| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025090522-CVE-2025-39725-7881@gregkh> Date: Fri, 5 Sep 2025 19:27:23 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-39725: mm/vmscan: fix hwpoisoned large folio handling in shrink_folio_list From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: mm/vmscan: fix hwpoisoned large folio handling in shrink_folio_list In shrink_folio_list(), the hwpoisoned folio may be large folio, which can't be handled by unmap_poisoned_folio(). For THP, try_to_unmap_one() must be passed with TTU_SPLIT_HUGE_PMD to split huge PMD first and then retry. Without TTU_SPLIT_HUGE_PMD, we will trigger null-ptr deref of pvmw.pte. Even we passed TTU_SPLIT_HUGE_PMD, we will trigger a WARN_ON_ONCE due to the page isn't in swapcache. Since UCE is rare in real world, and race with reclaimation is more rare, just skipping the hwpoisoned large folio is enough. memory_failure() will handle it if the UCE is triggered again. This happens when memory reclaim for large folio races with memory_failure(), and will lead to kernel panic. The race is as follows: cpu0 cpu1 shrink_folio_list memory_failure TestSetPageHWPoison unmap_poisoned_folio --> trigger BUG_ON due to unmap_poisoned_folio couldn't handle large folio [tujinjiang@...wei.com: add comment to unmap_poisoned_folio()] The Linux kernel CVE team has assigned CVE-2025-39725 to this issue. Affected and fixed versions =========================== Issue introduced in 6.12.26 with commit 1c9798bf8145a92abf45aa9d38a6406d9eb8bdf0 and fixed in 6.12.41 with commit 656eaddbc952e1baae2f69281c22debe22140312 Issue introduced in 6.15 with commit 1b0449544c6482179ac84530b61fc192a6527bfd and fixed in 6.15.9 with commit c1101113d45838a823188ae25c61af97552a28ae Issue introduced in 6.15 with commit 1b0449544c6482179ac84530b61fc192a6527bfd and fixed in 6.16 with commit 9f1e8cd0b7c4c944e9921b52a6661b5eda2705ab Issue introduced in 6.14.5 with commit 912e9f0300c3564b72a8808db406e313193a37ad Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-39725 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: mm/memory-failure.c mm/vmscan.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/656eaddbc952e1baae2f69281c22debe22140312 https://git.kernel.org/stable/c/c1101113d45838a823188ae25c61af97552a28ae https://git.kernel.org/stable/c/9f1e8cd0b7c4c944e9921b52a6661b5eda2705ab
Powered by blists - more mailing lists