{"id":"CVE-2025-68807","summary":"block: fix race between wbt_enable_default and IO submission","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nblock: fix race between wbt_enable_default and IO submission\n\nWhen wbt_enable_default() is moved out of queue freezing in elevator_change(),\nit can cause the wbt inflight counter to become negative (-1), leading to hung\ntasks in the writeback path. Tasks get stuck in wbt_wait() because the counter\nis in an inconsistent state.\n\nThe issue occurs because wbt_enable_default() could race with IO submission,\nallowing the counter to be decremented before proper initialization. This manifests\nas:\n\n  rq_wait[0]:\n    inflight:             -1\n    has_waiters:        True\n\nrwb_enabled() checks the state, which can be updated exactly between wbt_wait()\n(rq_qos_throttle()) and wbt_track()(rq_qos_track()), then the inflight counter\nwill become negative.\n\nAnd results in hung task warnings like:\n  task:kworker/u24:39 state:D stack:0 pid:14767\n  Call Trace:\n    rq_qos_wait+0xb4/0x150\n    wbt_wait+0xa9/0x100\n    __rq_qos_throttle+0x24/0x40\n    blk_mq_submit_bio+0x672/0x7b0\n    ...\n\nFix this by:\n\n1. Splitting wbt_enable_default() into:\n   - __wbt_enable_default(): Returns true if wbt_init() should be called\n   - wbt_enable_default(): Wrapper for existing callers (no init)\n   - wbt_init_enable_default(): New function that checks and inits WBT\n\n2. Using wbt_init_enable_default() in blk_register_queue() to ensure\n   proper initialization during queue registration\n\n3. Move wbt_init() out of wbt_enable_default() which is only for enabling\n   disabled wbt from bfq and iocost, and wbt_init() isn't needed. Then the\n   original lock warning can be avoided.\n\n4. Removing the ELEVATOR_FLAG_ENABLE_WBT_ON_EXIT flag and its handling\n   code since it's no longer needed\n\nThis ensures WBT is properly initialized before any IO can be submitted,\npreventing the counter from going negative.","modified":"2026-03-20T12:46:29.775206Z","published":"2026-01-13T15:29:14.483Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68807.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/9869d3a6fed381f3b98404e26e1afc75d680cbf9"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f55201fb3becff6a903fd29f4d1147cc7e91eb0c"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68807.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68807"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"78c271344b6f64ce24c845e54903e09928cf2061"},{"fixed":"f55201fb3becff6a903fd29f4d1147cc7e91eb0c"},{"fixed":"9869d3a6fed381f3b98404e26e1afc75d680cbf9"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-68807.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.16.0"},{"fixed":"6.18.3"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-68807.json"}}],"schema_version":"1.7.5"}