| { |
| "containers": { |
| "cna": { |
| "providerMetadata": { |
| "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038" |
| }, |
| "descriptions": [ |
| { |
| "lang": "en", |
| "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: fix kernel BUG when userfaultfd_move encounters swapcache\n\nuserfaultfd_move() checks whether the PTE entry is present or a\nswap entry.\n\n- If the PTE entry is present, move_present_pte() handles folio\n migration by setting:\n\n src_folio->index = linear_page_index(dst_vma, dst_addr);\n\n- If the PTE entry is a swap entry, move_swap_pte() simply copies\n the PTE to the new dst_addr.\n\nThis approach is incorrect because, even if the PTE is a swap entry,\nit can still reference a folio that remains in the swap cache.\n\nThis creates a race window between steps 2 and 4.\n 1. add_to_swap: The folio is added to the swapcache.\n 2. try_to_unmap: PTEs are converted to swap entries.\n 3. pageout: The folio is written back.\n 4. Swapcache is cleared.\nIf userfaultfd_move() occurs in the window between steps 2 and 4,\nafter the swap PTE has been moved to the destination, accessing the\ndestination triggers do_swap_page(), which may locate the folio in\nthe swapcache. However, since the folio's index has not been updated\nto match the destination VMA, do_swap_page() will detect a mismatch.\n\nThis can result in two critical issues depending on the system\nconfiguration.\n\nIf KSM is disabled, both small and large folios can trigger a BUG\nduring the add_rmap operation due to:\n\n page_pgoff(folio, page) != linear_page_index(vma, address)\n\n[ 13.336953] page: refcount:6 mapcount:1 mapping:00000000f43db19c index:0xffffaf150 pfn:0x4667c\n[ 13.337520] head: order:2 mapcount:1 entire_mapcount:0 nr_pages_mapped:1 pincount:0\n[ 13.337716] memcg:ffff00000405f000\n[ 13.337849] anon flags: 0x3fffc0000020459(locked|uptodate|dirty|owner_priv_1|head|swapbacked|node=0|zone=0|lastcpupid=0xffff)\n[ 13.338630] raw: 03fffc0000020459 ffff80008507b538 ffff80008507b538 ffff000006260361\n[ 13.338831] raw: 0000000ffffaf150 0000000000004000 0000000600000000 ffff00000405f000\n[ 13.339031] head: 03fffc0000020459 ffff80008507b538 ffff80008507b538 ffff000006260361\n[ 13.339204] head: 0000000ffffaf150 0000000000004000 0000000600000000 ffff00000405f000\n[ 13.339375] head: 03fffc0000000202 fffffdffc0199f01 ffffffff00000000 0000000000000001\n[ 13.339546] head: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000\n[ 13.339736] page dumped because: VM_BUG_ON_PAGE(page_pgoff(folio, page) != linear_page_index(vma, address))\n[ 13.340190] ------------[ cut here ]------------\n[ 13.340316] kernel BUG at mm/rmap.c:1380!\n[ 13.340683] Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP\n[ 13.340969] Modules linked in:\n[ 13.341257] CPU: 1 UID: 0 PID: 107 Comm: a.out Not tainted 6.14.0-rc3-gcf42737e247a-dirty #299\n[ 13.341470] Hardware name: linux,dummy-virt (DT)\n[ 13.341671] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 13.341815] pc : __page_check_anon_rmap+0xa0/0xb0\n[ 13.341920] lr : __page_check_anon_rmap+0xa0/0xb0\n[ 13.342018] sp : ffff80008752bb20\n[ 13.342093] x29: ffff80008752bb20 x28: fffffdffc0199f00 x27: 0000000000000001\n[ 13.342404] x26: 0000000000000000 x25: 0000000000000001 x24: 0000000000000001\n[ 13.342575] x23: 0000ffffaf0d0000 x22: 0000ffffaf0d0000 x21: fffffdffc0199f00\n[ 13.342731] x20: fffffdffc0199f00 x19: ffff000006210700 x18: 00000000ffffffff\n[ 13.342881] x17: 6c203d2120296567 x16: 6170202c6f696c6f x15: 662866666f67705f\n[ 13.343033] x14: 6567617028454741 x13: 2929737365726464 x12: ffff800083728ab0\n[ 13.343183] x11: ffff800082996bf8 x10: 0000000000000fd7 x9 : ffff80008011bc40\n[ 13.343351] x8 : 0000000000017fe8 x7 : 00000000fffff000 x6 : ffff8000829eebf8\n[ 13.343498] x5 : c0000000fffff000 x4 : 0000000000000000 x3 : 0000000000000000\n[ 13.343645] x2 : 0000000000000000 x1 : ffff0000062db980 x0 : 000000000000005f\n[ 13.343876] Call trace:\n[ 13.344045] __page_check_anon_rmap+0xa0/0xb0 (P)\n[ 13.344234] folio_add_anon_rmap_ptes+0x22c/0x320\n[ 13.344333] do_swap_page+0x1060/0x1400\n[ 13.344417] __handl\n---truncated---" |
| } |
| ], |
| "affected": [ |
| { |
| "product": "Linux", |
| "vendor": "Linux", |
| "defaultStatus": "unaffected", |
| "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", |
| "programFiles": [ |
| "mm/userfaultfd.c" |
| ], |
| "versions": [ |
| { |
| "version": "adef440691bab824e39c1b17382322d195e1fab0", |
| "lessThan": "4e9507246298fd6f1ca7bb42ef01a6e34fb93684", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "adef440691bab824e39c1b17382322d195e1fab0", |
| "lessThan": "b1e11bd86c0943bb7624efebdc384340a50ad683", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "adef440691bab824e39c1b17382322d195e1fab0", |
| "lessThan": "c50f8e6053b0503375c2975bf47f182445aebb4c", |
| "status": "affected", |
| "versionType": "git" |
| } |
| ] |
| }, |
| { |
| "product": "Linux", |
| "vendor": "Linux", |
| "defaultStatus": "affected", |
| "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", |
| "programFiles": [ |
| "mm/userfaultfd.c" |
| ], |
| "versions": [ |
| { |
| "version": "6.8", |
| "status": "affected" |
| }, |
| { |
| "version": "0", |
| "lessThan": "6.8", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.12.20", |
| "lessThanOrEqual": "6.12.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.13.8", |
| "lessThanOrEqual": "6.13.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.14", |
| "lessThanOrEqual": "*", |
| "status": "unaffected", |
| "versionType": "original_commit_for_fix" |
| } |
| ] |
| } |
| ], |
| "cpeApplicability": [ |
| { |
| "nodes": [ |
| { |
| "operator": "OR", |
| "negate": false, |
| "cpeMatch": [ |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "6.8", |
| "versionEndExcluding": "6.12.20" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "6.8", |
| "versionEndExcluding": "6.13.8" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "6.8", |
| "versionEndExcluding": "6.14" |
| } |
| ] |
| } |
| ] |
| } |
| ], |
| "references": [ |
| { |
| "url": "https://git.kernel.org/stable/c/4e9507246298fd6f1ca7bb42ef01a6e34fb93684" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/b1e11bd86c0943bb7624efebdc384340a50ad683" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/c50f8e6053b0503375c2975bf47f182445aebb4c" |
| } |
| ], |
| "title": "mm: fix kernel BUG when userfaultfd_move encounters swapcache", |
| "x_generator": { |
| "engine": "bippy-1.2.0" |
| } |
| } |
| }, |
| "cveMetadata": { |
| "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038", |
| "cveID": "CVE-2025-21984", |
| "requesterUserId": "gregkh@kernel.org", |
| "serial": "1", |
| "state": "PUBLISHED" |
| }, |
| "dataType": "CVE_RECORD", |
| "dataVersion": "5.0" |
| } |
