CVE-2025-21664

MEDIUM EPSS 11.2%
Published Jan 21, 20251y ago · Modified Jun 17, 20262w ago
5.5 CVSS 3.1
Medium
Find Similar
Published Jan 21, 2025 1y ago
Last Modified Jun 17, 2026 2w ago

Description

In the Linux kernel, the following vulnerability has been resolved: dm thin: make get_first_thin use rcu-safe list first function The documentation in rculist.h explains the absence of list_empty_rcu() and cautions programmers against relying on a list_empty() -> list_first() sequence in RCU safe code. This is because each of these functions performs its own READ_ONCE() of the list head. This can lead to a situation where the list_empty() sees a valid list entry, but the subsequent list_first() sees a different view of list head state after a modification. In the case of dm-thin, this author had a production box crash from a GP fault in the process_deferred_bios path. This function saw a valid list head in get_first_thin() but when it subsequently dereferenced that and turned it into a thin_c, it got the inside of the struct pool, since the list was now empty and referring to itself. The kernel on which this occurred printed both a warning about a refcount_t being saturated, and a UBSAN error for an out-of-bounds cpuid access in the queued spinlock, prior to the fault itself. When the resulting kdump was examined, it was possible to see another thread patiently waiting in thin_dtr's synchronize_rcu. The thin_dtr call managed to pull the thin_c out of the active thins list (and have it be the last entry in the active_thins list) at just the wrong moment which lead to this crash. Fortunately, the fix here is straight forward. Switch get_first_thin() function to use list_first_or_null_rcu() which performs just a single READ_ONCE() and returns NULL if the list is already empty. This was run against the devicemapper test suite's thin-provisioning suites for delete and suspend and no regressions were observed.

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
11.2% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Affected Products 18

VendorProductVersionRange
linuxlinux_kernel*≥3.15.1  –  <5.4.290
linuxlinux_kernel*≥5.5  –  <5.10.234
linuxlinux_kernel*≥5.11  –  <5.15.177
linuxlinux_kernel*≥5.16  –  <6.1.125
linuxlinux_kernel*≥6.2  –  <6.6.72
linuxlinux_kernel*≥6.7  –  <6.12.10
linuxlinux_kernel3.15any
linuxlinux_kernel3.15any
linuxlinux_kernel3.15any
linuxlinux_kernel3.15any
linuxlinux_kernel3.15any
linuxlinux_kernel3.15any
linuxlinux_kernel6.13any
linuxlinux_kernel6.13any
linuxlinux_kernel6.13any
linuxlinux_kernel6.13any
linuxlinux_kernel6.13any
linuxlinux_kernel6.13any

References 10

  • cert-portal.siemens.com https://cert-portal.siemens.com/productcert/html/ssa-265688.html
  • git.kernel.org https://git.kernel.org/stable/c/12771050b6d059eea096993bf2001da9da9fddff
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/6b305e98de0d225ccebfb225730a9f560d28ecb0
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/802666a40c71a23542c43a3f87e3a2d0f4e8fe45
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/80f130bfad1dab93b95683fc39b87235682b8f72
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/cbd0d5ecfa390ac29c5380200147d09c381b2ac6
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/cd30a3960433ec2db94b3689752fa3c5df44d649
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ec037fe8c0d0f6140e3d8a49c7b29cb5582160b8
    Patch
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/12771050b6d059eea096993bf2001da9da9fddff
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/6b305e98de0d225ccebfb225730a9f560d28ecb0
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/802666a40c71a23542c43a3f87e3a2d0f4e8fe45
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/80f130bfad1dab93b95683fc39b87235682b8f72
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/cbd0d5ecfa390ac29c5380200147d09c381b2ac6
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/cd30a3960433ec2db94b3689752fa3c5df44d649
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ec037fe8c0d0f6140e3d8a49c7b29cb5582160b8
    Patch