cve/published/2025/CVE-2025-22015.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-7c5fe7eed585 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-22015: mm/migrate: fix shmem xarray update during migration

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 mm/migrate: fix shmem xarray update during migration

 A shmem folio can be either in page cache or in swap cache, but not at the
 same time.  Namely, once it is in swap cache, folio->mapping should be
 NULL, and the folio is no longer in a shmem mapping.

 In __folio_migrate_mapping(), to determine the number of xarray entries to
 update, folio_test_swapbacked() is used, but that conflates shmem in page
 cache case and shmem in swap cache case.  It leads to xarray multi-index
 entry corruption, since it turns a sibling entry to a normal entry during
 xas_store() (see [1] for a userspace reproduction).  Fix it by only using
 folio_test_swapcache() to determine whether xarray is storing swap cache
 entries or not to choose the right number of xarray entries to update.

 [1] https://lore.kernel.org/linux-mm/Z8idPCkaJW1IChjT@casper.infradead.org/

 Note:
 In __split_huge_page(), folio_test_anon() && folio_test_swapcache() is
 used to get swap_cache address space, but that ignores the shmem folio in
 swap cache case.  It could lead to NULL pointer dereferencing when a
 in-swap-cache shmem folio is split at __xa_store(), since
 !folio_test_anon() is true and folio->mapping is NULL.  But fortunately,
 its caller split_huge_page_to_list_to_order() bails out early with EBUSY
 when folio->mapping is NULL.  So no need to take care of it here.

 The Linux kernel CVE team has assigned CVE-2025-22015 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.1.71 with commit be72d197b2281e2ee3f28017fc9be1ab17e26d16 and fixed in 6.1.132 with commit 49100c0b070e900f87c8fac3be9b9ef8a30fa673
 	Issue introduced in 6.6.10 with commit 07550b1461d4d0499165e7d6f7718cfd0e440427 and fixed in 6.6.85 with commit 29124ae980e2860f0eec7355949d3d3292ee81da
 	Issue introduced in 6.7 with commit fc346d0a70a13d52fe1c4bc49516d83a42cd7c4c and fixed in 6.12.21 with commit c057ee03f751d6cecf7ee64f52f6545d94082aaa
 	Issue introduced in 6.7 with commit fc346d0a70a13d52fe1c4bc49516d83a42cd7c4c and fixed in 6.13.9 with commit 75cfb92eb63298d717b6b0118f91ba12c4fcfeb5
 	Issue introduced in 6.7 with commit fc346d0a70a13d52fe1c4bc49516d83a42cd7c4c and fixed in 6.14 with commit 60cf233b585cdf1f3c5e52d1225606b86acd08b0

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-22015
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	mm/migrate.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/49100c0b070e900f87c8fac3be9b9ef8a30fa673
 	https://git.kernel.org/stable/c/29124ae980e2860f0eec7355949d3d3292ee81da
 	https://git.kernel.org/stable/c/c057ee03f751d6cecf7ee64f52f6545d94082aaa
 	https://git.kernel.org/stable/c/75cfb92eb63298d717b6b0118f91ba12c4fcfeb5
 	https://git.kernel.org/stable/c/60cf233b585cdf1f3c5e52d1225606b86acd08b0
	From bippy-7c5fe7eed585 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-22015: mm/migrate: fix shmem xarray update during migration

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	mm/migrate: fix shmem xarray update during migration

	A shmem folio can be either in page cache or in swap cache, but not at the
	same time. Namely, once it is in swap cache, folio->mapping should be
	NULL, and the folio is no longer in a shmem mapping.

	In __folio_migrate_mapping(), to determine the number of xarray entries to
	update, folio_test_swapbacked() is used, but that conflates shmem in page
	cache case and shmem in swap cache case. It leads to xarray multi-index
	entry corruption, since it turns a sibling entry to a normal entry during
	xas_store() (see [1] for a userspace reproduction). Fix it by only using
	folio_test_swapcache() to determine whether xarray is storing swap cache
	entries or not to choose the right number of xarray entries to update.

	[1] https://lore.kernel.org/linux-mm/Z8idPCkaJW1IChjT@casper.infradead.org/

	Note:
	In __split_huge_page(), folio_test_anon() && folio_test_swapcache() is
	used to get swap_cache address space, but that ignores the shmem folio in
	swap cache case. It could lead to NULL pointer dereferencing when a
	in-swap-cache shmem folio is split at __xa_store(), since
	!folio_test_anon() is true and folio->mapping is NULL. But fortunately,
	its caller split_huge_page_to_list_to_order() bails out early with EBUSY
	when folio->mapping is NULL. So no need to take care of it here.

	The Linux kernel CVE team has assigned CVE-2025-22015 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.1.71 with commit be72d197b2281e2ee3f28017fc9be1ab17e26d16 and fixed in 6.1.132 with commit 49100c0b070e900f87c8fac3be9b9ef8a30fa673
	Issue introduced in 6.6.10 with commit 07550b1461d4d0499165e7d6f7718cfd0e440427 and fixed in 6.6.85 with commit 29124ae980e2860f0eec7355949d3d3292ee81da
	Issue introduced in 6.7 with commit fc346d0a70a13d52fe1c4bc49516d83a42cd7c4c and fixed in 6.12.21 with commit c057ee03f751d6cecf7ee64f52f6545d94082aaa
	Issue introduced in 6.7 with commit fc346d0a70a13d52fe1c4bc49516d83a42cd7c4c and fixed in 6.13.9 with commit 75cfb92eb63298d717b6b0118f91ba12c4fcfeb5
	Issue introduced in 6.7 with commit fc346d0a70a13d52fe1c4bc49516d83a42cd7c4c and fixed in 6.14 with commit 60cf233b585cdf1f3c5e52d1225606b86acd08b0

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-22015
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	mm/migrate.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/49100c0b070e900f87c8fac3be9b9ef8a30fa673
	https://git.kernel.org/stable/c/29124ae980e2860f0eec7355949d3d3292ee81da
	https://git.kernel.org/stable/c/c057ee03f751d6cecf7ee64f52f6545d94082aaa
	https://git.kernel.org/stable/c/75cfb92eb63298d717b6b0118f91ba12c4fcfeb5
	https://git.kernel.org/stable/c/60cf233b585cdf1f3c5e52d1225606b86acd08b0