Message-ID: <2025070333-CVE-2025-38141-560e@gregkh>
Date: Thu, 3 Jul 2025 10:35:58 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-38141: dm: fix dm_blk_report_zones
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
dm: fix dm_blk_report_zones
If dm_get_live_table() returned NULL, dm_put_live_table() was never
called. Also, it is possible that md->zone_revalidate_map will change
while calling this function. Only read it once, so that we are always
using the same value. Otherwise we might miss a call to
dm_put_live_table().
Finally, while md->zone_revalidate_map is set and a process is calling
blk_revalidate_disk_zones() to set up the zone append emulation
resources, it is possible that another process, perhaps triggered by
blkdev_report_zones_ioctl(), will call dm_blk_report_zones(). If
blk_revalidate_disk_zones() fails, these resources can be freed while
the other process is still using them, causing a use-after-free error.
blk_revalidate_disk_zones() will only ever be called when initially
setting up the zone append emulation resources, such as when setting up
a zoned dm-crypt table for the first time. Further table swaps will not
set md->zone_revalidate_map or call blk_revalidate_disk_zones().
However it must be called using the new table (referenced by
md->zone_revalidate_map) and the new queue limits while the DM device is
suspended. dm_blk_report_zones() needs some way to distinguish between a
call from blk_revalidate_disk_zones(), which must be allowed to use
md->zone_revalidate_map to access this not yet activated table, and all
other calls to dm_blk_report_zones(), which should not be allowed while
the device is suspended and cannot use md->zone_revalidate_map, since
the zone resources might be freed by the process currently calling
blk_revalidate_disk_zones().
Solve this by tracking the process that sets md->zone_revalidate_map in
dm_revalidate_zones() and only allowing that process to make use of it
in dm_blk_report_zones().
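The three defects the commit message lists (no dm_put_live_table() on the NULL path, two separate reads of md->zone_revalidate_map, and any task being allowed to use the not-yet-live table) can be modelled in userspace. The following is an added illustration, not kernel code and not the actual patch: struct mdev, get_live_table()/put_live_table(), the read_lock_depth counter standing in for the SRCU read-side lock, the race_inject hook that imitates a concurrent writer, and the revalidate_owner field are all hypothetical stand-ins. report_zones_before follows the shape the description gives for the old function; report_zones_after applies the three changes the description calls for (read once, release on every path, owner-task check) in a way the text supports but whose exact form in the real fix is not shown here.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

struct zone_table { unsigned int nr_zones; };

struct mdev {
	struct zone_table *live;                /* live table, may be NULL */
	struct zone_table *zone_revalidate_map; /* set only while revalidating */
	long revalidate_owner;                  /* assumed: id of the revalidating task */
	bool suspended;
	int read_lock_depth;                    /* models the lock held between get/put */
	struct zone_table *race_inject;         /* test hook: published by a "concurrent"
	                                           writer right after the first read */
};

static struct zone_table *get_live_table(struct mdev *md)
{
	md->read_lock_depth++;                  /* lock is taken even if the table is NULL */
	return md->live;
}

static void put_live_table(struct mdev *md)
{
	md->read_lock_depth--;
}

static void concurrent_writer(struct mdev *md)
{
	if (md->race_inject) {
		md->zone_revalidate_map = md->race_inject;
		md->race_inject = NULL;
	}
}

static int do_report_zones(struct zone_table *t)
{
	return (int)t->nr_zones;                /* stand-in for the real zone walk */
}

/* BEFORE: two reads, no put on the NULL path, no owner check. */
int report_zones_before(struct mdev *md, long caller)
{
	struct zone_table *map;
	int ret;

	(void)caller;
	if (!md->zone_revalidate_map) {         /* first read */
		if (md->suspended)
			return -EAGAIN;
		map = get_live_table(md);
		concurrent_writer(md);
		if (!map)
			return -EIO;                    /* lock never released */
	} else {
		map = md->zone_revalidate_map;      /* any task may use it */
	}
	ret = do_report_zones(map);
	if (!md->zone_revalidate_map)           /* second read may disagree */
		put_live_table(md);
	return ret;
}

/* AFTER: one read, a put on every path, only the owner task may use the map. */
int report_zones_after(struct mdev *md, long caller)
{
	struct zone_table *rmap = md->zone_revalidate_map;  /* read exactly once */
	struct zone_table *map;
	int ret;

	if (rmap && md->revalidate_owner == caller)
		return do_report_zones(rmap);
	if (md->suspended)
		return -EAGAIN;
	map = get_live_table(md);
	concurrent_writer(md);
	if (!map) {
		put_live_table(md);
		return -EIO;
	}
	ret = do_report_zones(map);
	put_live_table(md);
	return ret;
}

typedef int (*report_fn)(struct mdev *, long);

/* Live table NULL: lock depth left behind by fn (1 = leaked). */
int depth_after_null_table(report_fn fn)
{
	struct mdev md = { .live = NULL };
	fn(&md, 1);
	return md.read_lock_depth;
}

/* A writer publishes zone_revalidate_map between the two reads. */
int depth_after_race(report_fn fn)
{
	struct zone_table live = { 4 }, staged = { 8 };
	struct mdev md = { .live = &live, .race_inject = &staged, .revalidate_owner = 2 };
	fn(&md, 1);
	return md.read_lock_depth;
}

/* Task 2 is revalidating a suspended device; `caller` calls in meanwhile. */
int result_during_revalidate(report_fn fn, long caller)
{
	struct zone_table staged = { 8 };
	struct mdev md = { .zone_revalidate_map = &staged, .revalidate_owner = 2,
			   .suspended = true };
	return fn(&md, caller);
}

int main(void)
{
	printf("null table: depth before %d, after %d\n",
	       depth_after_null_table(report_zones_before),
	       depth_after_null_table(report_zones_after));
	printf("foreign task during revalidate: before %d, after %d\n",
	       result_during_revalidate(report_zones_before, 1),
	       result_during_revalidate(report_zones_after, 1));
	return 0;
}
```

The third scenario is the use-after-free hazard in miniature: the old shape hands the staged table to a task that did not set it, while the new shape refuses with -EAGAIN because the device is suspended, and only the owner (caller 2) still reaches the table.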
The Linux kernel CVE team has assigned CVE-2025-38141 to this issue.
Affected and fixed versions
===========================
Issue introduced in 6.10 with commit f211268ed1f9bdf48f06a3ead5f5d88437450579 and fixed in 6.12.34 with commit f9c1bdf24615303d48a2d0fd629c88f3189563aa
Issue introduced in 6.10 with commit f211268ed1f9bdf48f06a3ead5f5d88437450579 and fixed in 6.15.3 with commit d19bc1b4dd5f322980b1f05f79b2ea4f0db10920
Issue introduced in 6.10 with commit f211268ed1f9bdf48f06a3ead5f5d88437450579 and fixed in 6.16-rc1 with commit 37f53a2c60d03743e0eacf7a0c01c279776fef4e
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2025-38141
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
drivers/md/dm-core.h
drivers/md/dm-zone.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/f9c1bdf24615303d48a2d0fd629c88f3189563aa
https://git.kernel.org/stable/c/d19bc1b4dd5f322980b1f05f79b2ea4f0db10920
https://git.kernel.org/stable/c/37f53a2c60d03743e0eacf7a0c01c279776fef4e