{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-38066","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T04:51:23.980Z","datePublished":"2025-06-18T09:33:44.877Z","dateUpdated":"2026-05-11T21:20:36.681Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:20:36.681Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ndm cache: prevent BUG_ON by blocking retries on failed device resumes\n\nA cache device failing to resume due to mapping errors should not be\nretried, as the failure leaves a partially initialized policy object.\nRepeating the resume operation risks triggering BUG_ON when reloading\ncache mappings into the incomplete policy object.\n\nReproduce steps:\n\n1. create a cache metadata consisting of 512 or more cache blocks,\n   with some mappings stored in the first array block of the mapping\n   array. Here we use cache_restore v1.0 to build the metadata.\n\ncat <<EOF >> cmeta.xml\n<superblock uuid=\"\" block_size=\"128\" nr_cache_blocks=\"512\" \\\npolicy=\"smq\" hint_width=\"4\">\n  <mappings>\n    <mapping cache_block=\"0\" origin_block=\"0\" dirty=\"false\"/>\n  </mappings>\n</superblock>\nEOF\ndmsetup create cmeta --table \"0 8192 linear /dev/sdc 0\"\ncache_restore -i cmeta.xml -o /dev/mapper/cmeta --metadata-version=2\ndmsetup remove cmeta\n\n2. wipe the second array block of the mapping array to simulate\n   data degradations.\n\nmapping_root=$(dd if=/dev/sdc bs=1c count=8 skip=192 \\\n2>/dev/null | hexdump -e '1/8 \"%u\\n\"')\nablock=$(dd if=/dev/sdc bs=1c count=8 skip=$((4096*mapping_root+2056)) \\\n2>/dev/null | hexdump -e '1/8 \"%u\\n\"')\ndd if=/dev/zero of=/dev/sdc bs=4k count=1 seek=$ablock\n\n3. try bringing up the cache device. The resume is expected to fail\n   due to the broken array block.\n\ndmsetup create cmeta --table \"0 8192 linear /dev/sdc 0\"\ndmsetup create cdata --table \"0 65536 linear /dev/sdc 8192\"\ndmsetup create corig --table \"0 524288 linear /dev/sdc 262144\"\ndmsetup create cache --notable\ndmsetup load cache --table \"0 524288 cache /dev/mapper/cmeta \\\n/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0\"\ndmsetup resume cache\n\n4. try resuming the cache again. An unexpected BUG_ON is triggered\n   while loading cache mappings.\n\ndmsetup resume cache\n\nKernel logs:\n\n(snip)\n------------[ cut here ]------------\nkernel BUG at drivers/md/dm-cache-policy-smq.c:752!\nOops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI\nCPU: 0 UID: 0 PID: 332 Comm: dmsetup Not tainted 6.13.4 #3\nRIP: 0010:smq_load_mapping+0x3e5/0x570\n\nFix by disallowing resume operations for devices that failed the\ninitial attempt."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/md/dm-cache-target.c"],"versions":[{"version":"66a636356647a9be8885c2ce2948de126577698a","lessThan":"c614584c2a66b538f469089ac089457a34590c14","status":"affected","versionType":"git"},{"version":"66a636356647a9be8885c2ce2948de126577698a","lessThan":"c5356a5e80442131e2714d0d26bb110590e4e568","status":"affected","versionType":"git"},{"version":"66a636356647a9be8885c2ce2948de126577698a","lessThan":"025c8f477625eb39006ded650e7d027bcfb20e79","status":"affected","versionType":"git"},{"version":"66a636356647a9be8885c2ce2948de126577698a","lessThan":"00586b78eeb7c626a14ca13453a1631f88a7cf36","status":"affected","versionType":"git"},{"version":"66a636356647a9be8885c2ce2948de126577698a","lessThan":"3986ef4a9b6a0d9c28bc325d8713beba5e67586f","status":"affected","versionType":"git"},{"version":"66a636356647a9be8885c2ce2948de126577698a","lessThan":"cc80a5cc520939d0a7d071cc4ae4b3c55ef171d0","status":"affected","versionType":"git"},{"version":"66a636356647a9be8885c2ce2948de126577698a","lessThan":"f3128e3074e8af565cc6a66fe3384a56df87f803","status":"affected","versionType":"git"},{"version":"66a636356647a9be8885c2ce2948de126577698a","lessThan":"5da692e2262b8f81993baa9592f57d12c2703dea","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/md/dm-cache-target.c"],"versions":[{"version":"4.2","status":"affected"},{"version":"0","lessThan":"4.2","status":"unaffected","versionType":"semver"},{"version":"5.4.294","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.238","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.185","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.141","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.93","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.31","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.14.9","lessThanOrEqual":"6.14.*","status":"unaffected","versionType":"semver"},{"version":"6.15","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.2","versionEndExcluding":"5.4.294"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.2","versionEndExcluding":"5.10.238"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.2","versionEndExcluding":"5.15.185"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.2","versionEndExcluding":"6.1.141"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.2","versionEndExcluding":"6.6.93"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.2","versionEndExcluding":"6.12.31"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.2","versionEndExcluding":"6.14.9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.2","versionEndExcluding":"6.15"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/c614584c2a66b538f469089ac089457a34590c14"},{"url":"https://git.kernel.org/stable/c/c5356a5e80442131e2714d0d26bb110590e4e568"},{"url":"https://git.kernel.org/stable/c/025c8f477625eb39006ded650e7d027bcfb20e79"},{"url":"https://git.kernel.org/stable/c/00586b78eeb7c626a14ca13453a1631f88a7cf36"},{"url":"https://git.kernel.org/stable/c/3986ef4a9b6a0d9c28bc325d8713beba5e67586f"},{"url":"https://git.kernel.org/stable/c/cc80a5cc520939d0a7d071cc4ae4b3c55ef171d0"},{"url":"https://git.kernel.org/stable/c/f3128e3074e8af565cc6a66fe3384a56df87f803"},{"url":"https://git.kernel.org/stable/c/5da692e2262b8f81993baa9592f57d12c2703dea"}],"title":"dm cache: prevent BUG_ON by blocking retries on failed device resumes","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"title":"CVE Program Container","references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"},{"url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T17:33:34.607Z"}}]}}