2419939 – (CVE-2025-40305) CVE-2025-40305 kernel: 9p/trans_fd: p9_fd_request: kick rx thread if EPOLLIN

Bug 2419939 (CVE-2025-40305) - CVE-2025-40305 kernel: 9p/trans_fd: p9_fd_request: kick rx thread if EPOLLIN

Summary: CVE-2025-40305 kernel: 9p/trans_fd: p9_fd_request: kick rx thread if EPOLLIN

Keywords:
Status:	NEW
Alias:	CVE-2025-40305
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-12-08 07:10 UTC by OSIDB Bzimport
Modified:	2025-12-08 17:59 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-12-08 07:10:36 UTC

In the Linux kernel, the following vulnerability has been resolved:

9p/trans_fd: p9_fd_request: kick rx thread if EPOLLIN

p9_read_work() doesn't set Rworksched and doesn't do schedule_work(m->rq)
if list_empty(&m->req_list).

However, if the pipe is full, we need to read more data and this used to
work prior to commit aaec5a95d59615 ("pipe_read: don't wake up the writer
if the pipe is still full").

p9_read_work() does p9_fd_read() -> ... -> anon_pipe_read() which (before
the commit above) triggered the unnecessary wakeup. This wakeup calls
p9_pollwake() which kicks p9_poll_workfn() -> p9_poll_mux(), p9_poll_mux()
will notice EPOLLIN and schedule_work(&m->rq).

This no longer happens after the optimization above, change p9_fd_request()
to use p9_poll_mux() instead of only checking for EPOLLOUT.

Comment 1 Jon Moroney 2025-12-08 17:55:50 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025120820-CVE-2025-40305-d66a@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.