{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-40220","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T07:20:57.180Z","datePublished":"2025-12-04T14:50:44.108Z","dateUpdated":"2026-05-11T21:45:06.687Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:45:06.687Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nfuse: fix livelock in synchronous file put from fuseblk workers\n\nI observed a hang when running generic/323 against a fuseblk server.\nThis test opens a file, initiates a lot of AIO writes to that file\ndescriptor, and closes the file descriptor before the writes complete.\nUnsurprisingly, the AIO exerciser threads are mostly stuck waiting for\nresponses from the fuseblk server:\n\n# cat /proc/372265/task/372313/stack\n[<0>] request_wait_answer+0x1fe/0x2a0 [fuse]\n[<0>] __fuse_simple_request+0xd3/0x2b0 [fuse]\n[<0>] fuse_do_getattr+0xfc/0x1f0 [fuse]\n[<0>] fuse_file_read_iter+0xbe/0x1c0 [fuse]\n[<0>] aio_read+0x130/0x1e0\n[<0>] io_submit_one+0x542/0x860\n[<0>] __x64_sys_io_submit+0x98/0x1a0\n[<0>] do_syscall_64+0x37/0xf0\n[<0>] entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\nBut the /weird/ part is that the fuseblk server threads are waiting for\nresponses from itself:\n\n# cat /proc/372210/task/372232/stack\n[<0>] request_wait_answer+0x1fe/0x2a0 [fuse]\n[<0>] __fuse_simple_request+0xd3/0x2b0 [fuse]\n[<0>] fuse_file_put+0x9a/0xd0 [fuse]\n[<0>] fuse_release+0x36/0x50 [fuse]\n[<0>] __fput+0xec/0x2b0\n[<0>] task_work_run+0x55/0x90\n[<0>] syscall_exit_to_user_mode+0xe9/0x100\n[<0>] do_syscall_64+0x43/0xf0\n[<0>] entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\nThe fuseblk server is fuse2fs so there's nothing all that exciting in\nthe server itself.  
So why is the fuse server calling fuse_file_put?\nThe commit message for the fstest sheds some light on that:\n\n\"By closing the file descriptor before calling io_destroy, you pretty\nmuch guarantee that the last put on the ioctx will be done in interrupt\ncontext (during I/O completion).\n\nAha.  AIO fgets a new struct file from the fd when it queues the ioctx.\nThe completion of the FUSE_WRITE command from userspace causes the fuse\nserver to call the AIO completion function.  The completion puts the\nstruct file, queuing a delayed fput to the fuse server task.  When the\nfuse server task returns to userspace, it has to run the delayed fput,\nwhich in the case of a fuseblk server, it does synchronously.\n\nSending the FUSE_RELEASE command synchronously from fuse server threads\nis a bad idea because a client program can initiate enough simultaneous\nAIOs such that all the fuse server threads end up in delayed_fput, and\nnow there aren't any threads left to handle the queued fuse commands.\n\nFix this by only using asynchronous fputs when closing files, and leave\na comment explaining 
why."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/fuse/file.c"],"versions":[{"version":"5a18ec176c934ca1bc9dc61580a5e0e90a9b5733","lessThan":"548e1f2bac1d4df91a6138f26bb4ab00323fd948","status":"affected","versionType":"git"},{"version":"5a18ec176c934ca1bc9dc61580a5e0e90a9b5733","lessThan":"cfd1aa3e2b71f3327cb373c45a897c9028c62b35","status":"affected","versionType":"git"},{"version":"5a18ec176c934ca1bc9dc61580a5e0e90a9b5733","lessThan":"83b375c6efef69b1066ad2d79601221e7892745a","status":"affected","versionType":"git"},{"version":"5a18ec176c934ca1bc9dc61580a5e0e90a9b5733","lessThan":"bfd17b6138df0122a95989457d8e18ce0b86165e","status":"affected","versionType":"git"},{"version":"5a18ec176c934ca1bc9dc61580a5e0e90a9b5733","lessThan":"b26923512dbe57ae4917bafd31396d22a9d1691a","status":"affected","versionType":"git"},{"version":"5a18ec176c934ca1bc9dc61580a5e0e90a9b5733","lessThan":"f19a1390af448d9e193c08e28ea5f727bf3c3049","status":"affected","versionType":"git"},{"version":"5a18ec176c934ca1bc9dc61580a5e0e90a9b5733","lessThan":"26e5c67deb2e1f42a951f022fdf5b9f7eb747b01","status":"affected","versionType":"git"},{"version":"9efe56738fecd591b5bf366a325440f9b457ebd6","status":"affected","versionType":"git"},{"version":"5c46eb076e0a1b2c1769287cd6942e4594ade1b1","status":"affected","versionType":"git"},{"version":"83e6726210d6c815ce044437106c738eda5ff6f6","status":"affected","versionType":"git"},{"version":"23d154c71721fd0fa6199851078f32e6bd765664","status":"affected","versionType":"git"},{"version":"ca3edc920f5fd7d8ac040caaf109f925c24620a0","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/fuse/file.c"],"versions":[{"version":"2.6.38","status":"affected"},{"version":"0","lessThan":"2.6.38","status":"unaffe
cted","versionType":"semver"},{"version":"5.10.246","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.196","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.158","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.115","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.54","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.17.4","lessThanOrEqual":"6.17.*","status":"unaffected","versionType":"semver"},{"version":"6.18","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.38","versionEndExcluding":"5.10.246"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.38","versionEndExcluding":"5.15.196"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.38","versionEndExcluding":"6.1.158"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.38","versionEndExcluding":"6.6.115"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.38","versionEndExcluding":"6.12.54"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.38","versionEndExcluding":"6.17.4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.38","versionEndExcluding":"6.18"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.32.32"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.33.8"},{
"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.34.10"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.35.12"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.37.3"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/548e1f2bac1d4df91a6138f26bb4ab00323fd948"},{"url":"https://git.kernel.org/stable/c/cfd1aa3e2b71f3327cb373c45a897c9028c62b35"},{"url":"https://git.kernel.org/stable/c/83b375c6efef69b1066ad2d79601221e7892745a"},{"url":"https://git.kernel.org/stable/c/bfd17b6138df0122a95989457d8e18ce0b86165e"},{"url":"https://git.kernel.org/stable/c/b26923512dbe57ae4917bafd31396d22a9d1691a"},{"url":"https://git.kernel.org/stable/c/f19a1390af448d9e193c08e28ea5f727bf3c3049"},{"url":"https://git.kernel.org/stable/c/26e5c67deb2e1f42a951f022fdf5b9f7eb747b01"}],"title":"fuse: fix livelock in synchronous file put from fuseblk workers","x_generator":{"engine":"bippy-1.2.0"}}}}