CVE-2025-40134
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
dm: fix NULL pointer dereference in __dm_suspend()
There is a race condition between dm device suspend and table load that can lead to null pointer dereference. The issue occurs when suspend is invoked before table load completes:
BUG: kernel NULL pointer dereference, address: 0000000000000054 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 6 PID: 6798 Comm: dmsetup Not tainted 6.6.0-g7e52f5f0ca9b #62 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 RIP: 0010:blk_mq_wait_quiesce_done+0x0/0x50 Call Trace: <TASK> blk_mq_quiesce_queue+0x2c/0x50 dm_stop_queue+0xd/0x20 __dm_suspend+0x130/0x330 dm_suspend+0x11a/0x180 dev_suspend+0x27e/0x560 ctl_ioctl+0x4cf/0x850 dm_ctl_ioctl+0xd/0x20 vfs_ioctl+0x1d/0x50 __se_sys_ioctl+0x9b/0xc0 __x64_sys_ioctl+0x19/0x30 x64_sys_call+0x2c4a/0x4620 do_syscall_64+0x9e/0x1b0
The issue can be triggered as below:
T1 T2 dm_suspend table_load __dm_suspend dm_setup_md_queue dm_mq_init_request_queue blk_mq_init_allocated_queue => q->mq_ops = set->ops; (1) dm_stop_queue / dm_wait_for_completion => q->tag_set NULL pointer! (2) => q->tag_set = set; (3)
Fix this by checking if a valid table (map) exists before performing request-based suspend and waiting for target I/O. When map is NULL, skip these table-dependent suspend steps.
Even when map is NULL, no I/O can reach any target because there is no table loaded; I/O submitted in this state will fail early in the DM layer. Skipping the table-dependent suspend logic in this case is safe and avoids NULL pointer dereferences.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | c4576aed8d85d808cd6443bda58393d525207d01 < 9dc43ea6a20ff83fe9a5fe4be47ae0fbf2409b98 | affected |
| Linux | Linux | c4576aed8d85d808cd6443bda58393d525207d01 < 30f95b7eda5966b81cb221bd569c0f095a068cf6 | affected |
| Linux | Linux | c4576aed8d85d808cd6443bda58393d525207d01 < a0e54bd8d7ea79127fe9920df3ae36f85e79ac7c | affected |
| Linux | Linux | c4576aed8d85d808cd6443bda58393d525207d01 < a802901b75e13cc306f1b7ab0f062135c8034e9e | affected |
| Linux | Linux | c4576aed8d85d808cd6443bda58393d525207d01 < 846cafc4725ca727d94f9c4b5f789c1a7c8fb6fe | affected |
| Linux | Linux | c4576aed8d85d808cd6443bda58393d525207d01 < 19ca4528666990be376ac3eb6fe667b03db5324d | affected |
| Linux | Linux | c4576aed8d85d808cd6443bda58393d525207d01 < 331c2dd8ca8bad1a3ac10cce847ffb76158eece4 | affected |
| Linux | Linux | c4576aed8d85d808cd6443bda58393d525207d01 < 8d33a030c566e1f105cd5bf27f37940b6367f3be | affected |
| Linux | Linux | 5.0 | affected |
| Linux | Linux | 0 < 5.0 | unaffected |
| Linux | Linux | 5.4.301 <= 5.4.* | unaffected |
| Linux | Linux | 5.10.246 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.195 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.156 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.112 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.53 <= 6.12.* | unaffected |
| Linux | Linux | 6.17.3 <= 6.17.* | unaffected |
| Linux | Linux | 6.18 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/9dc43ea6a20ff83fe9a5fe4be47ae0fbf2409b98
- https://git.kernel.org/stable/c/30f95b7eda5966b81cb221bd569c0f095a068cf6
- https://git.kernel.org/stable/c/a0e54bd8d7ea79127fe9920df3ae36f85e79ac7c
- https://git.kernel.org/stable/c/a802901b75e13cc306f1b7ab0f062135c8034e9e
- https://git.kernel.org/stable/c/846cafc4725ca727d94f9c4b5f789c1a7c8fb6fe
- https://git.kernel.org/stable/c/19ca4528666990be376ac3eb6fe667b03db5324d
- https://git.kernel.org/stable/c/331c2dd8ca8bad1a3ac10cce847ffb76158eece4
- https://git.kernel.org/stable/c/8d33a030c566e1f105cd5bf27f37940b6367f3be
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.