ghsa-3g7h-wv72-q2hf
Vulnerability from github
Published
2025-07-03 09:30
Modified
2025-07-03 09:30
Details

In the Linux kernel, the following vulnerability has been resolved:

dm: limit swapping tables for devices with zone write plugs

dm_revalidate_zones() only allowed new or previously unzoned devices to call blk_revalidate_disk_zones(). If the device was already zoned, disk->nr_zones would always equal md->nr_zones, so dm_revalidate_zones() returned without doing any work. This would make the zoned settings for the device not match the new table. If the device had zone write plug resources, it could run into errors like bdev_zone_is_seq() reading invalid memory because disk->conv_zones_bitmap was the wrong size.

If the device doesn't have any zone write plug resources, calling blk_revalidate_disk_zones() will always correctly update device. If blk_revalidate_disk_zones() fails, it can still overwrite or clear the current disk->nr_zones value. In this case, DM must restore the previous value of disk->nr_zones, so that the zoned settings will continue to match the previous value that it fell back to.

If the device already has zone write plug resources, blk_revalidate_disk_zones() will not correctly update them, if it is called for arbitrary zoned device changes. Since there is not much need for this ability, the easiest solution is to disallow any table reloads that change the zoned settings, for devices that already have zone plug resources. Specifically, if a device already has zone plug resources allocated, it can only switch to another zoned table that also emulates zone append. Also, it cannot change the device size or the zone size. A device can switch to an error target.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-38140"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-03T09:15:28Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm: limit swapping tables for devices with zone write plugs\n\ndm_revalidate_zones() only allowed new or previously unzoned devices to\ncall blk_revalidate_disk_zones(). If the device was already zoned,\ndisk-\u003enr_zones would always equal md-\u003enr_zones, so dm_revalidate_zones()\nreturned without doing any work. This would make the zoned settings for\nthe device not match the new table. If the device had zone write plug\nresources, it could run into errors like bdev_zone_is_seq() reading\ninvalid memory because disk-\u003econv_zones_bitmap was the wrong size.\n\nIf the device doesn\u0027t have any zone write plug resources, calling\nblk_revalidate_disk_zones() will always correctly update device.  If\nblk_revalidate_disk_zones() fails, it can still overwrite or clear the\ncurrent disk-\u003enr_zones value. In this case, DM must restore the previous\nvalue of disk-\u003enr_zones, so that the zoned settings will continue to\nmatch the previous value that it fell back to.\n\nIf the device already has zone write plug resources,\nblk_revalidate_disk_zones() will not correctly update them, if it is\ncalled for arbitrary zoned device changes.  Since there is not much need\nfor this ability, the easiest solution is to disallow any table reloads\nthat change the zoned settings, for devices that already have zone plug\nresources.  Specifically, if a device already has zone plug resources\nallocated, it can only switch to another zoned table that also emulates\nzone append.  Also, it cannot change the device size or the zone size. A\ndevice can switch to an error target.",
  "id": "GHSA-3g7h-wv72-q2hf",
  "modified": "2025-07-03T09:30:34Z",
  "published": "2025-07-03T09:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38140"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/121218bef4c1df165181f5cd8fc3a2246bac817e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ac8acb0bfd98a1c65f3ca9a3e217a766124eebd8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.