CVE-2025-68821 (GCVE-0-2025-68821)

Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-01-13 15:29
VLAI?
Title
fuse: fix readahead reclaim deadlock
Summary
In the Linux kernel, the following vulnerability has been resolved: fuse: fix readahead reclaim deadlock Commit e26ee4efbc79 ("fuse: allocate ff->release_args only if release is needed") skips allocating ff->release_args if the server does not implement open. However in doing so, fuse_prepare_release() now skips grabbing the reference on the inode, which makes it possible for an inode to be evicted from the dcache while there are inflight readahead requests. This causes a deadlock if the server triggers reclaim while servicing the readahead request and reclaim attempts to evict the inode of the file being read ahead. Since the folio is locked during readahead, when reclaim evicts the fuse inode and fuse_evict_inode() attempts to remove all folios associated with the inode from the page cache (truncate_inode_pages_range()), reclaim will block forever waiting for the lock since readahead cannot relinquish the lock because it is itself blocked in reclaim: >>> stack_trace(1504735) folio_wait_bit_common (mm/filemap.c:1308:4) folio_lock (./include/linux/pagemap.h:1052:3) truncate_inode_pages_range (mm/truncate.c:336:10) fuse_evict_inode (fs/fuse/inode.c:161:2) evict (fs/inode.c:704:3) dentry_unlink_inode (fs/dcache.c:412:3) __dentry_kill (fs/dcache.c:615:3) shrink_kill (fs/dcache.c:1060:12) shrink_dentry_list (fs/dcache.c:1087:3) prune_dcache_sb (fs/dcache.c:1168:2) super_cache_scan (fs/super.c:221:10) do_shrink_slab (mm/shrinker.c:435:9) shrink_slab (mm/shrinker.c:626:10) shrink_node (mm/vmscan.c:5951:2) shrink_zones (mm/vmscan.c:6195:3) do_try_to_free_pages (mm/vmscan.c:6257:3) do_swap_page (mm/memory.c:4136:11) handle_pte_fault (mm/memory.c:5562:10) handle_mm_fault (mm/memory.c:5870:9) do_user_addr_fault (arch/x86/mm/fault.c:1338:10) handle_page_fault (arch/x86/mm/fault.c:1481:3) exc_page_fault (arch/x86/mm/fault.c:1539:2) asm_exc_page_fault+0x22/0x27 Fix this deadlock by allocating ff->release_args and grabbing the reference on the inode when preparing the file for release even if the server does not implement open. The inode reference will be dropped when the last reference on the fuse file is dropped (see fuse_file_put() -> fuse_release_end()).
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 7d38aa079ed859b73f4460aab89c7619b04963b8 , < 4703bc0e8cd3409acb1476a70cb5b7ff943cf39a (git)
Affected: c7ec75f3cbf73bd46f479f7d6942585f765715da , < cf74785c00b8b1c0c4a9dd74bfa9c22d62e2d99f (git)
Affected: e26ee4efbc79610b20e7abe9d96c87f33dacc1ff , < fbba8b00bbe4e4f958a2b0654cc1219a7e6597f6 (git)
Affected: e26ee4efbc79610b20e7abe9d96c87f33dacc1ff , < e0d6de83a4cc22bbac72713f3a58121af36cc411 (git)
Affected: e26ee4efbc79610b20e7abe9d96c87f33dacc1ff , < bd5603eaae0aabf527bfb3ce1bb07e979ce5bd50 (git)
Affected: a39f70d63f4373a598820d9491719e44cd60afe9 (git)
Create a notification for this product.
