| From bippy-7c5fe7eed585 Mon Sep 17 00:00:00 2001 |
| From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| To: <linux-cve-announce@vger.kernel.org> |
| Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> |
| Subject: CVE-2025-21933: arm: pgtable: fix NULL pointer dereference issue |
| |
| Description |
| =========== |
| |
| In the Linux kernel, the following vulnerability has been resolved: |
| |
| arm: pgtable: fix NULL pointer dereference issue |
| |
| When update_mmu_cache_range() is called by update_mmu_cache(), the vmf |
| parameter is NULL, which will cause a NULL pointer dereference issue in |
| adjust_pte(): |
| |
| Unable to handle kernel NULL pointer dereference at virtual address 00000030 when read |
| Hardware name: Atmel AT91SAM9 |
| PC is at update_mmu_cache_range+0x1e0/0x278 |
| LR is at pte_offset_map_rw_nolock+0x18/0x2c |
| Call trace: |
| update_mmu_cache_range from remove_migration_pte+0x29c/0x2ec |
| remove_migration_pte from rmap_walk_file+0xcc/0x130 |
| rmap_walk_file from remove_migration_ptes+0x90/0xa4 |
| remove_migration_ptes from migrate_pages_batch+0x6d4/0x858 |
| migrate_pages_batch from migrate_pages+0x188/0x488 |
| migrate_pages from compact_zone+0x56c/0x954 |
| compact_zone from compact_node+0x90/0xf0 |
| compact_node from kcompactd+0x1d4/0x204 |
| kcompactd from kthread+0x120/0x12c |
| kthread from ret_from_fork+0x14/0x38 |
| Exception stack(0xc0d8bfb0 to 0xc0d8bff8) |
| |
| To fix it, do not rely on whether 'ptl' is equal to decide whether to hold |
| the pte lock, but decide it by whether CONFIG_SPLIT_PTE_PTLOCKS is |
| enabled. In addition, if two vmas map to the same PTE page, there is no |
| need to hold the pte lock again, otherwise a deadlock will occur. Just |
| add the need_lock parameter to let adjust_pte() know this information. |
| |
| The Linux kernel CVE team has assigned CVE-2025-21933 to this issue. |
| |
| |
| Affected and fixed versions |
| =========================== |
| |
| Issue introduced in 6.13 with commit fc9c45b71f43cafcc0435dd4c7a2d3b99955a0fa and fixed in 6.13.7 with commit 91d011efe30aedde067ce6d218d521cf99b162e5 |
| Issue introduced in 6.13 with commit fc9c45b71f43cafcc0435dd4c7a2d3b99955a0fa and fixed in 6.14 with commit a564ccfe300fa6a065beda06ab7f3c140d6b4d63 |
| |
| Please see https://www.kernel.org for a full list of currently supported |
| kernel versions by the kernel community. |
| |
| Unaffected versions might change over time as fixes are backported to |
| older supported kernel versions. The official CVE entry at |
| https://cve.org/CVERecord/?id=CVE-2025-21933 |
| will be updated if fixes are backported, please check that for the most |
| up to date information about this issue. |
| |
| |
| Affected files |
| ============== |
| |
| The file(s) affected by this issue are: |
| arch/arm/mm/fault-armv.c |
| |
| |
| Mitigation |
| ========== |
| |
| The Linux kernel CVE team recommends that you update to the latest |
| stable kernel version for this, and many other bugfixes. Individual |
| changes are never tested alone, but rather are part of a larger kernel |
| release. Cherry-picking individual commits is not recommended or |
| supported by the Linux kernel community at all. If however, updating to |
| the latest release is impossible, the individual changes to resolve this |
| issue can be found at these commits: |
| https://git.kernel.org/stable/c/91d011efe30aedde067ce6d218d521cf99b162e5 |
| https://git.kernel.org/stable/c/a564ccfe300fa6a065beda06ab7f3c140d6b4d63 |
