{"id":"CVE-2025-40220","summary":"fuse: fix livelock in synchronous file put from fuseblk workers","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nfuse: fix livelock in synchronous file put from fuseblk workers\n\nI observed a hang when running generic/323 against a fuseblk server.\nThis test opens a file, initiates a lot of AIO writes to that file\ndescriptor, and closes the file descriptor before the writes complete.\nUnsurprisingly, the AIO exerciser threads are mostly stuck waiting for\nresponses from the fuseblk server:\n\n# cat /proc/372265/task/372313/stack\n[\u003c0\u003e] request_wait_answer+0x1fe/0x2a0 [fuse]\n[\u003c0\u003e] __fuse_simple_request+0xd3/0x2b0 [fuse]\n[\u003c0\u003e] fuse_do_getattr+0xfc/0x1f0 [fuse]\n[\u003c0\u003e] fuse_file_read_iter+0xbe/0x1c0 [fuse]\n[\u003c0\u003e] aio_read+0x130/0x1e0\n[\u003c0\u003e] io_submit_one+0x542/0x860\n[\u003c0\u003e] __x64_sys_io_submit+0x98/0x1a0\n[\u003c0\u003e] do_syscall_64+0x37/0xf0\n[\u003c0\u003e] entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\nBut the /weird/ part is that the fuseblk server threads are waiting for\nresponses from itself:\n\n# cat /proc/372210/task/372232/stack\n[\u003c0\u003e] request_wait_answer+0x1fe/0x2a0 [fuse]\n[\u003c0\u003e] __fuse_simple_request+0xd3/0x2b0 [fuse]\n[\u003c0\u003e] fuse_file_put+0x9a/0xd0 [fuse]\n[\u003c0\u003e] fuse_release+0x36/0x50 [fuse]\n[\u003c0\u003e] __fput+0xec/0x2b0\n[\u003c0\u003e] task_work_run+0x55/0x90\n[\u003c0\u003e] syscall_exit_to_user_mode+0xe9/0x100\n[\u003c0\u003e] do_syscall_64+0x43/0xf0\n[\u003c0\u003e] entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\nThe fuseblk server is fuse2fs so there's nothing all that exciting in\nthe server itself.  
So why is the fuse server calling fuse_file_put?\nThe commit message for the fstest sheds some light on that:\n\n\"By closing the file descriptor before calling io_destroy, you pretty\nmuch guarantee that the last put on the ioctx will be done in interrupt\ncontext (during I/O completion).\n\nAha.  AIO fgets a new struct file from the fd when it queues the ioctx.\nThe completion of the FUSE_WRITE command from userspace causes the fuse\nserver to call the AIO completion function.  The completion puts the\nstruct file, queuing a delayed fput to the fuse server task.  When the\nfuse server task returns to userspace, it has to run the delayed fput,\nwhich in the case of a fuseblk server, it does synchronously.\n\nSending the FUSE_RELEASE command synchronously from fuse server threads\nis a bad idea because a client program can initiate enough simultaneous\nAIOs such that all the fuse server threads end up in delayed_fput, and\nnow there aren't any threads left to handle the queued fuse commands.\n\nFix this by only using asynchronous fputs when closing files, and leave\na comment explaining 
why.","modified":"2026-03-31T17:29:27.430762Z","published":"2025-12-04T14:50:44.108Z","related":["SUSE-SU-2026:0263-1","SUSE-SU-2026:0278-1","SUSE-SU-2026:0281-1","SUSE-SU-2026:0293-1","SUSE-SU-2026:0315-1","SUSE-SU-2026:0317-1","SUSE-SU-2026:0350-1","SUSE-SU-2026:0369-1","SUSE-SU-2026:0411-1","SUSE-SU-2026:0617-1","SUSE-SU-2026:1078-1","SUSE-SU-2026:20207-1","SUSE-SU-2026:20220-1","SUSE-SU-2026:20228-1","SUSE-SU-2026:20477-1","SUSE-SU-2026:20498-1","SUSE-SU-2026:20845-1","SUSE-SU-2026:20876-1","openSUSE-SU-2026:20145-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40220.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/26e5c67deb2e1f42a951f022fdf5b9f7eb747b01"},{"type":"WEB","url":"https://git.kernel.org/stable/c/548e1f2bac1d4df91a6138f26bb4ab00323fd948"},{"type":"WEB","url":"https://git.kernel.org/stable/c/83b375c6efef69b1066ad2d79601221e7892745a"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b26923512dbe57ae4917bafd31396d22a9d1691a"},{"type":"WEB","url":"https://git.kernel.org/stable/c/bfd17b6138df0122a95989457d8e18ce0b86165e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/cfd1aa3e2b71f3327cb373c45a897c9028c62b35"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f19a1390af448d9e193c08e28ea5f727bf3c3049"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40220.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-40220"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"5a18ec176c934ca1bc9dc61580a5e0e90a9b5733"},{"fixed":"548e1f2bac1d4df91a6138f26bb4ab00323fd948"},{"fixed":"cfd1aa3e2b71f3327cb373c45a897c9028c62b35"},{"fixed":"83b375c6efef69b1066ad2d79601221e7892745a"},{"fixed":"b
fd17b6138df0122a95989457d8e18ce0b86165e"},{"fixed":"b26923512dbe57ae4917bafd31396d22a9d1691a"},{"fixed":"f19a1390af448d9e193c08e28ea5f727bf3c3049"},{"fixed":"26e5c67deb2e1f42a951f022fdf5b9f7eb747b01"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"9efe56738fecd591b5bf366a325440f9b457ebd6"},{"last_affected":"5c46eb076e0a1b2c1769287cd6942e4594ade1b1"},{"last_affected":"83e6726210d6c815ce044437106c738eda5ff6f6"},{"last_affected":"23d154c71721fd0fa6199851078f32e6bd765664"},{"last_affected":"ca3edc920f5fd7d8ac040caaf109f925c24620a0"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40220.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.6.38"},{"fixed":"5.10.246"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.196"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.158"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.115"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.54"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.17.4"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40220.json"}}],"schema_version":"1.7.5"}