Linux kernel CVE announcements
* CVE-2026-43314: dm: remove fake timeout to avoid leak request
From: Greg Kroah-Hartman @ 2026-05-08 13:12 UTC
  To: linux-cve-announce; +Cc: Greg Kroah-Hartman

From: Greg Kroah-Hartman <gregkh@kernel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

dm: remove fake timeout to avoid leak request

Since commit 15f73f5b3e59 ("blk-mq: move failure injection out of
blk_mq_complete_request"), drivers are responsible for calling
blk_should_fake_timeout() at appropriate code paths and opportunities.

However, the dm driver does not implement its own timeout handler and
relies on the timeout handling of its slave devices.

If an io-timeout-fail error is injected to a dm device, the request
will be leaked and never completed, causing tasks to hang indefinitely.

Reproduce:
1. prepare dm which has iscsi slave device
2. inject io-timeout-fail to dm
   echo 1 >/sys/class/block/dm-0/io-timeout-fail
   echo 100 >/sys/kernel/debug/fail_io_timeout/probability
   echo 10 >/sys/kernel/debug/fail_io_timeout/times
3. read/write dm
4. iscsiadm -m node -u

Result: hang task like below
[  862.243768] INFO: task kworker/u514:2:151 blocked for more than 122 seconds.
[  862.244133]       Tainted: G            E       6.19.0-rc1+ #51
[  862.244337] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[  862.244718] task:kworker/u514:2  state:D stack:0     pid:151   tgid:151   ppid:2      task_flags:0x4288060 flags:0x00080000
[  862.245024] Workqueue: iscsi_ctrl_3:1 __iscsi_unbind_session [scsi_transport_iscsi]
[  862.245264] Call Trace:
[  862.245587]  <TASK>
[  862.245814]  __schedule+0x810/0x15c0
[  862.246557]  schedule+0x69/0x180
[  862.246760]  blk_mq_freeze_queue_wait+0xde/0x120
[  862.247688]  elevator_change+0x16d/0x460
[  862.247893]  elevator_set_none+0x87/0xf0
[  862.248798]  blk_unregister_queue+0x12e/0x2a0
[  862.248995]  __del_gendisk+0x231/0x7e0
[  862.250143]  del_gendisk+0x12f/0x1d0
[  862.250339]  sd_remove+0x85/0x130 [sd_mod]
[  862.250650]  device_release_driver_internal+0x36d/0x530
[  862.250849]  bus_remove_device+0x1dd/0x3f0
[  862.251042]  device_del+0x38a/0x930
[  862.252095]  __scsi_remove_device+0x293/0x360
[  862.252291]  scsi_remove_target+0x486/0x760
[  862.252654]  __iscsi_unbind_session+0x18a/0x3e0 [scsi_transport_iscsi]
[  862.252886]  process_one_work+0x633/0xe50
[  862.253101]  worker_thread+0x6df/0xf10
[  862.253647]  kthread+0x36d/0x720
[  862.254533]  ret_from_fork+0x2a6/0x470
[  862.255852]  ret_from_fork_asm+0x1a/0x30
[  862.256037]  </TASK>

Remove the blk_should_fake_timeout() check from dm, as dm has no
native timeout handling and should not attempt to fake timeouts.

The Linux kernel CVE team has assigned CVE-2026-43314 to this issue.


Affected and fixed versions
===========================

	Fixed in 5.10.252 with commit ece6720de9403260088209b0b92d45e0b49ff856
	Fixed in 5.15.202 with commit 8200fca818c1e2f65bc6cb16d934ff6049302197
	Fixed in 6.1.165 with commit b307b6307f6459841312432bd4bc9519cbac97f5
	Fixed in 6.6.128 with commit 4f9e7ca933a9fbf9912a384b061a00c77332cbf0
	Fixed in 6.12.75 with commit cf2d06c9fd4b6521ea5b7f73c99c64c2c6f5e224
	Fixed in 6.18.16 with commit 6cdb21e0c9fdee484feba14fc9e72e9d07daf9f3
	Fixed in 6.19.6 with commit c8a23d4c995ef4227bd4de64cd3910637ee6162e
	Fixed in 7.0 with commit f3a9c95a15d2f4466acad5c68faeff79ca5e9f47

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2026-43314
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	drivers/md/dm-rq.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/ece6720de9403260088209b0b92d45e0b49ff856
	https://git.kernel.org/stable/c/8200fca818c1e2f65bc6cb16d934ff6049302197
	https://git.kernel.org/stable/c/b307b6307f6459841312432bd4bc9519cbac97f5
	https://git.kernel.org/stable/c/4f9e7ca933a9fbf9912a384b061a00c77332cbf0
	https://git.kernel.org/stable/c/cf2d06c9fd4b6521ea5b7f73c99c64c2c6f5e224
	https://git.kernel.org/stable/c/6cdb21e0c9fdee484feba14fc9e72e9d07daf9f3
	https://git.kernel.org/stable/c/c8a23d4c995ef4227bd4de64cd3910637ee6162e
	https://git.kernel.org/stable/c/f3a9c95a15d2f4466acad5c68faeff79ca5e9f47
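
Added example, not part of the announcement or of any kernel project tooling: a shell triage helper that classifies a `uname -r` string against the fixed releases listed above and lists dm devices whose io-timeout-fail attribute is set, the precondition described in the reproducer. The function names and status strings are assumptions of this example; the version table and the sysfs attribute name come from the message.

```bash
#!/usr/bin/env bash
# Added example (not from the announcement): host triage for CVE-2026-43314.

# First fixed release per stable branch, copied from "Affected and fixed versions".
FIXED="5.10.252 5.15.202 6.1.165 6.6.128 6.12.75 6.18.16 6.19.6 7.0"
MAINLINE_FIX="7.0"

# ver_ge A B: true when version A >= version B (sort -V ordering).
ver_ge() { [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]; }

# fix_status RELEASE: classify a `uname -r` string against the table above.
# Prints one of: fixed | needs <release> | verify-commit | unlisted
fix_status() {
    local rel="${1%%[-+]*}" branch fixed   # drop suffixes such as "-rc1+"
    branch=$(printf '%s' "$rel" | cut -d. -f1,2)
    for fixed in $FIXED; do
        [ "$(printf '%s' "$fixed" | cut -d. -f1,2)" = "$branch" ] || continue
        if ! ver_ge "$rel" "$fixed"; then
            echo "needs $fixed"
        else
            case "$1" in
                *-rc*) echo "verify-commit" ;;   # an -rc build may predate the fix
                *)     echo "fixed" ;;
            esac
        fi
        return 0
    done
    # Branch not in the announcement: only releases at or past the mainline fix are known good.
    if ver_ge "$rel" "$MAINLINE_FIX"; then echo "fixed"; else echo "unlisted"; fi
}

# dm_fake_timeout_armed [DIR]: print dm-N devices whose io-timeout-fail is 1.
# DIR defaults to /sys/class/block; the attribute is absent on kernels built
# without io-timeout fault injection, in which case nothing is printed.
dm_fake_timeout_armed() {
    local dir="${1:-/sys/class/block}" f
    for f in "$dir"/dm-*/io-timeout-fail; do
        [ -r "$f" ] && [ "$(cat "$f")" = "1" ] && basename "$(dirname "$f")"
    done
    return 0
}

# Stand-alone run: report on the local host.
echo "$(uname -r): $(fix_status "$(uname -r)")"
dm_fake_timeout_armed
```

Distribution kernels often carry backported fixes under an older version number, so a "needs" result there should be confirmed against the vendor's changelog.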
