CVE-2025-38066
Analyzed Analyzed - Analysis Complete
BaseFortify

Publication date: 2025-06-18

Last updated on: 2025-12-17

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: dm cache: prevent BUG_ON by blocking retries on failed device resumes A cache device failing to resume due to mapping errors should not be retried, as the failure leaves a partially initialized policy object. Repeating the resume operation risks triggering BUG_ON when reloading cache mappings into the incomplete policy object. Reproduce steps: 1. create a cache metadata consisting of 512 or more cache blocks, with some mappings stored in the first array block of the mapping array. Here we use cache_restore v1.0 to build the metadata. cat <<EOF >> cmeta.xml <superblock uuid="" block_size="128" nr_cache_blocks="512" \ policy="smq" hint_width="4"> <mappings> <mapping cache_block="0" origin_block="0" dirty="false"/> </mappings> </superblock> EOF dmsetup create cmeta --table "0 8192 linear /dev/sdc 0" cache_restore -i cmeta.xml -o /dev/mapper/cmeta --metadata-version=2 dmsetup remove cmeta 2. wipe the second array block of the mapping array to simulate data degradations. mapping_root=$(dd if=/dev/sdc bs=1c count=8 skip=192 \ 2>/dev/null | hexdump -e '1/8 "%u\n"') ablock=$(dd if=/dev/sdc bs=1c count=8 skip=$((4096*mapping_root+2056)) \ 2>/dev/null | hexdump -e '1/8 "%u\n"') dd if=/dev/zero of=/dev/sdc bs=4k count=1 seek=$ablock 3. try bringing up the cache device. The resume is expected to fail due to the broken array block. dmsetup create cmeta --table "0 8192 linear /dev/sdc 0" dmsetup create cdata --table "0 65536 linear /dev/sdc 8192" dmsetup create corig --table "0 524288 linear /dev/sdc 262144" dmsetup create cache --notable dmsetup load cache --table "0 524288 cache /dev/mapper/cmeta \ /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0" dmsetup resume cache 4. try resuming the cache again. An unexpected BUG_ON is triggered while loading cache mappings. dmsetup resume cache Kernel logs: (snip) ------------[ cut here ]------------ kernel BUG at drivers/md/dm-cache-policy-smq.c:752! Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI CPU: 0 UID: 0 PID: 332 Comm: dmsetup Not tainted 6.13.4 #3 RIP: 0010:smq_load_mapping+0x3e5/0x570 Fix by disallowing resume operations for devices that failed the initial attempt.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-06-18
Last Modified
2025-12-17
Generated
2026-05-07
AI Q&A
2025-06-18
EPSS Evaluated
2026-05-05
NVD
CVE-2025-38066
Affected Vendors & Products
Showing 8 associated CPEs
Vendor Product Version / Range
linux linux_kernel to 5.4.294 (exc)
linux linux_kernel From 5.5 (inc) to 5.10.238 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.185 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.141 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.93 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.31 (exc)
linux linux_kernel From 6.13 (inc) to 6.14.9 (exc)
debian debian_linux 11.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-617 The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability occurs in the Linux kernel's device mapper cache (dm cache) where a cache device that fails to resume due to mapping errors can cause a kernel BUG_ON error. When a cache device resume operation fails, it leaves a partially initialized policy object. If the system retries the resume operation, it risks triggering a BUG_ON error because the cache mappings are reloaded into this incomplete policy object. The issue arises from retrying resume operations on devices that have already failed, which can cause kernel crashes.


How can this vulnerability impact me? :

This vulnerability can cause the Linux kernel to crash (trigger a BUG_ON), leading to system instability or downtime. If a cache device fails to resume and the system retries the operation, it can cause a kernel panic, potentially disrupting services and requiring a system reboot to recover. This can impact system availability and reliability.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by attempting to resume a cache device that has corrupted or partially initialized cache metadata, which may trigger a kernel BUG_ON error. The provided reproduce steps include commands such as 'dmsetup create', 'cache_restore', and 'dmsetup resume' to simulate the failure. Monitoring kernel logs for BUG_ON messages related to dm-cache, specifically errors like 'kernel BUG at drivers/md/dm-cache-policy-smq.c' and 'Oops: invalid opcode', can indicate the presence of this issue.


What immediate steps should I take to mitigate this vulnerability?

The fix for this vulnerability is to disallow resume operations for cache devices that failed the initial resume attempt. Therefore, the immediate mitigation step is to ensure that the system or kernel version includes the patch that blocks retries on failed device resumes to prevent triggering BUG_ON. Until patched, avoid resuming cache devices that have experienced resume failures due to mapping errors.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart