Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's dm cache component allows a BUG_ON to be triggered because retries are handled improperly on cache devices that failed to resume due to mapping errors. The failed resume leaves a policy object only partially initialized. When the resume operation is repeated, the kernel attempts to reload cache mappings into the incomplete policy object and hits the BUG_ON. The vulnerability can be reproduced by creating cache metadata with 512 or more blocks, simulating a mapping error, and then attempting to resume the cache device, which triggers the BUG_ON in the kernel.
The vulnerability can lead to a kernel panic by triggering a BUG_ON error, causing the system to halt and display a critical error message.
To reproduce this vulnerability, first create cache metadata with 512 or more cache blocks, ensuring some mappings are stored in the first block of the mapping array. Use the 'cache_restore' tool to build the metadata, then remove the cache device. Next, simulate a mapping error by wiping the second array block of the mapping array. After that, recreate the cache device and load it with the 'dmsetup' command, specifying the metadata version and cache policy. Finally, attempt to resume the cache device, which will trigger the BUG_ON error in the kernel logs.
The vulnerability has been addressed in the Linux kernel by disallowing resume operations for cache devices that failed their initial resume attempt.
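The failure and the fix described above, as a small user-space C model added here for illustration. It is not kernel code: every name, return code and the 8-entry mapping table is hypothetical, and the "slot loaded twice" invariant is an assumed stand-in for the kernel's BUG_ON condition.

```c
/* User-space model of the dm cache resume-retry bug; not kernel code, all names hypothetical. */
#include <stdbool.h>
#include <stdio.h>

#define NR_MAPPINGS 8
enum { OK = 0, ERR_IO = -1, ERR_REFUSED = -2, WOULD_BUG = -3 };

struct cache_dev {
    bool slot_loaded[NR_MAPPINGS]; /* stands in for the policy object */
    bool resume_attempted;
    bool mappings_loaded;          /* set only after a complete load */
    int bad_index;                 /* mapping whose read fails, -1 = none */
};

static int load_mappings(struct cache_dev *c) {
    for (int i = 0; i < NR_MAPPINGS; i++) {
        if (i == c->bad_index)
            return ERR_IO;         /* simulated mapping error */
        if (c->slot_loaded[i])
            return WOULD_BUG;      /* assumed invariant: the kernel would BUG_ON here */
        c->slot_loaded[i] = true;
    }
    return OK;
}

/* guard=true models the fix: no retry after a failed first resume. */
static int cache_resume(struct cache_dev *c, bool guard) {
    if (c->mappings_loaded)
        return OK;                 /* fully loaded earlier, nothing to reload */
    if (guard && c->resume_attempted)
        return ERR_REFUSED;
    c->resume_attempted = true;
    int r = load_mappings(c);
    if (r == OK)
        c->mappings_loaded = true;
    return r;
}

/* Fail the first resume at mapping 4, then retry; returns the retry's result. */
static int retry_after_failure(bool guard) {
    struct cache_dev c = { .bad_index = 4 };
    if (cache_resume(&c, guard) != ERR_IO)
        return OK;
    return cache_resume(&c, guard);
}

int main(void) {
    printf("unfixed: %d, fixed: %d\n", retry_after_failure(false), retry_after_failure(true));
    return 0;
}
```

Without the guard, the retry walks into mappings 0 to 3 that the failed attempt already loaded; with it, the retry is refused before the policy state is touched.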