CVE-2025-68821

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 13/01/2026
Last modified: 19/01/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

fuse: fix readahead reclaim deadlock

Commit e26ee4efbc79 ("fuse: allocate ff->release_args only if release is needed") skips allocating ff->release_args if the server does not implement open. However in doing so, fuse_prepare_release() now skips grabbing the reference on the inode, which makes it possible for an inode to be evicted from the dcache while there are inflight readahead requests. This causes a deadlock if the server triggers reclaim while servicing the readahead request and reclaim attempts to evict the inode of the file being read ahead. Since the folio is locked during readahead, when reclaim evicts the fuse inode and fuse_evict_inode() attempts to remove all folios associated with the inode from the page cache (truncate_inode_pages_range()), reclaim will block forever waiting for the lock since readahead cannot relinquish the lock because it is itself blocked in reclaim:

>>> stack_trace(1504735)
folio_wait_bit_common (mm/filemap.c:1308:4)
folio_lock (./include/linux/pagemap.h:1052:3)
truncate_inode_pages_range (mm/truncate.c:336:10)
fuse_evict_inode (fs/fuse/inode.c:161:2)
evict (fs/inode.c:704:3)
dentry_unlink_inode (fs/dcache.c:412:3)
__dentry_kill (fs/dcache.c:615:3)
shrink_kill (fs/dcache.c:1060:12)
shrink_dentry_list (fs/dcache.c:1087:3)
prune_dcache_sb (fs/dcache.c:1168:2)
super_cache_scan (fs/super.c:221:10)
do_shrink_slab (mm/shrinker.c:435:9)
shrink_slab (mm/shrinker.c:626:10)
shrink_node (mm/vmscan.c:5951:2)
shrink_zones (mm/vmscan.c:6195:3)
do_try_to_free_pages (mm/vmscan.c:6257:3)
do_swap_page (mm/memory.c:4136:11)
handle_pte_fault (mm/memory.c:5562:10)
handle_mm_fault (mm/memory.c:5870:9)
do_user_addr_fault (arch/x86/mm/fault.c:1338:10)
handle_page_fault (arch/x86/mm/fault.c:1481:3)
exc_page_fault (arch/x86/mm/fault.c:1539:2)
asm_exc_page_fault+0x22/0x27

Fix this deadlock by allocating ff->release_args and grabbing the reference on the inode when preparing the file for release even if the server does not implement open. The inode reference will be dropped when the last reference on the fuse file is dropped (see fuse_file_put() -> fuse_release_end()).
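For triage of hung FUSE server hosts, the following added example (not part of the advisory or the kernel commit) checks whether a captured task stack trace, in the text format shown above, has the shape of this deadlock: a folio-lock wait inside fuse_evict_inode() that was entered from memory reclaim. The helper names and both sample traces are constructed for illustration.

```python
import re

# Frames of the blocked reclaim task, innermost first, as in the trace above.
EVICT_CHAIN = ["folio_wait_bit_common", "truncate_inode_pages_range",
               "fuse_evict_inode", "evict"]
# Callers showing that the eviction was started by memory reclaim.
RECLAIM_FRAMES = {"do_shrink_slab", "shrink_slab", "do_try_to_free_pages"}

# "func (file:line:col)", "func+0xOFF/0xLEN" or a bare "func";
# prompt lines such as ">>> stack_trace(...)" do not match.
FRAME_RE = re.compile(
    r"^\s*([A-Za-z_][\w.]*)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?(?:\s+\(.*\))?\s*$")

def parse_frames(trace):
    """Return the function names in a trace, innermost frame first."""
    return [m.group(1) for m in map(FRAME_RE.match, trace.splitlines()) if m]

def matches_fuse_reclaim_deadlock(trace):
    """True if a task waits on a folio lock in fuse_evict_inode() under reclaim."""
    remaining = iter(parse_frames(trace))
    # "name in iterator" consumes it, so this enforces the frame order.
    if not all(name in remaining for name in EVICT_CHAIN):
        return False  # eviction chain absent or out of order
    # What is left in the iterator are the callers of evict().
    return any(name in RECLAIM_FRAMES for name in remaining)

# Constructed sample: the trace from the description, abbreviated.
SAMPLE_DEADLOCK = """\
>>> stack_trace(1504735)
folio_wait_bit_common (mm/filemap.c:1308:4)
folio_lock (./include/linux/pagemap.h:1052:3)
truncate_inode_pages_range (mm/truncate.c:336:10)
fuse_evict_inode (fs/fuse/inode.c:161:2)
evict (fs/inode.c:704:3)
prune_dcache_sb (fs/dcache.c:1168:2)
do_shrink_slab (mm/shrinker.c:435:9)
do_try_to_free_pages (mm/vmscan.c:6257:3)
asm_exc_page_fault+0x22/0x27
"""

# Constructed sample: the same eviction path reached from an unlink, not reclaim.
SAMPLE_UNLINK = """\
folio_wait_bit_common
truncate_inode_pages_range
fuse_evict_inode
evict
iput
do_unlinkat
"""
```

A match only shows that a task has the stack shape from the description; whether the kernel contains the fix still has to be confirmed against the vendor's advisory for this CVE.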

Impact