CVE-2025-22034

{"id": "CVE-2025-22034", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2025-04-16T15:15:56.013", "references": [{"url": "https://git.kernel.org/stable/c/2e877ff3492267def06dd50cb165dc9ab8838e7d", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/48d28417c66cce2f3b0ba773fcb6695a56eff220", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8977752c8056a6a094a279004a49722da15bace3", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/fd900832e8440046627b60697687ab5d04398008", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/gup: reject FOLL_SPLIT_PMD with hugetlb VMAs\n\nPatch series \"mm: fixes for device-exclusive entries (hmm)\", v2.\n\nDiscussing the PageTail() call in make_device_exclusive_range() with\nWilly, I recently discovered [1] that device-exclusive handling does not\nproperly work with THP, making the hmm-tests selftests fail if THPs are\nenabled on the system.\n\nLooking into more details, I found that hugetlb is not properly fenced,\nand I realized that something that was bugging me for longer -- how\ndevice-exclusive entries interact with mapcounts -- completely breaks\nmigration/swapout/split/hwpoison handling of these folios while they have\ndevice-exclusive PTEs.\n\nThe program below can be used to allocate 1 GiB worth of pages and making\nthem device-exclusive on a kernel with CONFIG_TEST_HMM.\n\nOnce they are device-exclusive, these folios cannot get swapped out\n(proc$pid/smaps_rollup will always indicate 1 GiB RSS no matter how much\none forces memory reclaim), and when having a memory block onlined to\nZONE_MOVABLE, trying to offline it will loop forever and complain about\nfailed migration of a page that should be movable.\n\n# echo offline > /sys/devices/system/memory/memory136/state\n# echo online_movable > /sys/devices/system/memory/memory136/state\n# ./hmm-swap &\n... wait until everything is device-exclusive\n# echo offline > /sys/devices/system/memory/memory136/state\n[ 285.193431][T14882] page: refcount:2 mapcount:0 mapping:0000000000000000\n index:0x7f20671f7 pfn:0x442b6a\n[ 285.196618][T14882] memcg:ffff888179298000\n[ 285.198085][T14882] anon flags: 0x5fff0000002091c(referenced|uptodate|\n dirty|active|owner_2|swapbacked|node=1|zone=3|lastcpupid=0x7ff)\n[ 285.201734][T14882] raw: ...\n[ 285.204464][T14882] raw: ...\n[ 285.207196][T14882] page dumped because: migration failure\n[ 285.209072][T14882] page_owner tracks the page as allocated\n[ 285.210915][T14882] page last allocated via order 0, migratetype\n Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO),\n id 14926, tgid 14926 (hmm-swap), ts 254506295376, free_ts 227402023774\n[ 285.216765][T14882] post_alloc_hook+0x197/0x1b0\n[ 285.218874][T14882] get_page_from_freelist+0x76e/0x3280\n[ 285.220864][T14882] __alloc_frozen_pages_noprof+0x38e/0x2740\n[ 285.223302][T14882] alloc_pages_mpol+0x1fc/0x540\n[ 285.225130][T14882] folio_alloc_mpol_noprof+0x36/0x340\n[ 285.227222][T14882] vma_alloc_folio_noprof+0xee/0x1a0\n[ 285.229074][T14882] __handle_mm_fault+0x2b38/0x56a0\n[ 285.230822][T14882] handle_mm_fault+0x368/0x9f0\n...\n\nThis series fixes all issues I found so far. There is no easy way to fix\nwithout a bigger rework/cleanup. I have a bunch of cleanups on top (some\nprevious sent, some the result of the discussion in v1) that I will send\nout separately once this landed and I get to it.\n\nI wish we could just use some special present PROT_NONE PTEs instead of\nthese (non-present, non-none) fake-swap entries; but that just results in\nthe same problem we keep having (lack of spare PTE bits), and staring at\nother similar fake-swap entries, that ship has sailed.\n\nWith this series, make_device_exclusive() doesn't actually belong into\nmm/rmap.c anymore, but I'll leave moving that for another day.\n\nI only tested this series with the hmm-tests selftests due to lack of HW,\nso I'd appreciate some testing, especially if the interaction between two\nGPUs wanting a device-exclusive entry works as expected.