CVE-2025-40305
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
9p/trans_fd: p9_fd_request: kick rx thread if EPOLLIN
p9_read_work() doesn't set Rworksched and doesn't do schedule_work(m->rq) if list_empty(&m->req_list).
However, if the pipe is full, we need to read more data and this used to work prior to commit aaec5a95d59615 ("pipe_read: don't wake up the writer if the pipe is still full").
p9_read_work() does p9_fd_read() -> … -> anon_pipe_read() which (before the commit above) triggered the unnecessary wakeup. This wakeup calls p9_pollwake() which kicks p9_poll_workfn() -> p9_poll_mux(), p9_poll_mux() will notice EPOLLIN and schedule_work(&m->rq).
This no longer happens after the optimization above, change p9_fd_request() to use p9_poll_mux() instead of only checking for EPOLLOUT.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | aaec5a95d59615523db03dd53c2052f0a87beea7 < 242531004d7de8c159f9bfadebe33fe8060b1046 | affected |
| Linux | Linux | aaec5a95d59615523db03dd53c2052f0a87beea7 < e8fe3f07a357c39d429e02ca34f740692d88967a | affected |
| Linux | Linux | 6.14 | affected |
| Linux | Linux | 0 < 6.14 | unaffected |
| Linux | Linux | 6.17.8 <= 6.17.* | unaffected |
| Linux | Linux | 6.18 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/242531004d7de8c159f9bfadebe33fe8060b1046
- https://git.kernel.org/stable/c/e8fe3f07a357c39d429e02ca34f740692d88967a
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.