests in cgroup_lock_and_drain_offline() during root destruction.

Related case: cgroup_fj_function_perf_event cgroup_fj_function.sh perf_event cgroup_fj_function_net_prio cgroup_fj_function.sh net_prio

Call Trace: cgroup_lock_and_drain_offline+0x14c/0x1e8 cgroup_destroy_root+0x3c/0x2c0 css_free_rwork_fn+0x248/0x338 process_one_work+0x16c/0x3b8 worker_thread+0x22c/0x3b0 kthread+0xec/0x100 ret_from_fork+0x10/0x20

Root Cause:

CPU0 CPU1 mount perf_event umount net_prio cgroup1_get_tree cgroup_kill_sb rebind_subsystems // root destruction enqueues // cgroup_destroy_wq // kill all perf_event css // one perf_event css A is dying // css A offline enqueues cgroup_destroy_wq // root destruction will be executed first css_free_rwork_fn cgroup_destroy_root cgroup_lock_and_drain_offline // some perf descendants are dying // cgroup_destroy_wq max_active = 1 // waiting for css A to die

Problem scenario:

  1. CPU0 mounts perf_event (rebind_subsystems)
  2. CPU1 unmounts net_prio (cgroup_kill_sb), queuing root destruction work
  3. A dying perf_event CSS gets queued for offline after root destruction
  4. Root destruction waits for offline completion, but offline work is blocked behind root destruction in cgroup_destroy_wq (max_active=1)

Solution: Split cgroup_destroy_wq into three dedicated workqueues: cgroup_offline_wq – Handles CSS offline operations cgroup_release_wq – Manages resource release cgroup_free_wq – Performs final memory deallocation

This separation eliminates blocking in the CSS free path while waiting for offline operations to complete.

[1] https://github.com/linux-test-project/ltp/blob/master/runtest/controllers

Affected Software

VendorProductVersion RangeStatus
LinuxLinux334c3679ec4b2b113c35ebe37d2018b112dd5013 < cabadd7fd15f97090f752fd22dd7f876a0dc3dc4affected
LinuxLinux334c3679ec4b2b113c35ebe37d2018b112dd5013 < a0c896bda7077aa5005473e2c5b3c27173313b4caffected
LinuxLinux334c3679ec4b2b113c35ebe37d2018b112dd5013 < f2795d1b92506e3adf52a298f7181032a1525e04affected
LinuxLinux334c3679ec4b2b113c35ebe37d2018b112dd5013 < 993049c9b1355c78918344a6403427d53f9ee700affected
LinuxLinux334c3679ec4b2b113c35ebe37d2018b112dd5013 < 4a1e3ec28e8062cd9f339aa6a942df9c5bcb6811affected
LinuxLinux334c3679ec4b2b113c35ebe37d2018b112dd5013 < ded4d207a3209a834b6831ceec7f39b934c74802affected
LinuxLinux334c3679ec4b2b113c35ebe37d2018b112dd5013 < 05e0b03447cf215ec384210441b34b7a3b16e8b0affected
LinuxLinux334c3679ec4b2b113c35ebe37d2018b112dd5013 < 79f919a89c9d06816dbdbbd168fa41d27411a7f9affected
LinuxLinux4.6affected
LinuxLinux0 < 4.6unaffected
LinuxLinux5.4.300 <= 5.4.*unaffected
LinuxLinux5.10.245 <= 5.10.*unaffected
LinuxLinux5.15.194 <= 5.15.*unaffected
LinuxLinux6.1.154 <= 6.1.*unaffected
LinuxLinux6.6.108 <= 6.6.*unaffected
LinuxLinux6.12.49 <= 6.12.*unaffected
LinuxLinux6.16.9 <= 6.16.*unaffected
LinuxLinux6.17 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References