cve/published/2025/CVE-2025-21949.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-7c5fe7eed585 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-21949: LoongArch: Set hugetlb mmap base address aligned with pmd size

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 LoongArch: Set hugetlb mmap base address aligned with pmd size

 With ltp test case "testcases/bin/hugefork02", there is a dmesg error
 report message such as:

  kernel BUG at mm/hugetlb.c:5550!
  Oops - BUG[#1]:
  CPU: 0 UID: 0 PID: 1517 Comm: hugefork02 Not tainted 6.14.0-rc2+ #241
  Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 2/2/2022
  pc 90000000004eaf1c ra 9000000000485538 tp 900000010edbc000 sp 900000010edbf940
  a0 900000010edbfb00 a1 9000000108d20280 a2 00007fffe9474000 a3 00007ffff3474000
  a4 0000000000000000 a5 0000000000000003 a6 00000000003cadd3 a7 0000000000000000
  t0 0000000001ffffff t1 0000000001474000 t2 900000010ecd7900 t3 00007fffe9474000
  t4 00007fffe9474000 t5 0000000000000040 t6 900000010edbfb00 t7 0000000000000001
  t8 0000000000000005 u0 90000000004849d0 s9 900000010edbfa00 s0 9000000108d20280
  s1 00007fffe9474000 s2 0000000002000000 s3 9000000108d20280 s4 9000000002b38b10
  s5 900000010edbfb00 s6 00007ffff3474000 s7 0000000000000406 s8 900000010edbfa08
     ra: 9000000000485538 unmap_vmas+0x130/0x218
    ERA: 90000000004eaf1c __unmap_hugepage_range+0x6f4/0x7d0
   PRMD: 00000004 (PPLV0 +PIE -PWE)
   EUEN: 00000007 (+FPE +SXE +ASXE -BTE)
   ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7)
  ESTAT: 000c0000 [BRK] (IS= ECode=12 EsubCode=0)
  PRID: 0014c010 (Loongson-64bit, Loongson-3A5000)
  Process hugefork02 (pid: 1517, threadinfo=00000000a670eaf4, task=000000007a95fc64)
  Call Trace:
  [<90000000004eaf1c>] __unmap_hugepage_range+0x6f4/0x7d0
  [<9000000000485534>] unmap_vmas+0x12c/0x218
  [<9000000000494068>] exit_mmap+0xe0/0x308
  [<900000000025fdc4>] mmput+0x74/0x180
  [<900000000026a284>] do_exit+0x294/0x898
  [<900000000026aa30>] do_group_exit+0x30/0x98
  [<900000000027bed4>] get_signal+0x83c/0x868
  [<90000000002457b4>] arch_do_signal_or_restart+0x54/0xfa0
  [<90000000015795e8>] irqentry_exit_to_user_mode+0xb8/0x138
  [<90000000002572d0>] tlb_do_page_fault_1+0x114/0x1b4

 The problem is that base address allocated from hugetlbfs is not aligned
 with pmd size. Here add a checking for hugetlbfs and align base address
 with pmd size. After this patch the test case "testcases/bin/hugefork02"
 passes to run.

 This is similar to the commit 7f24cbc9c4d42db8a3c8484d1 ("mm/mmap: teach
 generic_get_unmapped_area{_topdown} to handle hugetlb mappings").

 The Linux kernel CVE team has assigned CVE-2025-21949 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.19 with commit fa96b57c149061f71a70bd6582d995f6424fbbf4 and fixed in 6.13.7 with commit 242b34f48a377afe4b285b472bd0f17744fca8e8
 	Issue introduced in 5.19 with commit fa96b57c149061f71a70bd6582d995f6424fbbf4 and fixed in 6.14 with commit 3109d5ff484b7bc7b955f166974c6776d91f247b

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-21949
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	arch/loongarch/mm/mmap.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/242b34f48a377afe4b285b472bd0f17744fca8e8
 	https://git.kernel.org/stable/c/3109d5ff484b7bc7b955f166974c6776d91f247b
	From bippy-7c5fe7eed585 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-21949: LoongArch: Set hugetlb mmap base address aligned with pmd size

