{"id":"CVE-2025-40147","summary":"blk-throttle: fix access race during throttle policy activation","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nblk-throttle: fix access race during throttle policy activation\n\nOn repeated cold boots we occasionally hit a NULL pointer crash in\nblk_should_throtl() when throttling is consulted before the throttle\npolicy is fully enabled for the queue. Checking only q-\u003etd != NULL is\ninsufficient during early initialization, so blkg_to_pd() for the\nthrottle policy can still return NULL and blkg_to_tg() becomes NULL,\nwhich later gets dereferenced.\n\n Unable to handle kernel NULL pointer dereference\n at virtual address 0000000000000156\n ...\n pc : submit_bio_noacct+0x14c/0x4c8\n lr : submit_bio_noacct+0x48/0x4c8\n sp : ffff800087f0b690\n x29: ffff800087f0b690 x28: 0000000000005f90 x27: ffff00068af393c0\n x26: 0000000000080000 x25: 000000000002fbc0 x24: ffff000684ddcc70\n x23: 0000000000000000 x22: 0000000000000000 x21: 0000000000000000\n x20: 0000000000080000 x19: ffff000684ddcd08 x18: ffffffffffffffff\n x17: 0000000000000000 x16: ffff80008132a550 x15: 0000ffff98020fff\n x14: 0000000000000000 x13: 1fffe000d11d7021 x12: ffff000688eb810c\n x11: ffff00077ec4bb80 x10: ffff000688dcb720 x9 : ffff80008068ef60\n x8 : 00000a6fb8a86e85 x7 : 000000000000111e x6 : 0000000000000002\n x5 : 0000000000000246 x4 : 0000000000015cff x3 : 0000000000394500\n x2 : ffff000682e35e40 x1 : 0000000000364940 x0 : 000000000000001a\n Call trace:\n  submit_bio_noacct+0x14c/0x4c8\n  verity_map+0x178/0x2c8\n  __map_bio+0x228/0x250\n  dm_submit_bio+0x1c4/0x678\n  __submit_bio+0x170/0x230\n  submit_bio_noacct_nocheck+0x16c/0x388\n  submit_bio_noacct+0x16c/0x4c8\n  submit_bio+0xb4/0x210\n  f2fs_submit_read_bio+0x4c/0xf0\n  f2fs_mpage_readpages+0x3b0/0x5f0\n  f2fs_readahead+0x90/0xe8\n\nTighten blk_throtl_activated() to also require that the throttle policy\nbit is set on the queue:\n\n  return q-\u003etd != NULL &&\n         test_bit(blkcg_policy_throtl.plid, q-\u003eblkcg_pols);\n\nThis prevents blk_should_throtl() from accessing throttle group state\nuntil policy data has been attached to blkgs.","modified":"2026-03-26T04:18:22.183004Z","published":"2025-11-12T10:23:26.556Z","related":["SUSE-SU-2026:20555-1","SUSE-SU-2026:20599-1","SUSE-SU-2026:20615-1","openSUSE-SU-2026:20287-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40147.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/6a0c394300a7b0c05504596685de8a46707171fc"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7b4bfd02c934dbbb18814ed012ecb90b58db6935"},{"type":"WEB","url":"https://git.kernel.org/stable/c/bd9fd5be6bc0836820500f68fff144609fbd85a9"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40147.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-40147"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"a3166c51702bb00b8f8b84022090cbab8f37be1a"},{"fixed":"7b4bfd02c934dbbb18814ed012ecb90b58db6935"},{"fixed":"6a0c394300a7b0c05504596685de8a46707171fc"},{"fixed":"bd9fd5be6bc0836820500f68fff144609fbd85a9"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40147.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.10.0"},{"fixed":"6.12.78"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.17.3"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40147.json"}}],"schema_version":"1.7.5"}