Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2025-22034

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
16/04/2025
Last modified:
31/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm/gup: reject FOLL_SPLIT_PMD with hugetlb VMAs<br /> <br /> Patch series "mm: fixes for device-exclusive entries (hmm)", v2.<br /> <br /> Discussing the PageTail() call in make_device_exclusive_range() with<br /> Willy, I recently discovered [1] that device-exclusive handling does not<br /> properly work with THP, making the hmm-tests selftests fail if THPs are<br /> enabled on the system.<br /> <br /> Looking into more details, I found that hugetlb is not properly fenced,<br /> and I realized that something that was bugging me for longer -- how<br /> device-exclusive entries interact with mapcounts -- completely breaks<br /> migration/swapout/split/hwpoison handling of these folios while they have<br /> device-exclusive PTEs.<br /> <br /> The program below can be used to allocate 1 GiB worth of pages and making<br /> them device-exclusive on a kernel with CONFIG_TEST_HMM.<br /> <br /> Once they are device-exclusive, these folios cannot get swapped out<br /> (proc$pid/smaps_rollup will always indicate 1 GiB RSS no matter how much<br /> one forces memory reclaim), and when having a memory block onlined to<br /> ZONE_MOVABLE, trying to offline it will loop forever and complain about<br /> failed migration of a page that should be movable.<br /> <br /> # echo offline &gt; /sys/devices/system/memory/memory136/state<br /> # echo online_movable &gt; /sys/devices/system/memory/memory136/state<br /> # ./hmm-swap &amp;<br /> ... wait until everything is device-exclusive<br /> # echo offline &gt; /sys/devices/system/memory/memory136/state<br /> [ 285.193431][T14882] page: refcount:2 mapcount:0 mapping:0000000000000000<br /> index:0x7f20671f7 pfn:0x442b6a<br /> [ 285.196618][T14882] memcg:ffff888179298000<br /> [ 285.198085][T14882] anon flags: 0x5fff0000002091c(referenced|uptodate|<br /> dirty|active|owner_2|swapbacked|node=1|zone=3|lastcpupid=0x7ff)<br /> [ 285.201734][T14882] raw: ...<br /> [ 285.204464][T14882] raw: ...<br /> [ 285.207196][T14882] page dumped because: migration failure<br /> [ 285.209072][T14882] page_owner tracks the page as allocated<br /> [ 285.210915][T14882] page last allocated via order 0, migratetype<br /> Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO),<br /> id 14926, tgid 14926 (hmm-swap), ts 254506295376, free_ts 227402023774<br /> [ 285.216765][T14882] post_alloc_hook+0x197/0x1b0<br /> [ 285.218874][T14882] get_page_from_freelist+0x76e/0x3280<br /> [ 285.220864][T14882] __alloc_frozen_pages_noprof+0x38e/0x2740<br /> [ 285.223302][T14882] alloc_pages_mpol+0x1fc/0x540<br /> [ 285.225130][T14882] folio_alloc_mpol_noprof+0x36/0x340<br /> [ 285.227222][T14882] vma_alloc_folio_noprof+0xee/0x1a0<br /> [ 285.229074][T14882] __handle_mm_fault+0x2b38/0x56a0<br /> [ 285.230822][T14882] handle_mm_fault+0x368/0x9f0<br /> ...<br /> <br /> This series fixes all issues I found so far. There is no easy way to fix<br /> without a bigger rework/cleanup. I have a bunch of cleanups on top (some<br /> previous sent, some the result of the discussion in v1) that I will send<br /> out separately once this landed and I get to it.<br /> <br /> I wish we could just use some special present PROT_NONE PTEs instead of<br /> these (non-present, non-none) fake-swap entries; but that just results in<br /> the same problem we keep having (lack of spare PTE bits), and staring at<br /> other similar fake-swap entries, that ship has sailed.<br /> <br /> With this series, make_device_exclusive() doesn&amp;#39;t actually belong into<br /> mm/rmap.c anymore, but I&amp;#39;ll leave moving that for another day.<br /> <br /> I only tested this series with the hmm-tests selftests due to lack of HW,<br /> so I&amp;#39;d appreciate some testing, especially if the interaction between two<br /> GPUs wanting a device-exclusive entry works as expected.<br /> <br /> <br /> #include <br /> #include <br /> #include <br /> #include <br /> #include <br /> #include <br /> #include <br /> #include <br /> #include <br /> #include <br /> <br /> #define HMM_DMIRROR_EXCLUSIVE _IOWR(&amp;#39;H&amp;#39;, 0x05, struct hmm_dmirror_cmd)<br /> <br /> struct hmm_dmirror_cmd {<br /> __u64 addr;<br /> __u64 ptr;<br /> __u64 npages;<br /> __u64 cpages;<br /> __u64 faults;<br /> };<br /> <br /> const size_t size = 1 * 1024 * 1024 * 1024ul;<br /> const size_t chunk_size = 2 * 1024 * 1024ul;<br /> <br /> int m<br /> ---truncated---

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS v3.1 Severity and Metrics:

Base Score: 5.50 MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

Base Score 3.x
5.50
Severity 3.x
MEDIUM

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.10 (including) 6.12.23 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 6.13.11 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.14 (including) 6.14.2 (excluding)

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools