CVE-2025-68821

NONE EPSS 6.9%
Published Jan 13, 20265mo ago · Modified Jun 17, 20261w ago
Find Similar
Published Jan 13, 2026 5mo ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: fuse: fix readahead reclaim deadlock Commit e26ee4efbc79 ("fuse: allocate ff->release_args only if release is needed") skips allocating ff->release_args if the server does not implement open. However in doing so, fuse_prepare_release() now skips grabbing the reference on the inode, which makes it possible for an inode to be evicted from the dcache while there are inflight readahead requests. This causes a deadlock if the server triggers reclaim while servicing the readahead request and reclaim attempts to evict the inode of the file being read ahead. Since the folio is locked during readahead, when reclaim evicts the fuse inode and fuse_evict_inode() attempts to remove all folios associated with the inode from the page cache (truncate_inode_pages_range()), reclaim will block forever waiting for the lock since readahead cannot relinquish the lock because it is itself blocked in reclaim: >>> stack_trace(1504735) folio_wait_bit_common (mm/filemap.c:1308:4) folio_lock (./include/linux/pagemap.h:1052:3) truncate_inode_pages_range (mm/truncate.c:336:10) fuse_evict_inode (fs/fuse/inode.c:161:2) evict (fs/inode.c:704:3) dentry_unlink_inode (fs/dcache.c:412:3) __dentry_kill (fs/dcache.c:615:3) shrink_kill (fs/dcache.c:1060:12) shrink_dentry_list (fs/dcache.c:1087:3) prune_dcache_sb (fs/dcache.c:1168:2) super_cache_scan (fs/super.c:221:10) do_shrink_slab (mm/shrinker.c:435:9) shrink_slab (mm/shrinker.c:626:10) shrink_node (mm/vmscan.c:5951:2) shrink_zones (mm/vmscan.c:6195:3) do_try_to_free_pages (mm/vmscan.c:6257:3) do_swap_page (mm/memory.c:4136:11) handle_pte_fault (mm/memory.c:5562:10) handle_mm_fault (mm/memory.c:5870:9) do_user_addr_fault (arch/x86/mm/fault.c:1338:10) handle_page_fault (arch/x86/mm/fault.c:1481:3) exc_page_fault (arch/x86/mm/fault.c:1539:2) asm_exc_page_fault+0x22/0x27 Fix this deadlock by allocating ff->release_args and grabbing the reference on the inode when preparing the file for release even if the server does not implement open. The inode reference will be dropped when the last reference on the fuse file is dropped (see fuse_file_put() -> fuse_release_end()).

Threat Intelligence

EPSS Exploit Probability
6.9% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

References 6

  • git.kernel.org https://git.kernel.org/stable/c/4703bc0e8cd3409acb1476a70cb5b7ff943cf39a
  • git.kernel.org https://git.kernel.org/stable/c/bd5603eaae0aabf527bfb3ce1bb07e979ce5bd50
  • git.kernel.org https://git.kernel.org/stable/c/cbbf3f1bb9f834bb2acbb61ddca74363456e19cd
  • git.kernel.org https://git.kernel.org/stable/c/cf74785c00b8b1c0c4a9dd74bfa9c22d62e2d99f
  • git.kernel.org https://git.kernel.org/stable/c/e0d6de83a4cc22bbac72713f3a58121af36cc411
  • git.kernel.org https://git.kernel.org/stable/c/fbba8b00bbe4e4f958a2b0654cc1219a7e6597f6

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.