CVE-2025-40147

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> blk-throttle: fix access race during throttle policy activation<br /> <br /> On repeated cold boots we occasionally hit a NULL pointer crash in<br /> blk_should_throtl() when throttling is consulted before the throttle<br /> policy is fully enabled for the queue. Checking only q-&gt;td != NULL is<br /> insufficient during early initialization, so blkg_to_pd() for the<br /> throttle policy can still return NULL and blkg_to_tg() becomes NULL,<br /> which later gets dereferenced.<br /> <br /> Unable to handle kernel NULL pointer dereference<br /> at virtual address 0000000000000156<br /> ...<br /> pc : submit_bio_noacct+0x14c/0x4c8<br /> lr : submit_bio_noacct+0x48/0x4c8<br /> sp : ffff800087f0b690<br /> x29: ffff800087f0b690 x28: 0000000000005f90 x27: ffff00068af393c0<br /> x26: 0000000000080000 x25: 000000000002fbc0 x24: ffff000684ddcc70<br /> x23: 0000000000000000 x22: 0000000000000000 x21: 0000000000000000<br /> x20: 0000000000080000 x19: ffff000684ddcd08 x18: ffffffffffffffff<br /> x17: 0000000000000000 x16: ffff80008132a550 x15: 0000ffff98020fff<br /> x14: 0000000000000000 x13: 1fffe000d11d7021 x12: ffff000688eb810c<br /> x11: ffff00077ec4bb80 x10: ffff000688dcb720 x9 : ffff80008068ef60<br /> x8 : 00000a6fb8a86e85 x7 : 000000000000111e x6 : 0000000000000002<br /> x5 : 0000000000000246 x4 : 0000000000015cff x3 : 0000000000394500<br /> x2 : ffff000682e35e40 x1 : 0000000000364940 x0 : 000000000000001a<br /> Call trace:<br /> submit_bio_noacct+0x14c/0x4c8<br /> verity_map+0x178/0x2c8<br /> __map_bio+0x228/0x250<br /> dm_submit_bio+0x1c4/0x678<br /> __submit_bio+0x170/0x230<br /> submit_bio_noacct_nocheck+0x16c/0x388<br /> submit_bio_noacct+0x16c/0x4c8<br /> submit_bio+0xb4/0x210<br /> f2fs_submit_read_bio+0x4c/0xf0<br /> f2fs_mpage_readpages+0x3b0/0x5f0<br /> f2fs_readahead+0x90/0xe8<br /> <br /> Tighten blk_throtl_activated() to also require that the throttle policy<br /> bit is set on the queue:<br /> <br /> return q-&gt;td != NULL &amp;&amp;<br /> test_bit(blkcg_policy_throtl.plid, q-&gt;blkcg_pols);<br /> <br /> This prevents blk_should_throtl() from accessing throttle group state<br /> until policy data has been attached to blkgs.