CVE-2025-40220
中文标题:
(暂无数据)
英文标题:
fuse: fix livelock in synchronous file put from fuseblk workers
漏洞描述
中文描述:
(暂无数据)
英文描述:
In the Linux kernel, the following vulnerability has been resolved: fuse: fix livelock in synchronous file put from fuseblk workers I observed a hang when running generic/323 against a fuseblk server. This test opens a file, initiates a lot of AIO writes to that file descriptor, and closes the file descriptor before the writes complete. Unsurprisingly, the AIO exerciser threads are mostly stuck waiting for responses from the fuseblk server: # cat /proc/372265/task/372313/stack [<0>] request_wait_answer+0x1fe/0x2a0 [fuse] [<0>] __fuse_simple_request+0xd3/0x2b0 [fuse] [<0>] fuse_do_getattr+0xfc/0x1f0 [fuse] [<0>] fuse_file_read_iter+0xbe/0x1c0 [fuse] [<0>] aio_read+0x130/0x1e0 [<0>] io_submit_one+0x542/0x860 [<0>] __x64_sys_io_submit+0x98/0x1a0 [<0>] do_syscall_64+0x37/0xf0 [<0>] entry_SYSCALL_64_after_hwframe+0x4b/0x53 But the /weird/ part is that the fuseblk server threads are waiting for responses from itself: # cat /proc/372210/task/372232/stack [<0>] request_wait_answer+0x1fe/0x2a0 [fuse] [<0>] __fuse_simple_request+0xd3/0x2b0 [fuse] [<0>] fuse_file_put+0x9a/0xd0 [fuse] [<0>] fuse_release+0x36/0x50 [fuse] [<0>] __fput+0xec/0x2b0 [<0>] task_work_run+0x55/0x90 [<0>] syscall_exit_to_user_mode+0xe9/0x100 [<0>] do_syscall_64+0x43/0xf0 [<0>] entry_SYSCALL_64_after_hwframe+0x4b/0x53 The fuseblk server is fuse2fs so there's nothing all that exciting in the server itself. So why is the fuse server calling fuse_file_put? The commit message for the fstest sheds some light on that: "By closing the file descriptor before calling io_destroy, you pretty much guarantee that the last put on the ioctx will be done in interrupt context (during I/O completion). Aha. AIO fgets a new struct file from the fd when it queues the ioctx. The completion of the FUSE_WRITE command from userspace causes the fuse server to call the AIO completion function. The completion puts the struct file, queuing a delayed fput to the fuse server task. When the fuse server task returns to userspace, it has to run the delayed fput, which in the case of a fuseblk server, it does synchronously. Sending the FUSE_RELEASE command sychronously from fuse server threads is a bad idea because a client program can initiate enough simultaneous AIOs such that all the fuse server threads end up in delayed_fput, and now there aren't any threads left to handle the queued fuse commands. Fix this by only using asynchronous fputs when closing files, and leave a comment explaining why.
CWE类型:
标签:
受影响产品
| 厂商 | 产品 | 版本 | 版本范围 | 平台 | CPE |
|---|---|---|---|---|---|
| Linux | Linux | 9efe56738fecd591b5bf366a325440f9b457ebd6 | - | - |
cpe:2.3:a:linux:linux:9efe56738fecd591b5bf366a325440f9b457ebd6:*:*:*:*:*:*:*
|
| Linux | Linux | 5c46eb076e0a1b2c1769287cd6942e4594ade1b1 | - | - |
cpe:2.3:a:linux:linux:5c46eb076e0a1b2c1769287cd6942e4594ade1b1:*:*:*:*:*:*:*
|
| Linux | Linux | 83e6726210d6c815ce044437106c738eda5ff6f6 | - | - |
cpe:2.3:a:linux:linux:83e6726210d6c815ce044437106c738eda5ff6f6:*:*:*:*:*:*:*
|
| Linux | Linux | 23d154c71721fd0fa6199851078f32e6bd765664 | - | - |
cpe:2.3:a:linux:linux:23d154c71721fd0fa6199851078f32e6bd765664:*:*:*:*:*:*:*
|
| Linux | Linux | ca3edc920f5fd7d8ac040caaf109f925c24620a0 | - | - |
cpe:2.3:a:linux:linux:ca3edc920f5fd7d8ac040caaf109f925c24620a0:*:*:*:*:*:*:*
|
| Linux | Linux | 2.6.38 | - | - |
cpe:2.3:a:linux:linux:2.6.38:*:*:*:*:*:*:*
|
解决方案
中文解决方案:
英文解决方案:
临时解决方案:
CVSS评分详情
NOT_EXTRACTED
时间信息
利用信息
数据源详情
| 数据源 | 记录ID | 版本 | 提取时间 |
|---|---|---|---|
| CVE | cve_CVE-2025-40220 |
2025-12-05 02:05:29 | 2026-01-12 02:11:46 |
| NVD | nvd_CVE-2025-40220 |
2025-12-05 03:00:03 | 2026-01-12 02:27:46 |
版本与语言
安全公告
变更历史
查看详细变更
- data_sources: ['cve'] -> ['cve', 'nvd']