National Cybersecurity Institute (INCIBE). INCIBE-CERT section

CVE-2025-39725

Severity:
Pending analysis
Type:
Not available / Other
Publication date:
05/09/2025
Last modified:
08/09/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

mm/vmscan: fix hwpoisoned large folio handling in shrink_folio_list

In shrink_folio_list(), the hwpoisoned folio may be a large folio, which can't be handled by unmap_poisoned_folio(). For THP, try_to_unmap_one() must be passed TTU_SPLIT_HUGE_PMD to split the huge PMD first and then retry. Without TTU_SPLIT_HUGE_PMD, we will trigger a null-ptr deref of pvmw.pte. Even if we pass TTU_SPLIT_HUGE_PMD, we will trigger a WARN_ON_ONCE because the page isn't in the swapcache.

Since UCE is rare in the real world, and a race with reclamation is rarer still, just skipping the hwpoisoned large folio is enough. memory_failure() will handle it if the UCE is triggered again.

This happens when memory reclaim for a large folio races with memory_failure(), and will lead to a kernel panic. The race is as follows:

    cpu0                        cpu1
    shrink_folio_list           memory_failure
                                  TestSetPageHWPoison
      unmap_poisoned_folio
      --> trigger BUG_ON due to
          unmap_poisoned_folio couldn't
          handle large folio

[tujinjiang@huawei.com: add comment to unmap_poisoned_folio()]

Impact