ghsa-j92p-7382-5wph
Vulnerability from github
Published
2025-11-12 12:30
Modified
2025-11-12 12:30
Details

In the Linux kernel, the following vulnerability has been resolved:

blk-throttle: fix access race during throttle policy activation

On repeated cold boots we occasionally hit a NULL pointer crash in blk_should_throtl() when throttling is consulted before the throttle policy is fully enabled for the queue. Checking only q->td != NULL is insufficient during early initialization, so blkg_to_pd() for the throttle policy can still return NULL and blkg_to_tg() becomes NULL, which later gets dereferenced.

Unable to handle kernel NULL pointer dereference at virtual address 0000000000000156 ... pc : submit_bio_noacct+0x14c/0x4c8 lr : submit_bio_noacct+0x48/0x4c8 sp : ffff800087f0b690 x29: ffff800087f0b690 x28: 0000000000005f90 x27: ffff00068af393c0 x26: 0000000000080000 x25: 000000000002fbc0 x24: ffff000684ddcc70 x23: 0000000000000000 x22: 0000000000000000 x21: 0000000000000000 x20: 0000000000080000 x19: ffff000684ddcd08 x18: ffffffffffffffff x17: 0000000000000000 x16: ffff80008132a550 x15: 0000ffff98020fff x14: 0000000000000000 x13: 1fffe000d11d7021 x12: ffff000688eb810c x11: ffff00077ec4bb80 x10: ffff000688dcb720 x9 : ffff80008068ef60 x8 : 00000a6fb8a86e85 x7 : 000000000000111e x6 : 0000000000000002 x5 : 0000000000000246 x4 : 0000000000015cff x3 : 0000000000394500 x2 : ffff000682e35e40 x1 : 0000000000364940 x0 : 000000000000001a Call trace: submit_bio_noacct+0x14c/0x4c8 verity_map+0x178/0x2c8 __map_bio+0x228/0x250 dm_submit_bio+0x1c4/0x678 __submit_bio+0x170/0x230 submit_bio_noacct_nocheck+0x16c/0x388 submit_bio_noacct+0x16c/0x4c8 submit_bio+0xb4/0x210 f2fs_submit_read_bio+0x4c/0xf0 f2fs_mpage_readpages+0x3b0/0x5f0 f2fs_readahead+0x90/0xe8

Tighten blk_throtl_activated() to also require that the throttle policy bit is set on the queue:

return q->td != NULL && test_bit(blkcg_policy_throtl.plid, q->blkcg_pols);

This prevents blk_should_throtl() from accessing throttle group state until policy data has been attached to blkgs.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-40147"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-12T11:15:44Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-throttle: fix access race during throttle policy activation\n\nOn repeated cold boots we occasionally hit a NULL pointer crash in\nblk_should_throtl() when throttling is consulted before the throttle\npolicy is fully enabled for the queue. Checking only q-\u003etd != NULL is\ninsufficient during early initialization, so blkg_to_pd() for the\nthrottle policy can still return NULL and blkg_to_tg() becomes NULL,\nwhich later gets dereferenced.\n\n Unable to handle kernel NULL pointer dereference\n at virtual address 0000000000000156\n ...\n pc : submit_bio_noacct+0x14c/0x4c8\n lr : submit_bio_noacct+0x48/0x4c8\n sp : ffff800087f0b690\n x29: ffff800087f0b690 x28: 0000000000005f90 x27: ffff00068af393c0\n x26: 0000000000080000 x25: 000000000002fbc0 x24: ffff000684ddcc70\n x23: 0000000000000000 x22: 0000000000000000 x21: 0000000000000000\n x20: 0000000000080000 x19: ffff000684ddcd08 x18: ffffffffffffffff\n x17: 0000000000000000 x16: ffff80008132a550 x15: 0000ffff98020fff\n x14: 0000000000000000 x13: 1fffe000d11d7021 x12: ffff000688eb810c\n x11: ffff00077ec4bb80 x10: ffff000688dcb720 x9 : ffff80008068ef60\n x8 : 00000a6fb8a86e85 x7 : 000000000000111e x6 : 0000000000000002\n x5 : 0000000000000246 x4 : 0000000000015cff x3 : 0000000000394500\n x2 : ffff000682e35e40 x1 : 0000000000364940 x0 : 000000000000001a\n Call trace:\n  submit_bio_noacct+0x14c/0x4c8\n  verity_map+0x178/0x2c8\n  __map_bio+0x228/0x250\n  dm_submit_bio+0x1c4/0x678\n  __submit_bio+0x170/0x230\n  submit_bio_noacct_nocheck+0x16c/0x388\n  submit_bio_noacct+0x16c/0x4c8\n  submit_bio+0xb4/0x210\n  f2fs_submit_read_bio+0x4c/0xf0\n  f2fs_mpage_readpages+0x3b0/0x5f0\n  f2fs_readahead+0x90/0xe8\n\nTighten blk_throtl_activated() to also require that the throttle policy\nbit is set on the queue:\n\n  return q-\u003etd != NULL \u0026\u0026\n         test_bit(blkcg_policy_throtl.plid, q-\u003eblkcg_pols);\n\nThis prevents blk_should_throtl() from accessing throttle group state\nuntil policy data has been attached to blkgs.",
  "id": "GHSA-j92p-7382-5wph",
  "modified": "2025-11-12T12:30:27Z",
  "published": "2025-11-12T12:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40147"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6a0c394300a7b0c05504596685de8a46707171fc"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bd9fd5be6bc0836820500f68fff144609fbd85a9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.