CVE-2025-37958
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
20/05/2025
Last modified:
21/05/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

mm/huge_memory: fix dereferencing invalid pmd migration entry

When migrating a THP, concurrent access to the PMD migration entry during a deferred split scan can lead to an invalid address access, as illustrated below. To prevent this invalid access, it is necessary to check the PMD migration entry and return early. In this context, there is no need to use pmd_to_swp_entry and pfn_swap_entry_to_page to verify the equality of the target folio. Since the PMD migration entry is locked, it cannot be served as the target.

Mailing list discussion and explanation from Hugh Dickins: "An anon_vma lookup points to a location which may contain the folio of interest, but might instead contain another folio: and weeding out those other folios is precisely what the "folio != pmd_folio((*pmd)" check (and the "risk of replacing the wrong folio" comment a few lines above it) is for."

BUG: unable to handle page fault for address: ffffea60001db008
CPU: 0 UID: 0 PID: 2199114 Comm: tee Not tainted 6.14.0+ #4 NONE
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:split_huge_pmd_locked+0x3b5/0x2b60
Call Trace:
try_to_migrate_one+0x28c/0x3730
rmap_walk_anon+0x4f6/0x770
unmap_folio+0x196/0x1f0
split_huge_page_to_list_to_order+0x9f6/0x1560
deferred_split_scan+0xac5/0x12a0
shrinker_debugfs_scan_write+0x376/0x470
full_proxy_write+0x15c/0x220
vfs_write+0x2fc/0xcb0
ksys_write+0x146/0x250
do_syscall_64+0x6a/0x120
entry_SYSCALL_64_after_hwframe+0x76/0x7e

The bug is found by syzkaller on an internal kernel, then confirmed on upstream.
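The early-return check the description calls for, modelled in user-space C as an added example (this is not the kernel's code; pmd_t, the PMD_MIGRATION tag, the four-page vmemmap, invalid_access and the split_check_before/after names are all constructed for the model). It shows why applying pmd_folio() to a migration entry is unsafe, and how testing is_pmd_migration_entry() first avoids decoding the entry at all.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed user-space model, not kernel code. A pmd_t is a 64-bit word:
 * a present huge PMD carries a pfn in bits 12+, while a migration entry has
 * the present bit clear and carries a swap offset in those same bits, so
 * decoding it as a pfn yields a bogus page address (the fault in the report).
 * The caller is assumed to hold either a huge PMD or a migration entry, as
 * split_huge_pmd_locked() has already checked at this point. */
typedef uint64_t pmd_t;
#define PMD_PRESENT   0x1ULL
#define PMD_MIGRATION 0x2ULL      /* model-only tag for a migration entry */
#define NR_PAGES      4           /* model vmemmap: only pfns 0..3 exist */

struct folio { int id; };
struct page  { struct folio *compound_head; };
static struct folio folios[NR_PAGES];
static struct page  vmemmap[NR_PAGES] = {
    { &folios[0] }, { &folios[1] }, { &folios[2] }, { &folios[3] } };
static int invalid_access;        /* reads outside the model vmemmap */

static bool is_pmd_migration_entry(pmd_t p) { return !(p & PMD_PRESENT) && (p & PMD_MIGRATION); }
static pmd_t mk_huge_pmd(uint64_t pfn)      { return (pfn << 12) | PMD_PRESENT; }
static pmd_t mk_migration_pmd(uint64_t off) { return (off << 12) | PMD_MIGRATION; }

/* page_folio(pmd_page(p)): reads page->compound_head, which is only valid
 * when p is really present; an out-of-range pfn stands in for the fault. */
static struct folio *pmd_folio(pmd_t p)
{
    uint64_t pfn = p >> 12;
    if (pfn >= NR_PAGES) { invalid_access++; return NULL; }
    return vmemmap[pfn].compound_head;
}

enum outcome { OUT_SPLIT, OUT_SKIP };

/* Before the fix: pmd_folio() is applied even to a migration entry. */
static enum outcome split_check_before(pmd_t pmd, const struct folio *folio)
{
    if (folio && folio != pmd_folio(pmd))
        return OUT_SKIP;
    return OUT_SPLIT;
}

/* After the fix: a locked migration entry cannot be the target folio,
 * so return early without decoding it. */
static enum outcome split_check_after(pmd_t pmd, const struct folio *folio)
{
    if (folio && (is_pmd_migration_entry(pmd) || folio != pmd_folio(pmd)))
        return OUT_SKIP;
    return OUT_SPLIT;
}
```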