CVE-2025-21807: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

block: fix queue freeze vs limits lock order in sysfs store methods

queue_attr_store() always freezes a device queue before calling the attribute store operation. For attributes that control queue limits, the store operation will also lock the queue limits with a call to queue_limits_start_update(). However, some drivers (e.g. SCSI sd) may need to issue commands to a device to obtain limit values from the hardware with the queue limits locked. This creates a potential ABBA deadlock situation if a user attempts to modify a limit (thus freezing the device queue) while the device driver starts a revalidation of the device queue limits.

Avoid such deadlock by not freezing the queue before calling the ->store_limit() method in struct queue_sysfs_entry and instead use the queue_limits_commit_update_frozen helper to freeze the queue after taking the limits lock.

This also removes taking the sysfs lock for the store_limit method as it doesn't protect anything here, but creates even more nesting. Hopefully it will go away from the actual sysfs methods entirely soon.

(commit log adapted from a similar patch from Damien Le Moal)
AI Analysis
Technical Summary
CVE-2025-21807 is a vulnerability identified in the Linux kernel related to the handling of device queue limits within the block subsystem, specifically in the sysfs store methods. The vulnerability arises from a potential deadlock condition caused by improper lock ordering when modifying queue limits. In the Linux kernel, the function queue_attr_store() freezes a device queue before invoking the attribute store operation. For attributes that control queue limits, the store operation also locks the queue limits using queue_limits_start_update(). However, certain device drivers, such as the SCSI sd driver, may need to issue commands to hardware to retrieve limit values while holding the queue limits lock. This sequence can lead to an ABBA deadlock if a user attempts to modify a limit (which freezes the device queue) concurrently with the driver revalidating the device queue limits. The deadlock occurs because the queue is frozen before the limits lock is acquired, creating a circular wait condition between the queue freeze and the limits lock. The patch addressing this vulnerability changes the locking order by deferring the queue freeze until after acquiring the limits lock, using the helper queue_limits_commit_update_frozen. Additionally, the patch removes the sysfs lock acquisition for the store_limit method, as it was unnecessary and contributed to complex lock nesting. This fix prevents the deadlock scenario by ensuring proper lock ordering and reducing lock contention. The vulnerability does not have any known exploits in the wild as of the publication date, and no CVSS score has been assigned yet. It affects Linux kernel versions identified by the commit hash 0327ca9d53bfbb0918867313049bba7046900f73. The issue is primarily relevant to systems running Linux kernels with affected versions and using device drivers that interact with block device queue limits, such as SCSI sd drivers.
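The lock-order inversion described above can be checked with a small user-space model in C. This is an added example, not kernel code and not part of the advisory or the patch. It records the acquisition order of each code path in a graph, as a lock-order validator would, and reports a cycle. The names Q_FREEZE, LIMITS_LOCK and all helper functions are hypothetical, and treating a frozen queue as a held lock is a modelling assumption.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* Model (assumption): a frozen queue acts like a held lock, because I/O
 * submitted to a frozen queue blocks until the queue is unfrozen. */
enum { Q_FREEZE, LIMITS_LOCK, NCLASS };
static bool edge[NCLASS][NCLASS]; /* edge[a][b]: b acquired while a is held */

/* Record one code path as the ordered list of resources it acquires. */
static void record_path(const int *seq, int n)
{
    for (int i = 0; i < n; i++)
        for (int j = i + 1; j < n; j++)
            edge[seq[i]][seq[j]] = true;
}

/* Transitive closure: a class that can reach itself is an ordering cycle. */
static bool has_cycle(void)
{
    bool r[NCLASS][NCLASS];
    memcpy(r, edge, sizeof(r));
    for (int k = 0; k < NCLASS; k++)
        for (int i = 0; i < NCLASS; i++)
            for (int j = 0; j < NCLASS; j++)
                r[i][j] = r[i][j] || (r[i][k] && r[k][j]);
    for (int i = 0; i < NCLASS; i++)
        if (r[i][i]) return true;
    return false;
}

/* sysfs store order vs. sd-style revalidation (limits lock held, then I/O). */
static bool deadlocks(int first, int second)
{
    const int store[] = { first, second };
    const int revalidate[] = { LIMITS_LOCK, Q_FREEZE };
    memset(edge, 0, sizeof(edge));
    record_path(store, 2);
    record_path(revalidate, 2);
    return has_cycle();
}

/* Before the fix: queue_attr_store() freezes, then the store method locks limits. */
bool old_order_deadlocks(void) { return deadlocks(Q_FREEZE, LIMITS_LOCK); }
/* After the fix: limits lock first, queue frozen only at commit time. */
bool patched_order_deadlocks(void) { return deadlocks(LIMITS_LOCK, Q_FREEZE); }
int main(void)
{
    printf("old=%d patched=%d\n", old_order_deadlocks(), patched_order_deadlocks());
    return 0;
}
```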
Potential Impact
The potential impact of CVE-2025-21807 on European organizations primarily involves system availability and operational stability. The deadlock condition can cause device queues to freeze indefinitely, leading to blocked I/O operations on affected storage devices. This can result in degraded system performance, application stalls, or even system hangs if critical storage operations are impacted. For organizations relying heavily on Linux-based infrastructure, especially those using SCSI storage devices or other block devices managed by affected drivers, this vulnerability could disrupt business-critical services, data processing, and storage availability. While the vulnerability does not directly expose confidentiality or integrity risks, the availability impact can have significant operational and financial consequences. European enterprises in sectors such as finance, telecommunications, cloud service providers, and public administration, which often deploy Linux servers at scale, may face increased risk of service interruptions if the vulnerability is exploited or triggered inadvertently. The absence of known exploits reduces immediate risk, but the complexity of the issue means that inadvertent deadlocks could occur during routine system management or updates, emphasizing the need for timely patching. Additionally, the vulnerability could complicate incident response and recovery efforts if device queues become unresponsive, potentially increasing downtime and operational costs.
Mitigation Recommendations
To mitigate CVE-2025-21807, European organizations should prioritize updating their Linux kernel to the patched version that includes the fix for the queue freeze and lock ordering issue. Kernel updates should be tested in staging environments to ensure compatibility with existing hardware and drivers, particularly those managing block devices such as SCSI sd drivers. Organizations should audit their Linux systems to identify affected kernel versions and device drivers, focusing on storage subsystems that rely on queue limits. Implementing monitoring solutions that detect abnormal I/O queue freezes or device unresponsiveness can provide early warning signs of deadlock conditions. System administrators should avoid manual modifications to queue limits on production systems until patches are applied, or perform such operations during maintenance windows with appropriate safeguards. Additionally, reviewing and minimizing custom kernel modules or third-party drivers that interact with block device queues can reduce complexity and potential deadlock risks. For environments using containerization or virtualization on Linux hosts, ensuring that the underlying host kernel is patched is critical, as the vulnerability affects the host's block device management. Finally, maintaining up-to-date documentation and operational procedures for handling device queue issues will facilitate faster response and recovery if deadlocks occur.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-12-29T08:45:45.772Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9832c4522896dcbe88bf
Added to database: 5/21/2025, 9:09:06 AM
Last enriched: 6/30/2025, 9:25:44 AM
Last updated: 8/12/2025, 5:31:45 PM