lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <9163678f-0800-4721-a0f4-abdc42b76744@huaweicloud.com>
Date: Sat, 29 Nov 2025 12:01:38 +0800
From: Zheng Qixing <zhengqixing@...weicloud.com>
To: gregkh@...uxfoundation.org, Nilay Shroff <nilay@...ux.ibm.com>
Cc: cve@...nel.org, linux-kernel@...r.kernel.org, yukuai@...as.com,
 ming.lei@...hat.com, "zhangyi (F)" <yi.zhang@...wei.com>,
 Hou Tao <houtao1@...wei.com>, yangerkun <yangerkun@...wei.com>,
 zhengqixing@...wei.com
Subject: Re: CVE-2025-40146: blk-mq: fix potential deadlock while nr_requests
 grown

Sorry for resending this message.


Commit 28307d938fb2 ("percpu: make pcpu_alloc() aware of current gfp 
context") has fixed a reclaim recursion for scoped GFP_NOFS context by 
avoiding taking pcpu_alloc_mutex.

@@ -1569,6 +1569,12 @@ static void __percpu *pcpu_alloc(size_t size, 
size_t align, bool reserved,
      void __percpu *ptr;
      size_t bits, bit_align;

+    gfp = current_gfp_context(gfp);
+    /* whitelisted flags that can be passed to the backing allocators */
+    pcpu_gfp = gfp & (GFP_KERNEL | __GFP_NORETRY | __GFP_NOWARN);
+    is_atomic = (gfp & GFP_KERNEL) != GFP_KERNEL;
+    do_warn = !(gfp & __GFP_NOWARN);


Commit 9a5b183941b5 ("mm, percpu: do not consider sleepable allocations 
atomic") fixes premature allocation failures in certain scenarios. 
However, this change made it possible to acquire the pcpu_alloc_mutex 
under GFP_NOIO scope.

@@ -1745,7 +1745,7 @@ void __percpu *pcpu_alloc_noprof(size_t size, 
size_t align, bool reserved,
      gfp = current_gfp_context(gfp);
      /* whitelisted flags that can be passed to the backing allocators */
      pcpu_gfp = gfp & (GFP_KERNEL | __GFP_NORETRY | __GFP_NOWARN);
-    is_atomic = (gfp & GFP_KERNEL) != GFP_KERNEL;
+    is_atomic = !gfpflags_allow_blocking(gfp);
      do_warn = !(gfp & __GFP_NOWARN);


Here's the relevant commit timeline:

e3a2b3f931f5 ("blk-mq: allow changing of queue depth through sysfs")    
         v3.16-rc1

28307d938fb2 ("percpu: make pcpu_alloc() aware of current gfp context")  
        v5.7-rc5

9a5b183941b5 ("mm, percpu: do not consider sleepable allocations 
atomic")    v6.15-rc1

b86433721f46 ("blk-mq: fix potential deadlock while nr_requests grown")  
         v6.18-rc1


This means that in the Linux master branch, this deadlock issue *did not 
exist* during the version window from v5.7-rc5 to v6.15-rc1. After 
analyzing the LTS versions, I found that linux-5.7.y through 
linux-6.13.y should also not have this deadlock issue.

If you have any questions or concerns, please feel free to discuss further.


Best regards,

Qixing

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