CVE-2025-21664 - Fixing a Race Condition in Linux Kernel's dm-thin with RCU-Safe List Traversal

The Linux kernel is incredible, but like any complex system, it sometimes suffers from subtle bugs—especially around concurrency. One such issue, CVE-2025-21664, affected the device-mapper's thin-provisioning module (dm-thin). This vulnerability was caused by unsafe list traversal under RCU (Read-Copy-Update), leading to potential kernel crashes. This post breaks down what went wrong, the risks, the fix, and how the kernel community improved safety in this critical path. All in simple plain language, step by step.

What is dm-thin and Why Does It Matter?

dm-thin provides thin provisioning—a trick for letting you "promise" more disk space than is physically available, allocating real blocks only as needed. It's a great way to save disk space, but it's used in environments where stability is crucial: enterprise storage, virtual machines, containers, and more.

When something goes wrong here, it can crash the whole kernel—serious business.

The Root Cause: Unsafe List Traversal in RCU Context

The vulnerable code tried to get the first "active thin" device in a way that could race with deletions.

The Classic but Unsafe Pattern (Before the Fix)

if (!list_empty(&pool->active_thins)) {
    struct list_head *first = pool->active_thins.next;
    // ... convert first to struct thin_c* and use it ...
}

Real-World Consequence

- Production crash: A server using dm-thin crashed with a general protection fault in process_deferred_bios().

The Fix: Use RCU-Safe List Traversal

The kernel has special helpers for RCU-safe list operations. Instead of the two-step list_empty() plus list_first(), the fix uses list_first_or_null_rcu():

#include <linux/rculist.h>
// ...

struct thin_c *thin;
thin = list_first_or_null_rcu(&pool->active_thins, struct thin_c, list);
if (thin) {
    // Safe to use thin_c
}

References in the Linux Kernel

- list_empty_rcu Design Advice (kernel.org)
- Device-mapper/Thin-provisioning Source

Official fix

- commit (*Replace FIXED-COMMIT-HASH with the actual commit if known*)

Thread B: Calls thin_dtr() and removes the *last* thin_c from the list.

3. Thread A: Proceeds to access first = pool->active_thins.next;. Now this points to the active_thins's own head.

Thread A: Casts this to struct thin_c*, uses it, and kaboom—touches memory it shouldn't.

This leads to *kernel panic*, *invalid memory access*, and possibly privilege escalation if exploited cleverly.

How to Patch

Update your kernel to any version including or newer than the fix. If building custom kernels, apply the patch from the references above.

Final Thoughts

RCU is a powerful concurrency tool—but requires care even in something as “simple” as walking a list. CVE-2025-21664 is a case study: an innocent double-check leads to kernel crashes, data loss, and reliability headaches.

Stay updated, watch for security advisories, and remember: the Linux kernel gets safer all the time thanks to reports, smart fixes, and widespread testing.


Further Reading
- RCU and list API explained (LWN.net)
- Upstream dm-thin docs

Timeline

Published on: 01/21/2025 13:15:10 UTC
Last modified on: 05/04/2025 07:18:30 UTC