CVE-2025-39999

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
15/10/2025
Last modified:
16/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> blk-mq: fix blk_mq_tags double free while nr_requests grown<br /> <br /> In the case user trigger tags grow by queue sysfs attribute nr_requests,<br /> hctx-&gt;sched_tags will be freed directly and replaced with a new<br /> allocated tags, see blk_mq_tag_update_depth().<br /> <br /> The problem is that hctx-&gt;sched_tags is from elevator-&gt;et-&gt;tags, while<br /> et-&gt;tags is still the freed tags, hence later elevator exit will try to<br /> free the tags again, causing kernel panic.<br /> <br /> Fix this problem by replacing et-&gt;tags with new allocated tags as well.<br /> <br /> Noted there are still some long term problems that will require some<br /> refactor to be fixed thoroughly[1].<br /> <br /> [1] https://lore.kernel.org/all/20250815080216.410665-1-yukuai1@huaweicloud.com/

Impact