GHSA-3X2H-JPXC-PV8R

Vulnerability from github – Published: 2025-09-12 18:31 – Updated: 2025-09-12 18:31
VLAI?
Details

In the Linux kernel, the following vulnerability has been resolved:

ACPI: processor: perflib: Move problematic pr->performance check

Commit d33bd88ac0eb ("ACPI: processor: perflib: Fix initial _PPC limit application") added a pr->performance check that prevents the frequency QoS request from being added when the given processor has no performance object. Unfortunately, this causes a WARN() in freq_qos_remove_request() to trigger on an attempt to take the given CPU offline later because the frequency QoS object has not been added for it due to the missing performance object.

Address this by moving the pr->performance check before calling acpi_processor_get_platform_limit() so it only prevents a limit from being set for the CPU if the performance object is not present. This way, the frequency QoS request is added as it was before the above commit and it is present all the time along with the CPU's cpufreq policy regardless of whether or not the CPU is online.

Show details on source website
To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-39799"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-12T16:15:34Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: processor: perflib: Move problematic pr-\u003eperformance check\n\nCommit d33bd88ac0eb (\"ACPI: processor: perflib: Fix initial _PPC limit\napplication\") added a pr-\u003eperformance check that prevents the frequency\nQoS request from being added when the given processor has no performance\nobject.  Unfortunately, this causes a WARN() in freq_qos_remove_request()\nto trigger on an attempt to take the given CPU offline later because the\nfrequency QoS object has not been added for it due to the missing\nperformance object.\n\nAddress this by moving the pr-\u003eperformance check before calling\nacpi_processor_get_platform_limit() so it only prevents a limit from\nbeing set for the CPU if the performance object is not present.  This\nway, the frequency QoS request is added as it was before the above\ncommit and it is present all the time along with the CPU\u0027s cpufreq\npolicy regardless of whether or not the CPU is online.",
  "id": "GHSA-3x2h-jpxc-pv8r",
  "modified": "2025-09-12T18:31:10Z",
  "published": "2025-09-12T18:31:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39799"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/19849010c9e18d54375091864a3313fc328d6186"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/31ee723d6fc581b76396994a96b85be3e87f67d6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8972d7dbdac029c9dbf62a45d7d8c71999785765"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bf2809541497749c4f2646b87bf75244f5a2a5d9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cb4b5f4a1e778f6a20d06d4eda6842714a817618"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d405ec23df13e6df599f5bd965a55d13420366b8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/edc065c19257adfd9c356178dac021df661e169e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fc36403e741d7674a44632313db33fa7605cb2b4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fd9cad6b0676e0bb3a98ee0a8865a86e2f53eb07"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.