CVE-2025-38496
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-38496
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38496.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-38496
- Downstream
- Related
- Published
- 2025-07-28T11:22:05Z
- Modified
- 2025-10-10T14:53:11.319415Z
- Summary
- dm-bufio: fix sched in atomic context
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
dm-bufio: fix sched in atomic context
If "tryverifyintasklet" is set for dm-verity, DMBUFIOCLIENTNOSLEEP is enabled for dm-bufio. However, when bufio tries to evict buffers, there is a chance to trigger scheduling in spinlock_bh, the following warning is hit:
BUG: sleeping function called from invalid context at drivers/md/dm-bufio.c:2745 inatomic(): 1, irqsdisabled(): 0, nonblock: 0, pid: 123, name: kworker/2:2 preemptcount: 201, expected: 0 RCU nest depth: 0, expected: 0 4 locks held by kworker/2:2/123: #0: ffff88800a2d1548 ((wqcompletion)dmbufiocache){....}-{0:0}, at: processonework+0xe46/0x1970 #1: ffffc90000d97d20 ((workcompletion)(&dmbufioreplacementwork)){....}-{0:0}, at: processonework+0x763/0x1970 #2: ffffffff8555b528 (dmbufioclientslock){....}-{3:3}, at: doglobalcleanup+0x1ce/0x710 #3: ffff88801d5820b8 (&c->spinlock){....}-{2:2}, at: doglobalcleanup+0x2a5/0x710 Preemption disabled at: [<0000000000000000>] 0x0 CPU: 2 UID: 0 PID: 123 Comm: kworker/2:2 Not tainted 6.16.0-rc3-g90548c634bd0 #305 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 Workqueue: dmbufiocache doglobalcleanup Call Trace: <TASK> dumpstacklvl+0x53/0x70 _mightresched+0x360/0x4e0 doglobalcleanup+0x2f5/0x710 processonework+0x7db/0x1970 workerthread+0x518/0xea0 kthread+0x359/0x690 retfromfork+0xf3/0x1b0 retfromforkasm+0x1a/0x30 </TASK>
That can be reproduced by:
veritysetup format --data-block-size=4096 --hash-block-size=4096 /dev/vda /dev/vdb SIZE=$(blockdev --getsz /dev/vda) dmsetup create myverity -r --table "0 $SIZE verity 1 /dev/vda /dev/vdb 4096 4096 <data_blocks> 1 sha256 <root_hash> <salt> 1 tryverifyintasklet" mount /dev/dm-0 /mnt -o ro echo 102400 > /sys/module/dmbufio/parameters/maxcachesize_bytes [read files in /mnt]
- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/3edfdb1d4ef81320dae0caa40bc24baf8c1bbb86
- https://git.kernel.org/stable/c/469a39a33a9934af157299bf11c58f6e6cb53f85
- https://git.kernel.org/stable/c/68860d1ade385eef9fcdbf6552f061283091fdb8
- https://git.kernel.org/stable/c/b1bf1a782fdf5c482215c0c661b5da98b8e75773
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced450e8dee51aa6fa1dd0f64073e88235f1a77b035Fixed469a39a33a9934af157299bf11c58f6e6cb53f85
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced450e8dee51aa6fa1dd0f64073e88235f1a77b035Fixed68860d1ade385eef9fcdbf6552f061283091fdb8
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced450e8dee51aa6fa1dd0f64073e88235f1a77b035Fixed3edfdb1d4ef81320dae0caa40bc24baf8c1bbb86
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced450e8dee51aa6fa1dd0f64073e88235f1a77b035Fixedb1bf1a782fdf5c482215c0c661b5da98b8e75773