Linux · Linux Kernel · CVE-2025-21664
**Name of the Vulnerable Software and Affected Versions**
Linux kernel versions prior to 6.6.74
**Description**
A vulnerability in the Linux kernel's dm-thin functionality has been resolved. The issue arises from the use of a non-RCU-safe list handling sequence in the `get_first_thin()` function: `list_empty()` and `list_first()` each read the list head separately, so `list_empty()` can see a valid list entry while the subsequent `list_first()` sees a different view of the list head state after a modification. This can cause a crash, as seen on a production box where a GP fault occurred in the `process_deferred_bios` path. Before the fault, the kernel printed warnings about a saturated `refcount_t` and a UBSAN error for an out-of-bounds `cpuid` access in the queued spinlock. The fix switches `get_first_thin()` to use `list_first_or_null_rcu()`, which performs a single `READ_ONCE()` and returns `NULL` if the list is already empty.
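The race described above, reproduced deterministically in user space as an added example (not the kernel's code or the patch itself). The list helpers, `struct thin`, `struct pool` and the `between_reads` hook are simplified stand-ins constructed for illustration; the hook plays the concurrent writer that removes the last entry.

```c
#include <stddef.h>
#include <stdio.h>

/* User-space stand-ins for the kernel list API, constructed for illustration. */
struct list_head { struct list_head *next, *prev; };
#define READ_ONCE(x) (*(struct list_head *volatile *)&(x))
#define container_of(p, type, member) ((type *)((char *)(p) - offsetof(type, member)))

struct thin { int id; struct list_head list; };             /* stand-in for a thin device */
struct pool { int flags; struct list_head active_thins; };  /* stand-in for the pool */

static struct pool pool; static struct thin t;
static void (*between_reads)(void);  /* hypothetical hook: a concurrent writer */

static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add(struct list_head *n, struct list_head *h) {
    n->next = h->next; n->prev = h; h->next->prev = n; h->next = n;
}
static void list_del(struct list_head *e) { e->prev->next = e->next; e->next->prev = e->prev; }
static void writer_removes_thin(void) { list_del(&t.list); }

/* Racy shape: the emptiness check and the fetch each read head->next. */
static struct thin *first_thin_racy(struct pool *p) {
    if (READ_ONCE(p->active_thins.next) == &p->active_thins)
        return NULL;
    if (between_reads) between_reads();          /* list changes after the check */
    return container_of(READ_ONCE(p->active_thins.next), struct thin, list);
}

/* Fixed shape (what list_first_or_null_rcu() does): one read, then compare. */
static struct thin *first_thin_single_read(struct pool *p) {
    struct list_head *next = READ_ONCE(p->active_thins.next);
    if (between_reads) between_reads();          /* same interleaving, now harmless */
    return next != &p->active_thins ? container_of(next, struct thin, list) : NULL;
}

/* Build a one-entry list, then delete that entry in the middle of the lookup. */
static struct thin *lookup_during_removal(struct thin *(*lookup)(struct pool *)) {
    list_init(&pool.active_thins);
    list_add(&t.list, &pool.active_thins);
    between_reads = writer_removes_thin;
    return lookup(&pool);
}

int main(void) {
    struct thin *r = lookup_during_removal(first_thin_racy);
    printf("racy: entry's list member is the list head itself: %d\n", &r->list == &pool.active_thins);
    printf("single read: got the real entry: %d\n", lookup_during_removal(first_thin_single_read) == &t);
    return 0;
}
```

The racy lookup returns a non-NULL "entry" computed from the list head embedded in the pool, so any field access on it would touch pool memory instead of a thin device. The single-read lookup returns either a real entry or `NULL`; in the kernel, RCU is what keeps a just-removed entry valid while a reader still holds it.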
**Recommendations**
To resolve the issue, update to Linux kernel version 6.6.74 or later.
As a temporary workaround, consider disabling the `get_first_thin()` function until a patch is available.
Restrict access to the `dm-thin` module to minimize the risk of exploitation.
Avoid using the `list_first()` function in the affected code path until the issue is resolved.