lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <78fc451c-27a7-4156-a1a0-ea2fdd601403@huaweicloud.com>
Date: Sat, 29 Nov 2025 11:52:31 +0800
From: Zheng Qixing <zhengqixing@...weicloud.com>
To: Nilay Shroff <nilay@...ux.ibm.com>, Greg KH <gregkh@...uxfoundation.org>
Cc: cve@...nel.org, linux-kernel@...r.kernel.org, yukuai@...as.com,
 ming.lei@...hat.com, "zhangyi (F)" <yi.zhang@...wei.com>,
 Hou Tao <houtao1@...wei.com>, yangerkun <yangerkun@...wei.com>,
 zhengqixing@...wei.com
Subject: Re: CVE-2025-40146: blk-mq: fix potential deadlock while nr_requests
 grown

Commit 28307d938fb2 ("percpu: make pcpu_alloc() aware of current gfp 
context") has fixed a reclaim recursion for scoped GFP_NOFS context by 
avoiding taking pcpu_alloc_mutex.

@@ -1569,6 +1569,12 @@ static void __percpu *pcpu_alloc(size_t size, 
size_t align, bool reserved, void __percpu *ptr; size_t bits, bit_align; 
+ gfp = current_gfp_context(gfp); + /* whitelisted flags that can be 
passed to the backing allocators */ + pcpu_gfp = gfp & (GFP_KERNEL | 
__GFP_NORETRY | __GFP_NOWARN); + is_atomic = (gfp & GFP_KERNEL) != 
GFP_KERNEL; + do_warn = !(gfp & __GFP_NOWARN); Commit 9a5b183941b5 ("mm, 
percpu: do not consider sleepable allocations atomic") fixes premature 
allocation failures in certain scenarios. However, this change made it 
possible to acquire the pcpu_alloc_mutex under GFP_NOIO scope.

@@ -1745,7 +1745,7 @@ void __percpu *pcpu_alloc_noprof(size_t size, 
size_t align, bool reserved, gfp = current_gfp_context(gfp); /* 
whitelisted flags that can be passed to the backing allocators */ 
pcpu_gfp = gfp & (GFP_KERNEL | __GFP_NORETRY | __GFP_NOWARN); - 
is_atomic = (gfp & GFP_KERNEL) != GFP_KERNEL; + is_atomic = 
!gfpflags_allow_blocking(gfp); do_warn = !(gfp & __GFP_NOWARN); Here's 
the relevant commit timeline:

e3a2b3f931f5 ("blk-mq: allow changing of queue depth through sysfs") 
v3.16-rc1 28307d938fb2 ("percpu: make pcpu_alloc() aware of current gfp 
context") v5.7-rc5 9a5b183941b5 ("mm, percpu: do not consider sleepable 
allocations atomic") v6.15-rc1 b86433721f46 ("blk-mq: fix potential 
deadlock while nr_requests grown") v6.18-rc1

This means that in the Linux master branch, this deadlock issue *did not 
exist* during the version window from v5.7-rc5 to v6.15-rc1. After 
analyzing the LTS versions, I found that linux-5.7.y through 
linux-6.13.y should also not have this deadlock issue.

If you have any questions or concerns, please feel free to discuss further.


Best regards,

Qixing

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