CVE-2025-39883

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory<br /> <br /> When I did memory failure tests, below panic occurs:<br /> <br /> page dumped because: VM_BUG_ON_PAGE(PagePoisoned(page))<br /> kernel BUG at include/linux/page-flags.h:616!<br /> Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI<br /> CPU: 3 PID: 720 Comm: bash Not tainted 6.10.0-rc1-00195-g148743902568 #40<br /> RIP: 0010:unpoison_memory+0x2f3/0x590<br /> RSP: 0018:ffffa57fc8787d60 EFLAGS: 00000246<br /> RAX: 0000000000000037 RBX: 0000000000000009 RCX: ffff9be25fcdc9c8<br /> RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff9be25fcdc9c0<br /> RBP: 0000000000300000 R08: ffffffffb4956f88 R09: 0000000000009ffb<br /> R10: 0000000000000284 R11: ffffffffb4926fa0 R12: ffffe6b00c000000<br /> R13: ffff9bdb453dfd00 R14: 0000000000000000 R15: fffffffffffffffe<br /> FS: 00007f08f04e4740(0000) GS:ffff9be25fcc0000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 0000564787a30410 CR3: 000000010d4e2000 CR4: 00000000000006f0<br /> Call Trace:<br /> <br /> unpoison_memory+0x2f3/0x590<br /> simple_attr_write_xsigned.constprop.0.isra.0+0xb3/0x110<br /> debugfs_attr_write+0x42/0x60<br /> full_proxy_write+0x5b/0x80<br /> vfs_write+0xd5/0x540<br /> ksys_write+0x64/0xe0<br /> do_syscall_64+0xb9/0x1d0<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> RIP: 0033:0x7f08f0314887<br /> RSP: 002b:00007ffece710078 EFLAGS: 00000246 ORIG_RAX: 0000000000000001<br /> RAX: ffffffffffffffda RBX: 0000000000000009 RCX: 00007f08f0314887<br /> RDX: 0000000000000009 RSI: 0000564787a30410 RDI: 0000000000000001<br /> RBP: 0000564787a30410 R08: 000000000000fefe R09: 000000007fffffff<br /> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000009<br /> R13: 00007f08f041b780 R14: 00007f08f0417600 R15: 00007f08f0416a00<br /> <br /> Modules linked in: hwpoison_inject<br /> ---[ end trace 0000000000000000 ]---<br /> RIP: 0010:unpoison_memory+0x2f3/0x590<br /> RSP: 0018:ffffa57fc8787d60 EFLAGS: 00000246<br /> RAX: 0000000000000037 RBX: 0000000000000009 RCX: ffff9be25fcdc9c8<br /> RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff9be25fcdc9c0<br /> RBP: 0000000000300000 R08: ffffffffb4956f88 R09: 0000000000009ffb<br /> R10: 0000000000000284 R11: ffffffffb4926fa0 R12: ffffe6b00c000000<br /> R13: ffff9bdb453dfd00 R14: 0000000000000000 R15: fffffffffffffffe<br /> FS: 00007f08f04e4740(0000) GS:ffff9be25fcc0000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 0000564787a30410 CR3: 000000010d4e2000 CR4: 00000000000006f0<br /> Kernel panic - not syncing: Fatal exception<br /> Kernel Offset: 0x31c00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)<br /> ---[ end Kernel panic - not syncing: Fatal exception ]---<br /> <br /> The root cause is that unpoison_memory() tries to check the PG_HWPoison<br /> flags of an uninitialized page. So VM_BUG_ON_PAGE(PagePoisoned(page)) is<br /> triggered. This can be reproduced by below steps:<br /> <br /> 1.Offline memory block:<br /> <br /> echo offline &gt; /sys/devices/system/memory/memory12/state<br /> <br /> 2.Get offlined memory pfn:<br /> <br /> page-types -b n -rlN<br /> <br /> 3.Write pfn to unpoison-pfn<br /> <br /> echo &gt; /sys/kernel/debug/hwpoison/unpoison-pfn<br /> <br /> This scenario can be identified by pfn_to_online_page() returning NULL. <br /> And ZONE_DEVICE pages are never expected, so we can simply fail if<br /> pfn_to_online_page() == NULL to fix the bug.