    Linux Linux Affected: 6.9
Unaffected: 0 , < 6.9 (semver)
Unaffected: 6.1.160 , ≤ 6.1.* (semver)
Unaffected: 6.6.120 , ≤ 6.6.* (semver)
Unaffected: 6.12.64 , ≤ 6.12.* (semver)
Unaffected: 6.18.3 , ≤ 6.18.* (semver)
Unaffected: 6.19-rc1 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/fuse/file.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4703bc0e8cd3409acb1476a70cb5b7ff943cf39a",
              "status": "affected",
              "version": "7d38aa079ed859b73f4460aab89c7619b04963b8",
              "versionType": "git"
            },
            {
              "lessThan": "cf74785c00b8b1c0c4a9dd74bfa9c22d62e2d99f",
              "status": "affected",
              "version": "c7ec75f3cbf73bd46f479f7d6942585f765715da",
              "versionType": "git"
            },
            {
              "lessThan": "fbba8b00bbe4e4f958a2b0654cc1219a7e6597f6",
              "status": "affected",
              "version": "e26ee4efbc79610b20e7abe9d96c87f33dacc1ff",
              "versionType": "git"
            },
            {
              "lessThan": "e0d6de83a4cc22bbac72713f3a58121af36cc411",
              "status": "affected",
              "version": "e26ee4efbc79610b20e7abe9d96c87f33dacc1ff",
              "versionType": "git"
            },
            {
              "lessThan": "bd5603eaae0aabf527bfb3ce1bb07e979ce5bd50",
              "status": "affected",
              "version": "e26ee4efbc79610b20e7abe9d96c87f33dacc1ff",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "a39f70d63f4373a598820d9491719e44cd60afe9",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/fuse/file.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.9"
            },
            {
              "lessThan": "6.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.160",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.64",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.160",
                  "versionStartIncluding": "6.1.158",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.120",
                  "versionStartIncluding": "6.6.115",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.64",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.3",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19-rc1",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.15.196",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfuse: fix readahead reclaim deadlock\n\nCommit e26ee4efbc79 (\"fuse: allocate ff-\u003erelease_args only if release is\nneeded\") skips allocating ff-\u003erelease_args if the server does not\nimplement open. However in doing so, fuse_prepare_release() now skips\ngrabbing the reference on the inode, which makes it possible for an\ninode to be evicted from the dcache while there are inflight readahead\nrequests. This causes a deadlock if the server triggers reclaim while\nservicing the readahead request and reclaim attempts to evict the inode\nof the file being read ahead. Since the folio is locked during\nreadahead, when reclaim evicts the fuse inode and fuse_evict_inode()\nattempts to remove all folios associated with the inode from the page\ncache (truncate_inode_pages_range()), reclaim will block forever waiting\nfor the lock since readahead cannot relinquish the lock because it is\nitself blocked in reclaim:\n\n\u003e\u003e\u003e stack_trace(1504735)\n folio_wait_bit_common (mm/filemap.c:1308:4)\n folio_lock (./include/linux/pagemap.h:1052:3)\n truncate_inode_pages_range (mm/truncate.c:336:10)\n fuse_evict_inode (fs/fuse/inode.c:161:2)\n evict (fs/inode.c:704:3)\n dentry_unlink_inode (fs/dcache.c:412:3)\n __dentry_kill (fs/dcache.c:615:3)\n shrink_kill (fs/dcache.c:1060:12)\n shrink_dentry_list (fs/dcache.c:1087:3)\n prune_dcache_sb (fs/dcache.c:1168:2)\n super_cache_scan (fs/super.c:221:10)\n do_shrink_slab (mm/shrinker.c:435:9)\n shrink_slab (mm/shrinker.c:626:10)\n shrink_node (mm/vmscan.c:5951:2)\n shrink_zones (mm/vmscan.c:6195:3)\n do_try_to_free_pages (mm/vmscan.c:6257:3)\n do_swap_page (mm/memory.c:4136:11)\n handle_pte_fault (mm/memory.c:5562:10)\n handle_mm_fault (mm/memory.c:5870:9)\n do_user_addr_fault (arch/x86/mm/fault.c:1338:10)\n handle_page_fault (arch/x86/mm/fault.c:1481:3)\n exc_page_fault (arch/x86/mm/fault.c:1539:2)\n asm_exc_page_fault+0x22/0x27\n\nFix this deadlock by allocating ff-\u003erelease_args and grabbing the\nreference on the inode when preparing the file for release even if the\nserver does not implement open. The inode reference will be dropped when\nthe last reference on the fuse file is dropped (see fuse_file_put() -\u003e\nfuse_release_end())."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-13T15:29:24.014Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4703bc0e8cd3409acb1476a70cb5b7ff943cf39a"
