CVE-2025-38496

If "tryverifyintasklet" is set for dm-verity, DMBUFIOCLIENTNOSLEEP is enabled for dm-bufio. However, when bufio tries to evict buffers, there is a chance to trigger scheduling in spinlock_bh, the following warning is hit:

BUG: sleeping function called from invalid context at drivers/md/dm-bufio.c:2745 inatomic(): 1, irqsdisabled(): 0, nonblock: 0, pid: 123, name: kworker/2:2 preemptcount: 201, expected: 0 RCU nest depth: 0, expected: 0 4 locks held by kworker/2:2/123: #0: ffff88800a2d1548 ((wqcompletion)dmbufiocache){....}-{0:0}, at: processonework+0xe46/0x1970 #1: ffffc90000d97d20 ((workcompletion)(&dmbufioreplacementwork)){....}-{0:0}, at: processonework+0x763/0x1970 #2: ffffffff8555b528 (dmbufioclientslock){....}-{3:3}, at: doglobalcleanup+0x1ce/0x710 #3: ffff88801d5820b8 (&c->spinlock){....}-{2:2}, at: doglobalcleanup+0x2a5/0x710 Preemption disabled at: [<0000000000000000>] 0x0 CPU: 2 UID: 0 PID: 123 Comm: kworker/2:2 Not tainted 6.16.0-rc3-g90548c634bd0 #305 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 Workqueue: dmbufiocache doglobalcleanup Call Trace: <TASK> dumpstacklvl+0x53/0x70 _mightresched+0x360/0x4e0 doglobalcleanup+0x2f5/0x710 processonework+0x7db/0x1970 workerthread+0x518/0xea0 kthread+0x359/0x690 retfromfork+0xf3/0x1b0 retfromforkasm+0x1a/0x30 </TASK>

That can be reproduced by:

veritysetup format --data-block-size=4096 --hash-block-size=4096 /dev/vda /dev/vdb SIZE=$(blockdev --getsz /dev/vda) dmsetup create myverity -r --table "0 $SIZE verity 1 /dev/vda /dev/vdb 4096 4096 <data_blocks> 1 sha256 <root_hash> <salt> 1 tryverifyintasklet" mount /dev/dm-0 /mnt -o ro echo 102400 > /sys/module/dmbufio/parameters/maxcachesize_bytes [read files in /mnt]

