CVE-2025-38496 in Linux
Summary
by MITRE • 07/28/2025
In the Linux kernel, the following vulnerability has been resolved:
dm-bufio: fix sched in atomic context
If "try_verify_in_tasklet" is set for dm-verity, DM_BUFIO_CLIENT_NO_SLEEP is enabled for dm-bufio. However, when bufio tries to evict buffers, there is a chance to trigger scheduling in spin_lock_bh, the following warning is hit:
BUG: sleeping function called from invalid context at drivers/md/dm-bufio.c:2745
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 123, name: kworker/2:2
preempt_count: 201, expected: 0
RCU nest depth: 0, expected: 0
4 locks held by kworker/2:2/123:
 #0: ffff88800a2d1548 ((wq_completion)dm_bufio_cache){....}-{0:0}, at: process_one_work+0xe46/0x1970
 #1: ffffc90000d97d20 ((work_completion)(&dm_bufio_replacement_work)){....}-{0:0}, at: process_one_work+0x763/0x1970
 #2: ffffffff8555b528 (dm_bufio_clients_lock){....}-{3:3}, at: do_global_cleanup+0x1ce/0x710
 #3: ffff88801d5820b8 (&c->spinlock){....}-{2:2}, at: do_global_cleanup+0x2a5/0x710
Preemption disabled at:
[<0000000000000000>] 0x0
CPU: 2 UID: 0 PID: 123 Comm: kworker/2:2 Not tainted 6.16.0-rc3-g90548c634bd0 #305 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
Workqueue: dm_bufio_cache do_global_cleanup
Call Trace:
 <TASK>
 dump_stack_lvl+0x53/0x70
 __might_resched+0x360/0x4e0
 do_global_cleanup+0x2f5/0x710
 process_one_work+0x7db/0x1970
 worker_thread+0x518/0xea0
 kthread+0x359/0x690
 ret_from_fork+0xf3/0x1b0
 ret_from_fork_asm+0x1a/0x30
 </TASK>
That can be reproduced by:
veritysetup format --data-block-size=4096 --hash-block-size=4096 /dev/vda /dev/vdb
SIZE=$(blockdev --getsz /dev/vda)
dmsetup create myverity -r --table "0 $SIZE verity 1 /dev/vda /dev/vdb 4096 4096 <data_blocks> 1 sha256 <root_hash> <salt> 1 try_verify_in_tasklet"
mount /dev/dm-0 /mnt -o ro
echo 102400 > /sys/module/dm_bufio/parameters/max_cache_size_bytes
[read files in /mnt]
Analysis
by VulDB Data Team • 01/25/2026
The vulnerability described in CVE-2025-38496 resides in the Linux kernel's device mapper buffer cache subsystem, dm-bufio. It manifests when dm-verity is configured with the try_verify_in_tasklet option, which enables the DM_BUFIO_CLIENT_NO_SLEEP flag for the bufio client. The root cause is a scheduling operation invoked from an atomic context, which violates a fundamental kernel concurrency rule and can lead to system instability or deadlock. The problem occurs during buffer eviction while spin_lock_bh is held, a context in which sleeping functions cannot safely be executed.
The flaw stems from improper use of a kernel scheduling primitive inside an atomic execution context. When dm-bufio attempts to evict buffers under the constraints of DM_BUFIO_CLIENT_NO_SLEEP, a function that may sleep is called while preemption is disabled (interrupts remain enabled). The kernel's warning shows in_atomic() returning 1, meaning the code is executing in an atomic context, yet a reschedule is attempted. This violates the kernel's requirement that atomic contexts must never block or sleep; doing so can leave the lock held across a sleep, break the kernel's scheduling guarantees, and lead to system hangs.
The operational impact of this vulnerability is significant, particularly in environments that use dm-verity for data integrity verification. The vulnerability can be triggered through a specific sequence of operations: a dm-verity setup with try_verify_in_tasklet enabled, followed by cache size configuration and file system access. The system may experience a kernel oops, a hang, or unpredictable behavior during buffer management. This affects kernel versions in which dm-bufio is used together with dm-verity, in particular systems that implement storage integrity verification. The attack surface is limited to systems using device mapper with verity functionality, but the consequences can be severe because the flaw sits in the core storage subsystem.
Mitigation should focus on avoiding the problematic code path, either by not using the try_verify_in_tasklet option with dm-verity or by ensuring that dm-bufio operations do not run in atomic contexts. The recommended approach is to update to a kernel version that includes the fix for this vulnerability, which correctly handles the scheduling constraints within the dm-bufio subsystem. System administrators should also monitor for the warning messages that indicate atomic context violations and consider alternative storage integrity verification mechanisms if the problematic configuration cannot be avoided. The kernel fix addresses the core issue by ensuring that buffer eviction does not attempt to schedule while holding spin locks in atomic context, so the kernel never enters an invalid state. This vulnerability aligns with CWE-367, which describes the improper handling of a synchronous operation in an atomic context, and relates to ATT&CK technique T1059.001 for potential system compromise through kernel-level vulnerabilities.
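To make the mechanism and the shape of the fix concrete, the following is an added, hypothetical user-space model; it is not kernel code and not the upstream patch. It tracks a preempt count the way spin_lock_bh()/in_atomic() do, counts each might-sleep call made while atomic in place of the kernel's splat, and contrasts an eviction loop that reschedules under a NO_SLEEP client's spinlock with one that skips the reschedule for such clients. The primitive names mirror kernel ones, but every implementation here is an assumption.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model of kernel atomic-context accounting (not kernel code). */
static int preempt_count;   /* models the task's preempt_count */
static int sleep_warnings;  /* stands in for "BUG: sleeping function called from invalid context" */

static void spin_lock_bh(void)   { preempt_count++; }  /* disabling BH makes the context atomic */
static void spin_unlock_bh(void) { preempt_count--; }
static void mutex_lock(void)     { }                   /* sleeping lock: context stays non-atomic */
static void mutex_unlock(void)   { }
static bool in_atomic(void)      { return preempt_count != 0; }

/* Models __might_resched() under CONFIG_DEBUG_ATOMIC_SLEEP: record instead of printing. */
static void cond_resched(void) { if (in_atomic()) sleep_warnings++; }

struct client { bool no_sleep; int buffers; };

/* NO_SLEEP clients (try_verify_in_tasklet) are guarded by a spinlock, others by a mutex. */
static void lock_client(struct client *c)   { if (c->no_sleep) spin_lock_bh();   else mutex_lock(); }
static void unlock_client(struct client *c) { if (c->no_sleep) spin_unlock_bh(); else mutex_unlock(); }

/* Vulnerable eviction loop (model of the bug): yields after every buffer,
 * even when the client lock held is a spinlock. Returns the warning count. */
static int evict_vulnerable(struct client *c)
{
    sleep_warnings = 0;
    lock_client(c);
    while (c->buffers > 0) {
        c->buffers--;
        cond_resched();          /* called with preempt_count > 0 for NO_SLEEP clients */
    }
    unlock_client(c);
    return sleep_warnings;
}

/* Hardened loop (model): only reschedule when the lock taken is allowed to sleep. */
static int evict_fixed(struct client *c)
{
    sleep_warnings = 0;
    lock_client(c);
    while (c->buffers > 0) {
        c->buffers--;
        if (!c->no_sleep)
            cond_resched();
    }
    unlock_client(c);
    return sleep_warnings;
}

int main(void)
{
    struct client tasklet = { .no_sleep = true,  .buffers = 3 };  /* constructed sample client */
    struct client normal  = { .no_sleep = false, .buffers = 3 };
    printf("vulnerable/no_sleep: %d warnings\n", evict_vulnerable(&tasklet));
    tasklet.buffers = 3;
    printf("fixed/no_sleep:      %d warnings\n", evict_fixed(&tasklet));
    printf("vulnerable/mutex:    %d warnings\n", evict_vulnerable(&normal));
    return 0;
}
```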