CVE-2025-40220
Description
In the Linux kernel, the following vulnerability has been resolved:
fuse: fix livelock in synchronous file put from fuseblk workers
I observed a hang when running generic/323 against a fuseblk server. This test opens a file, initiates a lot of AIO writes to that file descriptor, and closes the file descriptor before the writes complete. Unsurprisingly, the AIO exerciser threads are mostly stuck waiting for responses from the fuseblk server:
# cat /proc/372265/task/372313/stack [<0>] request_wait_answer+0x1fe/0x2a0 [fuse] [<0>] __fuse_simple_request+0xd3/0x2b0 [fuse] [<0>] fuse_do_getattr+0xfc/0x1f0 [fuse] [<0>] fuse_file_read_iter+0xbe/0x1c0 [fuse] [<0>] aio_read+0x130/0x1e0 [<0>] io_submit_one+0x542/0x860 [<0>] __x64_sys_io_submit+0x98/0x1a0 [<0>] do_syscall_64+0x37/0xf0 [<0>] entry_SYSCALL_64_after_hwframe+0x4b/0x53
But the /weird/ part is that the fuseblk server threads are waiting for responses from itself:
# cat /proc/372210/task/372232/stack [<0>] request_wait_answer+0x1fe/0x2a0 [fuse] [<0>] __fuse_simple_request+0xd3/0x2b0 [fuse] [<0>] fuse_file_put+0x9a/0xd0 [fuse] [<0>] fuse_release+0x36/0x50 [fuse] [<0>] __fput+0xec/0x2b0 [<0>] task_work_run+0x55/0x90 [<0>] syscall_exit_to_user_mode+0xe9/0x100 [<0>] do_syscall_64+0x43/0xf0 [<0>] entry_SYSCALL_64_after_hwframe+0x4b/0x53
The fuseblk server is fuse2fs so there's nothing all that exciting in the server itself. So why is the fuse server calling fuse_file_put? The commit message for the fstest sheds some light on that:
"By closing the file descriptor before calling io_destroy, you pretty much guarantee that the last put on the ioctx will be done in interrupt context (during I/O completion).
Aha. AIO fgets a new struct file from the fd when it queues the ioctx. The completion of the FUSE_WRITE command from userspace causes the fuse server to call the AIO completion function. The completion puts the struct file, queuing a delayed fput to the fuse server task. When the fuse server task returns to userspace, it has to run the delayed fput, which in the case of a fuseblk server, it does synchronously.
Sending the FUSE_RELEASE command sychronously from fuse server threads is a bad idea because a client program can initiate enough simultaneous AIOs such that all the fuse server threads end up in delayed_fput, and now there aren't any threads left to handle the queued fuse commands.
Fix this by only using asynchronous fputs when closing files, and leave a comment explaining why.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A livelock in the Linux kernel's FUSE filesystem causes fuseblk server threads to deadlock when handling synchronous file puts during AIO completion.
Description
CVE-2025-40220 describes a livelock vulnerability in the Linux kernel's FUSE (Filesystem in Userspace) implementation, specifically affecting the fuseblk block-based backend. The issue occurs when a file descriptor is closed before outstanding asynchronous I/O (AIO) operations complete, triggering a synchronous file put (fuse_file_put) from within the FUSE server's own worker threads. This leads to a deadlock where the server waits for a response from itself, as observed in the kernel stack traces [1].
Exploitation
The vulnerability is triggered by a specific sequence: a process opens a file on a fuseblk mount, initiates multiple AIO writes, and then closes the file descriptor before the writes finish. The AIO completion routine, executed by the FUSE server, puts the last reference to the file structure, which queues a delayed fput to the server's task. When the server returns to userspace, it processes the delayed fput, which calls fuse_release and then fuse_file_put on the fuse connection's file, ultimately causing the server to send a FUSE request to itself and wait for a reply that never comes [1].
Impact
An attacker with the ability to mount a fuseblk filesystem and trigger this race condition can cause a denial of service (DoS) by hanging the FUSE server threads. The server becomes unresponsive, preventing any further I/O operations on the mount point. This can lead to system instability or service disruption, particularly in environments relying on FUSE-based filesystems like fuse2fs [1].
Mitigation
The fix has been applied to the Linux kernel stable branches. The commit 83b375c6efef addresses the issue by ensuring that synchronous file puts from fuseblk workers do not cause a livelock [1]. Users should update their kernels to include this patch or any subsequent stable release that incorporates it. No workaround is available other than avoiding the specific usage pattern that triggers the bug.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
7548e1f2bac1dcfd1aa3e2b7183b375c6efefbfd17b6138dfb26923512dbef19a1390af4426e5c67deb2eVulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
7- git.kernel.org/stable/c/26e5c67deb2e1f42a951f022fdf5b9f7eb747b01nvd
- git.kernel.org/stable/c/548e1f2bac1d4df91a6138f26bb4ab00323fd948nvd
- git.kernel.org/stable/c/83b375c6efef69b1066ad2d79601221e7892745anvd
- git.kernel.org/stable/c/b26923512dbe57ae4917bafd31396d22a9d1691anvd
- git.kernel.org/stable/c/bfd17b6138df0122a95989457d8e18ce0b86165envd
- git.kernel.org/stable/c/cfd1aa3e2b71f3327cb373c45a897c9028c62b35nvd
- git.kernel.org/stable/c/f19a1390af448d9e193c08e28ea5f727bf3c3049nvd
News mentions
0No linked articles in our index yet.