Bug 2460616 (CVE-2026-31467) - CVE-2026-31467 kernel: Linux kernel: Denial of Service in erofs filesystem
Summary: CVE-2026-31467 kernel: Linux kernel: Denial of Service in erofs filesystem
Keywords:
Status: NEW
Alias: CVE-2026-31467
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-04-22 15:01 UTC by OSIDB Bzimport
Modified: 2026-04-28 18:23 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-04-22 15:01:29 UTC 
In the Linux kernel, the following vulnerability has been resolved:

erofs: add GFP_NOIO in the bio completion if needed

The bio completion path in the process context (e.g. dm-verity)
will directly call into decompression rather than trigger another
workqueue context for minimal scheduling latencies, which can
then call vm_map_ram() with GFP_KERNEL.

Due to insufficient memory, vm_map_ram() may generate memory
swapping I/O, which can cause submit_bio_wait to deadlock
in some scenarios.

Trimmed down the call stack, as follows:

f2fs_submit_read_io
  submit_bio                      //bio_list is initialized.
    mmc_blk_mq_recovery
      z_erofs_endio
        vm_map_ram
          __pte_alloc_kernel
            __alloc_pages_direct_reclaim
              shrink_folio_list
                __swap_writepage
                  submit_bio_wait  //bio_list is non-NULL, hang!!!

Use memalloc_noio_{save,restore}() to wrap up this path.
Comment 1 Keith Grant 2026-04-22 18:04:09 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026042253-CVE-2026-31467-914b@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.