DEBIAN-CVE-2025-21807
In the Linux kernel, the following vulnerability has been resolved: block: fix queue freeze vs limits lock order in sysfs store methods queue_attr_store() always freezes a device queue before calling the attribute store operation. For attributes that control queue limits, the store operation will also lock the queue limits with a call to queue_limits_start_update(). However, some drivers (e.g. SCSI sd) may need to issue commands to a device to obtain limit values from the hardware with the queue limits locked. This creates a potential ABBA deadlock situation if a user attempts to modify a limit (thus freezing the device queue) while the device driver starts a revalidation of the device queue limits. Avoid such deadlock by not freezing the queue before calling the ->store_limit() method in struct queue_sysfs_entry and instead use the queue_limits_commit_update_frozen helper to freeze the queue after taking the limits lock. This also removes taking the sysfs lock for the store_limit method as it doesn't protect anything here, but creates even more nesting. Hopefully it will go away from the actual sysfs methods entirely soon. (commit log adapted from a similar patch from Damien Le Moal)
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:13 | linux | 6.17.9-1, 6.14.5-1, 6.14.6-1 |
| Debian:14 | linux | 6.12.43-1, 6.12.43-1~bpo12+1, 6.12.57-1 |
Timeline
- Feb 27, 2025 CVE Published
- Apr 28, 2026 CVE Updated