CVE-2025-38029
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 18/06/2025
Last modified: 18/06/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

kasan: avoid sleepable page allocation from atomic context

apply_to_pte_range() enters the lazy MMU mode and then invokes
kasan_populate_vmalloc_pte() callback on each page table walk iteration.
However, the callback can go into sleep when trying to allocate a single
page, e.g. if an architecture disables preemption on lazy MMU mode enter.

On s390 if make arch_enter_lazy_mmu_mode() -> preempt_enable() and
arch_leave_lazy_mmu_mode() -> preempt_disable(), such crash occurs:

[ 0.663336] BUG: sleeping function called from invalid context at ./include/linux/sched/mm.h:321
[ 0.663348] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 2, name: kthreadd
[ 0.663358] preempt_count: 1, expected: 0
[ 0.663366] RCU nest depth: 0, expected: 0
[ 0.663375] no locks held by kthreadd/2.
[ 0.663383] Preemption disabled at:
[ 0.663386] [] apply_to_pte_range+0xfa/0x4a0
[ 0.663405] CPU: 0 UID: 0 PID: 2 Comm: kthreadd Not tainted 6.15.0-rc5-gcc-kasan-00043-gd76bb1ebb558-dirty #162 PREEMPT
[ 0.663408] Hardware name: IBM 3931 A01 701 (KVM/Linux)
[ 0.663409] Call Trace:
[ 0.663410] [] dump_stack_lvl+0xe8/0x140
[ 0.663413] [] __might_resched+0x66e/0x700
[ 0.663415] [] __alloc_frozen_pages_noprof+0x370/0x4b0
[ 0.663419] [] alloc_pages_mpol+0x1a0/0x4a0
[ 0.663421] [] alloc_frozen_pages_noprof+0x88/0xc0
[ 0.663424] [] alloc_pages_noprof+0x22/0x120
[ 0.663427] [] get_free_pages_noprof+0x2c/0xc0
[ 0.663429] [] kasan_populate_vmalloc_pte+0x50/0x120
[ 0.663433] [] apply_to_pte_range+0x118/0x4a0
[ 0.663435] [] apply_to_pmd_range+0x194/0x3e0
[ 0.663437] [] __apply_to_page_range+0x2fe/0x7a0
[ 0.663440] [] apply_to_page_range+0x28/0x40
[ 0.663442] [] kasan_populate_vmalloc+0x82/0xa0
[ 0.663445] [] alloc_vmap_area+0x34c/0xc10
[ 0.663448] [] __get_vm_area_node+0x186/0x2a0
[ 0.663451] [] __vmalloc_node_range_noprof+0x116/0x310
[ 0.663454] [] __vmalloc_node_noprof+0xd0/0x110
[ 0.663457] [] alloc_thread_stack_node+0xf8/0x330
[ 0.663460] [] dup_task_struct+0x66/0x4d0
[ 0.663463] [] copy_process+0x280/0x4b90
[ 0.663465] [] kernel_clone+0xd0/0x4b0
[ 0.663467] [] kernel_thread+0xbe/0xe0
[ 0.663469] [] kthreadd+0x50e/0x7f0
[ 0.663472] [] __ret_from_fork+0x8a/0xf0
[ 0.663475] [] ret_from_fork+0xa/0x38

Instead of allocating single pages per-PTE, bulk-allocate the shadow<br />
memory prior to applying kasan_populate_vmalloc_pte() callback on a page<br />
range.
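The bug class and the fix pattern described above, as an added user-space model (not kernel code and not the upstream patch): a page-table walker that disables preemption around a per-PTE callback, a callback that calls a sleepable allocator from inside that atomic section (the reported bug), and the corrected flow that bulk-allocates the pages beforehand and lets the callback only install them. All names here (`apply_to_pte_range`, `populate_pte_buggy`, `populate_pte_fixed`, `bulk_populate`, the `might_sleep` counter) are simplified stand-ins chosen for this illustration, not the kernel's real implementations.

```c
/* Hypothetical model of CVE-2025-38029: sleepable allocation from a
 * callback run with preemption disabled, and the bulk-allocate fix.
 * User-space stand-ins for kernel primitives; not the kernel's code. */
#include <stdio.h>
#include <stdlib.h>

#define PAGE_SIZE 4096
#define NR_PTES   8

/* Stand-in for preempt_count(): non-zero means we are in atomic context. */
static int preempt_count;
/* Number of "BUG: sleeping function called from invalid context" reports. */
static int sleep_in_atomic_bugs;

static void preempt_disable(void) { preempt_count++; }
static void preempt_enable(void)  { preempt_count--; }

/* Modelled arch hooks: lazy MMU mode is entered with preemption off. */
static void arch_enter_lazy_mmu_mode(void) { preempt_disable(); }
static void arch_leave_lazy_mmu_mode(void) { preempt_enable(); }

/* Modelled might_sleep(): the check behind __might_resched() in the trace. */
static void might_sleep(void)
{
    if (preempt_count != 0) {
        sleep_in_atomic_bugs++;
        fprintf(stderr, "BUG: sleeping function called from invalid context "
                        "(preempt_count: %d, expected: 0)\n", preempt_count);
    }
}

/* A GFP_KERNEL-style allocation: allowed to block, so it must not run atomic. */
static void *alloc_page_sleepable(void)
{
    might_sleep();
    return calloc(1, PAGE_SIZE);
}

typedef int (*pte_fn_t)(void **pte, void *data);

/* Modelled apply_to_pte_range(): the callback runs inside lazy MMU mode. */
static int apply_to_pte_range(void **ptes, int n, pte_fn_t fn, void *data)
{
    int i, err = 0;
    arch_enter_lazy_mmu_mode();
    for (i = 0; i < n && !err; i++)
        err = fn(&ptes[i], data);
    arch_leave_lazy_mmu_mode();
    return err;
}

/* Buggy callback: allocates the shadow page from inside the atomic walk. */
static int populate_pte_buggy(void **pte, void *data)
{
    (void)data;
    if (*pte)
        return 0;               /* already populated */
    *pte = alloc_page_sleepable();
    return *pte ? 0 : -1;
}

/* Fixed callback: only installs a page taken from a pre-filled pool. */
struct page_pool { void **pages; int n; int next; };

static int populate_pte_fixed(void **pte, void *data)
{
    struct page_pool *pool = data;
    if (*pte)
        return 0;
    if (pool->next >= pool->n)
        return -1;              /* pool exhausted: caller sized it wrong */
    *pte = pool->pages[pool->next++];
    return 0;
}

/* Fixed flow: sleepable allocations happen before the walk, preemption on. */
static int bulk_populate(void **ptes, int n)
{
    struct page_pool pool = { calloc((size_t)n, sizeof(void *)), n, 0 };
    int i, err;
    for (i = 0; i < n; i++)
        pool.pages[i] = alloc_page_sleepable();
    err = apply_to_pte_range(ptes, n, populate_pte_fixed, &pool);
    /* Pages left over (PTEs that were already populated) must be released. */
    for (i = pool.next; i < n; i++)
        free(pool.pages[i]);
    free(pool.pages);
    return err;
}

static void free_ptes(void **ptes, int n)
{
    for (int i = 0; i < n; i++)
        free(ptes[i]);
}

/* Returns how many sleep-in-atomic reports the buggy walk triggers. */
int run_buggy_walk(void)
{
    void *ptes[NR_PTES] = {0};
    sleep_in_atomic_bugs = 0;
    apply_to_pte_range(ptes, NR_PTES, populate_pte_buggy, NULL);
    free_ptes(ptes, NR_PTES);
    return sleep_in_atomic_bugs;
}

/* Returns how many sleep-in-atomic reports the fixed walk triggers. */
int run_fixed_walk(void)
{
    void *ptes[NR_PTES] = {0};
    sleep_in_atomic_bugs = 0;
    bulk_populate(ptes, NR_PTES);
    free_ptes(ptes, NR_PTES);
    return sleep_in_atomic_bugs;
}

int main(void)
{
    printf("buggy walk: %d reports\n", run_buggy_walk());
    printf("fixed walk: %d reports\n", run_fixed_walk());
    return 0;
}
```

The model only reproduces the control-flow property at issue: whether a blocking allocation is reached while preemption is disabled. In the real kernel the sleep-in-atomic report is raised by `__might_resched()` on the page allocator's path (visible in the trace above), and whether the lazy MMU hooks actually disable preemption is architecture-specific, which is why the crash was observed on s390.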