CVE-2025-68178
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
16/12/2025
Last modified:
18/12/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
blk-cgroup: fix possible deadlock while configuring policy<br />
<br />
Following deadlock can be triggered easily by lockdep:<br />
<br />
WARNING: possible circular locking dependency detected<br />
6.17.0-rc3-00124-ga12c2658ced0 #1665 Not tainted<br />
------------------------------------------------------<br />
check/1334 is trying to acquire lock:<br />
ff1100011d9d0678 (&q->sysfs_lock){+.+.}-{4:4}, at: blk_unregister_queue+0x53/0x180<br />
<br />
but task is already holding lock:<br />
ff1100011d9d00e0 (&q->q_usage_counter(queue)#3){++++}-{0:0}, at: del_gendisk+0xba/0x110<br />
<br />
which lock already depends on the new lock.<br />
<br />
the existing dependency chain (in reverse order) is:<br />
<br />
-> #2 (&q->q_usage_counter(queue)#3){++++}-{0:0}:<br />
blk_queue_enter+0x40b/0x470<br />
blkg_conf_prep+0x7b/0x3c0<br />
tg_set_limit+0x10a/0x3e0<br />
cgroup_file_write+0xc6/0x420<br />
kernfs_fop_write_iter+0x189/0x280<br />
vfs_write+0x256/0x490<br />
ksys_write+0x83/0x190<br />
__x64_sys_write+0x21/0x30<br />
x64_sys_call+0x4608/0x4630<br />
do_syscall_64+0xdb/0x6b0<br />
entry_SYSCALL_64_after_hwframe+0x76/0x7e<br />
<br />
-> #1 (&q->rq_qos_mutex){+.+.}-{4:4}:<br />
__mutex_lock+0xd8/0xf50<br />
mutex_lock_nested+0x2b/0x40<br />
wbt_init+0x17e/0x280<br />
wbt_enable_default+0xe9/0x140<br />
blk_register_queue+0x1da/0x2e0<br />
__add_disk+0x38c/0x5d0<br />
add_disk_fwnode+0x89/0x250<br />
device_add_disk+0x18/0x30<br />
virtblk_probe+0x13a3/0x1800<br />
virtio_dev_probe+0x389/0x610<br />
really_probe+0x136/0x620<br />
__driver_probe_device+0xb3/0x230<br />
driver_probe_device+0x2f/0xe0<br />
__driver_attach+0x158/0x250<br />
bus_for_each_dev+0xa9/0x130<br />
driver_attach+0x26/0x40<br />
bus_add_driver+0x178/0x3d0<br />
driver_register+0x7d/0x1c0<br />
__register_virtio_driver+0x2c/0x60<br />
virtio_blk_init+0x6f/0xe0<br />
do_one_initcall+0x94/0x540<br />
kernel_init_freeable+0x56a/0x7b0<br />
kernel_init+0x2b/0x270<br />
ret_from_fork+0x268/0x4c0<br />
ret_from_fork_asm+0x1a/0x30<br />
<br />
-> #0 (&q->sysfs_lock){+.+.}-{4:4}:<br />
__lock_acquire+0x1835/0x2940<br />
lock_acquire+0xf9/0x450<br />
__mutex_lock+0xd8/0xf50<br />
mutex_lock_nested+0x2b/0x40<br />
blk_unregister_queue+0x53/0x180<br />
__del_gendisk+0x226/0x690<br />
del_gendisk+0xba/0x110<br />
sd_remove+0x49/0xb0 [sd_mod]<br />
device_remove+0x87/0xb0<br />
device_release_driver_internal+0x11e/0x230<br />
device_release_driver+0x1a/0x30<br />
bus_remove_device+0x14d/0x220<br />
device_del+0x1e1/0x5a0<br />
__scsi_remove_device+0x1ff/0x2f0<br />
scsi_remove_device+0x37/0x60<br />
sdev_store_delete+0x77/0x100<br />
dev_attr_store+0x1f/0x40<br />
sysfs_kf_write+0x65/0x90<br />
kernfs_fop_write_iter+0x189/0x280<br />
vfs_write+0x256/0x490<br />
ksys_write+0x83/0x190<br />
__x64_sys_write+0x21/0x30<br />
x64_sys_call+0x4608/0x4630<br />
do_syscall_64+0xdb/0x6b0<br />
entry_SYSCALL_64_after_hwframe+0x76/0x7e<br />
<br />
other info that might help us debug this:<br />
<br />
Chain exists of:<br />
&q->sysfs_lock --> &q->rq_qos_mutex --> &q->q_usage_counter(queue)#3<br />
<br />
Possible unsafe locking scenario:<br />
<br />
CPU0 CPU1<br />
---- ----<br />
lock(&q->q_usage_counter(queue)#3);<br />
lock(&q->rq_qos_mutex);<br />
lock(&q->q_usage_counter(queue)#3);<br />
lock(&q->sysfs_lock);<br />
<br />
Root cause is that queue_usage_counter is grabbed with rq_qos_mutex<br />
held in blkg_conf_prep(), while queue should be freezed before<br />
rq_qos_mutex from other context.<br />
<br />
The blk_queue_enter() from blkg_conf_prep() is used to protect against<br />
policy deactivation, which is already protected with blkcg_mutex, hence<br />
convert blk_queue_enter() to blkcg_mutex to fix this problem. Meanwhile,<br />
consider that blkcg_mutex is held after queue is freezed from policy<br />
deactivation, also convert blkg_alloc() to use GFP_NOIO.