CVE-2025-40325: Linux Kernel RAID10 DOS Vulnerability

CVE-2025-40325 Overview

CVE-2025-40325 affects the Linux kernel's md/raid10 subsystem. The vulnerability resides in the raid10_handle_discard function, which fails to wait on a barrier before returning a discard bio carrying the REQ_NOWAIT flag. The flaw also produces spurious warning call traces in dmesg for discard bios that legitimately carry REQ_NOWAIT, polluting kernel logs and triggering quality engineering alarms during validation.

Linux kernel maintainers have merged fixes in commits 31d3156efe90, 31ff67982c5f, and 3db440443539 on git.kernel.org. The issue requires local access and impacts availability of RAID10 storage operations.

Critical Impact

Local users issuing discard operations against RAID10 devices can trigger improper barrier handling and noisy warning traces, undermining storage stack reliability and observability.

Affected Products

• Linux Kernel (md/raid10 subsystem) prior to fix commit 31d3156efe909b53ba174861a3da880c688f5edc
• Linux Kernel stable branches patched by commit 3db4404435397a345431b45f57876a3df133f3b4
• Linux Kernel stable branches patched by commit 31ff67982c5fa39c0093b9d9f429fef91c2494b7

Discovery Timeline

• 2025-04-18 - CVE-2025-40325 published to NVD
• 2026-01-08 - Last updated in NVD database

Technical Details for CVE-2025-40325

Vulnerability Analysis

The vulnerability resides in raid10_handle_discard, the function that processes discard (TRIM/UNMAP) requests on multi-device RAID10 arrays. When a discard bio enters this path with the REQ_NOWAIT flag set, the caller indicates it cannot tolerate blocking. The original implementation returned the bio without first waiting on the raid10 barrier, leaving the request in an inconsistent state relative to in-flight reconfiguration or reshape operations.

The code path additionally emitted a warning call trace whenever a discard bio carried REQ_NOWAIT. Because quality engineering pipelines parse dmesg for warning and error traces, the noise generated false-positive failures during routine storage testing and obscured legitimate kernel issues. The defect is classified under [NVD-CWE-noinfo] pending further categorization.

Root Cause

The root cause is missing synchronization between the REQ_NOWAIT discard return path and the raid10 personality barrier. The wait_barrier call was not invoked before completion, breaking the invariant that discard bios participate in barrier ordering. The unconditional WARN on REQ_NOWAIT discards compounded the problem by treating an expected condition as anomalous.

Attack Vector

Exploitation requires local access with privileges sufficient to issue discard operations against an md RAID10 device. An attacker, or an unprivileged workload using filesystems that propagate REQ_NOWAIT discards, can trigger the unsynchronized return path and cause availability impact on the storage subsystem. The CVSS vector AV:L/AC:L/PR:L/UI:N reflects local, low-complexity access with low privileges. The vulnerability mechanism is described in the upstream kernel commits referenced below; no public proof-of-concept exploit code is available.

See the kernel fix commit 31d3156e and kernel fix commit 3db44044 for the authoritative technical change.

Detection Methods for CVE-2025-40325

Indicators of Compromise

• Warning call traces in dmesg referencing raid10_handle_discard paired with discard bios carrying REQ_NOWAIT.
• Unexpected I/O latency or stalls on md RAID10 arrays during discard-heavy workloads such as fstrim or filesystem mount-time discard.
• Kernel log entries from the md/raid10 subsystem coinciding with reshape, resync, or reconfiguration activity.

Detection Strategies

• Parse /var/log/kern.log and journalctl -k output for raid10 warning traces and correlate them with discard activity.
• Compare running kernel versions against distribution advisories that incorporate commits 31d3156e, 31ff6798, and 3db44044.
• Audit storage stacks for filesystems and block devices issuing REQ_NOWAIT discards on top of md RAID10.

Monitoring Recommendations

• Forward kernel logs from Linux fleets into a centralized analytics platform and alert on raid10_handle_discard warning patterns.
• Track md array health metrics through /proc/mdstat and mdadm --detail to identify availability degradation.
• Monitor block layer counters via iostat and blktrace for anomalous discard completion behavior.

How to Mitigate CVE-2025-40325

Immediate Actions Required

• Inventory all Linux hosts running md/raid10 arrays and identify kernels that predate the upstream fix commits.
• Schedule patching for affected hosts using the stable kernel update provided by your Linux distribution.
• Restrict local shell access on systems hosting RAID10 storage until patches are deployed.

Patch Information

Apply the upstream fixes merged in the following commits on git.kernel.org:

• Commit 31d3156efe90 - mainline fix adding a wait_barrier call before returning a REQ_NOWAIT discard bio.
• Commit 31ff67982c5f - stable backport.
• Commit 3db440443539 - stable backport.

Consult your Linux distribution's security tracker for the exact package version containing these commits and update via the standard package manager.

Workarounds

• Disable filesystem-level discard (nodiscard mount option) on filesystems backed by md RAID10 until kernels are patched.
• Avoid issuing fstrim against RAID10-backed volumes on unpatched systems.
• Where feasible, migrate workloads requiring REQ_NOWAIT discard semantics to patched hosts.

# Verify running kernel and check for the fix commits
uname -r

# Debian/Ubuntu: install the patched kernel package
sudo apt update && sudo apt install --only-upgrade linux-image-generic

# RHEL/CentOS/Rocky: install the patched kernel
sudo dnf update kernel

# Temporary workaround: remount filesystem without discard
sudo mount -o remount,nodiscard /mnt/raid10-volume

# Inspect kernel log for raid10 warning traces
sudo journalctl -k | grep -i raid10_handle_discard