CVE-2025-21664: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-21664 affects the Linux kernel's device mapper thin provisioning module (dm-thin). The vulnerability was discovered on January 21, 2025, and involves a race condition in the get_first_thin() function. The issue occurs when the function performs list operations that are not properly synchronized in RCU-safe code, potentially leading to system crashes (Kernel Git).

The vulnerability stems from improper list handling in the get_first_thin() function within the dm-thin module. The function incorrectly relies on a list_empty() -> list_first() sequence in RCU-safe code, where each function performs its own READ_ONCE() of the list head. This can result in a race condition where list_empty() sees a valid list entry, but the subsequent list_first() sees a different view of list head state after modification. The issue manifests as a GP fault in the process_deferred_bios path, accompanied by a refcount_t saturation warning and a UBSAN error for out-of-bounds CPUID access in the queued spinlock (Kernel Git).

When exploited, this vulnerability can cause a system crash due to a GP fault in the process_deferred_bios path. The issue occurs when the thin_dtr call removes a thin_c from the active thins list at a critical moment, leading to dereferencing invalid memory addresses and potential system instability (Kernel Git).

The issue has been fixed by modifying the get_first_thin() function to use list_first_or_null_rcu() instead of the previous list_empty() -> list_first() sequence. This new implementation performs a single READ_ONCE() and returns NULL if the list is empty. The fix has been tested against the devicemapper test suite's thin-provisioning suites for delete and suspend operations with no regressions observed. Fixed versions are available in Linux kernel 6.1.128-1 for Debian bookworm and later versions (Debian Security).