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

450e8dee51aa6fa1dd0f64073e88235f1a77b035

Fixed

469a39a33a9934af157299bf11c58f6e6cb53f85

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

450e8dee51aa6fa1dd0f64073e88235f1a77b035

Fixed

68860d1ade385eef9fcdbf6552f061283091fdb8

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

450e8dee51aa6fa1dd0f64073e88235f1a77b035

Fixed

3edfdb1d4ef81320dae0caa40bc24baf8c1bbb86

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

450e8dee51aa6fa1dd0f64073e88235f1a77b035

Fixed

b1bf1a782fdf5c482215c0c661b5da98b8e75773

Affected versions

v6.*

v6.10

v6.10-rc1

v6.10-rc2

v6.10-rc3

v6.10-rc4

v6.10-rc5

v6.10-rc6

v6.10-rc7

v6.11

v6.11-rc1

v6.11-rc2

v6.11-rc3

v6.11-rc4

v6.11-rc5

v6.11-rc6

v6.11-rc7

v6.12

v6.12-rc1

v6.12-rc2

v6.12-rc3

v6.12-rc4

v6.12-rc5

v6.12-rc6

v6.12-rc7

v6.12.1

v6.12.10

v6.12.11

v6.12.12

v6.12.13

v6.12.14

v6.12.15

v6.12.16

v6.12.17

v6.12.18

v6.12.19

v6.12.2

v6.12.20

v6.12.21

v6.12.22

v6.12.23

v6.12.24

v6.12.25

v6.12.26

v6.12.27

v6.12.28

v6.12.29

v6.12.3

v6.12.30

v6.12.31

v6.12.32

v6.12.33

v6.12.34

v6.12.35

v6.12.36

v6.12.37

v6.12.38

v6.12.39

v6.12.4

v6.12.5

v6.12.6

v6.12.7

v6.12.8

v6.12.9

v6.13

v6.13-rc1

v6.13-rc2

v6.13-rc3

v6.13-rc4

v6.13-rc5

v6.13-rc6

v6.13-rc7

v6.14

v6.14-rc1

v6.14-rc2

v6.14-rc3

v6.14-rc4

v6.14-rc5

v6.14-rc6

v6.14-rc7

v6.15

v6.15-rc1

v6.15-rc2

v6.15-rc3

v6.15-rc4

v6.15-rc5

v6.15-rc6

v6.15-rc7

v6.15.1

v6.15.2

v6.15.3

v6.15.4

v6.15.5

v6.15.6

v6.15.7

v6.16-rc1

v6.16-rc2

v6.16-rc3

v6.3

v6.3-rc5

v6.3-rc6

v6.3-rc7

v6.4

v6.4-rc1

v6.4-rc2

v6.4-rc3

v6.4-rc4

v6.4-rc5

v6.4-rc6

v6.4-rc7

v6.5

v6.5-rc1

v6.5-rc2

v6.5-rc3

v6.5-rc4

v6.5-rc5

v6.5-rc6

v6.5-rc7

v6.6

v6.6-rc1

v6.6-rc2

v6.6-rc3

v6.6-rc4

v6.6-rc5

v6.6-rc6

v6.6-rc7

v6.6.1

v6.6.10

v6.6.11

v6.6.12

v6.6.13

v6.6.14

v6.6.15

v6.6.16

v6.6.17

v6.6.18

v6.6.19

v6.6.2

v6.6.20

v6.6.21

v6.6.22

v6.6.23

v6.6.24

v6.6.25

v6.6.26

v6.6.27

v6.6.28

v6.6.29

v6.6.3

v6.6.30

v6.6.31

v6.6.32

v6.6.33

v6.6.34

v6.6.35

v6.6.36

v6.6.37

v6.6.38

v6.6.39

v6.6.4

v6.6.40

v6.6.41

v6.6.42

v6.6.43

v6.6.44

v6.6.45

v6.6.46

v6.6.47

v6.6.48

v6.6.49

v6.6.5

v6.6.50

v6.6.51

v6.6.52

v6.6.53

v6.6.54

v6.6.55

v6.6.56

v6.6.57

v6.6.58

v6.6.59

v6.6.6

v6.6.60

v6.6.61

v6.6.62

v6.6.63

v6.6.64

v6.6.65

v6.6.66

v6.6.67

v6.6.68

v6.6.69

v6.6.7

v6.6.70

v6.6.71

v6.6.72

v6.6.73

v6.6.74

v6.6.75

v6.6.76

v6.6.77

v6.6.78

v6.6.79

v6.6.8

v6.6.80

v6.6.81

v6.6.82

v6.6.83

v6.6.84

v6.6.85

v6.6.86

v6.6.87

v6.6.88

v6.6.89

v6.6.9

v6.6.90

v6.6.91

v6.6.92

v6.6.93

v6.6.94

v6.6.95

v6.6.96

v6.6.97

v6.6.98

v6.6.99

v6.7

v6.7-rc1

v6.7-rc2

v6.7-rc3

v6.7-rc4

v6.7-rc5

v6.7-rc6

v6.7-rc7

v6.7-rc8

v6.8

v6.8-rc1

v6.8-rc2

v6.8-rc3

v6.8-rc4

v6.8-rc5

v6.8-rc6

v6.8-rc7

v6.9

v6.9-rc1

v6.9-rc2

v6.9-rc3

v6.9-rc4

v6.9-rc5

v6.9-rc6

v6.9-rc7

Database specific

vanir_signatures

[
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b1bf1a782fdf5c482215c0c661b5da98b8e75773",
        "id": "CVE-2025-38496-29a92180",
        "deprecated": false,
        "target": {
            "file": "drivers/md/dm-bufio.c"
        },
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "323219390414068463283856188415384372011",
                "338520252223923924316549919479739353767",
                "308697858487507823246165643505724367339",
                "34172731608695445085839923664826652440"
            ]
        },
        "signature_type": "Line"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3edfdb1d4ef81320dae0caa40bc24baf8c1bbb86",
        "id": "CVE-2025-38496-46f21cd9",
        "deprecated": false,
        "target": {
            "function": "__evict_many",
            "file": "drivers/md/dm-bufio.c"
        },
        "signature_version": "v1",
        "digest": {
            "length": 456.0,
            "function_hash": "296064634259276918218819897656635767021"
        },
        "signature_type": "Function"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3edfdb1d4ef81320dae0caa40bc24baf8c1bbb86",
        "id": "CVE-2025-38496-8b4ad365",
        "deprecated": false,
        "target": {
            "file": "drivers/md/dm-bufio.c"
        },
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "280380512622805793174653291514634141422",
                "338520252223923924316549919479739353767",
                "67819458036856868796275595890864681251",
                "205594104042950090543362174898669127239"
            ]
        },
        "signature_type": "Line"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@469a39a33a9934af157299bf11c58f6e6cb53f85",
        "id": "CVE-2025-38496-91efea41",
        "deprecated": false,
        "target": {
            "file": "drivers/md/dm-bufio.c"
        },
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "280380512622805793174653291514634141422",
                "338520252223923924316549919479739353767",
                "67819458036856868796275595890864681251",
                "205594104042950090543362174898669127239"
            ]
        },
        "signature_type": "Line"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@68860d1ade385eef9fcdbf6552f061283091fdb8",
        "id": "CVE-2025-38496-cd4fde61",
        "deprecated": false,
        "target": {
            "file": "drivers/md/dm-bufio.c"
        },
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "280380512622805793174653291514634141422",
                "338520252223923924316549919479739353767",
                "67819458036856868796275595890864681251",
                "205594104042950090543362174898669127239"
            ]
        },
        "signature_type": "Line"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@469a39a33a9934af157299bf11c58f6e6cb53f85",
        "id": "CVE-2025-38496-d424f390",
        "deprecated": false,
        "target": {
            "function": "__evict_many",
            "file": "drivers/md/dm-bufio.c"
        },
        "signature_version": "v1",
        "digest": {
            "length": 456.0,
            "function_hash": "296064634259276918218819897656635767021"
        },
        "signature_type": "Function"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@68860d1ade385eef9fcdbf6552f061283091fdb8",
        "id": "CVE-2025-38496-f4eb6990",
        "deprecated": false,
        "target": {
            "function": "__evict_many",
            "file": "drivers/md/dm-bufio.c"
        },
        "signature_version": "v1",
        "digest": {
            "length": 456.0,
            "function_hash": "296064634259276918218819897656635767021"
        },
        "signature_type": "Function"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b1bf1a782fdf5c482215c0c661b5da98b8e75773",
        "id": "CVE-2025-38496-fb1e8bc0",
        "deprecated": false,
        "target": {
            "function": "__evict_a_few",
            "file": "drivers/md/dm-bufio.c"
        },
        "signature_version": "v1",
        "digest": {
            "length": 571.0,
            "function_hash": "313485541104238070570330075901431878872"
        },
        "signature_type": "Function"
    }
]

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.4.0

Fixed

6.6.100

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.12.40

Type: ECOSYSTEM
Events: Introduced

6.13.0

Fixed

6.15.8