{"id":"CVE-2025-39749","summary":"rcu: Protect -\u003edefer_qs_iw_pending from data race","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nrcu: Protect -\u003edefer_qs_iw_pending from data race\n\nOn kernels built with CONFIG_IRQ_WORK=y, when rcu_read_unlock() is\ninvoked within an interrupts-disabled region of code [1], it will invoke\nrcu_read_unlock_special(), which uses an irq-work handler to force the\nsystem to notice when the RCU read-side critical section actually ends.\nThat end won't happen until interrupts are enabled at the soonest.\n\nIn some kernels, such as those booted with rcutree.use_softirq=y, the\nirq-work handler is used unconditionally.\n\nThe per-CPU rcu_data structure's -\u003edefer_qs_iw_pending field is\nupdated by the irq-work handler and is both read and updated by\nrcu_read_unlock_special().  This resulted in the following KCSAN splat:\n\n------------------------------------------------------------------------\n\nBUG: KCSAN: data-race in rcu_preempt_deferred_qs_handler / rcu_read_unlock_special\n\nread to 0xffff96b95f42d8d8 of 1 bytes by task 90 on cpu 8:\n rcu_read_unlock_special+0x175/0x260\n __rcu_read_unlock+0x92/0xa0\n rt_spin_unlock+0x9b/0xc0\n __local_bh_enable+0x10d/0x170\n __local_bh_enable_ip+0xfb/0x150\n rcu_do_batch+0x595/0xc40\n rcu_cpu_kthread+0x4e9/0x830\n smpboot_thread_fn+0x24d/0x3b0\n kthread+0x3bd/0x410\n ret_from_fork+0x35/0x40\n ret_from_fork_asm+0x1a/0x30\n\nwrite to 0xffff96b95f42d8d8 of 1 bytes by task 88 on cpu 8:\n rcu_preempt_deferred_qs_handler+0x1e/0x30\n irq_work_single+0xaf/0x160\n run_irq_workd+0x91/0xc0\n smpboot_thread_fn+0x24d/0x3b0\n kthread+0x3bd/0x410\n ret_from_fork+0x35/0x40\n ret_from_fork_asm+0x1a/0x30\n\nno locks held by irq_work/8/88.\nirq event stamp: 200272\nhardirqs last  enabled at (200272): [\u003cffffffffb0f56121\u003e] finish_task_switch+0x131/0x320\nhardirqs last disabled at (200271): [\u003cffffffffb25c7859\u003e] __schedule+0x129/0xd70\nsoftirqs last  enabled at (0): [\u003cffffffffb0ee093f\u003e] copy_process+0x4df/0x1cc0\nsoftirqs last disabled at (0): [\u003c0000000000000000\u003e] 0x0\n\n------------------------------------------------------------------------\n\nThe problem is that irq-work handlers run with interrupts enabled, which\nmeans that rcu_preempt_deferred_qs_handler() could be interrupted,\nand that interrupt handler might contain an RCU read-side critical\nsection, which might invoke rcu_read_unlock_special().  In the strict\nKCSAN mode of operation used by RCU, this constitutes a data race on\nthe -\u003edefer_qs_iw_pending field.\n\nThis commit therefore disables interrupts across the portion of the\nrcu_preempt_deferred_qs_handler() that updates the -\u003edefer_qs_iw_pending\nfield.  This suffices because this handler is not a fast path.","modified":"2026-04-02T12:48:08.451356Z","published":"2025-09-11T16:52:21.228Z","related":["SUSE-SU-2025:03600-1","SUSE-SU-2025:03601-1","SUSE-SU-2025:03633-1","SUSE-SU-2025:03634-1","SUSE-SU-2025:20851-1","SUSE-SU-2025:20861-1","SUSE-SU-2025:20870-1","SUSE-SU-2025:20898-1","SUSE-SU-2025:21074-1","SUSE-SU-2025:21139-1","SUSE-SU-2025:21179-1","SUSE-SU-2025:3725-1","SUSE-SU-2025:3751-1","openSUSE-SU-2025:20081-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39749.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0ad84d62217488e679ecc90e8628980dcc003de3"},{"type":"WEB","url":"https://git.kernel.org/stable/c/55e11f6776798b27cf09a7aa0d718415d4fc9cf5"},{"type":"WEB","url":"https://git.kernel.org/stable/c/74f58f382a7c8333f8d09701aefaa25913bdbe0e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/90c09d57caeca94e6f3f87c49e96a91edd40cbfd"},{"type":"WEB","url":"https://git.kernel.org/stable/c/90de9c94ea72327cfa9c2c9f6113c23a513af60b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b55947b725f190396f475d5d0c59aa855a4d8895"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b5de8d80b5d049f051b95d9b1ee50ae4ab656124"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e35e711c78c8a4c43330c0dcb1c4d507a19c20f4"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f937759c7432d6151b73e1393b6517661813d506"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39749.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-39749"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0864f057b050bc6dd68106b3185e02db5140012d"},{"fixed":"74f58f382a7c8333f8d09701aefaa25913bdbe0e"},{"fixed":"f937759c7432d6151b73e1393b6517661813d506"},{"fixed":"0ad84d62217488e679ecc90e8628980dcc003de3"},{"fixed":"b5de8d80b5d049f051b95d9b1ee50ae4ab656124"},{"fixed":"b55947b725f190396f475d5d0c59aa855a4d8895"},{"fixed":"e35e711c78c8a4c43330c0dcb1c4d507a19c20f4"},{"fixed":"90de9c94ea72327cfa9c2c9f6113c23a513af60b"},{"fixed":"55e11f6776798b27cf09a7aa0d718415d4fc9cf5"},{"fixed":"90c09d57caeca94e6f3f87c49e96a91edd40cbfd"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-39749.json"}}],"schema_version":"1.7.5"}