CVE-2025-22015

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm/migrate: fix shmem xarray update during migration<br /> <br /> A shmem folio can be either in page cache or in swap cache, but not at the<br /> same time. Namely, once it is in swap cache, folio-&gt;mapping should be<br /> NULL, and the folio is no longer in a shmem mapping.<br /> <br /> In __folio_migrate_mapping(), to determine the number of xarray entries to<br /> update, folio_test_swapbacked() is used, but that conflates shmem in page<br /> cache case and shmem in swap cache case. It leads to xarray multi-index<br /> entry corruption, since it turns a sibling entry to a normal entry during<br /> xas_store() (see [1] for a userspace reproduction). Fix it by only using<br /> folio_test_swapcache() to determine whether xarray is storing swap cache<br /> entries or not to choose the right number of xarray entries to update.<br /> <br /> [1] https://lore.kernel.org/linux-mm/Z8idPCkaJW1IChjT@casper.infradead.org/<br /> <br /> Note:<br /> In __split_huge_page(), folio_test_anon() &amp;&amp; folio_test_swapcache() is<br /> used to get swap_cache address space, but that ignores the shmem folio in<br /> swap cache case. It could lead to NULL pointer dereferencing when a<br /> in-swap-cache shmem folio is split at __xa_store(), since<br /> !folio_test_anon() is true and folio-&gt;mapping is NULL. But fortunately,<br /> its caller split_huge_page_to_list_to_order() bails out early with EBUSY<br /> when folio-&gt;mapping is NULL. So no need to take care of it here.