CVE-2025-40134

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
12/11/2025
Last modified:
12/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

dm: fix NULL pointer dereference in __dm_suspend()

There is a race condition between dm device suspend and table load that can lead to null pointer dereference. The issue occurs when suspend is invoked before table load completes:

    BUG: kernel NULL pointer dereference, address: 0000000000000054
    Oops: 0000 [#1] PREEMPT SMP PTI
    CPU: 6 PID: 6798 Comm: dmsetup Not tainted 6.6.0-g7e52f5f0ca9b #62
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014
    RIP: 0010:blk_mq_wait_quiesce_done+0x0/0x50
    Call Trace:
     blk_mq_quiesce_queue+0x2c/0x50
     dm_stop_queue+0xd/0x20
     __dm_suspend+0x130/0x330
     dm_suspend+0x11a/0x180
     dev_suspend+0x27e/0x560
     ctl_ioctl+0x4cf/0x850
     dm_ctl_ioctl+0xd/0x20
     vfs_ioctl+0x1d/0x50
     __se_sys_ioctl+0x9b/0xc0
     __x64_sys_ioctl+0x19/0x30
     x64_sys_call+0x2c4a/0x4620
     do_syscall_64+0x9e/0x1b0

The issue can be triggered as below:

    T1                                        T2
    dm_suspend                                table_load
    __dm_suspend                              dm_setup_md_queue
                                              dm_mq_init_request_queue
                                              blk_mq_init_allocated_queue
                                              => q->mq_ops = set->ops; (1)
    dm_stop_queue / dm_wait_for_completion
    => q->tag_set NULL pointer! (2)
                                              => q->tag_set = set; (3)

Fix this by checking if a valid table (map) exists before performing request-based suspend and waiting for target I/O. When map is NULL, skip these table-dependent suspend steps.

Even when map is NULL, no I/O can reach any target because there is no table loaded; I/O submitted in this state will fail early in the DM layer. Skipping the table-dependent suspend logic in this case is safe and avoids NULL pointer dereferences.
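For crash triage, the following added example (not part of the advisory or of the kernel patch) parses kernel log text into oops reports and flags those whose faulting symbol and suspend frame match the trace quoted above. The function names `parse_oopses` and `matches_dm_suspend_race`, the timestamps, and the second report in the sample are assumptions made for illustration; a match is a heuristic signature hit, not proof that the crash is this bug.

```python
import re

# Signature from the oops quoted in the advisory; offsets vary per build.
RIP_SYMBOL, SUSPEND_FRAME = "blk_mq_wait_quiesce_done", "__dm_suspend"
PREFIX = re.compile(r"^\s*(?:\[\s*\d+\.\d+\]\s*)?")  # optional dmesg timestamp
RIP = re.compile(r"^RIP: [0-9a-f]+:([\w.]+)\+0x")
FRAME = re.compile(r"^\??\s*([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
COMM = re.compile(r"\bComm: (\S+)")

def parse_oopses(log_text):
    """Split a kernel log into one record per NULL-dereference report."""
    reports, cur = [], None
    for raw in log_text.splitlines():
        line = PREFIX.sub("", raw, count=1).strip()
        if line.startswith("BUG: kernel NULL pointer dereference"):
            cur = {"rip": None, "comm": None, "frames": []}
            reports.append(cur)
        elif cur is None:
            continue                      # text outside any report
        elif line.startswith("---[ end trace"):
            cur = None                    # report finished
        elif m := RIP.match(line):
            cur["rip"] = cur["rip"] or m.group(1)   # keep the first (kernel) RIP
        elif m := COMM.search(line):
            cur["comm"] = m.group(1)
        elif m := FRAME.match(line):
            cur["frames"].append(m.group(1))
    return reports

def matches_dm_suspend_race(report):
    """Heuristic match only: faulting symbol plus the suspend frame."""
    return report["rip"] == RIP_SYMBOL and SUSPEND_FRAME in report["frames"]

# Constructed sample: report 1 reuses the advisory's frames; report 2 is invented.
SAMPLE_LOG = """\
[  812.101010] BUG: kernel NULL pointer dereference, address: 0000000000000054
[  812.101030] CPU: 6 PID: 6798 Comm: dmsetup Not tainted 6.6.0-g7e52f5f0ca9b #62
[  812.101040] RIP: 0010:blk_mq_wait_quiesce_done+0x0/0x50
[  812.101070]  dm_stop_queue+0xd/0x20
[  812.101080]  __dm_suspend+0x130/0x330
[  812.101100] ---[ end trace 0000000000000000 ]---
[  990.000010] BUG: kernel NULL pointer dereference, address: 0000000000000010
[  990.000020] CPU: 1 PID: 4242 Comm: example_tool Not tainted 6.6.0 #1
[  990.000030] RIP: 0010:example_driver_read+0x1c/0x80
"""

if __name__ == "__main__":
    for r in parse_oopses(SAMPLE_LOG):
        print(r["comm"], r["rip"], "MATCH" if matches_dm_suspend_race(r) else "-")
```

Matching on symbol names rather than offsets keeps the check stable across kernel builds, since the `+0x.../0x...` values change with every compile.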

Impact