CVE-2025-37922
Severity CVSS v4.0:
Pending analysis
Type:
CWE-476
NULL Pointer Dereference
Publication date:
20/05/2025
Last modified:
10/11/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

book3s64/radix : Align section vmemmap start address to PAGE_SIZE

A vmemmap altmap is a device-provided region used to provide
backing storage for struct pages. For each namespace, the altmap
should belong to that same namespace. If the namespaces are
created unaligned, there is a chance that the section vmemmap
start address could also be unaligned. If the section vmemmap
start address is unaligned, the altmap page allocated from the
current namespace might be used by the previous namespace also.
During the free operation, since the altmap is shared between two
namespaces, the previous namespace may detect that the page does
not belong to its altmap and incorrectly assume that the page is a
normal page. It then attempts to free the normal page, which leads
to a kernel crash.

Kernel attempted to read user page (18) - exploit attempt? (uid: 0)
BUG: Kernel NULL pointer dereference on read at 0x00000018
Faulting instruction address: 0xc000000000530c7c
Oops: Kernel access of bad area, sig: 11 [#1]
LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries
CPU: 32 PID: 2104 Comm: ndctl Kdump: loaded Tainted: G W
NIP: c000000000530c7c LR: c000000000530e00 CTR: 0000000000007ffe
REGS: c000000015e57040 TRAP: 0300 Tainted: G W
MSR: 800000000280b033 CR: 84482404
CFAR: c000000000530dfc DAR: 0000000000000018 DSISR: 40000000 IRQMASK: 0
GPR00: c000000000530e00 c000000015e572e0 c000000002c5cb00 c00c000101008040
GPR04: 0000000000000000 0000000000000007 0000000000000001 000000000000001f
GPR08: 0000000000000005 0000000000000000 0000000000000018 0000000000002000
GPR12: c0000000001d2fb0 c0000060de6b0080 0000000000000000 c0000060dbf90020
GPR16: c00c000101008000 0000000000000001 0000000000000000 c000000125b20f00
GPR20: 0000000000000001 0000000000000000 ffffffffffffffff c00c000101007fff
GPR24: 0000000000000001 0000000000000000 0000000000000000 0000000000000000
GPR28: 0000000004040201 0000000000000001 0000000000000000 c00c000101008040
NIP [c000000000530c7c] get_pfnblock_flags_mask+0x7c/0xd0
LR [c000000000530e00] free_unref_page_prepare+0x130/0x4f0
Call Trace:
free_unref_page+0x50/0x1e0
free_reserved_page+0x40/0x68
free_vmemmap_pages+0x98/0xe0
remove_pte_table+0x164/0x1e8
remove_pmd_table+0x204/0x2c8
remove_pud_table+0x1c4/0x288
remove_pagetable+0x1c8/0x310
vmemmap_free+0x24/0x50
section_deactivate+0x28c/0x2a0
__remove_pages+0x84/0x110
arch_remove_memory+0x38/0x60
memunmap_pages+0x18c/0x3d0
devm_action_release+0x30/0x50
release_nodes+0x68/0x140
devres_release_group+0x100/0x190
dax_pmem_compat_release+0x44/0x80 [dax_pmem_compat]
device_for_each_child+0x8c/0x100
dax_pmem_compat_remove+0x2c/0x50 [dax_pmem_compat]
nvdimm_bus_remove+0x78/0x140 [libnvdimm]
device_remove+0x70/0xd0

Another issue is that if there is no altmap, a PMD-sized vmemmap
page will be allocated from RAM, regardless of the alignment of
the section start address. If the section start address is not
aligned to the PMD size, a VM_BUG_ON will be triggered when
setting the PMD-sized page to page table.

In this patch, we are aligning the section vmemmap start address
to PAGE_SIZE. After alignment, the start address will not be
part of the current namespace, and a normal page will be allocated
for the vmemmap mapping of the current section. For the remaining
sections, altmaps will be allocated. During the free operation,
the normal page will be correctly freed.

In the same way, a PMD_SIZE vmemmap page will be allocated only if
the section start address is PMD_SIZE-aligned; otherwise, it will
fall back to a PAGE-sized vmemmap allocation.

Without this patch
==================
NS1 start NS2 start
_________________________________________________________
| NS1 | NS2 |
---------------------------------------------------------
| Altmap| Altmap | .....|Altmap| Altmap | ...........
| NS1 | NS1
---truncated---
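The alignment rule and the free-path ownership problem described in the commit message, as an added userspace model written for this page. It is not kernel code and not the patch itself: the page-table walk is reduced to a list of backing chunks, the 2 MiB PMD_SIZE, the two namespaces and their vmemmap addresses are constructed assumptions, and only PAGE_SIZE (64K) is taken from the oops above. `populate_old` follows the pre-fix behaviour as the message describes it, `populate_fixed` the rule the patch introduces, and `foreign_altmap_pages` shows why a PMD page taken from NS2's altmap but covering NS1's struct pages ends up in `free_reserved_page()`.

```c
/* Added model of the vmemmap backing decision from the commit message above.
 * Not kernel code: PMD_SIZE, the namespace layout and the chunk list are
 * assumptions made for this example; PAGE_SIZE=64K follows the oops. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE 0x10000UL   /* 64K, as in "LE PAGE_SIZE=64K" in the oops */
#define PMD_SIZE  0x200000UL  /* 2 MiB PMD mapping: an assumption of this model */
#define ALIGN_DOWN(x, a) ((x) & ~((a) - 1UL))
#define IS_ALIGNED(x, a) (((x) & ((a) - 1UL)) == 0)

enum src { SRC_RAM, SRC_ALTMAP };

/* One namespace's altmap: device memory that may back vmemmap [base, end). */
struct altmap { int ns; uint64_t base, end; };

/* One backing allocation for vmemmap [va, va+size); owner is -1 for RAM. */
struct chunk { uint64_t va, size; enum src src; int owner; };

#define MAX_CHUNKS 64
struct plan { struct chunk c[MAX_CHUNKS]; size_t n; bool vm_bug_on; };

static void emit(struct plan *p, uint64_t va, uint64_t size, const struct altmap *am)
{
    /* Installing a PMD-sized page at a non-PMD-aligned address is the VM_BUG_ON case. */
    if (size == PMD_SIZE && !IS_ALIGNED(va, PMD_SIZE))
        p->vm_bug_on = true;
    if (p->n < MAX_CHUNKS)
        p->c[p->n++] = (struct chunk){ va, size, am ? SRC_ALTMAP : SRC_RAM, am ? am->ns : -1 };
}

/* The altmap backs [va, va+size) only if that range lies inside its namespace. */
static const struct altmap *altmap_for(const struct altmap *am, uint64_t va, uint64_t size)
{
    return (am && va >= am->base && va + size <= am->end) ? am : NULL;
}

/* Pre-fix behaviour as described: PMD-sized pages from the altmap starting at
 * the PMD-rounded address, so the first one can reach back into the previous
 * namespace; without an altmap, a PMD-sized RAM page at the unaligned start. */
static struct plan populate_old(uint64_t start, uint64_t end, const struct altmap *am)
{
    struct plan p = { .n = 0, .vm_bug_on = false };
    if (!am) {
        emit(&p, start, PMD_SIZE, NULL);
        return p;
    }
    for (uint64_t va = ALIGN_DOWN(start, PMD_SIZE); va < end; va += PMD_SIZE)
        emit(&p, va, PMD_SIZE, am);              /* never checked against am->base */
    return p;
}

/* Fixed behaviour: align the start to PAGE_SIZE, use PMD_SIZE only at
 * PMD-aligned addresses (else PAGE_SIZE), and take a page from the altmap
 * only when it lies inside this namespace, otherwise a normal RAM page. */
static struct plan populate_fixed(uint64_t start, uint64_t end, const struct altmap *am)
{
    struct plan p = { .n = 0, .vm_bug_on = false };
    for (uint64_t va = ALIGN_DOWN(start, PAGE_SIZE); va < end; ) {
        uint64_t size = (IS_ALIGNED(va, PMD_SIZE) && va + PMD_SIZE <= end) ? PMD_SIZE : PAGE_SIZE;
        emit(&p, va, size, altmap_for(am, va, size));
        va += size;
    }
    return p;
}

/* Teardown of namespace `ns` (vmemmap [start, end)): count chunks touching its
 * range that came from another namespace's altmap. Those are "not in my altmap",
 * so free_vmemmap_pages() treats them as normal pages and calls
 * free_reserved_page(): the crash path in the trace. RAM chunks free correctly. */
static int foreign_altmap_pages(const struct plan *p, int ns, uint64_t start, uint64_t end)
{
    int bad = 0;
    for (size_t i = 0; i < p->n; i++) {
        const struct chunk *c = &p->c[i];
        if (c->va >= end || c->va + c->size <= start)
            continue;                             /* does not touch this namespace */
        if (c->src == SRC_ALTMAP && c->owner != ns)
            bad++;
    }
    return bad;
}

/* Constructed layout: NS1 ends and NS2 starts at 0x1234000, which is neither
 * PAGE_SIZE- nor PMD_SIZE-aligned. */
static const uint64_t NS1_START = 0x1000000, NS1_END = 0x1234000;
static const uint64_t NS2_START = 0x1234000, NS2_END = 0x1600000;
static const struct altmap NS2_ALTMAP = { 2, 0x1234000, 0x1600000 };

/* NS2-altmap pages that NS1's teardown would wrongly free, old vs fixed rule. */
static int ns1_teardown_foreign_pages(bool fixed)
{
    struct plan p = fixed ? populate_fixed(NS2_START, NS2_END, &NS2_ALTMAP)
                          : populate_old(NS2_START, NS2_END, &NS2_ALTMAP);
    return foreign_altmap_pages(&p, 1, NS1_START, NS1_END);
}

/* Whether populating NS2 without an altmap trips the PMD alignment VM_BUG_ON. */
static bool no_altmap_vm_bug_on(bool fixed)
{
    struct plan p = fixed ? populate_fixed(NS2_START, NS2_END, NULL)
                          : populate_old(NS2_START, NS2_END, NULL);
    return p.vm_bug_on;
}

int main(void)
{
    printf("altmap case   : NS2 altmap pages hit by NS1 teardown: old=%d fixed=%d\n",
           ns1_teardown_foreign_pages(false), ns1_teardown_foreign_pages(true));
    printf("no-altmap case: VM_BUG_ON old=%d fixed=%d\n",
           no_altmap_vm_bug_on(false), no_altmap_vm_bug_on(true));
    return 0;
}
```

With the old rule the first PMD page NS2 takes from its altmap starts at 0x1200000 and covers NS1's last struct pages, so NS1's teardown meets one page it cannot account for; with the fixed rule the page at the aligned-down start (0x1230000) comes from RAM and every altmap page lies inside NS2, so the count is zero, and the no-altmap case no longer places a PMD-sized page at an unaligned address.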
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.6 (including) | 6.6.90 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.28 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.14.6 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.15:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.15:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.15:rc3:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.15:rc4:*:*:*:*:*:* | | |