This article provides a detailed analysis of CVE-2025-40220, a vulnerability found in the Linux kernel’s fuse (Filesystem in Userspace) implementation. This issue can lead to a livelock situation, particularly when using fuseblk workers. We’ll explore the technical details, potential impact, and steps to mitigate this vulnerability.
Overview
CVE-2025-40220 identifies a flaw in the way the Linux kernel handles file puts within the fuse subsystem, specifically when dealing with asynchronous I/O (AIO) operations in conjunction with fuseblk. This can result in a scenario where fuse server threads become stuck waiting for responses from themselves, effectively halting operations.
Technical Details
The vulnerability occurs due to a synchronous file put operation initiated by fuseblk workers. When a client program initiates numerous concurrent AIO writes to a fuse-mounted file system and closes the file descriptor before all writes complete, the following sequence of events triggers the livelock:
- The client program opens a file and initiates a large number of AIO writes.
- The client closes the file descriptor before all AIO writes are finished.
- The AIO completion handler in the fuse server is triggered upon completion of the FUSE_WRITE command.
- This completion queues a delayed `fput` (file put) operation to the fuse server task.
- When the fuse server task returns to userspace, it executes the delayed `fput` synchronously.
- Since the server is fuseblk, the synchronous `FUSE_RELEASE` command from fuse server threads creates a deadlock, as all server threads end up in the delayed `fput`, with no threads left to handle queued fuse commands.
The core issue lies in the fact that the `FUSE_RELEASE` command is sent synchronously from the fuse server threads when it should be asynchronous. This can happen when `fput` is called in interrupt context.
Example stack traces illustrating the problem:
Client Thread Stack:
[<0>] request_wait_answer+0x1fe/0x2a0 [fuse]
[<0>] __fuse_simple_request+0xd3/0x2b0 [fuse]
[<0>] fuse_do_getattr+0xfc/0x1f0 [fuse]
[<0>] fuse_file_read_iter+0xbe/0x1c0 [fuse]
[<0>] aio_read+0x130/0x1e0
[<0>] io_submit_one+0x542/0x860
[<0>] __x64_sys_io_submit+0x98/0x1a0
[<0>] do_syscall_64+0x37/0xf0
[<0>] entry_SYSCALL_64_after_hwframe+0x4b/0x53
Fuse Server Thread Stack:
[<0>] request_wait_answer+0x1fe/0x2a0 [fuse]
[<0>] __fuse_simple_request+0xd3/0x2b0 [fuse]
[<0>] fuse_file_put+0x9a/0xd0 [fuse]
[<0>] fuse_release+0x36/0x50 [fuse]
[<0>] __fput+0xec/0x2b0
[<0>] task_work_run+0x55/0x90
[<0>] syscall_exit_to_user_mode+0xe9/0x100
[<0>] do_syscall_64+0x43/0xf0
[<0>] entry_SYSCALL_64_after_hwframe+0x4b/0x53
CVSS Analysis
Currently, there is no CVSS score assigned to CVE-2025-40220. The severity is marked as N/A. However, the potential for a livelock situation, which can lead to denial of service, suggests that it could be classified as having a medium to high severity, depending on the exploitability and impact on the system.
Possible Impact
The primary impact of this vulnerability is a denial of service (DoS). If an attacker can trigger the livelock condition, the fuse server threads become unresponsive, preventing the mounted fuse filesystem from functioning correctly. This could disrupt applications relying on the fuse filesystem and potentially impact overall system stability.
Mitigation or Patch Steps
The vulnerability is resolved by ensuring that only asynchronous `fput` operations are used when closing files. This prevents the fuse server threads from getting stuck in synchronous requests and allows them to continue processing queued commands.
Apply the patch referenced in the Linux kernel commit logs. This patch modifies the code to handle file puts asynchronously in the affected areas. Specifically, ensure that your kernel includes the fix that uses asynchronous `fputs` only when closing files.
