{"id":"CVE-2025-38066","summary":"dm cache: prevent BUG_ON by blocking retries on failed device resumes","details":"In the Linux kernel, the following vulnerability has been resolved:\n\ndm cache: prevent BUG_ON by blocking retries on failed device resumes\n\nA cache device failing to resume due to mapping errors should not be\nretried, as the failure leaves a partially initialized policy object.\nRepeating the resume operation risks triggering BUG_ON when reloading\ncache mappings into the incomplete policy object.\n\nReproduce steps:\n\n1. create a cache metadata consisting of 512 or more cache blocks,\n   with some mappings stored in the first array block of the mapping\n   array. Here we use cache_restore v1.0 to build the metadata.\n\ncat \u003c\u003cEOF \u003e\u003e cmeta.xml\n\u003csuperblock uuid=\"\" block_size=\"128\" nr_cache_blocks=\"512\" \\\npolicy=\"smq\" hint_width=\"4\"\u003e\n  \u003cmappings\u003e\n    \u003cmapping cache_block=\"0\" origin_block=\"0\" dirty=\"false\"/\u003e\n  \u003c/mappings\u003e\n\u003c/superblock\u003e\nEOF\ndmsetup create cmeta --table \"0 8192 linear /dev/sdc 0\"\ncache_restore -i cmeta.xml -o /dev/mapper/cmeta --metadata-version=2\ndmsetup remove cmeta\n\n2. wipe the second array block of the mapping array to simulate\n   data degradations.\n\nmapping_root=$(dd if=/dev/sdc bs=1c count=8 skip=192 \\\n2\u003e/dev/null | hexdump -e '1/8 \"%u\\n\"')\nablock=$(dd if=/dev/sdc bs=1c count=8 skip=$((4096*mapping_root+2056)) \\\n2\u003e/dev/null | hexdump -e '1/8 \"%u\\n\"')\ndd if=/dev/zero of=/dev/sdc bs=4k count=1 seek=$ablock\n\n3. try bringing up the cache device. The resume is expected to fail\n   due to the broken array block.\n\ndmsetup create cmeta --table \"0 8192 linear /dev/sdc 0\"\ndmsetup create cdata --table \"0 65536 linear /dev/sdc 8192\"\ndmsetup create corig --table \"0 524288 linear /dev/sdc 262144\"\ndmsetup create cache --notable\ndmsetup load cache --table \"0 524288 cache /dev/mapper/cmeta \\\n/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0\"\ndmsetup resume cache\n\n4. try resuming the cache again. An unexpected BUG_ON is triggered\n   while loading cache mappings.\n\ndmsetup resume cache\n\nKernel logs:\n\n(snip)\n------------[ cut here ]------------\nkernel BUG at drivers/md/dm-cache-policy-smq.c:752!\nOops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI\nCPU: 0 UID: 0 PID: 332 Comm: dmsetup Not tainted 6.13.4 #3\nRIP: 0010:smq_load_mapping+0x3e5/0x570\n\nFix by disallowing resume operations for devices that failed the\ninitial attempt.","modified":"2026-05-15T11:53:46.170479129Z","published":"2025-06-18T09:33:44.877Z","database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38066.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/00586b78eeb7c626a14ca13453a1631f88a7cf36"},{"type":"WEB","url":"https://git.kernel.org/stable/c/025c8f477625eb39006ded650e7d027bcfb20e79"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3986ef4a9b6a0d9c28bc325d8713beba5e67586f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5da692e2262b8f81993baa9592f57d12c2703dea"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c5356a5e80442131e2714d0d26bb110590e4e568"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c614584c2a66b538f469089ac089457a34590c14"},{"type":"WEB","url":"https://git.kernel.org/stable/c/cc80a5cc520939d0a7d071cc4ae4b3c55ef171d0"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f3128e3074e8af565cc6a66fe3384a56df87f803"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38066.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38066"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"4.2.0"},{"fixed":"5.4.294"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.5.0"},{"fixed":"5.10.238"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.185"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.141"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.93"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.31"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.14.9"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38066.json"}}],"schema_version":"1.7.5"}