CVE-2025-38681

Severity CVSS v4.0: Pending analysis
Type: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Publication date: 04/09/2025
Last modified: 08/01/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

mm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd()

Memory hot remove unmaps and tears down various kernel page table regions as required. The ptdump code can race with concurrent modifications of the kernel page tables. When leaf entries are modified concurrently, the dump code may log stale or inconsistent information for a VA range, but this is otherwise not harmful.

But when intermediate levels of kernel page table are freed, the dump code will continue to use memory that has been freed and potentially reallocated for another purpose. In such cases, the ptdump code may dereference bogus addresses, leading to a number of potential problems.

To avoid the above mentioned race condition, platforms such as arm64, riscv and s390 take memory hotplug lock, while dumping kernel page table via the sysfs interface /sys/kernel/debug/kernel_page_tables.

Similar race condition exists while checking for pages that might have been marked W+X via /sys/kernel/debug/kernel_page_tables/check_wx_pages which in turn calls ptdump_check_wx(). Instead of solving this race condition again, let's just move the memory hotplug lock inside generic ptdump_check_wx() which will benefit both the scenarios.

Drop get_online_mems() and put_online_mems() combination from all existing platform ptdump code paths.

Vulnerable products and versions

CPE                                               From              Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      5.7 (including)   5.10.241 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      5.11 (including)  5.15.190 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      5.16 (including)  6.1.149 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.2 (including)   6.6.103 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.7 (including)   6.12.43 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.13 (including)  6.15.11 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.16 (including)  6.16.2 (excluding)
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*