CVE-2025-68807
Description
In the Linux kernel, the following vulnerability has been resolved:
block: fix race between wbt_enable_default and IO submission
When wbt_enable_default() is moved out of queue freezing in elevator_change(), it can cause the wbt inflight counter to become negative (-1), leading to hung tasks in the writeback path. Tasks get stuck in wbt_wait() because the counter is in an inconsistent state.
The issue occurs because wbt_enable_default() could race with IO submission, allowing the counter to be decremented before proper initialization. This manifests as:
rq_wait[0]: inflight: -1 has_waiters: True
rwb_enabled() checks the state, which can be updated exactly between wbt_wait() (rq_qos_throttle()) and wbt_track()(rq_qos_track()), then the inflight counter will become negative.
And results in hung task warnings like: task:kworker/u24:39 state:D stack:0 pid:14767 Call Trace: rq_qos_wait+0xb4/0x150 wbt_wait+0xa9/0x100 __rq_qos_throttle+0x24/0x40 blk_mq_submit_bio+0x672/0x7b0 ...
Fix this by:
1. Splitting wbt_enable_default() into: - __wbt_enable_default(): Returns true if wbt_init() should be called - wbt_enable_default(): Wrapper for existing callers (no init) - wbt_init_enable_default(): New function that checks and inits WBT
2. Using wbt_init_enable_default() in blk_register_queue() to ensure proper initialization during queue registration
3. Move wbt_init() out of wbt_enable_default() which is only for enabling disabled wbt from bfq and iocost, and wbt_init() isn't needed. Then the original lock warning can be avoided.
4. Removing the ELEVATOR_FLAG_ENABLE_WBT_ON_EXIT flag and its handling code since it's no longer needed
This ensures WBT is properly initialized before any IO can be submitted, preventing the counter from going negative.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A race condition in Linux kernel's wbt_enable_default() causes negative inflight counter, leading to hung tasks during IO submission.
Vulnerability
The vulnerability is a race condition in the Linux kernel's block layer, specifically in the writeback throttle (wbt) initialization. When wbt_enable_default() is called without proper queue freezing, it can race with concurrent IO submission, causing the inflight counter in rq_wait to become negative (-1). This occurs because rwb_enabled() state may be updated between wbt_wait() and wbt_track(), leading to an inconsistent counter value [1].
Exploitation
Exploitation requires local access to the system, as the race involves concurrent IO submission and queue registration. An attacker must be able to trigger IO operations while the block device's queue is being registered or reinitialized. No special privileges beyond normal user access to perform IO are needed; the race window is triggered by normal system operations.
Impact
A successful exploit results in a denial of service (DoS). The negative inflight counter causes tasks in the writeback path to hang indefinitely in wbt_wait() due to has_waiters set to true, leading to hung task warnings and potentially system unresponsiveness. The system may need a reboot to recover.
Mitigation
The fix was applied in the Linux kernel stable tree via commit f55201fb3becff6a903fd29f4d1147cc7e91eb0c. The patch splits wbt_enable_default() into multiple functions to ensure proper initialization before IO can be submitted, and removes the ELEVATOR_FLAG_ENABLE_WBT_ON_EXIT flag. Users should apply the latest kernel updates to mitigate this vulnerability [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
2News mentions
0No linked articles in our index yet.