CVE-2025-39953

In the Linux kernel, the following vulnerability has been resolved:

cgroup: split cgroupdestroywq into 3 workqueues

A hung task can occur during [1] LTP cgroup testing when repeatedly mounting/unmounting perfevent and netprio controllers with systemd.unifiedcgrouphierarchy=1. The hang manifests in cgrouplockanddrainoffline() during root destruction.

Related case: cgroupfjfunctionperfevent cgroupfjfunction.sh perfevent cgroupfjfunctionnetprio cgroupfjfunction.sh netprio

Call Trace: cgrouplockanddrainoffline+0x14c/0x1e8 cgroupdestroyroot+0x3c/0x2c0 cssfreerworkfn+0x248/0x338 processonework+0x16c/0x3b8 workerthread+0x22c/0x3b0 kthread+0xec/0x100 retfromfork+0x10/0x20

Root Cause:

CPU0 CPU1 mount perfevent umount netprio cgroup1gettree cgroupkillsb rebindsubsystems // root destruction enqueues // cgroupdestroywq // kill all perfevent css // one perfevent css A is dying // css A offline enqueues cgroupdestroywq // root destruction will be executed first cssfreerworkfn cgroupdestroyroot cgrouplockanddrainoffline // some perf descendants are dying // cgroupdestroywq max_active = 1 // waiting for css A to die

Problem scenario: 1. CPU0 mounts perfevent (rebindsubsystems) 2. CPU1 unmounts netprio (cgroupkillsb), queuing root destruction work 3. A dying perfevent CSS gets queued for offline after root destruction 4. Root destruction waits for offline completion, but offline work is blocked behind root destruction in cgroupdestroywq (max_active=1)

Solution: Split cgroupdestroywq into three dedicated workqueues: cgroupofflinewq – Handles CSS offline operations cgroupreleasewq – Manages resource release cgroupfreewq – Performs final memory deallocation

This separation eliminates blocking in the CSS free path while waiting for offline operations to complete.

[1] https://github.com/linux-test-project/ltp/blob/master/runtest/controllers