        },
        {
          "url": "https://git.kernel.org/stable/c/cf74785c00b8b1c0c4a9dd74bfa9c22d62e2d99f"
        },
        {
          "url": "https://git.kernel.org/stable/c/fbba8b00bbe4e4f958a2b0654cc1219a7e6597f6"
        },
        {
          "url": "https://git.kernel.org/stable/c/e0d6de83a4cc22bbac72713f3a58121af36cc411"
        },
        {
          "url": "https://git.kernel.org/stable/c/bd5603eaae0aabf527bfb3ce1bb07e979ce5bd50"
        }
      ],
      "title": "fuse: fix readahead reclaim deadlock",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68821",
    "datePublished": "2026-01-13T15:29:24.014Z",
    "dateReserved": "2025-12-24T10:30:51.048Z",
    "dateUpdated": "2026-01-13T15:29:24.014Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-68821\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-01-13T16:16:04.440\",\"lastModified\":\"2026-01-13T16:16:04.440\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfuse: fix readahead reclaim deadlock\\n\\nCommit e26ee4efbc79 (\\\"fuse: allocate ff-\u003erelease_args only if release is\\nneeded\\\") skips allocating ff-\u003erelease_args if the server does not\\nimplement open. However in doing so, fuse_prepare_release() now skips\\ngrabbing the reference on the inode, which makes it possible for an\\ninode to be evicted from the dcache while there are inflight readahead\\nrequests. This causes a deadlock if the server triggers reclaim while\\nservicing the readahead request and reclaim attempts to evict the inode\\nof the file being read ahead. Since the folio is locked during\\nreadahead, when reclaim evicts the fuse inode and fuse_evict_inode()\\nattempts to remove all folios associated with the inode from the page\\ncache (truncate_inode_pages_range()), reclaim will block forever waiting\\nfor the lock since readahead cannot relinquish the lock because it is\\nitself blocked in reclaim:\\n\\n\u003e\u003e\u003e stack_trace(1504735)\\n folio_wait_bit_common (mm/filemap.c:1308:4)\\n folio_lock (./include/linux/pagemap.h:1052:3)\\n truncate_inode_pages_range (mm/truncate.c:336:10)\\n fuse_evict_inode (fs/fuse/inode.c:161:2)\\n evict (fs/inode.c:704:3)\\n dentry_unlink_inode (fs/dcache.c:412:3)\\n __dentry_kill (fs/dcache.c:615:3)\\n shrink_kill (fs/dcache.c:1060:12)\\n shrink_dentry_list (fs/dcache.c:1087:3)\\n prune_dcache_sb (fs/dcache.c:1168:2)\\n super_cache_scan (fs/super.c:221:10)\\n do_shrink_slab (mm/shrinker.c:435:9)\\n shrink_slab (mm/shrinker.c:626:10)\\n shrink_node (mm/vmscan.c:5951:2)\\n shrink_zones (mm/vmscan.c:6195:3)\\n do_try_to_free_pages (mm/vmscan.c:6257:3)\\n do_swap_page (mm/memory.c:4136:11)\\n handle_pte_fault (mm/memory.c:5562:10)\\n handle_mm_fault (mm/memory.c:5870:9)\\n do_user_addr_fault (arch/x86/mm/fault.c:1338:10)\\n handle_page_fault (arch/x86/mm/fault.c:1481:3)\\n exc_page_fault (arch/x86/mm/fault.c:1539:2)\\n asm_exc_page_fault+0x22/0x27\\n\\nFix this deadlock by allocating ff-\u003erelease_args and grabbing the\\nreference on the inode when preparing the file for release even if the\\nserver does not implement open. The inode reference will be dropped when\\nthe last reference on the fuse file is dropped (see fuse_file_put() -\u003e\\nfuse_release_end()).\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/4703bc0e8cd3409acb1476a70cb5b7ff943cf39a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/bd5603eaae0aabf527bfb3ce1bb07e979ce5bd50\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/cf74785c00b8b1c0c4a9dd74bfa9c22d62e2d99f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e0d6de83a4cc22bbac72713f3a58121af36cc411\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/fbba8b00bbe4e4f958a2b0654cc1219a7e6597f6\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.