CVE-2025-40125 (GCVE-0-2025-40125)

Vulnerability from cvelistv5 – Published: 2025-11-12 10:23 – Updated: 2026-05-11 21:43
VLAI
Title
blk-mq: check kobject state_in_sysfs before deleting in blk_mq_unregister_hctx
Summary
In the Linux kernel, the following vulnerability has been resolved: blk-mq: check kobject state_in_sysfs before deleting in blk_mq_unregister_hctx In __blk_mq_update_nr_hw_queues() the return value of blk_mq_sysfs_register_hctxs() is not checked. If sysfs creation for hctx fails, later changing the number of hw_queues or removing disk will trigger the following warning: kernfs: can not remove 'nr_tags', no directory WARNING: CPU: 2 PID: 637 at fs/kernfs/dir.c:1707 kernfs_remove_by_name_ns+0x13f/0x160 Call Trace: remove_files.isra.1+0x38/0xb0 sysfs_remove_group+0x4d/0x100 sysfs_remove_groups+0x31/0x60 __kobject_del+0x23/0xf0 kobject_del+0x17/0x40 blk_mq_unregister_hctx+0x5d/0x80 blk_mq_sysfs_unregister_hctxs+0x94/0xd0 blk_mq_update_nr_hw_queues+0x124/0x760 nullb_update_nr_hw_queues+0x71/0xf0 [null_blk] nullb_device_submit_queues_store+0x92/0x120 [null_blk] kobjct_del() was called unconditionally even if sysfs creation failed. Fix it by checkig the kobject creation statusbefore deleting it.
Severity
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 477e19dedc9d3e1f4443a1d4ae00572a988120ea , < a8c53553f1833cc2d14175d2d72cf37193a01898 (git)
Affected: 477e19dedc9d3e1f4443a1d4ae00572a988120ea , < cc14ea21c4e658814d737ed4dedde6cd626a15ad (git)
Affected: 477e19dedc9d3e1f4443a1d4ae00572a988120ea , < 4b97e99b87a773d52699521d40864f3ec888e9a6 (git)
Affected: 477e19dedc9d3e1f4443a1d4ae00572a988120ea , < 6e7dadc5763c48eb3b9b91265a21f312599ebb2c (git)
Affected: 477e19dedc9d3e1f4443a1d4ae00572a988120ea , < 06c4826b1d900611096e4621e93133db57e13911 (git)
Affected: 477e19dedc9d3e1f4443a1d4ae00572a988120ea , < babc634e9fe2803962dba98a07587e835dbc0731 (git)
Affected: 477e19dedc9d3e1f4443a1d4ae00572a988120ea , < d5ddd76ee52bdc16e9f8b1e7791291e785dab032 (git)
Affected: 477e19dedc9d3e1f4443a1d4ae00572a988120ea , < 4c7ef92f6d4d08a27d676e4c348f4e2922cab3ed (git)
Create a notification for this product.
Linux Linux Affected: 4.20
Unaffected: 0 , < 4.20 (semver)
Unaffected: 5.4.301 , ≤ 5.4.* (semver)
Unaffected: 5.10.246 , ≤ 5.10.* (semver)
Unaffected: 5.15.195 , ≤ 5.15.* (semver)
Unaffected: 6.1.156 , ≤ 6.1.* (semver)
Unaffected: 6.6.112 , ≤ 6.6.* (semver)
Unaffected: 6.12.53 , ≤ 6.12.* (semver)
Unaffected: 6.17.3 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "block/blk-mq-sysfs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a8c53553f1833cc2d14175d2d72cf37193a01898",
              "status": "affected",
              "version": "477e19dedc9d3e1f4443a1d4ae00572a988120ea",
              "versionType": "git"
            },
            {
              "lessThan": "cc14ea21c4e658814d737ed4dedde6cd626a15ad",
              "status": "affected",
              "version": "477e19dedc9d3e1f4443a1d4ae00572a988120ea",
              "versionType": "git"
            },
            {
              "lessThan": "4b97e99b87a773d52699521d40864f3ec888e9a6",
              "status": "affected",
              "version": "477e19dedc9d3e1f4443a1d4ae00572a988120ea",
              "versionType": "git"
            },
            {
              "lessThan": "6e7dadc5763c48eb3b9b91265a21f312599ebb2c",
              "status": "affected",
              "version": "477e19dedc9d3e1f4443a1d4ae00572a988120ea",
              "versionType": "git"
            },
            {
              "lessThan": "06c4826b1d900611096e4621e93133db57e13911",
              "status": "affected",
              "version": "477e19dedc9d3e1f4443a1d4ae00572a988120ea",
              "versionType": "git"
            },
            {
              "lessThan": "babc634e9fe2803962dba98a07587e835dbc0731",
              "status": "affected",
              "version": "477e19dedc9d3e1f4443a1d4ae00572a988120ea",
              "versionType": "git"
            },
            {
              "lessThan": "d5ddd76ee52bdc16e9f8b1e7791291e785dab032",
              "status": "affected",
              "version": "477e19dedc9d3e1f4443a1d4ae00572a988120ea",
              "versionType": "git"
            },
            {
              "lessThan": "4c7ef92f6d4d08a27d676e4c348f4e2922cab3ed",
              "status": "affected",
              "version": "477e19dedc9d3e1f4443a1d4ae00572a988120ea",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "block/blk-mq-sysfs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.20"
            },
            {
              "lessThan": "4.20",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.301",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.246",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.195",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.156",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.112",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.53",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.301",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.246",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.195",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.156",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.112",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.53",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.3",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-mq: check kobject state_in_sysfs before deleting in blk_mq_unregister_hctx\n\nIn __blk_mq_update_nr_hw_queues() the return value of\nblk_mq_sysfs_register_hctxs() is not checked. If sysfs creation for hctx\nfails, later changing the number of hw_queues or removing disk will\ntrigger the following warning:\n\n  kernfs: can not remove \u0027nr_tags\u0027, no directory\n  WARNING: CPU: 2 PID: 637 at fs/kernfs/dir.c:1707 kernfs_remove_by_name_ns+0x13f/0x160\n  Call Trace:\n   remove_files.isra.1+0x38/0xb0\n   sysfs_remove_group+0x4d/0x100\n   sysfs_remove_groups+0x31/0x60\n   __kobject_del+0x23/0xf0\n   kobject_del+0x17/0x40\n   blk_mq_unregister_hctx+0x5d/0x80\n   blk_mq_sysfs_unregister_hctxs+0x94/0xd0\n   blk_mq_update_nr_hw_queues+0x124/0x760\n   nullb_update_nr_hw_queues+0x71/0xf0 [null_blk]\n   nullb_device_submit_queues_store+0x92/0x120 [null_blk]\n\nkobjct_del() was called unconditionally even if sysfs creation failed.\nFix it by checkig the kobject creation statusbefore deleting it."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:43:15.313Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a8c53553f1833cc2d14175d2d72cf37193a01898"
        },
        {
          "url": "https://git.kernel.org/stable/c/cc14ea21c4e658814d737ed4dedde6cd626a15ad"
        },
        {
          "url": "https://git.kernel.org/stable/c/4b97e99b87a773d52699521d40864f3ec888e9a6"
        },
        {
          "url": "https://git.kernel.org/stable/c/6e7dadc5763c48eb3b9b91265a21f312599ebb2c"
        },
        {
          "url": "https://git.kernel.org/stable/c/06c4826b1d900611096e4621e93133db57e13911"
        },
        {
          "url": "https://git.kernel.org/stable/c/babc634e9fe2803962dba98a07587e835dbc0731"
        },
        {
          "url": "https://git.kernel.org/stable/c/d5ddd76ee52bdc16e9f8b1e7791291e785dab032"
        },
        {
          "url": "https://git.kernel.org/stable/c/4c7ef92f6d4d08a27d676e4c348f4e2922cab3ed"
        }
      ],
      "title": "blk-mq: check kobject state_in_sysfs before deleting in blk_mq_unregister_hctx",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40125",
    "datePublished": "2025-11-12T10:23:20.180Z",
    "dateReserved": "2025-04-16T07:20:57.169Z",
    "dateUpdated": "2026-05-11T21:43:15.313Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2025-40125",
      "date": "2026-06-18",
      "epss": "0.00184",
      "percentile": "0.08065"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-40125\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-11-12T11:15:42.043\",\"lastModified\":\"2025-11-12T16:19:12.850\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nblk-mq: check kobject state_in_sysfs before deleting in blk_mq_unregister_hctx\\n\\nIn __blk_mq_update_nr_hw_queues() the return value of\\nblk_mq_sysfs_register_hctxs() is not checked. If sysfs creation for hctx\\nfails, later changing the number of hw_queues or removing disk will\\ntrigger the following warning:\\n\\n  kernfs: can not remove \u0027nr_tags\u0027, no directory\\n  WARNING: CPU: 2 PID: 637 at fs/kernfs/dir.c:1707 kernfs_remove_by_name_ns+0x13f/0x160\\n  Call Trace:\\n   remove_files.isra.1+0x38/0xb0\\n   sysfs_remove_group+0x4d/0x100\\n   sysfs_remove_groups+0x31/0x60\\n   __kobject_del+0x23/0xf0\\n   kobject_del+0x17/0x40\\n   blk_mq_unregister_hctx+0x5d/0x80\\n   blk_mq_sysfs_unregister_hctxs+0x94/0xd0\\n   blk_mq_update_nr_hw_queues+0x124/0x760\\n   nullb_update_nr_hw_queues+0x71/0xf0 [null_blk]\\n   nullb_device_submit_queues_store+0x92/0x120 [null_blk]\\n\\nkobjct_del() was called unconditionally even if sysfs creation failed.\\nFix it by checkig the kobject creation statusbefore deleting it.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/06c4826b1d900611096e4621e93133db57e13911\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/4b97e99b87a773d52699521d40864f3ec888e9a6\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/4c7ef92f6d4d08a27d676e4c348f4e2922cab3ed\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/6e7dadc5763c48eb3b9b91265a21f312599ebb2c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a8c53553f1833cc2d14175d2d72cf37193a01898\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/babc634e9fe2803962dba98a07587e835dbc0731\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/cc14ea21c4e658814d737ed4dedde6cd626a15ad\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d5ddd76ee52bdc16e9f8b1e7791291e785dab032\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.