CVE-2025-38140: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-38140 is a vulnerability discovered in the Linux kernel related to device management (dm) and zone write plugs. The vulnerability was disclosed on July 3, 2025, affecting the Linux kernel's device mapper component. The issue specifically involves the dm_revalidate_zones() function's handling of zoned devices and their table reloads (CVE Mitre, NVD).

The vulnerability occurs when dm_revalidate_zones() only allows new or previously unzoned devices to call blk_revalidate_disk_zones(). For already zoned devices, disk->nr_zones would always equal md->nr_zones, causing dm_revalidate_zones() to return without performing necessary updates. This can lead to mismatched zoned settings and potential invalid memory access through bdev_zone_is_seq() due to incorrectly sized disk->conv_zones_bitmap (Debian Tracker).

When exploited, this vulnerability can cause the zoned settings for the device to mismatch the new table. In devices with zone write plug resources, this can result in errors such as invalid memory access through bdev_zone_is_seq(). Additionally, if blk_revalidate_disk_zones() fails, it may incorrectly modify or clear the current disk->nr_zones value (CVE Mitre).

The implemented solution disallows any table reloads that change the zoned settings for devices that already have zone plug resources. Specifically, devices with allocated zone plug resources can only switch to another zoned table that emulates zone append, without changing the device size or zone size. Devices can still switch to an error target as needed (CVE Mitre).