CVE-2025-21664 Overview
A race condition vulnerability exists in the Linux kernel's device mapper thin provisioning (dm-thin) subsystem. The flaw is in the get_first_thin() function, which checks the active_thins list with list_empty() and then reads its first entry as a separate step; that check-then-use sequence is not RCU-safe and creates a Time-of-Check Time-of-Use (TOCTOU) race condition that can cause kernel crashes and denial of service.
Critical Impact
Local attackers with low privileges can trigger a kernel crash through the dm-thin subsystem, causing system-wide denial of service on production systems using thin provisioning.
Affected Products
- Linux Kernel versions 3.15 through 6.12.x
- Linux Kernel 6.13-rc1 through 6.13-rc6
- Debian Linux (multiple versions)
Discovery Timeline
- 2025-01-21 - CVE-2025-21664 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2025-21664
Vulnerability Analysis
The vulnerability resides in the dm-thin (device mapper thin provisioning) subsystem of the Linux kernel. The core issue stems from improper handling of RCU (Read-Copy-Update) protected list operations in the get_first_thin() function. As documented in rculist.h, there is no list_empty_rcu() function because programmers should not rely on a list_empty() followed by list_first() sequence in RCU-safe code.
This pattern is unsafe because each function performs its own READ_ONCE() of the list head. Between these two separate reads, another thread can modify the list state, creating a TOCTOU race condition. In observed production crashes, the list_empty() check saw a valid list entry, but the subsequent list_first() dereferenced a different view of the list head after another thread had modified it.
When this race occurs, the code computes a struct thin_c pointer from the list head it just read (container_of arithmetic on the next pointer). If the list has become empty, that next pointer is the list head itself, so the computed thin_c pointer actually lands inside struct pool; the subsequent accesses corrupt memory and end in a General Protection (GP) fault.
Root Cause
The root cause is the non-atomic nature of the list check-and-access pattern in get_first_thin(). The function performs two separate memory reads:
- list_empty() - performs READ_ONCE() on the list head to check if empty
- list_first() - performs another READ_ONCE() to retrieve the first element
Between these two reads, the thin_dtr() destructor function running on another CPU can remove the last thin_c entry from the active_thins list. The destructor then calls synchronize_rcu(), but by this time the first thread has already passed the empty check and proceeds to dereference stale data.
Attack Vector
This vulnerability requires local access and can be triggered through operations that manipulate thin provisioning pools while concurrent deferred bio processing occurs. The attack leverages the race window between the list empty check and list access in the process_deferred_bios code path.
An attacker with access to device mapper operations can repeatedly create and destroy thin devices while triggering bio processing, increasing the probability of hitting the race window. The resulting kernel crash leads to complete system denial of service.
Detection Methods for CVE-2025-21664
Indicators of Compromise
- Kernel panic or GP fault messages originating from process_deferred_bios or dm-thin subsystem functions
- Warning messages about refcount_t being saturated preceding system crashes
- UBSAN errors indicating out-of-bounds CPU ID access in queued spinlock operations
- Kdump analysis showing threads waiting in thin_dtr's synchronize_rcu() call
Detection Strategies
- Monitor kernel logs for GP faults associated with dm-thin or device mapper operations
- Implement crash dump analysis to identify stack traces involving get_first_thin() and process_deferred_bios
- Deploy kernel live patching detection to identify systems running vulnerable kernel versions
- Use SentinelOne's Singularity platform to monitor for anomalous kernel behavior patterns
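The indicators above (a refcount_t saturation warning, a UBSAN report in the queued spinlock code, and a GP fault whose faulting frame is a dm-thin symbol such as process_deferred_bios) can be checked mechanically against kernel log output. The scanner below is an added example written for this page, not the advisory's or SentinelOne's tooling; the log lines it runs on are constructed for the demo (symbol offsets are placeholders), and the symbol names it looks for are the ones named in this advisory plus the module name dm_thin_pool.

```c
/* Added example: scan kernel log lines for the CVE-2025-21664 indicators.
 * The SAMPLE_LOG lines are constructed for the demo, not real crash output. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct scan_result {
    int refcount_warnings;   /* "refcount_t: saturated" lines */
    int ubsan_qspinlock;     /* UBSAN reports inside the queued spinlock code */
    int dm_thin_gp_faults;   /* GP faults whose RIP/stack frame is a dm-thin symbol */
    bool refcount_before_gp; /* a refcount warning preceded a dm-thin GP fault */
};

/* Symbols and module names from the advisory that tie a frame to dm-thin. */
static bool mentions_dm_thin(const char *line)
{
    return strstr(line, "process_deferred_bios") || strstr(line, "get_first_thin")
        || strstr(line, "thin_dtr") || strstr(line, "dm_thin_pool")
        || strstr(line, "dm-thin");
}

/* Walk the lines in order. A GP fault header opens an oops block; the first
 * following frame line that names a dm-thin symbol attributes the fault. */
static struct scan_result scan_log(const char *const *lines, size_t n)
{
    struct scan_result r = {0};
    bool in_gp_fault = false;

    for (size_t i = 0; i < n; i++) {
        const char *l = lines[i];

        if (strstr(l, "refcount_t: saturated"))
            r.refcount_warnings++;
        if (strstr(l, "UBSAN") && strstr(l, "qspinlock"))
            r.ubsan_qspinlock++;

        if (strstr(l, "general protection fault")) {
            in_gp_fault = true;
        } else if (in_gp_fault && mentions_dm_thin(l)) {
            r.dm_thin_gp_faults++;
            if (r.refcount_warnings > 0)
                r.refcount_before_gp = true;
            in_gp_fault = false;
        } else if (in_gp_fault && strstr(l, "---[ end trace")) {
            in_gp_fault = false;     /* oops block ended without a dm-thin frame */
        }
    }
    return r;
}

/* Verdict: a GP fault attributed to a dm-thin frame is the core indicator. */
static bool matches_cve_2025_21664_pattern(const struct scan_result *r)
{
    return r->dm_thin_gp_faults > 0;
}

/* Constructed sample log (offsets are placeholders, not real addresses). */
static const char *const SAMPLE_LOG[] = {
    "[  12.001] device-mapper: thin: 253:5: growing the data device",
    "[ 300.120] refcount_t: saturated; leaking memory.",
    "[ 300.121] WARNING: CPU: 3 PID: 1187 at lib/refcount.c refcount_warn_saturate+0xXX",
    "[ 300.340] general protection fault, probably for non-canonical address 0xXXXX: 0000 [#1] SMP",
    "[ 300.341] RIP: 0010:process_deferred_bios+0xXX/0xYYY [dm_thin_pool]",
    "[ 300.342] Call Trace:",
    "[ 300.343]  do_worker+0xXX/0xYYY [dm_thin_pool]",
    "[ 300.350] ---[ end trace 0000000000000000 ]---",
};

static struct scan_result scan_sample(void)
{
    return scan_log(SAMPLE_LOG, sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0]);
}

int main(void)
{
    struct scan_result r = scan_sample();
    printf("refcount warnings: %d, UBSAN qspinlock: %d, dm-thin GP faults: %d\n",
           r.refcount_warnings, r.ubsan_qspinlock, r.dm_thin_gp_faults);
    printf("refcount warning preceded GP fault: %s\n", r.refcount_before_gp ? "yes" : "no");
    printf("matches CVE-2025-21664 pattern: %s\n",
           matches_cve_2025_21664_pattern(&r) ? "yes" : "no");
    return 0;
}
```

To use it on a real host, feed the output of `dmesg` or `journalctl -k` into scan_log() one line per entry; the ordering check (refcount_before_gp) is what distinguishes the sequence this advisory describes from an unrelated GP fault.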
Monitoring Recommendations
- Enable kernel crash dump collection (kdump) to capture forensic data from exploited systems
- Configure alerting on UBSAN and refcount saturation warnings in kernel logs
- Monitor dm-thin pool operations for unusual creation/deletion patterns
- Track systems using thin provisioning that have not received kernel updates
How to Mitigate CVE-2025-21664
Immediate Actions Required
- Update affected Linux kernel installations to patched versions immediately
- Systems running kernel versions 3.15 through 6.12.x should upgrade to the latest stable release
- For systems unable to immediately patch, consider temporarily disabling thin provisioning if operationally feasible
- Review and apply vendor-specific patches from distribution security advisories
Patch Information
The fix modifies the get_first_thin() function to use list_first_or_null_rcu() instead of the separate list_empty() and list_first() calls. This RCU-safe helper reads the head's next pointer with a single READ_ONCE() and returns NULL when that pointer is the head itself (an empty list), so there is no separate emptiness check for another CPU to invalidate and the race window is eliminated entirely.
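The race described under Vulnerability Analysis and Root Cause, and the single-read fix described here, can both be modelled in user space. The following is an added example written for this page, not kernel code and not the actual dm-thin patch: it implements a minimal intrusive list with the same layout idea as the kernel's, a racy reader that does the two-step check-then-read, a fixed reader that mirrors list_first_or_null_rcu() with one read of head->next, and a hook that stands in for thin_dtr() removing the last thin_c between the two reads. The structure names thin_c, pool and active_thins are borrowed from the advisory; their fields here are assumptions, and the padding in struct pool only models the fact that active_thins sits inside a larger object.

```c
/* Added example: user-space model of the get_first_thin() TOCTOU race.
 * Not kernel code; struct layouts are assumptions for the demo. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal circular doubly-linked list in the style of <linux/list.h>. */
struct list_head { struct list_head *next, *prev; };

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

static void list_init(struct list_head *h) { h->next = h; h->prev = h; }
static bool list_empty(const struct list_head *h) { return h->next == h; }

static void list_add(struct list_head *n, struct list_head *h)
{
    n->next = h->next; n->prev = h;
    h->next->prev = n; h->next = n;
}

static void list_del(struct list_head *n)
{
    n->prev->next = n->next; n->next->prev = n->prev;
    list_init(n);
}

/* Stand-ins for the kernel objects (field layout assumed for the demo). */
struct thin_c { int dev_id; struct list_head list; };
struct pool   { int pool_id; char other_state[64]; struct list_head active_thins; };

/* Pre-fix pattern: read #1 (list_empty) and read #2 (first entry) are separate.
 * The between() hook models thin_dtr() on another CPU running in the window. */
static struct thin_c *get_first_thin_racy(struct pool *pool, void (*between)(struct pool *))
{
    struct thin_c *tc = NULL;
    if (!list_empty(&pool->active_thins)) {          /* read #1 */
        if (between)
            between(pool);                           /* race window */
        tc = container_of(pool->active_thins.next,   /* read #2: may now be the head */
                          struct thin_c, list);
    }
    return tc;
}

/* Post-fix pattern, modelled on list_first_or_null_rcu(): one read of
 * head->next, compared against the head, so there is no separate empty check. */
static struct thin_c *get_first_thin_fixed(struct pool *pool)
{
    struct list_head *first = pool->active_thins.next;  /* single read */
    return first != &pool->active_thins
         ? container_of(first, struct thin_c, list) : NULL;
}

/* Models thin_dtr(): remove the only active thin device from the pool. */
static void remove_last_thin(struct pool *pool)
{
    list_del(pool->active_thins.next);
}

/* True if p lies inside the pool object itself: the "thin_c" is then really a
 * pointer into struct pool, the corruption the advisory describes. */
static bool points_into_pool(const struct pool *pool, const void *p)
{
    uintptr_t a = (uintptr_t)p, s = (uintptr_t)pool;
    return a >= s && a < s + sizeof *pool;
}

/* Returns 1 if the racy reader produced a pointer into struct pool while the
 * fixed reader, seeing the same emptied list, correctly returned NULL. */
static int demo_race(void)
{
    struct pool pool = { .pool_id = 1 };
    struct thin_c tc = { .dev_id = 7 };
    list_init(&pool.active_thins);
    list_add(&tc.list, &pool.active_thins);

    /* No interleaving: both readers return the real entry. */
    if (get_first_thin_racy(&pool, NULL) != &tc) return 0;
    if (get_first_thin_fixed(&pool) != &tc) return 0;

    /* thin_dtr() runs between the two reads of the racy reader. */
    struct thin_c *racy = get_first_thin_racy(&pool, remove_last_thin);
    struct thin_c *fixed = get_first_thin_fixed(&pool);   /* list is now empty */
    return points_into_pool(&pool, racy) && fixed == NULL;
}

int main(void)
{
    printf("racy reader returned a pointer into struct pool, fixed reader NULL: %s\n",
           demo_race() ? "yes" : "no");
    return 0;
}
```

The model collapses the kernel's READ_ONCE() and RCU grace period into plain reads and a synchronous hook, which is enough to show the structural point: the fixed reader can never compute an entry from a head it saw as non-empty in an earlier, separate read.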
Multiple kernel stable branch commits are available:
- Kernel Git Commit 12771050
- Kernel Git Commit 6b305e98
- Kernel Git Commit 802666a4
- Kernel Git Commit 80f130bf
Debian users should refer to the Debian LTS Security Announcements for distribution-specific updates.
Workarounds
- Limit access to device mapper operations to trusted users only
- Reduce concurrent thin device creation/deletion operations during maintenance windows
- Consider migrating workloads from thin provisioning to standard volumes temporarily
- Implement additional access controls around dm-thin management interfaces
# Check current kernel version for vulnerability assessment
uname -r
# List dm-thin devices in use on the system
dmsetup ls --target thin
dmsetup ls --target thin-pool
# Verify kernel module version
modinfo dm_thin_pool | grep -E "^(version|vermagic)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.