cve/published/2025/CVE-2025-21931.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.2.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-21931: hwpoison, memory_hotplug: lock folio before unmap hwpoisoned folio

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 hwpoison, memory_hotplug: lock folio before unmap hwpoisoned folio

 Commit b15c87263a69 ("hwpoison, memory_hotplug: allow hwpoisoned pages to
 be offlined) add page poison checks in do_migrate_range in order to make
 offline hwpoisoned page possible by introducing isolate_lru_page and
 try_to_unmap for hwpoisoned page.  However folio lock must be held before
 calling try_to_unmap.  Add it to fix this problem.

 Warning will be produced if folio is not locked during unmap:

   ------------[ cut here ]------------
   kernel BUG at ./include/linux/swapops.h:400!
   Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
   Modules linked in:
   CPU: 4 UID: 0 PID: 411 Comm: bash Tainted: G        W          6.13.0-rc1-00016-g3c434c7ee82a-dirty #41
   Tainted: [W]=WARN
   Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015
   pstate: 40400005 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
   pc : try_to_unmap_one+0xb08/0xd3c
   lr : try_to_unmap_one+0x3dc/0xd3c
   Call trace:
    try_to_unmap_one+0xb08/0xd3c (P)
    try_to_unmap_one+0x3dc/0xd3c (L)
    rmap_walk_anon+0xdc/0x1f8
    rmap_walk+0x3c/0x58
    try_to_unmap+0x88/0x90
    unmap_poisoned_folio+0x30/0xa8
    do_migrate_range+0x4a0/0x568
    offline_pages+0x5a4/0x670
    memory_block_action+0x17c/0x374
    memory_subsys_offline+0x3c/0x78
    device_offline+0xa4/0xd0
    state_store+0x8c/0xf0
    dev_attr_store+0x18/0x2c
    sysfs_kf_write+0x44/0x54
    kernfs_fop_write_iter+0x118/0x1a8
    vfs_write+0x3a8/0x4bc
    ksys_write+0x6c/0xf8
    __arm64_sys_write+0x1c/0x28
    invoke_syscall+0x44/0x100
    el0_svc_common.constprop.0+0x40/0xe0
    do_el0_svc+0x1c/0x28
    el0_svc+0x30/0xd0
    el0t_64_sync_handler+0xc8/0xcc
    el0t_64_sync+0x198/0x19c
   Code: f9407be0 b5fff320 d4210000 17ffff97 (d4210000)
   ---[ end trace 0000000000000000 ]---

 The Linux kernel CVE team has assigned CVE-2025-21931 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.0 with commit b15c87263a69272423771118c653e9a1d0672caa and fixed in 6.1.140 with commit 3926b572fd073491bde13ec42ee08ac1b337bf4d
 	Issue introduced in 5.0 with commit b15c87263a69272423771118c653e9a1d0672caa and fixed in 6.6.92 with commit 93df6da64b004f75d307ed08d3f0f1020280d339
 	Issue introduced in 5.0 with commit b15c87263a69272423771118c653e9a1d0672caa and fixed in 6.12.19 with commit 576a2f4c437c19bec7d05d05b5990f178d2b0f40
 	Issue introduced in 5.0 with commit b15c87263a69272423771118c653e9a1d0672caa and fixed in 6.13.7 with commit 629dfc6ba5431056701d4e44830f3409b989955a
 	Issue introduced in 5.0 with commit b15c87263a69272423771118c653e9a1d0672caa and fixed in 6.14 with commit af288a426c3e3552b62595c6138ec6371a17dbba
 	Issue introduced in 3.16.65 with commit 85ef35ab972b7484f41c3bb2bbc79de212e19129
 	Issue introduced in 4.4.170 with commit 060853fdd434ce620dd1dd7619ede834bd33b9d0
 	Issue introduced in 4.9.150 with commit cb1206e85df291fefde27401190329e26996c54c
 	Issue introduced in 4.14.93 with commit 2c25071bed4b1f9c4cfb10a7914847d7069794bf
 	Issue introduced in 4.19.15 with commit 2c87072a3bf9bbcd747618bb2ccc3cd0da181db6
 	Issue introduced in 4.20.2 with commit a2b977e3d9e4298d28ebe5cfff9e0859b74a7ac7

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-21931
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	mm/memory_hotplug.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/3926b572fd073491bde13ec42ee08ac1b337bf4d
 	https://git.kernel.org/stable/c/93df6da64b004f75d307ed08d3f0f1020280d339
 	https://git.kernel.org/stable/c/576a2f4c437c19bec7d05d05b5990f178d2b0f40
 	https://git.kernel.org/stable/c/629dfc6ba5431056701d4e44830f3409b989955a
 	https://git.kernel.org/stable/c/af288a426c3e3552b62595c6138ec6371a17dbba
	From bippy-1.2.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-21931: hwpoison, memory_hotplug: lock folio before unmap hwpoisoned folio

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	hwpoison, memory_hotplug: lock folio before unmap hwpoisoned folio

	Commit b15c87263a69 ("hwpoison, memory_hotplug: allow hwpoisoned pages to
	be offlined) add page poison checks in do_migrate_range in order to make
	offline hwpoisoned page possible by introducing isolate_lru_page and
	try_to_unmap for hwpoisoned page. However folio lock must be held before
	calling try_to_unmap. Add it to fix this problem.

	Warning will be produced if folio is not locked during unmap:

	------------[ cut here ]------------
	kernel BUG at ./include/linux/swapops.h:400!
	Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
	Modules linked in:
	CPU: 4 UID: 0 PID: 411 Comm: bash Tainted: G W 6.13.0-rc1-00016-g3c434c7ee82a-dirty #41
	Tainted: [W]=WARN
	Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015
	pstate: 40400005 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
	pc : try_to_unmap_one+0xb08/0xd3c
	lr : try_to_unmap_one+0x3dc/0xd3c
	Call trace:
	try_to_unmap_one+0xb08/0xd3c (P)
	try_to_unmap_one+0x3dc/0xd3c (L)
	rmap_walk_anon+0xdc/0x1f8
	rmap_walk+0x3c/0x58
	try_to_unmap+0x88/0x90
	unmap_poisoned_folio+0x30/0xa8
	do_migrate_range+0x4a0/0x568
	offline_pages+0x5a4/0x670
	memory_block_action+0x17c/0x374
	memory_subsys_offline+0x3c/0x78
	device_offline+0xa4/0xd0
	state_store+0x8c/0xf0
	dev_attr_store+0x18/0x2c
	sysfs_kf_write+0x44/0x54
	kernfs_fop_write_iter+0x118/0x1a8
	vfs_write+0x3a8/0x4bc
	ksys_write+0x6c/0xf8
	__arm64_sys_write+0x1c/0x28
	invoke_syscall+0x44/0x100
	el0_svc_common.constprop.0+0x40/0xe0
	do_el0_svc+0x1c/0x28
	el0_svc+0x30/0xd0
	el0t_64_sync_handler+0xc8/0xcc
	el0t_64_sync+0x198/0x19c
	Code: f9407be0 b5fff320 d4210000 17ffff97 (d4210000)
	---[ end trace 0000000000000000 ]---

	The Linux kernel CVE team has assigned CVE-2025-21931 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.0 with commit b15c87263a69272423771118c653e9a1d0672caa and fixed in 6.1.140 with commit 3926b572fd073491bde13ec42ee08ac1b337bf4d
	Issue introduced in 5.0 with commit b15c87263a69272423771118c653e9a1d0672caa and fixed in 6.6.92 with commit 93df6da64b004f75d307ed08d3f0f1020280d339
	Issue introduced in 5.0 with commit b15c87263a69272423771118c653e9a1d0672caa and fixed in 6.12.19 with commit 576a2f4c437c19bec7d05d05b5990f178d2b0f40
	Issue introduced in 5.0 with commit b15c87263a69272423771118c653e9a1d0672caa and fixed in 6.13.7 with commit 629dfc6ba5431056701d4e44830f3409b989955a
	Issue introduced in 5.0 with commit b15c87263a69272423771118c653e9a1d0672caa and fixed in 6.14 with commit af288a426c3e3552b62595c6138ec6371a17dbba
	Issue introduced in 3.16.65 with commit 85ef35ab972b7484f41c3bb2bbc79de212e19129
	Issue introduced in 4.4.170 with commit 060853fdd434ce620dd1dd7619ede834bd33b9d0
	Issue introduced in 4.9.150 with commit cb1206e85df291fefde27401190329e26996c54c
	Issue introduced in 4.14.93 with commit 2c25071bed4b1f9c4cfb10a7914847d7069794bf
	Issue introduced in 4.19.15 with commit 2c87072a3bf9bbcd747618bb2ccc3cd0da181db6
	Issue introduced in 4.20.2 with commit a2b977e3d9e4298d28ebe5cfff9e0859b74a7ac7

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-21931
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	mm/memory_hotplug.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/3926b572fd073491bde13ec42ee08ac1b337bf4d
	https://git.kernel.org/stable/c/93df6da64b004f75d307ed08d3f0f1020280d339
	https://git.kernel.org/stable/c/576a2f4c437c19bec7d05d05b5990f178d2b0f40
	https://git.kernel.org/stable/c/629dfc6ba5431056701d4e44830f3409b989955a
	https://git.kernel.org/stable/c/af288a426c3e3552b62595c6138ec6371a17dbba