CVE-2025-38066 Information
Description
In the Linux kernel, the following vulnerability has been resolved:
dm cache: prevent BUG_ON by blocking retries on failed device resumes
A cache device failing to resume due to mapping errors should not be retried as the failure leaves a partially initialized policy object. Repeating the resume operation risks triggering BUG_ON when reloading cache mappings into the incomplete policy object.
Reproduce steps:
- create a cache metadata consisting of 512 or more cache blocks with some mappings stored in the first array block of the mapping array. Here we use cache_restore v1.0 to build the metadata.
cat <<EOF >> cmeta.xml
<superblock uuid="" block_size="128" nr_cache_blocks="512"
policy="smq" hint_width="4">
- wipe the second array block of the mapping array to simulate data degradations.
mapping_root=$(dd if=/dev/sdc bs=1c count=8 skip=192 \
2>/dev/null | hexdump -e '1/8 "%u\n"')
ablock=$(dd if=/dev/sdc bs=1c count=8 skip=$((4096*mapping_root+2056)) \
2>/dev/null | hexdump -e '1/8 "%u\n"')
dd if=/dev/zero of=/dev/sdc bs=4k count=1 seek=$ablock
- try bringing up the cache device. The resume is expected to fail due to the broken array block.
dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
dmsetup create cdata --table "0 65536 linear /dev/sdc 8192"
dmsetup create corig --table "0 524288 linear /dev/sdc 262144"
dmsetup create cache --notable
dmsetup load cache --table "0 524288 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"
dmsetup resume cache
- try resuming the cache again. An unexpected BUG_ON is triggered while loading cache mappings.
dmsetup resume cache
Kernel logs:
(snip)
------------[ cut here ]------------
kernel BUG at drivers/md/dm-cache-policy-smq.c:752!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 332 Comm: dmsetup Not tainted 6.13.4 #3
RIP: 0010:smq_load_mapping+0x3e5/0x570
Fix by disallowing resume operations for devices that failed the initial attempt.
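The failure mode and the guard can be seen in a small user-space model. This is an added example, not the kernel's code or the upstream patch. The struct, its field names, PER_ABLOCK and the choice of -EEXIST to stand in for the BUG_ON are assumptions made for illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

#define NR_BLOCKS  512   /* matches nr_cache_blocks in the reproducer */
#define PER_ABLOCK 256   /* constructed value: mappings per array block */

struct cache {
    bool allocated[NR_BLOCKS]; /* stand-in for the policy object's entries */
    bool sized;                /* a resume has started initialising the policy */
    bool loaded_mappings;      /* every mapping was loaded */
    int  bad_ablock;           /* wiped array block, -1 if none */
};

/* Returns -EEXIST where a kernel policy would assert (BUG_ON). */
static int policy_load_mapping(struct cache *c, int cblock)
{
    if (c->allocated[cblock])
        return -EEXIST;
    c->allocated[cblock] = true;
    return 0;
}

/* guarded=true applies the rule from the fix: no retry after a failed resume. */
static int cache_resume(struct cache *c, bool guarded)
{
    if (guarded && c->sized && !c->loaded_mappings)
        return -EINVAL;
    if (c->loaded_mappings)
        return 0;
    c->sized = true;
    for (int b = 0; b < NR_BLOCKS; b++) {
        if (b / PER_ABLOCK == c->bad_ablock)
            return -EIO;       /* unreadable array block aborts the walk */
        int r = policy_load_mapping(c, b);
        if (r)
            return r;
    }
    c->loaded_mappings = true;
    return 0;
}

int main(void)
{
    struct cache a = { .bad_ablock = 1 }, b = { .bad_ablock = 1 };
    int a1 = cache_resume(&a, false), a2 = cache_resume(&a, false);
    int b1 = cache_resume(&b, true), b2 = cache_resume(&b, true);
    printf("unguarded: %d then %d\n", a1, a2);
    printf("guarded:   %d then %d\n", b1, b2);
    return 0;
}
```

In the unguarded run the second resume re-enters a policy whose first array block is already populated; in the guarded run it is rejected before any mapping is touched.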
Reference
https://git.kernel.org/stable/c/00586b78eeb7c626a14ca13453a1631f88a7cf36
https://git.kernel.org/stable/c/025c8f477625eb39006ded650e7d027bcfb20e79
https://git.kernel.org/stable/c/3986ef4a9b6a0d9c28bc325d8713beba5e67586f
https://git.kernel.org/stable/c/5da692e2262b8f81993baa9592f57d12c2703dea
https://git.kernel.org/stable/c/c5356a5e80442131e2714d0d26bb110590e4e568
https://git.kernel.org/stable/c/c614584c2a66b538f469089ac089457a34590c14
https://git.kernel.org/stable/c/cc80a5cc520939d0a7d071cc4ae4b3c55ef171d0
https://git.kernel.org/stable/c/f3128e3074e8af565cc6a66fe3384a56df87f803
Related CNNVD
CNNVD-202506-2199 (Published: 2025-06-18)