CVE-2025-38066

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-38066
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38066.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-38066
Downstream
Published
2025-06-18T09:33:44.877Z
Modified
2026-05-15T11:53:46.170479129Z
Summary
dm cache: prevent BUG_ON by blocking retries on failed device resumes
Details

In the Linux kernel, the following vulnerability has been resolved:

dm cache: prevent BUG_ON by blocking retries on failed device resumes

A cache device failing to resume due to mapping errors should not be retried, as the failure leaves a partially initialized policy object. Repeating the resume operation risks triggering BUG_ON when reloading cache mappings into the incomplete policy object.

Reproduce steps:

  1. create a cache metadata consisting of 512 or more cache blocks, with some mappings stored in the first array block of the mapping array. Here we use cache_restore v1.0 to build the metadata.

cat <<EOF >> cmeta.xml <superblock uuid="" block_size="128" nr_cache_blocks="512" \ policy="smq" hint_width="4"> <mappings> <mapping cache_block="0" origin_block="0" dirty="false"/> </mappings> </superblock> EOF dmsetup create cmeta --table "0 8192 linear /dev/sdc 0" cache_restore -i cmeta.xml -o /dev/mapper/cmeta --metadata-version=2 dmsetup remove cmeta

  1. wipe the second array block of the mapping array to simulate data degradations.

mappingroot=$(dd if=/dev/sdc bs=1c count=8 skip=192 \ 2>/dev/null | hexdump -e '1/8 "%u\n"') ablock=$(dd if=/dev/sdc bs=1c count=8 skip=$((4096*mappingroot+2056)) \ 2>/dev/null | hexdump -e '1/8 "%u\n"') dd if=/dev/zero of=/dev/sdc bs=4k count=1 seek=$ablock

  1. try bringing up the cache device. The resume is expected to fail due to the broken array block.

dmsetup create cmeta --table "0 8192 linear /dev/sdc 0" dmsetup create cdata --table "0 65536 linear /dev/sdc 8192" dmsetup create corig --table "0 524288 linear /dev/sdc 262144" dmsetup create cache --notable dmsetup load cache --table "0 524288 cache /dev/mapper/cmeta \ /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0" dmsetup resume cache

  1. try resuming the cache again. An unexpected BUG_ON is triggered while loading cache mappings.

dmsetup resume cache

Kernel logs:

(snip) ------------[ cut here ]------------ kernel BUG at drivers/md/dm-cache-policy-smq.c:752! Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI CPU: 0 UID: 0 PID: 332 Comm: dmsetup Not tainted 6.13.4 #3 RIP: 0010:smqloadmapping+0x3e5/0x570

Fix by disallowing resume operations for devices that failed the initial attempt.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38066.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.2.0
Fixed
5.4.294
Type
ECOSYSTEM
Events
Introduced
5.5.0
Fixed
5.10.238
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.185
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.141
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.93
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.31
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.14.9

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38066.json"