{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-39953","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T07:20:57.149Z","datePublished":"2025-10-04T07:31:13.237Z","dateUpdated":"2026-05-11T21:39:37.071Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:39:37.071Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ncgroup: split cgroup_destroy_wq into 3 workqueues\n\nA hung task can occur during [1] LTP cgroup testing when repeatedly\nmounting/unmounting perf_event and net_prio controllers with\nsystemd.unified_cgroup_hierarchy=1. The hang manifests in\ncgroup_lock_and_drain_offline() during root destruction.\n\nRelated case:\ncgroup_fj_function_perf_event cgroup_fj_function.sh perf_event\ncgroup_fj_function_net_prio cgroup_fj_function.sh net_prio\n\nCall Trace:\n\tcgroup_lock_and_drain_offline+0x14c/0x1e8\n\tcgroup_destroy_root+0x3c/0x2c0\n\tcss_free_rwork_fn+0x248/0x338\n\tprocess_one_work+0x16c/0x3b8\n\tworker_thread+0x22c/0x3b0\n\tkthread+0xec/0x100\n\tret_from_fork+0x10/0x20\n\nRoot Cause:\n\nCPU0                            CPU1\nmount perf_event                umount net_prio\ncgroup1_get_tree                cgroup_kill_sb\nrebind_subsystems               // root destruction enqueues\n\t\t\t\t// cgroup_destroy_wq\n// kill all perf_event css\n                                // one perf_event css A is dying\n                                // css A offline enqueues cgroup_destroy_wq\n                                // root destruction will be executed first\n                                css_free_rwork_fn\n                                cgroup_destroy_root\n                                cgroup_lock_and_drain_offline\n                                // some perf descendants are dying\n                                // cgroup_destroy_wq max_active = 1\n                                // waiting for css A to die\n\nProblem scenario:\n1. CPU0 mounts perf_event (rebind_subsystems)\n2. CPU1 unmounts net_prio (cgroup_kill_sb), queuing root destruction work\n3. A dying perf_event CSS gets queued for offline after root destruction\n4. Root destruction waits for offline completion, but offline work is\n   blocked behind root destruction in cgroup_destroy_wq (max_active=1)\n\nSolution:\nSplit cgroup_destroy_wq into three dedicated workqueues:\ncgroup_offline_wq – Handles CSS offline operations\ncgroup_release_wq – Manages resource release\ncgroup_free_wq – Performs final memory deallocation\n\nThis separation eliminates blocking in the CSS free path while waiting for\noffline operations to complete.\n\n[1] https://github.com/linux-test-project/ltp/blob/master/runtest/controllers"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["kernel/cgroup/cgroup.c"],"versions":[{"version":"334c3679ec4b2b113c35ebe37d2018b112dd5013","lessThan":"cabadd7fd15f97090f752fd22dd7f876a0dc3dc4","status":"affected","versionType":"git"},{"version":"334c3679ec4b2b113c35ebe37d2018b112dd5013","lessThan":"a0c896bda7077aa5005473e2c5b3c27173313b4c","status":"affected","versionType":"git"},{"version":"334c3679ec4b2b113c35ebe37d2018b112dd5013","lessThan":"f2795d1b92506e3adf52a298f7181032a1525e04","status":"affected","versionType":"git"},{"version":"334c3679ec4b2b113c35ebe37d2018b112dd5013","lessThan":"993049c9b1355c78918344a6403427d53f9ee700","status":"affected","versionType":"git"},{"version":"334c3679ec4b2b113c35ebe37d2018b112dd5013","lessThan":"4a1e3ec28e8062cd9f339aa6a942df9c5bcb6811","status":"affected","versionType":"git"},{"version":"334c3679ec4b2b113c35ebe37d2018b112dd5013","lessThan":"ded4d207a3209a834b6831ceec7f39b934c74802","status":"affected","versionType":"git"},{"version":"334c3679ec4b2b113c35ebe37d2018b112dd5013","lessThan":"05e0b03447cf215ec384210441b34b7a3b16e8b0","status":"affected","versionType":"git"},{"version":"334c3679ec4b2b113c35ebe37d2018b112dd5013","lessThan":"79f919a89c9d06816dbdbbd168fa41d27411a7f9","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["kernel/cgroup/cgroup.c"],"versions":[{"version":"4.6","status":"affected"},{"version":"0","lessThan":"4.6","status":"unaffected","versionType":"semver"},{"version":"5.4.300","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.245","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.194","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.154","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.108","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.49","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.16.9","lessThanOrEqual":"6.16.*","status":"unaffected","versionType":"semver"},{"version":"6.17","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.6","versionEndExcluding":"5.4.300"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.6","versionEndExcluding":"5.10.245"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.6","versionEndExcluding":"5.15.194"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.6","versionEndExcluding":"6.1.154"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.6","versionEndExcluding":"6.6.108"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.6","versionEndExcluding":"6.12.49"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.6","versionEndExcluding":"6.16.9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.6","versionEndExcluding":"6.17"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/cabadd7fd15f97090f752fd22dd7f876a0dc3dc4"},{"url":"https://git.kernel.org/stable/c/a0c896bda7077aa5005473e2c5b3c27173313b4c"},{"url":"https://git.kernel.org/stable/c/f2795d1b92506e3adf52a298f7181032a1525e04"},{"url":"https://git.kernel.org/stable/c/993049c9b1355c78918344a6403427d53f9ee700"},{"url":"https://git.kernel.org/stable/c/4a1e3ec28e8062cd9f339aa6a942df9c5bcb6811"},{"url":"https://git.kernel.org/stable/c/ded4d207a3209a834b6831ceec7f39b934c74802"},{"url":"https://git.kernel.org/stable/c/05e0b03447cf215ec384210441b34b7a3b16e8b0"},{"url":"https://git.kernel.org/stable/c/79f919a89c9d06816dbdbbd168fa41d27411a7f9"}],"title":"cgroup: split cgroup_destroy_wq into 3 workqueues","x_generator":{"engine":"bippy-1.2.0"}}}}