CVE-2025-68807
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-13

Last updated on: 2026-01-14

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: block: fix race between wbt_enable_default and IO submission When wbt_enable_default() is moved out of queue freezing in elevator_change(), it can cause the wbt inflight counter to become negative (-1), leading to hung tasks in the writeback path. Tasks get stuck in wbt_wait() because the counter is in an inconsistent state. The issue occurs because wbt_enable_default() could race with IO submission, allowing the counter to be decremented before proper initialization. This manifests as: rq_wait[0]: inflight: -1 has_waiters: True rwb_enabled() checks the state, which can be updated exactly between wbt_wait() (rq_qos_throttle()) and wbt_track()(rq_qos_track()), then the inflight counter will become negative. And results in hung task warnings like: task:kworker/u24:39 state:D stack:0 pid:14767 Call Trace: rq_qos_wait+0xb4/0x150 wbt_wait+0xa9/0x100 __rq_qos_throttle+0x24/0x40 blk_mq_submit_bio+0x672/0x7b0 ... Fix this by: 1. Splitting wbt_enable_default() into: - __wbt_enable_default(): Returns true if wbt_init() should be called - wbt_enable_default(): Wrapper for existing callers (no init) - wbt_init_enable_default(): New function that checks and inits WBT 2. Using wbt_init_enable_default() in blk_register_queue() to ensure proper initialization during queue registration 3. Move wbt_init() out of wbt_enable_default() which is only for enabling disabled wbt from bfq and iocost, and wbt_init() isn't needed. Then the original lock warning can be avoided. 4. Removing the ELEVATOR_FLAG_ENABLE_WBT_ON_EXIT flag and its handling code since it's no longer needed This ensures WBT is properly initialized before any IO can be submitted, preventing the counter from going negative.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-13
Last Modified
2026-01-14
Generated
2026-05-07
AI Q&A
2026-01-14
EPSS Evaluated
2026-05-05
NVD
CVE-2025-68807
EUVD
EUVD-2026-2300
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a race condition in the Linux kernel's block layer involving the writeback throttling (WBT) mechanism. Specifically, when the function wbt_enable_default() is moved out of queue freezing in elevator_change(), it can cause the WBT inflight counter to become negative (-1). This happens because wbt_enable_default() can race with IO submission, allowing the counter to be decremented before it is properly initialized. As a result, tasks get stuck or hung in the writeback path, waiting indefinitely due to the inconsistent state of the counter.


How can this vulnerability impact me? :

This vulnerability can cause tasks in the Linux kernel to hang or become stuck during IO operations, specifically in the writeback path. This can lead to system instability or degraded performance because IO submissions may not proceed correctly, potentially causing delays or hangs in processes that rely on disk IO.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability manifests as hung tasks in the writeback path with the inflight counter becoming negative (-1). You can detect it by checking for hung task warnings in kernel logs, specifically messages showing tasks stuck in wbt_wait() and negative inflight counters such as: rq_wait[0]: inflight: -1 has_waiters: True Look for kernel log entries with call traces including rq_qos_wait, wbt_wait, __rq_qos_throttle, and blk_mq_submit_bio. Commands to check kernel logs include: dmesg | grep -i wbt_wait journalctl -k | grep -i wbt_wait or searching for hung task warnings related to block IO submission in system logs.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed by ensuring proper initialization of the writeback throttling (WBT) inflight counter before IO submission. Immediate mitigation involves updating the Linux kernel to a version that includes the fix, which splits wbt_enable_default() and moves wbt_init() to be called during queue registration, preventing the inflight counter from becoming negative. Until the patch is applied, monitoring for hung tasks and avoiding heavy IO workloads that trigger the race condition may reduce impact, but the definitive mitigation is applying the kernel update containing the fix.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart