cve/published/2025/CVE-2025-21907.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.0.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-21907: mm: memory-failure: update ttu flag inside unmap_poisoned_folio

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 mm: memory-failure: update ttu flag inside unmap_poisoned_folio

 Patch series "mm: memory_failure: unmap poisoned folio during migrate
 properly", v3.

 Fix two bugs during folio migration if the folio is poisoned.


 This patch (of 3):

 Commit 6da6b1d4a7df ("mm/hwpoison: convert TTU_IGNORE_HWPOISON to
 TTU_HWPOISON") introduce TTU_HWPOISON to replace TTU_IGNORE_HWPOISON in
 order to stop send SIGBUS signal when accessing an error page after a
 memory error on a clean folio.  However during page migration, anon folio
 must be set with TTU_HWPOISON during unmap_*().  For pagecache we need
 some policy just like the one in hwpoison_user_mappings to set this flag.
 So move this policy from hwpoison_user_mappings to unmap_poisoned_folio to
 handle this warning properly.

 Warning will be produced during unamp poison folio with the following log:

   ------------[ cut here ]------------
   WARNING: CPU: 1 PID: 365 at mm/rmap.c:1847 try_to_unmap_one+0x8fc/0xd3c
   Modules linked in:
   CPU: 1 UID: 0 PID: 365 Comm: bash Tainted: G        W          6.13.0-rc1-00018-gacdb4bbda7ab #42
   Tainted: [W]=WARN
   Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015
   pstate: 20400005 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
   pc : try_to_unmap_one+0x8fc/0xd3c
   lr : try_to_unmap_one+0x3dc/0xd3c
   Call trace:
    try_to_unmap_one+0x8fc/0xd3c (P)
    try_to_unmap_one+0x3dc/0xd3c (L)
    rmap_walk_anon+0xdc/0x1f8
    rmap_walk+0x3c/0x58
    try_to_unmap+0x88/0x90
    unmap_poisoned_folio+0x30/0xa8
    do_migrate_range+0x4a0/0x568
    offline_pages+0x5a4/0x670
    memory_block_action+0x17c/0x374
    memory_subsys_offline+0x3c/0x78
    device_offline+0xa4/0xd0
    state_store+0x8c/0xf0
    dev_attr_store+0x18/0x2c
    sysfs_kf_write+0x44/0x54
    kernfs_fop_write_iter+0x118/0x1a8
    vfs_write+0x3a8/0x4bc
    ksys_write+0x6c/0xf8
    __arm64_sys_write+0x1c/0x28
    invoke_syscall+0x44/0x100
    el0_svc_common.constprop.0+0x40/0xe0
    do_el0_svc+0x1c/0x28
    el0_svc+0x30/0xd0
    el0t_64_sync_handler+0xc8/0xcc
    el0t_64_sync+0x198/0x19c
   ---[ end trace 0000000000000000 ]---

 [mawupeng1@huawei.com: unmap_poisoned_folio(): remove shadowed local `mapping', per Miaohe]

 The Linux kernel CVE team has assigned CVE-2025-21907 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.3 with commit 6da6b1d4a7df8c35770186b53ef65d388398e139 and fixed in 6.12.19 with commit 608cc7deb428f1122ed426060233622ebf667b6e
 	Issue introduced in 6.3 with commit 6da6b1d4a7df8c35770186b53ef65d388398e139 and fixed in 6.13.7 with commit 425c12c076e6fc6b2cb04b9f960319d31dcabc76
 	Issue introduced in 6.3 with commit 6da6b1d4a7df8c35770186b53ef65d388398e139 and fixed in 6.14 with commit b81679b1633aa43c0d973adfa816d78c1ed0d032
 	Issue introduced in 6.1.16 with commit deab8114fb67dcb0e6293b665c3c7083fbadff17
 	Issue introduced in 6.2.3 with commit 6dcf132fe236045bd7f50c008660ea086d09af1f

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-21907
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	mm/internal.h
 	mm/memory-failure.c
 	mm/memory_hotplug.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/608cc7deb428f1122ed426060233622ebf667b6e
 	https://git.kernel.org/stable/c/425c12c076e6fc6b2cb04b9f960319d31dcabc76
 	https://git.kernel.org/stable/c/b81679b1633aa43c0d973adfa816d78c1ed0d032
	From bippy-1.0.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-21907: mm: memory-failure: update ttu flag inside unmap_poisoned_folio

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	mm: memory-failure: update ttu flag inside unmap_poisoned_folio

	Patch series "mm: memory_failure: unmap poisoned folio during migrate
	properly", v3.

	Fix two bugs during folio migration if the folio is poisoned.


	This patch (of 3):

	Commit 6da6b1d4a7df ("mm/hwpoison: convert TTU_IGNORE_HWPOISON to
	TTU_HWPOISON") introduce TTU_HWPOISON to replace TTU_IGNORE_HWPOISON in
	order to stop send SIGBUS signal when accessing an error page after a
	memory error on a clean folio. However during page migration, anon folio
	must be set with TTU_HWPOISON during unmap_*(). For pagecache we need
	some policy just like the one in hwpoison_user_mappings to set this flag.
	So move this policy from hwpoison_user_mappings to unmap_poisoned_folio to
	handle this warning properly.

	Warning will be produced during unamp poison folio with the following log:

	------------[ cut here ]------------
	WARNING: CPU: 1 PID: 365 at mm/rmap.c:1847 try_to_unmap_one+0x8fc/0xd3c
	Modules linked in:
	CPU: 1 UID: 0 PID: 365 Comm: bash Tainted: G W 6.13.0-rc1-00018-gacdb4bbda7ab #42
	Tainted: [W]=WARN
	Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015
	pstate: 20400005 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
	pc : try_to_unmap_one+0x8fc/0xd3c
	lr : try_to_unmap_one+0x3dc/0xd3c
	Call trace:
	try_to_unmap_one+0x8fc/0xd3c (P)
	try_to_unmap_one+0x3dc/0xd3c (L)
	rmap_walk_anon+0xdc/0x1f8
	rmap_walk+0x3c/0x58
	try_to_unmap+0x88/0x90
	unmap_poisoned_folio+0x30/0xa8
	do_migrate_range+0x4a0/0x568
	offline_pages+0x5a4/0x670
	memory_block_action+0x17c/0x374
	memory_subsys_offline+0x3c/0x78
	device_offline+0xa4/0xd0
	state_store+0x8c/0xf0
	dev_attr_store+0x18/0x2c
	sysfs_kf_write+0x44/0x54
	kernfs_fop_write_iter+0x118/0x1a8
	vfs_write+0x3a8/0x4bc
	ksys_write+0x6c/0xf8
	__arm64_sys_write+0x1c/0x28
	invoke_syscall+0x44/0x100
	el0_svc_common.constprop.0+0x40/0xe0
	do_el0_svc+0x1c/0x28
	el0_svc+0x30/0xd0
	el0t_64_sync_handler+0xc8/0xcc
	el0t_64_sync+0x198/0x19c
	---[ end trace 0000000000000000 ]---

	[mawupeng1@huawei.com: unmap_poisoned_folio(): remove shadowed local `mapping', per Miaohe]

	The Linux kernel CVE team has assigned CVE-2025-21907 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.3 with commit 6da6b1d4a7df8c35770186b53ef65d388398e139 and fixed in 6.12.19 with commit 608cc7deb428f1122ed426060233622ebf667b6e
	Issue introduced in 6.3 with commit 6da6b1d4a7df8c35770186b53ef65d388398e139 and fixed in 6.13.7 with commit 425c12c076e6fc6b2cb04b9f960319d31dcabc76
	Issue introduced in 6.3 with commit 6da6b1d4a7df8c35770186b53ef65d388398e139 and fixed in 6.14 with commit b81679b1633aa43c0d973adfa816d78c1ed0d032
	Issue introduced in 6.1.16 with commit deab8114fb67dcb0e6293b665c3c7083fbadff17
	Issue introduced in 6.2.3 with commit 6dcf132fe236045bd7f50c008660ea086d09af1f

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-21907
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	mm/internal.h
	mm/memory-failure.c
	mm/memory_hotplug.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/608cc7deb428f1122ed426060233622ebf667b6e
	https://git.kernel.org/stable/c/425c12c076e6fc6b2cb04b9f960319d31dcabc76
	https://git.kernel.org/stable/c/b81679b1633aa43c0d973adfa816d78c1ed0d032