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	LoongArch: Set hugetlb mmap base address aligned with pmd size

	With ltp test case "testcases/bin/hugefork02", there is a dmesg error
	report message such as:

	kernel BUG at mm/hugetlb.c:5550!
	Oops - BUG[#1]:
	CPU: 0 UID: 0 PID: 1517 Comm: hugefork02 Not tainted 6.14.0-rc2+ #241
	Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 2/2/2022
	pc 90000000004eaf1c ra 9000000000485538 tp 900000010edbc000 sp 900000010edbf940
	a0 900000010edbfb00 a1 9000000108d20280 a2 00007fffe9474000 a3 00007ffff3474000
	a4 0000000000000000 a5 0000000000000003 a6 00000000003cadd3 a7 0000000000000000
	t0 0000000001ffffff t1 0000000001474000 t2 900000010ecd7900 t3 00007fffe9474000
	t4 00007fffe9474000 t5 0000000000000040 t6 900000010edbfb00 t7 0000000000000001
	t8 0000000000000005 u0 90000000004849d0 s9 900000010edbfa00 s0 9000000108d20280
	s1 00007fffe9474000 s2 0000000002000000 s3 9000000108d20280 s4 9000000002b38b10
	s5 900000010edbfb00 s6 00007ffff3474000 s7 0000000000000406 s8 900000010edbfa08
	ra: 9000000000485538 unmap_vmas+0x130/0x218
	ERA: 90000000004eaf1c __unmap_hugepage_range+0x6f4/0x7d0
	PRMD: 00000004 (PPLV0 +PIE -PWE)
	EUEN: 00000007 (+FPE +SXE +ASXE -BTE)
	ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7)
	ESTAT: 000c0000 [BRK] (IS= ECode=12 EsubCode=0)
	PRID: 0014c010 (Loongson-64bit, Loongson-3A5000)
	Process hugefork02 (pid: 1517, threadinfo=00000000a670eaf4, task=000000007a95fc64)
	Call Trace:
	[<90000000004eaf1c>] __unmap_hugepage_range+0x6f4/0x7d0
	[<9000000000485534>] unmap_vmas+0x12c/0x218
	[<9000000000494068>] exit_mmap+0xe0/0x308
	[<900000000025fdc4>] mmput+0x74/0x180
	[<900000000026a284>] do_exit+0x294/0x898
	[<900000000026aa30>] do_group_exit+0x30/0x98
	[<900000000027bed4>] get_signal+0x83c/0x868
	[<90000000002457b4>] arch_do_signal_or_restart+0x54/0xfa0
	[<90000000015795e8>] irqentry_exit_to_user_mode+0xb8/0x138
	[<90000000002572d0>] tlb_do_page_fault_1+0x114/0x1b4

	The problem is that base address allocated from hugetlbfs is not aligned
	with pmd size. Here add a checking for hugetlbfs and align base address
	with pmd size. After this patch the test case "testcases/bin/hugefork02"
	passes to run.

	This is similar to the commit 7f24cbc9c4d42db8a3c8484d1 ("mm/mmap: teach
	generic_get_unmapped_area{_topdown} to handle hugetlb mappings").

	The Linux kernel CVE team has assigned CVE-2025-21949 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.19 with commit fa96b57c149061f71a70bd6582d995f6424fbbf4 and fixed in 6.13.7 with commit 242b34f48a377afe4b285b472bd0f17744fca8e8
	Issue introduced in 5.19 with commit fa96b57c149061f71a70bd6582d995f6424fbbf4 and fixed in 6.14 with commit 3109d5ff484b7bc7b955f166974c6776d91f247b

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-21949
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	arch/loongarch/mm/mmap.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/242b34f48a377afe4b285b472bd0f17744fca8e8
	https://git.kernel.org/stable/c/3109d5ff484b7bc7b955f166974c6776d91f247b