HIGH
erofs Decompression Deadlock
CVE-2026-31467
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
KernelScan AI6.7MEDIUM
01Description
In the Linux kernel, the following vulnerability has been resolved: erofs: add GFP_NOIO in the bio completion if needed The bio completion path in the process context (e.g. dm-verity) will directly call into decompression rather than trigger another workqueue context for minimal scheduling latencies, which can then call vm_map_ram() with GFP_KERNEL. Due to insufficient memory, vm_map_ram() may generate memory swapping I/O, which can cause submit_bio_wait to deadlock in some scenarios. Trimmed down the call stack, as follows: f2fs_submit_read_io submit_bio //bio_list is initialized. mmc_blk_mq_recovery z_erofs_endio vm_map_ram __pte_alloc_kernel __alloc_pages_direct_reclaim shrink_folio_list __swap_writepage submit_bio_wait //bio_list is non-NULL, hang!!! Use memalloc_noio_{save,restore}() to wrap up this path.
02KernelScan AI Analysis
Risk summary
Local unprivileged users can trigger a kernel deadlock in EROFS filesystem decompression when memory is low. This causes a system hang requiring reboot. The vulnerability specifically affects systems using EROFS with dm-verity or similar block layer configurations that execute bio completion in process context.
Vulnerability analysis
The root cause is improper memory allocation context in the EROFS decompression path. When dm-verity processes bio completion in process context rather than interrupt context, z_erofs_endio calls vm_map_ram() with GFP_KERNEL allocation. Under memory pressure, this triggers memory reclaim that can initiate swap I/O via submit_bio_wait(). Since the original bio_list is non-NULL from the initial submit_bio() call, this creates a deadlock where the system waits for I/O completion that cannot proceed. The fix wraps the decompression path with memalloc_noio_save/restore() to prevent memory reclaim from triggering I/O operations, breaking the deadlock cycle.
03Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.15 | 5.15.203 | d6565ea662e1 |
| 6.1 | 6.1.168 | d9d8360cb66e |
| 6.12 | 6.12.80 | 378949f46e89 |
| 6.18 | 6.18.21 | da4046406459 |
| 6.19 | 6.19.11 | e83e20b82859 |
| 6.6 | 6.6.131 | 5c8ecdcfbfb0 |
| mainline | 7.0 | c23df30915f8 |