{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-40134","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T07:20:57.170Z","datePublished":"2025-11-12T10:23:22.771Z","dateUpdated":"2026-05-11T21:43:24.586Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:43:24.586Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ndm: fix NULL pointer dereference in __dm_suspend()\n\nThere is a race condition between dm device suspend and table load that\ncan lead to null pointer dereference. The issue occurs when suspend is\ninvoked before table load completes:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000054\nOops: 0000 [#1] PREEMPT SMP PTI\nCPU: 6 PID: 6798 Comm: dmsetup Not tainted 6.6.0-g7e52f5f0ca9b #62\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014\nRIP: 0010:blk_mq_wait_quiesce_done+0x0/0x50\nCall Trace:\n  <TASK>\n  blk_mq_quiesce_queue+0x2c/0x50\n  dm_stop_queue+0xd/0x20\n  __dm_suspend+0x130/0x330\n  dm_suspend+0x11a/0x180\n  dev_suspend+0x27e/0x560\n  ctl_ioctl+0x4cf/0x850\n  dm_ctl_ioctl+0xd/0x20\n  vfs_ioctl+0x1d/0x50\n  __se_sys_ioctl+0x9b/0xc0\n  __x64_sys_ioctl+0x19/0x30\n  x64_sys_call+0x2c4a/0x4620\n  do_syscall_64+0x9e/0x1b0\n\nThe issue can be triggered as below:\n\nT1 \t\t\t\t\t\tT2\ndm_suspend\t\t\t\t\ttable_load\n__dm_suspend\t\t\t\t\tdm_setup_md_queue\n\t\t\t\t\t\tdm_mq_init_request_queue\n\t\t\t\t\t\tblk_mq_init_allocated_queue\n\t\t\t\t\t\t=> q->mq_ops = set->ops; (1)\ndm_stop_queue / dm_wait_for_completion\n=> q->tag_set NULL pointer!\t(2)\n\t\t\t\t\t\t=> q->tag_set = set; (3)\n\nFix this by checking if a valid table (map) exists before performing\nrequest-based suspend and waiting for target I/O. When map is NULL,\nskip these table-dependent suspend steps.\n\nEven when map is NULL, no I/O can reach any target because there is\nno table loaded; I/O submitted in this state will fail early in the\nDM layer. Skipping the table-dependent suspend logic in this case\nis safe and avoids NULL pointer dereferences."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/md/dm.c"],"versions":[{"version":"c4576aed8d85d808cd6443bda58393d525207d01","lessThan":"9dc43ea6a20ff83fe9a5fe4be47ae0fbf2409b98","status":"affected","versionType":"git"},{"version":"c4576aed8d85d808cd6443bda58393d525207d01","lessThan":"30f95b7eda5966b81cb221bd569c0f095a068cf6","status":"affected","versionType":"git"},{"version":"c4576aed8d85d808cd6443bda58393d525207d01","lessThan":"a0e54bd8d7ea79127fe9920df3ae36f85e79ac7c","status":"affected","versionType":"git"},{"version":"c4576aed8d85d808cd6443bda58393d525207d01","lessThan":"a802901b75e13cc306f1b7ab0f062135c8034e9e","status":"affected","versionType":"git"},{"version":"c4576aed8d85d808cd6443bda58393d525207d01","lessThan":"846cafc4725ca727d94f9c4b5f789c1a7c8fb6fe","status":"affected","versionType":"git"},{"version":"c4576aed8d85d808cd6443bda58393d525207d01","lessThan":"19ca4528666990be376ac3eb6fe667b03db5324d","status":"affected","versionType":"git"},{"version":"c4576aed8d85d808cd6443bda58393d525207d01","lessThan":"331c2dd8ca8bad1a3ac10cce847ffb76158eece4","status":"affected","versionType":"git"},{"version":"c4576aed8d85d808cd6443bda58393d525207d01","lessThan":"8d33a030c566e1f105cd5bf27f37940b6367f3be","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/md/dm.c"],"versions":[{"version":"5.0","status":"affected"},{"version":"0","lessThan":"5.0","status":"unaffected","versionType":"semver"},{"version":"5.4.301","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.246","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.195","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.156","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.112","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.53","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.17.3","lessThanOrEqual":"6.17.*","status":"unaffected","versionType":"semver"},{"version":"6.18","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.0","versionEndExcluding":"5.4.301"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.0","versionEndExcluding":"5.10.246"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.0","versionEndExcluding":"5.15.195"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.0","versionEndExcluding":"6.1.156"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.0","versionEndExcluding":"6.6.112"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.0","versionEndExcluding":"6.12.53"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.0","versionEndExcluding":"6.17.3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.0","versionEndExcluding":"6.18"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/9dc43ea6a20ff83fe9a5fe4be47ae0fbf2409b98"},{"url":"https://git.kernel.org/stable/c/30f95b7eda5966b81cb221bd569c0f095a068cf6"},{"url":"https://git.kernel.org/stable/c/a0e54bd8d7ea79127fe9920df3ae36f85e79ac7c"},{"url":"https://git.kernel.org/stable/c/a802901b75e13cc306f1b7ab0f062135c8034e9e"},{"url":"https://git.kernel.org/stable/c/846cafc4725ca727d94f9c4b5f789c1a7c8fb6fe"},{"url":"https://git.kernel.org/stable/c/19ca4528666990be376ac3eb6fe667b03db5324d"},{"url":"https://git.kernel.org/stable/c/331c2dd8ca8bad1a3ac10cce847ffb76158eece4"},{"url":"https://git.kernel.org/stable/c/8d33a030c566e1f105cd5bf27f37940b6367f3be"}],"title":"dm: fix NULL pointer dereference in __dm_suspend()","x_generator":{"engine":"bippy-1.2.0"}}}}