fkie_cve-2025-21907
Vulnerability from fkie_nvd
Published
2025-04-01 16:15
Modified
2025-04-16 19:15
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm: memory-failure: update ttu flag inside unmap_poisoned_folio
Patch series "mm: memory_failure: unmap poisoned folio during migrate
properly", v3.
Fix two bugs during folio migration if the folio is poisoned.
This patch (of 3):
Commit 6da6b1d4a7df ("mm/hwpoison: convert TTU_IGNORE_HWPOISON to
TTU_HWPOISON") introduced TTU_HWPOISON to replace TTU_IGNORE_HWPOISON in
order to stop sending the SIGBUS signal when accessing an error page after a
memory error on a clean folio. However, during page migration, an anon folio
must be set with TTU_HWPOISON during unmap_*(). For pagecache we need
some policy just like the one in hwpoison_user_mappings to set this flag.
So move this policy from hwpoison_user_mappings to unmap_poisoned_folio to
handle this warning properly.
A warning will be produced when unmapping a poisoned folio, with the following log:
------------[ cut here ]------------
WARNING: CPU: 1 PID: 365 at mm/rmap.c:1847 try_to_unmap_one+0x8fc/0xd3c
Modules linked in:
CPU: 1 UID: 0 PID: 365 Comm: bash Tainted: G W 6.13.0-rc1-00018-gacdb4bbda7ab #42
Tainted: [W]=WARN
Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015
pstate: 20400005 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : try_to_unmap_one+0x8fc/0xd3c
lr : try_to_unmap_one+0x3dc/0xd3c
Call trace:
try_to_unmap_one+0x8fc/0xd3c (P)
try_to_unmap_one+0x3dc/0xd3c (L)
rmap_walk_anon+0xdc/0x1f8
rmap_walk+0x3c/0x58
try_to_unmap+0x88/0x90
unmap_poisoned_folio+0x30/0xa8
do_migrate_range+0x4a0/0x568
offline_pages+0x5a4/0x670
memory_block_action+0x17c/0x374
memory_subsys_offline+0x3c/0x78
device_offline+0xa4/0xd0
state_store+0x8c/0xf0
dev_attr_store+0x18/0x2c
sysfs_kf_write+0x44/0x54
kernfs_fop_write_iter+0x118/0x1a8
vfs_write+0x3a8/0x4bc
ksys_write+0x6c/0xf8
__arm64_sys_write+0x1c/0x28
invoke_syscall+0x44/0x100
el0_svc_common.constprop.0+0x40/0xe0
do_el0_svc+0x1c/0x28
el0_svc+0x30/0xd0
el0t_64_sync_handler+0xc8/0xcc
el0t_64_sync+0x198/0x19c
---[ end trace 0000000000000000 ]---
[mawupeng1@huawei.com: unmap_poisoned_folio(): remove shadowed local `mapping', per Miaohe]
References
- https://git.kernel.org/stable/c/425c12c076e6fc6b2cb04b9f960319d31dcabc76
- https://git.kernel.org/stable/c/608cc7deb428f1122ed426060233622ebf667b6e
- https://git.kernel.org/stable/c/b81679b1633aa43c0d973adfa816d78c1ed0d032
- Link: https://lkml.kernel.org/r/20250219060653.3849083-1-mawupeng1@huawei.com
Record
- ID: CVE-2025-21907
- Source identifier: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
- Vulnerability status: Awaiting Analysis
- Published: 2025-04-01T16:15:21.217
- Last modified: 2025-04-16T19:15:53.203
- Metrics: none listed
- CVE tags: none listed
Sightings
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.