{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-40147","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T07:20:57.175Z","datePublished":"2025-11-12T10:23:26.556Z","dateUpdated":"2026-05-11T21:43:38.854Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:43:38.854Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nblk-throttle: fix access race during throttle policy activation\n\nOn repeated cold boots we occasionally hit a NULL pointer crash in\nblk_should_throtl() when throttling is consulted before the throttle\npolicy is fully enabled for the queue. Checking only q->td != NULL is\ninsufficient during early initialization, so blkg_to_pd() for the\nthrottle policy can still return NULL and blkg_to_tg() becomes NULL,\nwhich later gets dereferenced.\n\n Unable to handle kernel NULL pointer dereference\n at virtual address 0000000000000156\n ...\n pc : submit_bio_noacct+0x14c/0x4c8\n lr : submit_bio_noacct+0x48/0x4c8\n sp : ffff800087f0b690\n x29: ffff800087f0b690 x28: 0000000000005f90 x27: ffff00068af393c0\n x26: 0000000000080000 x25: 000000000002fbc0 x24: ffff000684ddcc70\n x23: 0000000000000000 x22: 0000000000000000 x21: 0000000000000000\n x20: 0000000000080000 x19: ffff000684ddcd08 x18: ffffffffffffffff\n x17: 0000000000000000 x16: ffff80008132a550 x15: 0000ffff98020fff\n x14: 0000000000000000 x13: 1fffe000d11d7021 x12: ffff000688eb810c\n x11: ffff00077ec4bb80 x10: ffff000688dcb720 x9 : ffff80008068ef60\n x8 : 00000a6fb8a86e85 x7 : 000000000000111e x6 : 0000000000000002\n x5 : 0000000000000246 x4 : 0000000000015cff x3 : 0000000000394500\n x2 : ffff000682e35e40 x1 : 0000000000364940 x0 : 000000000000001a\n Call trace:\n  submit_bio_noacct+0x14c/0x4c8\n  verity_map+0x178/0x2c8\n  __map_bio+0x228/0x250\n  dm_submit_bio+0x1c4/0x678\n  __submit_bio+0x170/0x230\n  submit_bio_noacct_nocheck+0x16c/0x388\n  submit_bio_noacct+0x16c/0x4c8\n  submit_bio+0xb4/0x210\n  f2fs_submit_read_bio+0x4c/0xf0\n  f2fs_mpage_readpages+0x3b0/0x5f0\n  f2fs_readahead+0x90/0xe8\n\nTighten blk_throtl_activated() to also require that the throttle policy\nbit is set on the queue:\n\n  return q->td != NULL &&\n         test_bit(blkcg_policy_throtl.plid, q->blkcg_pols);\n\nThis prevents blk_should_throtl() from accessing throttle group state\nuntil policy data has been attached to blkgs."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["block/blk-cgroup.c","block/blk-cgroup.h","block/blk-throttle.c","block/blk-throttle.h"],"versions":[{"version":"a3166c51702bb00b8f8b84022090cbab8f37be1a","lessThan":"7b4bfd02c934dbbb18814ed012ecb90b58db6935","status":"affected","versionType":"git"},{"version":"a3166c51702bb00b8f8b84022090cbab8f37be1a","lessThan":"6a0c394300a7b0c05504596685de8a46707171fc","status":"affected","versionType":"git"},{"version":"a3166c51702bb00b8f8b84022090cbab8f37be1a","lessThan":"bd9fd5be6bc0836820500f68fff144609fbd85a9","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["block/blk-cgroup.c","block/blk-cgroup.h","block/blk-throttle.c","block/blk-throttle.h"],"versions":[{"version":"6.10","status":"affected"},{"version":"0","lessThan":"6.10","status":"unaffected","versionType":"semver"},{"version":"6.12.78","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.17.3","lessThanOrEqual":"6.17.*","status":"unaffected","versionType":"semver"},{"version":"6.18","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.10","versionEndExcluding":"6.12.78"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.10","versionEndExcluding":"6.17.3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.10","versionEndExcluding":"6.18"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/7b4bfd02c934dbbb18814ed012ecb90b58db6935"},{"url":"https://git.kernel.org/stable/c/6a0c394300a7b0c05504596685de8a46707171fc"},{"url":"https://git.kernel.org/stable/c/bd9fd5be6bc0836820500f68fff144609fbd85a9"}],"title":"blk-throttle: fix access race during throttle policy activation","x_generator":{"engine":"bippy-1.2.0"}}}}