CVE-2025-38447

Severity CVSS v4.0: Pending analysis
Type: CWE-125 Out-of-bounds Read
Publication date: 25/07/2025
Last modified: 19/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

mm/rmap: fix potential out-of-bounds page table access during batched unmap

As pointed out by David[1], the batched unmap logic in try_to_unmap_one() may read past the end of a PTE table when a large folio's PTE mappings are not fully contained within a single page table.

While this scenario might be rare, an issue triggerable from userspace must be fixed regardless of its likelihood. This patch fixes the out-of-bounds access by refactoring the logic into a new helper, folio_unmap_pte_batch().

The new helper correctly calculates the safe batch size by capping the scan at both the VMA and PMD boundaries. To simplify the code, it also supports partial batching (i.e., any number of pages from 1 up to the calculated safe maximum), as there is no strong reason to special-case for fully mapped folios.
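The boundary capping described above can be modelled in userspace. The following is an added example, not the kernel patch or any code from the kernel tree: it assumes 4 KiB pages and 512-entry PTE tables (one table per 2 MiB PMD range), and the names pmd_end_clamped, safe_batch_max and entries_past_table, along with the sample addresses, are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed geometry (4 KiB pages): one PTE table holds 512 entries and
 * therefore maps exactly one 2 MiB PMD-sized range. */
#define PAGE_SHIFT   12
#define PTRS_PER_PTE 512u
#define PMD_SIZE     ((uint64_t)PTRS_PER_PTE << PAGE_SHIFT)
#define PMD_MASK     (~(PMD_SIZE - 1))

/* End of the PMD range containing addr, clamped to limit (hypothetical
 * helper; limit is the VMA end in this model). */
static uint64_t pmd_end_clamped(uint64_t addr, uint64_t limit)
{
    uint64_t next = (addr + PMD_SIZE) & PMD_MASK;
    return next < limit ? next : limit;
}

/* Largest number of PTEs that may be scanned starting at addr: never past
 * the VMA end, never past the end of the current PTE table, and never more
 * than the pages the folio has left. At least 1 when addr < vma_end. */
static unsigned safe_batch_max(uint64_t addr, uint64_t vma_end,
                               unsigned folio_pages_left)
{
    uint64_t end = pmd_end_clamped(addr, vma_end);
    unsigned max_nr = (unsigned)((end - addr) >> PAGE_SHIFT);
    return folio_pages_left < max_nr ? folio_pages_left : max_nr;
}

/* Number of entries a scan of nr PTEs from addr would read beyond its
 * table; non-zero is the out-of-bounds condition described above. */
static unsigned entries_past_table(uint64_t addr, unsigned nr)
{
    unsigned idx = (unsigned)((addr >> PAGE_SHIFT) & (PTRS_PER_PTE - 1));
    return idx + nr > PTRS_PER_PTE ? idx + nr - PTRS_PER_PTE : 0;
}

int main(void)
{
    /* Constructed case: 16-page folio mapped 4 pages before a PMD boundary. */
    uint64_t addr = 0x7f0000200000ULL - 4 * 4096, vma_end = 0x7f0000400000ULL;
    unsigned nr = safe_batch_max(addr, vma_end, 16);
    printf("uncapped overrun=%u capped nr=%u overrun=%u\n",
           entries_past_table(addr, 16), nr, entries_past_table(addr, nr));
    return 0;
}
```

In this model a batch size below the folio's remaining page count is the partial-batching case: the caller handles the pages returned and continues with the rest from the next page table.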

Vulnerable products and versions

| CPE | From | Up to |
| --- | --- | --- |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.15 (including) | 6.15.7 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.16:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.16:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.16:rc3:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.16:rc4:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.16:rc5:*:*:*:*:*:* | | |