{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-39744","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T07:20:57.120Z","datePublished":"2025-09-11T16:52:17.725Z","dateUpdated":"2026-05-11T21:35:26.395Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:35:26.395Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nrcu: Fix rcu_read_unlock() deadloop due to IRQ work\n\nDuring rcu_read_unlock_special(), if this happens during irq_exit(), we\ncan lockup if an IPI is issued. This is because the IPI itself triggers\nthe irq_exit() path causing a recursive lock up.\n\nThis is precisely what Xiongfeng found when invoking a BPF program on\nthe trace_tick_stop() tracepoint As shown in the trace below. Fix by\nmanaging the irq_work state correctly.\n\nirq_exit()\n  __irq_exit_rcu()\n    /* in_hardirq() returns false after this */\n    preempt_count_sub(HARDIRQ_OFFSET)\n    tick_irq_exit()\n      tick_nohz_irq_exit()\n\t    tick_nohz_stop_sched_tick()\n\t      trace_tick_stop()  /* a bpf prog is hooked on this trace point */\n\t\t   __bpf_trace_tick_stop()\n\t\t      bpf_trace_run2()\n\t\t\t    rcu_read_unlock_special()\n                              /* will send a IPI to itself */\n\t\t\t      irq_work_queue_on(&rdp->defer_qs_iw, rdp->cpu);\n\nA simple reproducer can also be obtained by doing the following in\ntick_irq_exit(). It will hang on boot without the patch:\n\n  static inline void tick_irq_exit(void)\n  {\n +\trcu_read_lock();\n +\tWRITE_ONCE(current->rcu_read_unlock_special.b.need_qs, true);\n +\trcu_read_unlock();\n +\n\n[neeraj: Apply Frederic's suggested fix for PREEMPT_RT]"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["kernel/rcu/tree.h","kernel/rcu/tree_plugin.h"],"versions":[{"version":"0864f057b050bc6dd68106b3185e02db5140012d","lessThan":"e7a375453cca2b8a0d2fa1b82b913f3fed7c0507","status":"affected","versionType":"git"},{"version":"0864f057b050bc6dd68106b3185e02db5140012d","lessThan":"1cfa244f7198d325594e627574930b7b91df5bfe","status":"affected","versionType":"git"},{"version":"0864f057b050bc6dd68106b3185e02db5140012d","lessThan":"ddebb2a7677673cf4438a04e1a48b8ed6b0c8e9a","status":"affected","versionType":"git"},{"version":"0864f057b050bc6dd68106b3185e02db5140012d","lessThan":"56c5ef194f4509df63fc0f7a91ea5973ce479b1e","status":"affected","versionType":"git"},{"version":"0864f057b050bc6dd68106b3185e02db5140012d","lessThan":"b41642c87716bbd09797b1e4ea7d904f06c39b7b","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["kernel/rcu/tree.h","kernel/rcu/tree_plugin.h"],"versions":[{"version":"5.3","status":"affected"},{"version":"0","lessThan":"5.3","status":"unaffected","versionType":"semver"},{"version":"6.6.103","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.43","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.15.11","lessThanOrEqual":"6.15.*","status":"unaffected","versionType":"semver"},{"version":"6.16.2","lessThanOrEqual":"6.16.*","status":"unaffected","versionType":"semver"},{"version":"6.17","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.3","versionEndExcluding":"6.6.103"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.3","versionEndExcluding":"6.12.43"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.3","versionEndExcluding":"6.15.11"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.3","versionEndExcluding":"6.16.2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.3","versionEndExcluding":"6.17"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/e7a375453cca2b8a0d2fa1b82b913f3fed7c0507"},{"url":"https://git.kernel.org/stable/c/1cfa244f7198d325594e627574930b7b91df5bfe"},{"url":"https://git.kernel.org/stable/c/ddebb2a7677673cf4438a04e1a48b8ed6b0c8e9a"},{"url":"https://git.kernel.org/stable/c/56c5ef194f4509df63fc0f7a91ea5973ce479b1e"},{"url":"https://git.kernel.org/stable/c/b41642c87716bbd09797b1e4ea7d904f06c39b7b"}],"title":"rcu: Fix rcu_read_unlock() deadloop due to IRQ work","x_generator":{"engine":"bippy-1.2.0"}}}}