VYPR
Medium severity 5.5 · NVD Advisory · Published Jan 21, 2025 · Updated May 12, 2026

CVE-2025-21664

Description

In the Linux kernel, the following vulnerability has been resolved:

dm thin: make get_first_thin use rcu-safe list first function

The documentation in rculist.h explains the absence of list_empty_rcu() and cautions programmers against relying on a list_empty() -> list_first() sequence in RCU safe code. This is because each of these functions performs its own READ_ONCE() of the list head. This can lead to a situation where the list_empty() sees a valid list entry, but the subsequent list_first() sees a different view of list head state after a modification.

In the case of dm-thin, this author had a production box crash from a GP fault in the process_deferred_bios path. This function saw a valid list head in get_first_thin() but when it subsequently dereferenced that and turned it into a thin_c, it got the inside of the struct pool, since the list was now empty and referring to itself. The kernel on which this occurred printed both a warning about a refcount_t being saturated, and a UBSAN error for an out-of-bounds cpuid access in the queued spinlock, prior to the fault itself. When the resulting kdump was examined, it was possible to see another thread patiently waiting in thin_dtr's synchronize_rcu.

The thin_dtr call managed to pull the thin_c out of the active thins list (and have it be the last entry in the active_thins list) at just the wrong moment, which led to this crash.

Fortunately, the fix here is straightforward. Switch the get_first_thin() function to use list_first_or_null_rcu(), which performs just a single READ_ONCE() and returns NULL if the list is already empty.

This was run against the devicemapper test suite's thin-provisioning suites for delete and suspend and no regressions were observed.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A race in dm-thin's RCU list handling lets get_first_thin() return a pointer into struct pool instead of a valid thin_c, crashing the kernel when a thin device is removed concurrently with deferred bio processing.

Vulnerability

CVE-2025-21664 is a race condition in the Linux kernel's device-mapper thin provisioning (dm-thin) driver. get_first_thin() checked list_empty() on pool->active_thins and then, in a separate step, read the first entry. Each step performs its own READ_ONCE() of the list head, so the two reads are not one consistent snapshot. If thin_dtr unlinked the last thin_c between them, the list looked non-empty to the first read and empty to the second, and the "first entry" was the list head itself, which is embedded in struct pool. Treating that address as a thin_c hands the caller a bogus object that overlaps the pool structure [1][4].

Exploitation

Triggering the bug requires deferred-bio processing on a pool to run at the same moment a thin device on that pool is being torn down. Both sides need local access: creating, suspending and removing thin-provisioned volumes goes through device-mapper ioctls, which require root or the capability to issue them (CAP_SYS_ADMIN). The window is only a few instructions wide, but it was hit on a production machine, where the result was a general protection fault [1][2].

Impact

The observed outcome is a kernel crash (general protection fault) and therefore a denial of service. Before the fault, the kernel logged a saturated refcount_t warning and a UBSAN report of an out-of-bounds cpuid access in the queued spinlock code, both consistent with dm-thin operating on pool memory it had mistaken for a thin_c [1]. No code execution or privilege escalation has been demonstrated; the impact described in the report is a local denial of service.

Mitigation

The fix switches get_first_thin() to list_first_or_null_rcu(), which takes a single READ_ONCE() of the list head and returns NULL when the list is empty, so the reader can no longer act on two inconsistent views of the head [1][4]. It does not stop thin_dtr from racing with the reader; it makes the reader's snapshot self-consistent and makes the empty case explicit. The change landed as commit 80f130bfad1d and was backported to the stable trees [2][3][4], so applying the current stable kernel from your distribution resolves it. Siemens lists its SIMATIC S7-1500 TM MFP GNU/Linux subsystem (all versions) as affected [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
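The two-read pattern and the single-snapshot fix described in the Vulnerability and Mitigation sections above, modelled in user space as an added example (not code from this page or from the kernel). Kernel list and RCU primitives are replaced by minimal stand-ins; struct thin_c and struct pool keep their names but their layout is assumed, concurrent_thin_dtr() stands in for thin_dtr() unlinking the last thin, and the race is injected at a fixed point instead of by a second thread so the outcome is deterministic.

```c
#include <stddef.h>
#include <stdio.h>

/* Minimal stand-ins for the kernel's list primitives (no RCU; the race is injected by hand). */
struct list_head { struct list_head *next, *prev; };

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

/* Names taken from dm-thin; the field layout is an assumption for this demo. */
struct thin_c { int dev_id;  struct list_head list; };
struct pool   { int pool_id; struct list_head active_thins; }; /* head lives inside the pool */

static void list_init(struct list_head *h) { h->next = h->prev = h; }
static int  list_empty(const struct list_head *h) { return h->next == h; }

static void list_add(struct list_head *n, struct list_head *h)
{
    n->next = h->next; n->prev = h;
    h->next->prev = n; h->next = n;
}

static void list_del(struct list_head *n)
{
    n->prev->next = n->next; n->next->prev = n->prev;
    n->next = n->prev = n;
}

/* Stands in for thin_dtr() unlinking the last thin from active_thins. */
static void concurrent_thin_dtr(struct thin_c *tc) { list_del(&tc->list); }

/*
 * Pre-fix pattern: list_empty() and a separate read of head->next. 'dtr'
 * models thin_dtr running between those two reads. Once it has fired,
 * head->next points back at the head, so container_of() yields a "thin_c"
 * that is really the inside of struct pool.
 */
static struct thin_c *get_first_thin_racy(struct pool *pool, struct thin_c *dtr)
{
    struct thin_c *tc = NULL;

    if (!list_empty(&pool->active_thins)) {            /* read #1 of the head */
        if (dtr)
            concurrent_thin_dtr(dtr);                  /* list becomes empty here */
        tc = container_of(pool->active_thins.next,     /* read #2 of the head */
                          struct thin_c, list);
    }
    return tc;
}

/*
 * Post-fix pattern, modelled on list_first_or_null_rcu(): one snapshot of
 * head->next, compared with the head before any container_of(). The worst
 * case for this reader is the removal landing just before the snapshot, so
 * that is where 'dtr' fires. A removal after the snapshot is harmless in the
 * kernel: thin_dtr's synchronize_rcu() keeps the entry alive until the reader
 * leaves its RCU read-side critical section.
 */
static struct thin_c *get_first_thin_fixed(struct pool *pool, struct thin_c *dtr)
{
    struct list_head *first;

    if (dtr)
        concurrent_thin_dtr(dtr);
    first = pool->active_thins.next;                   /* the single read */
    if (first == &pool->active_thins)
        return NULL;                                   /* already empty */
    return container_of(first, struct thin_c, list);
}

enum outcome { GOT_NULL, GOT_THIN, GOT_POINTER_INTO_POOL };

/* The bug's signature: the returned thin_c's ->list is the pool's own list head. */
static enum outcome classify(const struct pool *pool, const struct thin_c *tc)
{
    if (!tc)
        return GOT_NULL;
    if ((const char *)tc + offsetof(struct thin_c, list) ==
        (const char *)&pool->active_thins)
        return GOT_POINTER_INTO_POOL;
    return GOT_THIN;
}

/* One pool with a single active thin, as in the crash report; optionally race its removal. */
static enum outcome run_scenario(int fixed, int race)
{
    struct pool pool = { .pool_id = 1 };
    struct thin_c thin = { .dev_id = 42 };
    struct thin_c *dtr = race ? &thin : NULL;

    list_init(&pool.active_thins);
    list_add(&thin.list, &pool.active_thins);
    return classify(&pool, fixed ? get_first_thin_fixed(&pool, dtr)
                                 : get_first_thin_racy(&pool, dtr));
}

int main(void)
{
    static const char *name[] = { "NULL", "valid thin_c", "pointer into struct pool" };

    printf("racy,  no race: %s\n", name[run_scenario(0, 0)]);
    printf("racy,  raced:   %s\n", name[run_scenario(0, 1)]);
    printf("fixed, no race: %s\n", name[run_scenario(1, 0)]);
    printf("fixed, raced:   %s\n", name[run_scenario(1, 1)]);
    return 0;
}
```

Build with `cc -Wall -o first_thin first_thin.c && ./first_thin`. The only scenario that produces a pointer into struct pool is the pre-fix reader with the removal landing between its two reads; the single-snapshot reader either returns the still-linked entry or NULL, which is exactly the contract list_first_or_null_rcu() gives the kernel caller.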

Affected products: 73

References: 10