CVE-2025-37928 Overview
A vulnerability has been identified in the Linux kernel's dm-bufio (device mapper buffered I/O) subsystem where the kernel incorrectly attempts to schedule operations while in an atomic context. This issue occurs when CONFIG_DEBUG_ATOMIC_SLEEP and try_verify_in_tasklet are enabled, causing the dm_bufio_lock function to call spin_lock_bh, which then triggers a scheduling attempt during atomic execution in the __scan function.
The bug manifests as a kernel BUG that reports a "sleeping function called from invalid context" at drivers/md/dm-bufio.c:2421. This occurs because the code path attempts to perform operations that may sleep while holding spinlocks with bottom-halves disabled, violating the Linux kernel's fundamental scheduling constraints.
Critical Impact
Local attackers with low privileges can exploit this vulnerability to cause system crashes or potentially achieve privilege escalation by corrupting kernel memory state during the race condition window.
Affected Products
- Linux Kernel (multiple versions including 6.15-rc1 through 6.15-rc4)
- Debian Linux 11.0
- Linux kernel versions with dm-bufio subsystem enabled
Discovery Timeline
- May 20, 2025 - CVE-2025-37928 published to NVD
- November 10, 2025 - Last updated in NVD database
Technical Details for CVE-2025-37928
Vulnerability Analysis
This vulnerability represents a classic race condition in the Linux kernel's device mapper buffered I/O subsystem. The root issue stems from improper context handling where code attempts to perform potentially blocking operations while the kernel is in an atomic (non-preemptible) state.
When the shrink_work function executes as part of the dm_bufio_cache workqueue, it acquires a spinlock with bottom-halves disabled via spin_lock_bh. While holding this lock, the code path enters the __scan function which may attempt operations that could sleep or reschedule. This violates a fundamental Linux kernel rule: code running in atomic context must never call functions that might sleep.
The impact includes kernel panics, system instability, and potential memory corruption. An attacker with local access could trigger this condition to cause denial of service or potentially leverage the corrupted kernel state for privilege escalation.
Root Cause
The vulnerability originates from the dm_bufio_lock function which calls spin_lock_bh when try_verify_in_tasklet is enabled. This places the execution context into atomic mode where preemption is disabled (preempt_count: 201). Subsequently, when __scan is invoked through the shrink_work workqueue handler, the kernel detects that a potentially sleeping function is being called from this invalid atomic context.
The kernel reports:
- in_atomic(): 1 - confirming atomic context
- irqs_disabled(): 0 - IRQs are not disabled
- preempt_count: 201, expected: 0 - preemption is disabled when it shouldn't be
- Preemption disabled at shrink_work+0x21c/0x248
Attack Vector
Exploitation requires local access to the system with low privileges. An attacker would need to:
- Trigger memory pressure conditions that invoke the dm-bufio cache shrinking mechanism
- Ensure try_verify_in_tasklet is enabled in the kernel configuration
- Race the timing to cause the scheduling conflict during the atomic context window
The vulnerability affects systems running the dm-bufio module, commonly used for device mapper operations including dm-verity and dm-crypt, which are prevalent in Android devices and encrypted storage configurations.
The bug manifests in the call trace starting from worker_thread → process_one_work → shrink_work → __might_resched, ultimately triggering the android_rvh_schedule_bug handler on affected Qualcomm-based Android devices.
Detection Methods for CVE-2025-37928
Indicators of Compromise
- Kernel log messages containing "BUG: sleeping function called from invalid context at drivers/md/dm-bufio.c"
- System crashes or panics involving shrink_work in the call trace
- Kernel oops messages referencing dm_bufio_cache workqueue
- Debug messages showing preempt_count values significantly above expected (e.g., 201 vs 0)
Detection Strategies
- Monitor kernel logs (dmesg) for atomic sleep warnings related to dm-bufio subsystem
- Implement kernel trace monitoring for scheduling anomalies in device mapper paths
- Deploy crash dump analysis tools to capture and analyze kernel panic events involving dm_bufio_lock
- Enable CONFIG_DEBUG_ATOMIC_SLEEP in test environments to proactively identify the vulnerability
Monitoring Recommendations
- Configure syslog alerting for kernel BUG messages containing "dm-bufio" or "atomic context"
- Implement automated kernel log analysis for preemption count violations
- Monitor system stability metrics for unexpected reboots or crashes on systems using dm-crypt or dm-verity
- Use eBPF-based monitoring to track spinlock acquisition patterns in dm-bufio code paths
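The log checks listed above can be automated with a small parser. The following is an added example, not code from the kernel project or from this advisory: it groups atomic-sleep reports in a kernel log, keeps only those raised in dm-bufio.c, and decodes preempt_count. The sample log is constructed, and the function names are hypothetical.

```python
import re

# Constructed kernel log. The dm-bufio values (file:line, in_atomic,
# preempt_count, shrink_work offset) are the ones quoted on this page;
# timestamps, pid, task name and the second report are invented.
SAMPLE_LOG = """\
[  101.000001] BUG: sleeping function called from invalid context at drivers/md/dm-bufio.c:2421
[  101.000002] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 4242, name: kworker/3:1
[  101.000003] preempt_count: 201, expected: 0
[  101.000004] Preemption disabled at:
[  101.000005] shrink_work+0x21c/0x248
[  250.000001] BUG: sleeping function called from invalid context at mm/example.c:100
[  250.000002] preempt_count: 1, expected: 0
"""

BUG_RE = re.compile(r"BUG: sleeping function called from invalid context at (\S+):(\d+)")
COUNT_RE = re.compile(r"preempt_count: ([0-9a-fA-F]+), expected")
SYM_RE = re.compile(r"(\w+)\+0x[0-9a-f]+/0x[0-9a-f]+")

def split_reports(log):
    """Group log lines into atomic-sleep reports, one per BUG header."""
    reports = []
    for line in log.splitlines():
        m = BUG_RE.search(line)
        if m:
            reports.append({"file": m.group(1), "line": int(m.group(2)), "body": []})
        elif reports:
            reports[-1]["body"].append(line)
    return reports

def dm_bufio_findings(log):
    """Return one summary per atomic-sleep report raised in dm-bufio.c."""
    findings = []
    for rep in split_reports(log):
        if not rep["file"].endswith("drivers/md/dm-bufio.c"):
            continue
        body = "\n".join(rep["body"])
        count = COUNT_RE.search(body)
        # Mainline prints preempt_count in hex; bits 8-15 hold the softirq
        # count, so 0x201 means bottom halves disabled plus one preempt level.
        value = int(count.group(1), 16) if count else None
        sym = SYM_RE.search(body.partition("Preemption disabled at")[2])
        findings.append({
            "location": f'{rep["file"]}:{rep["line"]}',
            "preempt_count": value,
            "bh_disabled": bool(value is not None and value & 0xFF00),
            "disabled_in": sym.group(1) if sym else None,
        })
    return findings
```

Feed it the text of `dmesg` or a saved kernel log; a finding with `bh_disabled` set and `disabled_in` equal to `shrink_work` matches the report described on this page.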
How to Mitigate CVE-2025-37928
Immediate Actions Required
- Apply the kernel patches from the official Linux kernel git repository
- Disable try_verify_in_tasklet if immediate patching is not possible
- Upgrade to patched kernel versions as soon as available
- Monitor affected systems for signs of exploitation attempts
Patch Information
Multiple patches have been released to address this vulnerability. The fix ensures that scheduling operations are not attempted while in atomic context within the dm-bufio subsystem. Apply one of the following commits based on your kernel version:
- Kernel Commit 69a37b3ba85088fc6b903b8e1db7f0a1d4d0b52d
- Kernel Commit a3d8f0a7f5e8b193db509c7191fefeed3533fc44
- Kernel Commit a99f5bf4f7197009859dbce14c12f8e2ce5a5a69
- Kernel Commit c8c83052283bcf2fdd467a33d1d2bd5ba36e935a
- Kernel Commit f45108257280e0a1cc951ce254853721b40c0812
Debian users should refer to the Debian LTS Security Announcement for distribution-specific packages.
Workarounds
- Disable try_verify_in_tasklet module parameter if your use case permits
- Reduce memory pressure scenarios that trigger dm-bufio cache shrinking
- Isolate systems running vulnerable kernel versions from untrusted local access
- Consider disabling dm-verity verification if not required for your security posture
# Check current kernel version
uname -r
# Verify dm-bufio module status
lsmod | grep dm_bufio
# Check for available kernel updates (Debian/Ubuntu)
apt update && apt list --upgradable | grep linux-image
# Check for available kernel updates (RHEL/CentOS)
yum check-update kernel
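# Apply kernel updates (Debian/Ubuntu): upgrade the kernel metapackage for the
# running flavour, e.g. linux-image-amd64 or linux-image-generic
apt install --only-upgrade "linux-image-$(uname -r | sed -E 's/^[0-9.]+-[0-9]+-//')"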
# Reboot to apply new kernel
shutdown -r now
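To decide where the try_verify_in_tasklet workaround applies, it helps to list the dm-verity devices that actually use the option. The following is an added example, not part of the original advisory: it assumes the option appears as an optional argument on dm-verity table lines (as documented for the dm-verity target) and parses the multi-device output of `dmsetup table`. The sample table and function names are constructed.

```python
# Constructed `dmsetup table` output; device names, sizes, ROOT_DIGEST and
# SALT are placeholders, not values from a real system.
SAMPLE_TABLE = """\
vroot: 0 4194304 verity 1 /dev/sda1 /dev/sda2 4096 4096 524288 1 sha256 ROOT_DIGEST SALT 2 ignore_zero_blocks try_verify_in_tasklet
vdata: 0 2097152 verity 1 /dev/sdb1 /dev/sdb2 4096 4096 262144 1 sha256 ROOT_DIGEST SALT
swap: 0 1048576 linear /dev/sdc1 0
"""

OPTION = "try_verify_in_tasklet"

def verity_targets(table_text):
    """Yield (device, optional_args) for every verity segment in the table."""
    for line in table_text.splitlines():
        name, sep, rest = line.partition(": ")
        fields = rest.split()
        # Segment layout: <start> <length> <target type> <target args...>
        if not sep or len(fields) < 3 or fields[2] != "verity":
            continue
        args = fields[3:]
        # The 10 mandatory verity arguments are followed by an optional
        # count and then that many optional arguments.
        opts = args[11:] if len(args) > 10 else []
        yield name, opts

def devices_using_tasklet(table_text):
    """Names of verity devices whose table enables try_verify_in_tasklet."""
    return sorted({name for name, opts in verity_targets(table_text) if OPTION in opts})
```

Devices returned by `devices_using_tasklet` are the ones whose table would need to be reloaded without the option until a patched kernel is installed.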


