CVE-2024-40925 in Linuxinfo

Summary

by MITRE • 07/12/2024

In the Linux kernel, the following vulnerability has been resolved:

block: fix request.queuelist usage in flush

Friedrich Weber reported a kernel crash problem and bisected to commit 81ada09cc25e ("blk-flush: reuse rq queuelist in flush state machine").

The root cause is that we use "list_move_tail(&rq->queuelist, pending)" in the PREFLUSH/POSTFLUSH sequences. But rq->queuelist.next == xxx since it's popped out from plug->cached_rq in __blk_mq_alloc_requests_batch(). We don't initialize its queuelist just for this first request, although the queuelist of all later popped requests will be initialized.

Fix it by changing to use "list_add_tail(&rq->queuelist, pending)" so rq->queuelist doesn't need to be initialized. It should be ok since rq can't be on any list when PREFLUSH or POSTFLUSH; there is actually no move.

Please note the commit 81ada09cc25e ("blk-flush: reuse rq queuelist in flush state machine") also has another requirement that no drivers would touch rq->queuelist after blk_mq_end_request() since we will reuse it to add rq to the post-flush pending list in POSTFLUSH. If this is not true, we will have to revert that commit IMHO.

This updated version adds "list_del_init(&rq->queuelist)" in flush rq callback since the dm layer may submit request of a weird invalid format (REQ_FSEQ_PREFLUSH | REQ_FSEQ_POSTFLUSH), which causes a double list_add without this "list_del_init(&rq->queuelist)". The weird invalid format problem should be fixed in dm layer.


Analysis

by VulDB Data Team • 09/17/2025

CVE-2024-40925 is a kernel crash in the Linux block layer, specifically in the flush state machine (block/blk-flush.c) that sequences the PREFLUSH and POSTFLUSH steps of a flush request. The crash comes from mishandling the request's queuelist link while a request is moved onto the flush pending list. It was bisected to commit 81ada09cc25e ("blk-flush: reuse rq queuelist in flush state machine"), which began reusing rq->queuelist, rather than a dedicated list node, to put requests on that pending list.

The defect is in how the PREFLUSH/POSTFLUSH code placed the request on the pending list: list_move_tail(&rq->queuelist, pending). list_move_tail first unlinks the entry from whatever list it is on, and that unlink dereferences rq->queuelist.next and rq->queuelist.prev. For the first request handed out of plug->cached_rq in __blk_mq_alloc_requests_batch(), those two pointers were never initialized (only the requests popped from the cache afterwards get their queuelist initialized), so the unlink reads and writes through stale pointers and the kernel crashes.

The fix replaces list_move_tail with list_add_tail. list_add_tail only overwrites the entry's own next/prev pointers and links it after the current tail of pending, so the entry's prior contents are never read and no initialization is required. This is correct because a request cannot be on any list when it reaches the PREFLUSH or POSTFLUSH step, so there was nothing to unlink in the first place. The issue is filed under CWE-691 (Insufficient Control Flow Management).

The impact is a denial of service: the crash takes down the whole system, and because it occurs in the flush path, data that applications had asked to be flushed may not have reached stable storage when the machine goes down. Every kernel that contains commit 81ada09cc25e and not this fix is affected. The trigger is ordinary flush I/O rather than anything crafted, so workloads that issue flushes frequently, such as databases, journaling file systems and virtualization hosts, are the ones most likely to hit it; the commit message notes that the device-mapper layer can additionally submit a request marked with both REQ_FSEQ_PREFLUSH and REQ_FSEQ_POSTFLUSH.

Mitigation is to run a kernel carrying the fix. The patch has two parts: the list_move_tail to list_add_tail change for the uninitialized-node crash, and a list_del_init(&rq->queuelist) in the flush request's completion callback so that a request which goes through both PREFLUSH and POSTFLUSH is detached from the old pending list before being added to the new one, avoiding a double list_add. There is no privilege-escalation angle supported by the report, and the EPSS score and KEV status recorded below indicate no known exploitation; operationally, the symptom to watch for is a kernel oops or panic whose backtrace runs through the block flush code on systems with heavy flush traffic.
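The difference between list_move_tail and list_add_tail on a node whose next/prev were never set, and the double-add that the extra list_del_init prevents, can both be shown in user space. The following is an added example written for this page, not code from the kernel or from the fix: it re-implements the list_head primitives with the CONFIG_DEBUG_LIST-style validity checks returned as error codes, stands in for the never-initialized queuelist with a fixed bogus address (so nothing is actually dereferenced), and models the flush queue's pending/running pair as two plain lists. All *_checked functions, GARBAGE_PTR, pop_first_cached_rq and the demo_* functions are names chosen here.

```c
#include <stdbool.h>
#include <stdint.h>

/* User-space model of the kernel's list_head API (include/linux/list.h). The
 * CONFIG_DEBUG_LIST checks become return codes, and a never-initialized node
 * holds a fixed bogus address instead of real garbage, so nothing here
 * dereferences a wild pointer. Assumed, not kernel code. */
struct list_head { struct list_head *next, *prev; };
#define GARBAGE_PTR ((struct list_head *)(uintptr_t)0x5a5a5a5a) /* "uninitialized" */

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }

/* __list_add_valid(): neighbours link to each other, and the entry is not already
 * one of them (this is what catches a double list_add of the same node). */
static bool list_add_valid(struct list_head *e, struct list_head *p, struct list_head *n)
{
    return p->next == n && n->prev == p && e != p && e != n;
}

/* __list_del_entry_valid(): unlinking reads e->prev and e->next, so both must be
 * real neighbours that point back at e. */
static bool list_del_entry_valid(struct list_head *e)
{
    if (e->next == GARBAGE_PTR || e->prev == GARBAGE_PTR) return false;
    return e->prev->next == e && e->next->prev == e;
}

/* list_add_tail(): overwrites e->{next,prev} and links the two neighbours in head;
 * the old contents of e are never read, so e needs no initialization. */
static int list_add_tail_checked(struct list_head *e, struct list_head *head)
{
    struct list_head *prev = head->prev, *next = head;
    if (!list_add_valid(e, prev, next)) return -1;
    next->prev = e; e->next = next; e->prev = prev; prev->next = e;
    return 0;
}

static int list_del_init_checked(struct list_head *e)
{
    if (!list_del_entry_valid(e)) return -1;
    e->prev->next = e->next; e->next->prev = e->prev;
    INIT_LIST_HEAD(e);
    return 0;
}

/* list_move_tail() = unlink, then list_add_tail(); the unlink reads the stale pointers. */
static int list_move_tail_checked(struct list_head *e, struct list_head *head)
{
    if (!list_del_entry_valid(e)) return -1;
    e->prev->next = e->next; e->next->prev = e->prev;
    return list_add_tail_checked(e, head);
}

/* Walk head checking every back-pointer: entry count, or -1 if corrupt or looping. */
static int list_check(const struct list_head *head)
{
    const struct list_head *p = head;
    int n = 0;
    do {
        if (p->next == GARBAGE_PTR || p->next->prev != p || ++n > 64) return -1;
        p = p->next;
    } while (p != head);
    return n - 1;
}

struct request { struct list_head queuelist; };

/* The first request popped from plug->cached_rq: per the commit message its
 * queuelist is never initialized. */
static void pop_first_cached_rq(struct request *rq)
{
    rq->queuelist.next = rq->queuelist.prev = GARBAGE_PTR;
}

/* Pre-fix PREFLUSH step, list_move_tail(&rq->queuelist, pending): returns -1, the
 * unlink would have dereferenced the stale pointers (a crash in the kernel). */
int demo_move_on_uninitialized_rq(void)
{
    struct list_head pending; struct request rq;
    INIT_LIST_HEAD(&pending);
    pop_first_cached_rq(&rq);
    return list_move_tail_checked(&rq.queuelist, &pending);
}

/* Post-fix steps for a request that runs PREFLUSH then POSTFLUSH (the shape the
 * commit message says dm can submit): list_add_tail onto fq[0] (safe despite the
 * stale pointers); the flush completes and fq[1] becomes the pending list; the
 * request is added again. Returns the entries on both lists (1 when the callback
 * ran list_del_init), or -2 when fq[0] still points at the re-added node. */
int demo_preflush_then_postflush(bool del_init_in_flush_callback)
{
    struct list_head fq[2]; struct request rq;
    INIT_LIST_HEAD(&fq[0]); INIT_LIST_HEAD(&fq[1]);
    pop_first_cached_rq(&rq);
    if (list_add_tail_checked(&rq.queuelist, &fq[0]) != 0) return -1;
    if (del_init_in_flush_callback && list_del_init_checked(&rq.queuelist) != 0) return -1;
    if (list_add_tail_checked(&rq.queuelist, &fq[1]) != 0) return -1;
    if (list_check(&fq[0]) < 0 || list_check(&fq[1]) < 0) return -2;
    return list_check(&fq[0]) + list_check(&fq[1]);
}
```

The first demo fails at the unlink inside list_move_tail, which is exactly the read of rq->queuelist.next/prev that the real kernel performs on the never-initialized node; the second succeeds with list_add_tail because that path only writes the node. Running the second demo without the list_del_init leaves fq[0] still linked to a node whose back-pointer now points into fq[1], which is the double-add corruption the completion-callback change prevents.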

Responsible

Linux

Reservation

07/12/2024

Disclosure

07/12/2024

Moderation

accepted

CPE

ready

EPSS

0.00288

KEV

no

Activities

very low

Sources
