CVE-2025-68821

Commit e26ee4efbc79 ("fuse: allocate ff->releaseargs only if release is needed") skips allocating ff->releaseargs if the server does not implement open. However in doing so, fusepreparerelease() now skips grabbing the reference on the inode, which makes it possible for an inode to be evicted from the dcache while there are inflight readahead requests. This causes a deadlock if the server triggers reclaim while servicing the readahead request and reclaim attempts to evict the inode of the file being read ahead. Since the folio is locked during readahead, when reclaim evicts the fuse inode and fuseevictinode() attempts to remove all folios associated with the inode from the page cache (truncateinodepages_range()), reclaim will block forever waiting for the lock since readahead cannot relinquish the lock because it is itself blocked in reclaim:

stacktrace(1504735) foliowaitbitcommon (mm/filemap.c:1308:4) foliolock (./include/linux/pagemap.h:1052:3) truncateinodepagesrange (mm/truncate.c:336:10) fuseevictinode (fs/fuse/inode.c:161:2) evict (fs/inode.c:704:3) dentryunlinkinode (fs/dcache.c:412:3) _dentrykill (fs/dcache.c:615:3) shrinkkill (fs/dcache.c:1060:12) shrinkdentrylist (fs/dcache.c:1087:3) prunedcachesb (fs/dcache.c:1168:2) supercachescan (fs/super.c:221:10) doshrinkslab (mm/shrinker.c:435:9) shrinkslab (mm/shrinker.c:626:10) shrinknode (mm/vmscan.c:5951:2) shrinkzones (mm/vmscan.c:6195:3) dotrytofreepages (mm/vmscan.c:6257:3) doswappage (mm/memory.c:4136:11) handleptefault (mm/memory.c:5562:10) handlemmfault (mm/memory.c:5870:9) douseraddrfault (arch/x86/mm/fault.c:1338:10) handlepagefault (arch/x86/mm/fault.c:1481:3) excpagefault (arch/x86/mm/fault.c:1539:2) asmexcpagefault+0x22/0x27

Fix this deadlock by allocating ff->releaseargs and grabbing the reference on the inode when preparing the file for release even if the server does not implement open. The inode reference will be dropped when the last reference on the fuse file is dropped (see fusefileput() -> fuserelease_end()).

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68821.json",
    "cna_assigner": "Linux"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

a39f70d63f4373a598820d9491719e44cd60afe9

Fixed

cbbf3f1bb9f834bb2acbb61ddca74363456e19cd

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

7d38aa079ed859b73f4460aab89c7619b04963b8

Fixed

4703bc0e8cd3409acb1476a70cb5b7ff943cf39a

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

c7ec75f3cbf73bd46f479f7d6942585f765715da

Fixed

cf74785c00b8b1c0c4a9dd74bfa9c22d62e2d99f

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

e26ee4efbc79610b20e7abe9d96c87f33dacc1ff

Fixed

fbba8b00bbe4e4f958a2b0654cc1219a7e6597f6

Fixed

e0d6de83a4cc22bbac72713f3a58121af36cc411

Fixed

bd5603eaae0aabf527bfb3ce1bb07e979ce5bd50

Affected versions

v5.*

v5.15.196

v5.15.197

v6.*

v6.1.158

v6.1.159

v6.10

v6.10-rc1

v6.10-rc2

v6.10-rc3

v6.10-rc4

v6.10-rc5

v6.10-rc6

v6.10-rc7

v6.11

v6.11-rc1

v6.11-rc2

v6.11-rc3

v6.11-rc4

v6.11-rc5

v6.11-rc6

v6.11-rc7

v6.12

v6.12-rc1

v6.12-rc2

v6.12-rc3

v6.12-rc4

v6.12-rc5

v6.12-rc6

v6.12-rc7

v6.12.1

v6.12.10

v6.12.11

v6.12.12

v6.12.13

v6.12.14

v6.12.15

v6.12.16

v6.12.17

v6.12.18

v6.12.19

v6.12.2

v6.12.20

v6.12.21

v6.12.22

v6.12.23

v6.12.24

v6.12.25

v6.12.26

v6.12.27

v6.12.28

v6.12.29

v6.12.3

v6.12.30

v6.12.31

v6.12.32

v6.12.33

v6.12.34

v6.12.35

v6.12.36

v6.12.37

v6.12.38

v6.12.39

v6.12.4

v6.12.40

v6.12.41

v6.12.42

v6.12.43

v6.12.44

v6.12.45

v6.12.46

v6.12.47

v6.12.48

v6.12.49

v6.12.5

v6.12.50

v6.12.51

v6.12.52

v6.12.53

v6.12.54

v6.12.55

v6.12.56

v6.12.57

v6.12.58

v6.12.59

v6.12.6

v6.12.60

v6.12.61

v6.12.62

v6.12.63

v6.12.7

v6.12.8

v6.12.9

v6.13

v6.13-rc1

v6.13-rc2

v6.13-rc3

v6.13-rc4

v6.13-rc5

v6.13-rc6

v6.13-rc7

v6.14

v6.14-rc1

v6.14-rc2

v6.14-rc3

v6.14-rc4

v6.14-rc5

v6.14-rc6

v6.14-rc7

v6.15

v6.15-rc1

v6.15-rc2

v6.15-rc3

v6.15-rc4

v6.15-rc5

v6.15-rc6

v6.15-rc7

v6.16

v6.16-rc1

v6.16-rc2

v6.16-rc3

v6.16-rc4

v6.16-rc5

v6.16-rc6

v6.16-rc7

v6.17

v6.17-rc1

v6.17-rc2

v6.17-rc3

v6.17-rc4

v6.17-rc5

v6.17-rc6

v6.17-rc7

v6.18

v6.18-rc1

v6.18-rc2

v6.18-rc3

v6.18-rc4

v6.18-rc5

v6.18-rc6

v6.18-rc7

v6.18.1

v6.18.2

v6.6.115

v6.6.116

v6.6.117

v6.6.118

v6.6.119

v6.8

v6.8-rc6

v6.8-rc7

v6.9

v6.9-rc1

v6.9-rc2

v6.9-rc3

v6.9-rc4

v6.9-rc5

v6.9-rc6

v6.9-rc7

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-68821.json"

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.15.198

Type: ECOSYSTEM
Events: Introduced

5.16.0

Fixed

6.1.160

Type: ECOSYSTEM
Events: Introduced

6.2.0

Fixed

6.6.120

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.12.64

Type: ECOSYSTEM
Events: Introduced

6.9.0

Fixed

6.18.3

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-68821.json"