Acknowledged
Created: Jun 19, 2025
Updated: Jun 20, 2025
Found In Version: 10.24.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 24
Component/s: Kernel
In the Linux kernel, the following vulnerability has been resolved:

dm cache: prevent BUG_ON by blocking retries on failed device resumes

A cache device failing to resume due to mapping errors should not be
retried, as the failure leaves a partially initialized policy object.
Repeating the resume operation risks triggering BUG_ON when reloading
cache mappings into the incomplete policy object.

Reproduce steps:

1. create a cache metadata consisting of 512 or more cache blocks,
   with some mappings stored in the first array block of the mapping
   array. Here we use cache_restore v1.0 to build the metadata.

cat <<EOF >> cmeta.xml
<superblock uuid="" block_size="128" nr_cache_blocks="512" policy="smq" hint_width="4">
  <mappings>
    <mapping cache_block="0" origin_block="0" dirty="false"/>
  </mappings>
</superblock>
EOF
dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
cache_restore -i cmeta.xml -o /dev/mapper/cmeta --metadata-version=2
dmsetup remove cmeta

2. wipe the second array block of the mapping array to simulate
   data degradations.

mapping_root=$(dd if=/dev/sdc bs=1c count=8 skip=192 2>/dev/null | hexdump -e '1/8 "%u\n"')
ablock=$(dd if=/dev/sdc bs=1c count=8 skip=$((4096*mapping_root+2056)) 2>/dev/null | hexdump -e '1/8 "%u\n"')
dd if=/dev/zero of=/dev/sdc bs=4k count=1 seek=$ablock

3. try bringing up the cache device. The resume is expected to fail
   due to the broken array block.

dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
dmsetup create cdata --table "0 65536 linear /dev/sdc 8192"
dmsetup create corig --table "0 524288 linear /dev/sdc 262144"
dmsetup create cache --notable
dmsetup load cache --table "0 524288 cache /dev/mapper/cmeta /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"
dmsetup resume cache

4. try resuming the cache again. An unexpected BUG_ON is triggered
   while loading cache mappings.

dmsetup resume cache

Kernel logs:

(snip)
------------[ cut here ]------------
kernel BUG at drivers/md/dm-cache-policy-smq.c:752!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 332 Comm: dmsetup Not tainted 6.13.4 #3
RIP: 0010:smq_load_mapping+0x3e5/0x570

Fix by disallowing resume operations for devices that failed the
initial attempt.
CREATE(Triage):(User=lchen-cn) [CVE-2025-38066 (https://nvd.nist.gov/vuln/detail/CVE-2025-38066)
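The failure mode and the fix described above, as an added example: a simplified user-space model in C, not kernel code and not the upstream patch. All type, field and function names here are hypothetical, and the corrupt mapping index is a constructed fault.

```c
#include <stdbool.h>

enum { OK = 0, WOULD_BUG = -1, READ_ERR = -2, REFUSED = -3 };
#define NR_BLOCKS 4

/* Hypothetical stand-ins for the policy object and the cache target state. */
struct policy { bool allocated[NR_BLOCKS]; };
struct cache {
    struct policy pol;
    int bad_block;          /* constructed fault: unreadable mapping, -1 = none */
    bool resume_attempted;  /* a resume has already been tried */
    bool loaded_mappings;   /* every mapping was loaded successfully */
};

/* Where the real policy asserts with BUG_ON, this model returns WOULD_BUG. */
static int policy_load_mapping(struct policy *p, int cblock)
{
    if (p->allocated[cblock])
        return WOULD_BUG;
    p->allocated[cblock] = true;
    return OK;
}

/* Loads mappings in order; a read error leaves the policy half-populated. */
static int load_mappings(struct cache *c)
{
    for (int b = 0; b < NR_BLOCKS; b++) {
        if (b == c->bad_block)
            return READ_ERR;
        if (policy_load_mapping(&c->pol, b) != OK)
            return WOULD_BUG;
    }
    c->loaded_mappings = true;
    return OK;
}

/* Before the fix: every resume reloads into the same policy object. */
static int resume_unguarded(struct cache *c) { return load_mappings(c); }

/* Modeled fix: once the first attempt has failed, refuse any retry. */
static int resume_guarded(struct cache *c)
{
    if (c->loaded_mappings)
        return OK;
    if (c->resume_attempted)
        return REFUSED;
    c->resume_attempted = true;
    return load_mappings(c);
}
```

With `bad_block` set, the second `resume_unguarded()` call reaches an entry that the first call already allocated, which is the condition the kernel log above reports; `resume_guarded()` returns `REFUSED` before touching the policy.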