Vulnerability-Lookup

GHSA-89M4-PMW6-JXQJ

Vulnerability from github – Published: 2026-01-13 18:31 – Updated: 2026-01-13 18:31

Details

In the Linux kernel, the following vulnerability has been resolved:

block: fix race between wbt_enable_default and IO submission

When wbt_enable_default() is moved out of queue freezing in elevator_change(), it can cause the wbt inflight counter to become negative (-1), leading to hung tasks in the writeback path. Tasks get stuck in wbt_wait() because the counter is in an inconsistent state.

The issue occurs because wbt_enable_default() could race with IO submission, allowing the counter to be decremented before proper initialization. This manifests as:

rq_wait[0]: inflight: -1 has_waiters: True

rwb_enabled() checks the state, which can be updated exactly between wbt_wait() (rq_qos_throttle()) and wbt_track()(rq_qos_track()), then the inflight counter will become negative.

And results in hung task warnings like: task:kworker/u24:39 state:D stack:0 pid:14767 Call Trace: rq_qos_wait+0xb4/0x150 wbt_wait+0xa9/0x100 __rq_qos_throttle+0x24/0x40 blk_mq_submit_bio+0x672/0x7b0 ...

Fix this by:

Splitting wbt_enable_default() into:
__wbt_enable_default(): Returns true if wbt_init() should be called
wbt_enable_default(): Wrapper for existing callers (no init)
wbt_init_enable_default(): New function that checks and inits WBT
Using wbt_init_enable_default() in blk_register_queue() to ensure proper initialization during queue registration
Move wbt_init() out of wbt_enable_default() which is only for enabling disabled wbt from bfq and iocost, and wbt_init() isn't needed. Then the original lock warning can be avoided.
Removing the ELEVATOR_FLAG_ENABLE_WBT_ON_EXIT flag and its handling code since it's no longer needed

This ensures WBT is properly initialized before any IO can be submitted, preventing the counter from going negative.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2025-68807"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-13T16:16:02Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: fix race between wbt_enable_default and IO submission\n\nWhen wbt_enable_default() is moved out of queue freezing in elevator_change(),\nit can cause the wbt inflight counter to become negative (-1), leading to hung\ntasks in the writeback path. Tasks get stuck in wbt_wait() because the counter\nis in an inconsistent state.\n\nThe issue occurs because wbt_enable_default() could race with IO submission,\nallowing the counter to be decremented before proper initialization. This manifests\nas:\n\n  rq_wait[0]:\n    inflight:             -1\n    has_waiters:        True\n\nrwb_enabled() checks the state, which can be updated exactly between wbt_wait()\n(rq_qos_throttle()) and wbt_track()(rq_qos_track()), then the inflight counter\nwill become negative.\n\nAnd results in hung task warnings like:\n  task:kworker/u24:39 state:D stack:0 pid:14767\n  Call Trace:\n    rq_qos_wait+0xb4/0x150\n    wbt_wait+0xa9/0x100\n    __rq_qos_throttle+0x24/0x40\n    blk_mq_submit_bio+0x672/0x7b0\n    ...\n\nFix this by:\n\n1. Splitting wbt_enable_default() into:\n   - __wbt_enable_default(): Returns true if wbt_init() should be called\n   - wbt_enable_default(): Wrapper for existing callers (no init)\n   - wbt_init_enable_default(): New function that checks and inits WBT\n\n2. Using wbt_init_enable_default() in blk_register_queue() to ensure\n   proper initialization during queue registration\n\n3. Move wbt_init() out of wbt_enable_default() which is only for enabling\n   disabled wbt from bfq and iocost, and wbt_init() isn\u0027t needed. Then the\n   original lock warning can be avoided.\n\n4. Removing the ELEVATOR_FLAG_ENABLE_WBT_ON_EXIT flag and its handling\n   code since it\u0027s no longer needed\n\nThis ensures WBT is properly initialized before any IO can be submitted,\npreventing the counter from going negative.",
  "id": "GHSA-89m4-pmw6-jxqj",
  "modified": "2026-01-13T18:31:04Z",
  "published": "2026-01-13T18:31:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68807"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9869d3a6fed381f3b98404e26e1afc75d680cbf9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f55201fb3becff6a903fd29f4d1147cc7e91eb0c"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

CVE-2025-68807 (GCVE-0-2025-68807)

Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-01-13 15:29

Title

block: fix race between wbt_enable_default and IO submission

Summary

In the Linux kernel, the following vulnerability has been resolved: block: fix race between wbt_enable_default and IO submission When wbt_enable_default() is moved out of queue freezing in elevator_change(), it can cause the wbt inflight counter to become negative (-1), leading to hung tasks in the writeback path. Tasks get stuck in wbt_wait() because the counter is in an inconsistent state. The issue occurs because wbt_enable_default() could race with IO submission, allowing the counter to be decremented before proper initialization. This manifests as: rq_wait[0]: inflight: -1 has_waiters: True rwb_enabled() checks the state, which can be updated exactly between wbt_wait() (rq_qos_throttle()) and wbt_track()(rq_qos_track()), then the inflight counter will become negative. And results in hung task warnings like: task:kworker/u24:39 state:D stack:0 pid:14767 Call Trace: rq_qos_wait+0xb4/0x150 wbt_wait+0xa9/0x100 __rq_qos_throttle+0x24/0x40 blk_mq_submit_bio+0x672/0x7b0 ... Fix this by: 1. Splitting wbt_enable_default() into: - __wbt_enable_default(): Returns true if wbt_init() should be called - wbt_enable_default(): Wrapper for existing callers (no init) - wbt_init_enable_default(): New function that checks and inits WBT 2. Using wbt_init_enable_default() in blk_register_queue() to ensure proper initialization during queue registration 3. Move wbt_init() out of wbt_enable_default() which is only for enabling disabled wbt from bfq and iocost, and wbt_init() isn't needed. Then the original lock warning can be avoided. 4. Removing the ELEVATOR_FLAG_ENABLE_WBT_ON_EXIT flag and its handling code since it's no longer needed This ensures WBT is properly initialized before any IO can be submitted, preventing the counter from going negative.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/f55201fb3becff6a9…
	https://git.kernel.org/stable/c/9869d3a6fed381f3b…

Impacted products

Vendor

Product

Version

Linux

Affected: 78c271344b6f64ce24c845e54903e09928cf2061 , < f55201fb3becff6a903fd29f4d1147cc7e91eb0c (git)
Affected: 78c271344b6f64ce24c845e54903e09928cf2061 , < 9869d3a6fed381f3b98404e26e1afc75d680cbf9 (git)

Linux

Affected: 6.16
Unaffected: 0 , < 6.16 (semver)
Unaffected: 6.18.3 , ≤ 6.18.* (semver)
Unaffected: 6.19-rc2 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "block/bfq-iosched.c",
            "block/blk-sysfs.c",
            "block/blk-wbt.c",
            "block/blk-wbt.h",
            "block/elevator.c",
            "block/elevator.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f55201fb3becff6a903fd29f4d1147cc7e91eb0c",
              "status": "affected",
              "version": "78c271344b6f64ce24c845e54903e09928cf2061",
              "versionType": "git"
            },
            {
              "lessThan": "9869d3a6fed381f3b98404e26e1afc75d680cbf9",
              "status": "affected",
              "version": "78c271344b6f64ce24c845e54903e09928cf2061",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "block/bfq-iosched.c",
            "block/blk-sysfs.c",
            "block/blk-wbt.c",
            "block/blk-wbt.h",
            "block/elevator.c",
            "block/elevator.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.16"
            },
            {
              "lessThan": "6.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19-rc2",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.3",
                  "versionStartIncluding": "6.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19-rc2",
                  "versionStartIncluding": "6.16",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: fix race between wbt_enable_default and IO submission\n\nWhen wbt_enable_default() is moved out of queue freezing in elevator_change(),\nit can cause the wbt inflight counter to become negative (-1), leading to hung\ntasks in the writeback path. Tasks get stuck in wbt_wait() because the counter\nis in an inconsistent state.\n\nThe issue occurs because wbt_enable_default() could race with IO submission,\nallowing the counter to be decremented before proper initialization. This manifests\nas:\n\n  rq_wait[0]:\n    inflight:             -1\n    has_waiters:        True\n\nrwb_enabled() checks the state, which can be updated exactly between wbt_wait()\n(rq_qos_throttle()) and wbt_track()(rq_qos_track()), then the inflight counter\nwill become negative.\n\nAnd results in hung task warnings like:\n  task:kworker/u24:39 state:D stack:0 pid:14767\n  Call Trace:\n    rq_qos_wait+0xb4/0x150\n    wbt_wait+0xa9/0x100\n    __rq_qos_throttle+0x24/0x40\n    blk_mq_submit_bio+0x672/0x7b0\n    ...\n\nFix this by:\n\n1. Splitting wbt_enable_default() into:\n   - __wbt_enable_default(): Returns true if wbt_init() should be called\n   - wbt_enable_default(): Wrapper for existing callers (no init)\n   - wbt_init_enable_default(): New function that checks and inits WBT\n\n2. Using wbt_init_enable_default() in blk_register_queue() to ensure\n   proper initialization during queue registration\n\n3. Move wbt_init() out of wbt_enable_default() which is only for enabling\n   disabled wbt from bfq and iocost, and wbt_init() isn\u0027t needed. Then the\n   original lock warning can be avoided.\n\n4. Removing the ELEVATOR_FLAG_ENABLE_WBT_ON_EXIT flag and its handling\n   code since it\u0027s no longer needed\n\nThis ensures WBT is properly initialized before any IO can be submitted,\npreventing the counter from going negative."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-13T15:29:14.483Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f55201fb3becff6a903fd29f4d1147cc7e91eb0c"
        },
        {
          "url": "https://git.kernel.org/stable/c/9869d3a6fed381f3b98404e26e1afc75d680cbf9"
        }
      ],
      "title": "block: fix race between wbt_enable_default and IO submission",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68807",
    "datePublished": "2026-01-13T15:29:14.483Z",
    "dateReserved": "2025-12-24T10:30:51.045Z",
    "dateUpdated": "2026-01-13T15:29:14.483Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-89M4-PMW6-JXQJ

CVE-2025-68807 (GCVE-0-2025-68807)

Tags

Sightings

Nomenclature