CVE-2025-38066

Severity (CVSS v4.0): Pending analysis
Type: Unavailable / Other
Publication date: 18/06/2025
Last modified: 17/12/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

dm cache: prevent BUG_ON by blocking retries on failed device resumes

A cache device failing to resume due to mapping errors should not be
retried, as the failure leaves a partially initialized policy object.
Repeating the resume operation risks triggering BUG_ON when reloading
cache mappings into the incomplete policy object.

Reproduce steps:

1. create a cache metadata consisting of 512 or more cache blocks,
with some mappings stored in the first array block of the mapping
array. Here we use cache_restore v1.0 to build the metadata.

cat cmeta.xml

EOF
dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
cache_restore -i cmeta.xml -o /dev/mapper/cmeta --metadata-version=2
dmsetup remove cmeta

2. wipe the second array block of the mapping array to simulate
data degradations.

mapping_root=$(dd if=/dev/sdc bs=1c count=8 skip=192 \
2>/dev/null | hexdump -e '1/8 "%u\n"')
ablock=$(dd if=/dev/sdc bs=1c count=8 skip=$((4096*mapping_root+2056)) \
2>/dev/null | hexdump -e '1/8 "%u\n"')
dd if=/dev/zero of=/dev/sdc bs=4k count=1 seek=$ablock

3. try bringing up the cache device. The resume is expected to fail
due to the broken array block.

dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
dmsetup create cdata --table "0 65536 linear /dev/sdc 8192"
dmsetup create corig --table "0 524288 linear /dev/sdc 262144"
dmsetup create cache --notable
dmsetup load cache --table "0 524288 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"
dmsetup resume cache

4. try resuming the cache again. An unexpected BUG_ON is triggered
while loading cache mappings.

dmsetup resume cache

Kernel logs:

(snip)
------------[ cut here ]------------
kernel BUG at drivers/md/dm-cache-policy-smq.c:752!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 332 Comm: dmsetup Not tainted 6.13.4 #3
RIP: 0010:smq_load_mapping+0x3e5/0x570

Fix by disallowing resume operations for devices that failed the
initial attempt.

Vulnerable products and versions

CPE                                               From              Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*                        5.4.294 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      5.5 (including)   5.10.238 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      5.11 (including)  5.15.185 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      5.16 (including)  6.1.141 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.2 (including)   6.6.93 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.7 (including)   6.12.31 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.13 (including)  6.14.9 (excluding)
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
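As an added check that is not part of the CVE record: a small script that compares a kernel release string (the format `uname -r` prints) against the affected mainline ranges in the table above. The range list is copied from the table; the parser only looks at the leading dotted numeric part of the release string, so distro suffixes such as `-generic` or `-rc1` are ignored.

```python
# Added example: is a given kernel release inside one of the affected ranges
# listed for CVE-2025-38066? Ranges are (from_inclusive, up_to_exclusive),
# copied from the advisory table; a lower bound of None means "every version
# below the upper bound". This is a version check only, not a fix check.
import re

AFFECTED_RANGES = [
    (None,   "5.4.294"),
    ("5.5",  "5.10.238"),
    ("5.11", "5.15.185"),
    ("5.16", "6.1.141"),
    ("6.2",  "6.6.93"),
    ("6.7",  "6.12.31"),
    ("6.13", "6.14.9"),
]


def parse_version(release):
    """Turn '6.13.4-arch1-1' or '5.4.293-generic' into a comparable tuple.

    Only the leading major.minor[.patch] part is used; anything after it
    (-rc1, -generic, +, build ids) is ignored. A missing patch level is 0.
    """
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def affected_range(release):
    """Return the (from, up_to) range covering the release, or None."""
    v = parse_version(release)
    for lo, hi in AFFECTED_RANGES:
        above_lo = lo is None or parse_version(lo) <= v
        if above_lo and v < parse_version(hi):
            return (lo, hi)
    return None


def is_affected(release):
    """True when the release falls inside an affected mainline range."""
    return affected_range(release) is not None


if __name__ == "__main__":
    import platform
    rel = platform.release()
    print(rel, "->", affected_range(rel) or "outside the listed ranges")
```

A match means the mainline version is in an affected range; distribution kernels (such as the Debian 11 entry in the table) often backport fixes without changing the version number, so confirm against the distro's changelog before treating a host as vulnerable.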