CVE-2025-38496

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-38496
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38496.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-38496
Downstream
Published
2025-07-28T12:15:31Z
Modified
2025-07-29T14:49:59.133204Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

dm-bufio: fix sched in atomic context

If "tryverifyintasklet" is set for dm-verity, DMBUFIOCLIENTNOSLEEP is enabled for dm-bufio. However, when bufio tries to evict buffers, there is a chance to trigger scheduling in spinlock_bh, the following warning is hit:

BUG: sleeping function called from invalid context at drivers/md/dm-bufio.c:2745 inatomic(): 1, irqsdisabled(): 0, nonblock: 0, pid: 123, name: kworker/2:2 preemptcount: 201, expected: 0 RCU nest depth: 0, expected: 0 4 locks held by kworker/2:2/123: #0: ffff88800a2d1548 ((wqcompletion)dmbufiocache){....}-{0:0}, at: processonework+0xe46/0x1970 #1: ffffc90000d97d20 ((workcompletion)(&dmbufioreplacementwork)){....}-{0:0}, at: processonework+0x763/0x1970 #2: ffffffff8555b528 (dmbufioclientslock){....}-{3:3}, at: doglobalcleanup+0x1ce/0x710 #3: ffff88801d5820b8 (&c->spinlock){....}-{2:2}, at: doglobalcleanup+0x2a5/0x710 Preemption disabled at: [<0000000000000000>] 0x0 CPU: 2 UID: 0 PID: 123 Comm: kworker/2:2 Not tainted 6.16.0-rc3-g90548c634bd0 #305 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 Workqueue: dmbufiocache doglobalcleanup Call Trace: <TASK> dumpstacklvl+0x53/0x70 _mightresched+0x360/0x4e0 doglobalcleanup+0x2f5/0x710 processonework+0x7db/0x1970 workerthread+0x518/0xea0 kthread+0x359/0x690 retfromfork+0xf3/0x1b0 retfromforkasm+0x1a/0x30 </TASK>

That can be reproduced by:

veritysetup format --data-block-size=4096 --hash-block-size=4096 /dev/vda /dev/vdb SIZE=$(blockdev --getsz /dev/vda) dmsetup create myverity -r --table "0 $SIZE verity 1 /dev/vda /dev/vdb 4096 4096 <data_blocks> 1 sha256 <root_hash> <salt> 1 tryverifyintasklet" mount /dev/dm-0 /mnt -o ro echo 102400 > /sys/module/dmbufio/parameters/maxcachesize_bytes [read files in /mnt]

References

Affected packages

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

6.*

6.12.38-1
6.13~rc6-1~exp1
6.13~rc7-1~exp1
6.13.2-1~exp1
6.13.3-1~exp1
6.13.4-1~exp1
6.13.5-1~exp1
6.13.6-1~exp1
6.13.7-1~exp1
6.13.8-1~exp1
6.13.9-1~exp1
6.13.10-1~exp1
6.13.11-1~exp1
6.14.3-1~exp1
6.14.5-1~exp1
6.14.6-1~exp1
6.15~rc7-1~exp1
6.15-1~exp1
6.15.1-1~exp1
6.15.2-1~exp1
6.15.3-1~exp1
6.15.4-1~exp1
6.15.5-1~exp1
6.15.6-1~exp1
6.16~rc7-1~exp1

Ecosystem specific

{
    "urgency": "not yet assigned"
}