VYPR
Unrated severity · NVD Advisory · Published Jan 13, 2026 · Updated Apr 15, 2026

CVE-2025-68821


Description

In the Linux kernel, the following vulnerability has been resolved:

fuse: fix readahead reclaim deadlock

Commit e26ee4efbc79 ("fuse: allocate ff->release_args only if release is needed") skips allocating ff->release_args if the server does not implement open. However in doing so, fuse_prepare_release() now skips grabbing the reference on the inode, which makes it possible for an inode to be evicted from the dcache while there are inflight readahead requests. This causes a deadlock if the server triggers reclaim while servicing the readahead request and reclaim attempts to evict the inode of the file being read ahead. Since the folio is locked during readahead, when reclaim evicts the fuse inode and fuse_evict_inode() attempts to remove all folios associated with the inode from the page cache (truncate_inode_pages_range()), reclaim will block forever waiting for the lock since readahead cannot relinquish the lock because it is itself blocked in reclaim:

    >>> stack_trace(1504735)
    folio_wait_bit_common (mm/filemap.c:1308:4)
    folio_lock (./include/linux/pagemap.h:1052:3)
    truncate_inode_pages_range (mm/truncate.c:336:10)
    fuse_evict_inode (fs/fuse/inode.c:161:2)
    evict (fs/inode.c:704:3)
    dentry_unlink_inode (fs/dcache.c:412:3)
    __dentry_kill (fs/dcache.c:615:3)
    shrink_kill (fs/dcache.c:1060:12)
    shrink_dentry_list (fs/dcache.c:1087:3)
    prune_dcache_sb (fs/dcache.c:1168:2)
    super_cache_scan (fs/super.c:221:10)
    do_shrink_slab (mm/shrinker.c:435:9)
    shrink_slab (mm/shrinker.c:626:10)
    shrink_node (mm/vmscan.c:5951:2)
    shrink_zones (mm/vmscan.c:6195:3)
    do_try_to_free_pages (mm/vmscan.c:6257:3)
    do_swap_page (mm/memory.c:4136:11)
    handle_pte_fault (mm/memory.c:5562:10)
    handle_mm_fault (mm/memory.c:5870:9)
    do_user_addr_fault (arch/x86/mm/fault.c:1338:10)
    handle_page_fault (arch/x86/mm/fault.c:1481:3)
    exc_page_fault (arch/x86/mm/fault.c:1539:2)
    asm_exc_page_fault+0x22/0x27

Fix this deadlock by allocating ff->release_args and grabbing the reference on the inode when preparing the file for release even if the server does not implement open. The inode reference will be dropped when the last reference on the fuse file is dropped (see fuse_file_put() -> fuse_release_end()).
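A triage helper built on the stack trace above, added here as an example and not part of the advisory or the kernel patch: it parses drgn-style or kernel-log-style stack dumps and flags tasks whose frames have the same blocked-in-reclaim shape. The function names, the choice of signature frames and the second sample trace are assumptions of this example.

```python
import re

# Innermost-first frames that characterise the blocked task in the advisory:
# reclaim (shrink_slab) evicts a FUSE inode and sleeps on a locked folio.
SIGNATURE = ("folio_wait_bit_common", "truncate_inode_pages_range",
             "fuse_evict_inode", "shrink_slab")

# "func (file.c:12:3)" as printed by drgn, or "func+0x22/0x27" as in kernel logs.
FRAME_RE = re.compile(r"[A-Za-z_][\w.]*(?=\s+\(|\+0x)")

def parse_frames(trace):
    """Return the function names of a stack dump, in the order printed."""
    return FRAME_RE.findall(trace)

def matches_signature(trace, signature=SIGNATURE):
    """True if the signature frames occur in order; other frames may intervene."""
    # Heuristic: a match means the task has the same shape as the advisory's
    # trace. It does not prove that the running kernel lacks the fix.
    frames = iter(parse_frames(trace))
    return all(any(f == want for f in frames) for want in signature)

def suspect_tasks(dumps):
    """Given {pid: stack dump text}, return the PIDs whose stack matches."""
    return sorted(pid for pid, text in dumps.items() if matches_signature(text))

# Frames copied from the advisory's trace (some intermediate frames omitted).
ADVISORY_TRACE = """\
folio_wait_bit_common (mm/filemap.c:1308:4)
folio_lock (./include/linux/pagemap.h:1052:3)
truncate_inode_pages_range (mm/truncate.c:336:10)
fuse_evict_inode (fs/fuse/inode.c:161:2)
evict (fs/inode.c:704:3)
do_shrink_slab (mm/shrinker.c:435:9)
shrink_slab (mm/shrinker.c:626:10)
asm_exc_page_fault+0x22/0x27
"""

# Constructed sample: a FUSE inode evicted at unmount, not from reclaim and
# not waiting on a folio lock. The offsets and PID 4242 below are made up.
UNMOUNT_TRACE = """\
truncate_inode_pages_range+0x1a0/0x4c0
fuse_evict_inode+0x2b/0x110
evict+0xd1/0x190
generic_shutdown_super+0x3f/0x100
"""

if __name__ == "__main__":
    print(suspect_tasks({1504735: ADVISORY_TRACE, 4242: UNMOUNT_TRACE}))
```

Feed it one dump per task from a hung system; a task that matches is stuck in reclaim on a FUSE inode eviction, which is the signal to check whether the kernel carries this fix.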

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A deadlock in the Linux kernel's FUSE filesystem occurs when readahead reclaim triggers inode eviction while a folio is locked, fixed by ensuring release_args allocation and inode reference.

Vulnerability Description

CVE-2025-68821 is a deadlock vulnerability in the Linux kernel's FUSE (Filesystem in Userspace) filesystem. The root cause is a change in commit e26ee4efbc79 that skips allocating ff->release_args when the FUSE server does not implement the open operation. As a side effect of this optimization, fuse_prepare_release() no longer grabs a reference on the inode, allowing the inode to be evicted from the dcache while readahead requests are still in flight [1][2][3].

Exploitation Scenario

The deadlock is triggered while readahead requests are being processed. During readahead, a folio is locked. If the FUSE server triggers memory reclaim while servicing the readahead request, reclaim may attempt to evict the inode of the file being read ahead. The eviction process calls fuse_evict_inode(), which tries to remove all folios associated with the inode from the page cache via truncate_inode_pages_range(). This operation blocks waiting for the locked folio, while the readahead thread itself is blocked in reclaim, creating a classic deadlock [1][2][3].

Impact

An attacker who can trigger memory reclaim on a system using FUSE (e.g., by exhausting memory or via a local user with sufficient privileges) can cause a system hang or denial of service. The deadlock prevents progress on the affected CPU, potentially leading to a system-wide lockup or unresponsive system. No privilege escalation is involved; the impact is purely availability [1][2][3].

Mitigation

The fix ensures that ff->release_args is allocated and an inode reference is grabbed during fuse_prepare_release() even when the server does not implement open. This prevents premature inode eviction during readahead. The patch has been applied to the stable kernel trees [1][2][3]. Users should update to a kernel version containing the fix.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
