CVE-2025-40305
Description
In the Linux kernel, the following vulnerability has been resolved:
9p/trans_fd: p9_fd_request: kick rx thread if EPOLLIN
p9_read_work() doesn't set Rworksched and doesn't do schedule_work(m->rq) if list_empty(&m->req_list).
However, if the pipe is full, we need to read more data and this used to work prior to commit aaec5a95d59615 ("pipe_read: don't wake up the writer if the pipe is still full").
p9_read_work() does p9_fd_read() -> ... -> anon_pipe_read() which (before the commit above) triggered the unnecessary wakeup. This wakeup calls p9_pollwake() which kicks p9_poll_workfn() -> p9_poll_mux(), p9_poll_mux() will notice EPOLLIN and schedule_work(&m->rq).
This no longer happens after the optimization above; change p9_fd_request() to use p9_poll_mux() instead of only checking for EPOLLOUT.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A race condition in the Linux kernel's 9p/trans_fd driver means that a pipe-full scenario can prevent the rx thread from being scheduled, leading to a potential denial of service.
Vulnerability
Overview
In the Linux kernel's 9p/trans_fd driver, a race condition exists in the p9_fd_request() function. The issue arises because p9_read_work() does not set Rworksched and does not call schedule_work(m->rq) when list_empty(&m->req_list). However, when the pipe is full, the system needs to read more data to proceed. Prior to commit aaec5a95d59615 ("pipe_read: don't wake up the writer if the pipe is still full"), p9_read_work() would trigger an unnecessary wakeup via anon_pipe_read(), which would call p9_pollwake(), eventually leading to p9_poll_mux() noticing EPOLLIN and scheduling the rx work. After the optimization in that commit, this wakeup no longer occurs, leaving the rx thread unscheduled when the pipe is full [1].
Exploitation
Conditions
To exploit this vulnerability, an attacker would need to be able to trigger a scenario where the pipe used for 9p communication becomes full. This requires the ability to send data over the 9p file system protocol, which typically requires local access or the ability to mount a 9p share. The attack does not require authentication beyond the ability to interact with the 9p file system. The vulnerability is triggered when the pipe is full and the rx thread is not scheduled, leading to a hang or denial of service [1].
Impact
If successfully exploited, an attacker could cause a denial of service by preventing the rx thread from processing incoming data, effectively stalling the 9p file system communication. This could lead to system hangs or unresponsiveness for processes relying on the 9p file system. The impact is limited to denial of service; there is no evidence of privilege escalation or data corruption [1].
Mitigation
The fix is implemented in commit 242531004d7de8c159f9f9bfadebe33fe8060b1046 in the Linux kernel stable tree. The patch modifies p9_fd_request() to use p9_poll_mux() instead of only checking for EPOLLOUT, ensuring that the rx thread is properly kicked when EPOLLIN is signaled. Users should apply the latest kernel updates to mitigate this vulnerability [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
242531004d7de8fe3f07a357
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.