\n\n<program>\n#include <stdio.h>\n#include <fcntl.h>\n#include <stdint.h>\n#include <unistd.h>\n#include <stdlib.h>\n#include <string.h>\n#include <sys/mman.h>\n#include <sys/ioctl.h>\n#include <linux/types.h>\n#include <linux/ioctl.h>\n\n#define HMM_DMIRROR_EXCLUSIVE _IOWR('H', 0x05, struct hmm_dmirror_cmd)\n\nstruct hmm_dmirror_cmd {\n\t__u64 addr;\n\t__u64 ptr;\n\t__u64 npages;\n\t__u64 cpages;\n\t__u64 faults;\n};\n\nconst size_t size = 1 * 1024 * 1024 * 1024ul;\nconst size_t chunk_size = 2 * 1024 * 1024ul;\n\nint m\n---truncated---"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mm/gup: rechazo de FOLL_SPLIT_PMD con VMAs hugetlb. Serie de parches \"mm: correcciones para entradas exclusivas de dispositivo (hmm)\", v2. Al hablar con Willy sobre la llamada a PageTail() en make_device_exclusive_range(), descubr\u00ed recientemente [1] que la gesti\u00f3n exclusiva de dispositivo no funciona correctamente con THP, lo que provoca que las autopruebas hmm-tests fallen si las THP est\u00e1n habilitadas en el sistema. Al analizar m\u00e1s a fondo, descubr\u00ed que hugetlb no est\u00e1 correctamente protegido y me di cuenta de que algo que me hab\u00eda estado molestando durante mucho tiempo (la interacci\u00f3n de las entradas exclusivas de dispositivo con mapcounts) interrumpe por completo la gesti\u00f3n de migraci\u00f3n/intercambio/divisi\u00f3n/hwpoison de estos folios mientras tienen PTE exclusivas de dispositivo. El programa a continuaci\u00f3n se puede usar para asignar 1 GiB de p\u00e1ginas y convertirlas en exclusivas de dispositivo en un kernel con CONFIG_TEST_HMM. Una vez que son exclusivos del dispositivo, estos folios no se pueden intercambiar (proc$pid/smaps_rollup siempre indicar\u00e1 1 GiB RSS sin importar cu\u00e1nto se fuerce la recuperaci\u00f3n de memoria) y cuando se tiene un bloque de memoria en l\u00ednea en ZONE_MOVABLE, al intentar desconectarlo se repetir\u00e1 eternamente y se quejar\u00e1 sobre la migraci\u00f3n fallida de una p\u00e1gina que deber\u00eda ser movible. # echo offline &gt; /sys/devices/system/memory/memory136/state # echo online_movable &gt; /sys/devices/system/memory/memory136/state # ./hmm-swap &amp; ... wait until everything is device-exclusive # echo offline &gt; /sys/devices/system/memory/memory136/state [ 285.193431][T14882] page: refcount:2 mapcount:0 mapping:0000000000000000 index:0x7f20671f7 pfn:0x442b6a [ 285.196618][T14882] memcg:ffff888179298000 [ 285.198085][T14882] anon flags: 0x5fff0000002091c(referenced|uptodate| dirty|active|owner_2|swapbacked|node=1|zone=3|lastcpupid=0x7ff) [ 285.201734][T14882] raw: ... [ 285.204464][T14882] raw: ... [ 285.207196][T14882] page dumped because: migration failure [ 285.209072][T14882] page_owner tracks the page as allocated [ 285.210915][T14882] page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), id 14926, tgid 14926 (hmm-swap), ts 254506295376, free_ts 227402023774 [ 285.216765][T14882] post_alloc_hook+0x197/0x1b0 [ 285.218874][T14882] get_page_from_freelist+0x76e/0x3280 [ 285.220864][T14882] __alloc_frozen_pages_noprof+0x38e/0x2740 [ 285.223302][T14882] alloc_pages_mpol+0x1fc/0x540 [ 285.225130][T14882] folio_alloc_mpol_noprof+0x36/0x340 [ 285.227222][T14882] vma_alloc_folio_noprof+0xee/0x1a0 [ 285.229074][T14882] __handle_mm_fault+0x2b38/0x56a0 [ 285.230822][T14882] handle_mm_fault+0x368/0x9f0 ... Esta serie corrige todos los problemas que he encontrado hasta ahora. No hay una soluci\u00f3n sencilla sin una revisi\u00f3n o limpieza m\u00e1s profunda. Tengo varias correcciones adicionales (algunas enviadas previamente, otras resultantes de la discusi\u00f3n en la v1) que publicar\u00e9 por separado una vez que est\u00e9 disponible y pueda con ello. Ojal\u00e1 pudi\u00e9ramos usar algunas PTE PROT_NONE presentes especiales en lugar de estas entradas de intercambio falso (no presentes, no ninguna); pero eso solo resulta en el mismo problema que seguimos teniendo (falta de bits de PTE de repuesto), y al observar otras entradas de intercambio falso similares, ese barco ya pas\u00f3. Con esta serie, make_device_exclusive() ya no pertenece a mm/rmap.c, pero lo dejar\u00e9 para otro d\u00eda. Solo prob\u00e9 esta serie con las autopruebas hmm-tests debido a la falta de hardware, as\u00ed que agradecer\u00eda algunas pruebas, especialmente si la interacci\u00f3n entre dos GPU que buscan una entrada de dispositivo exclusivo funciona como se espera. #include #include #include #include #include #include #include #include #include #include #define HMM_DMIRROR_EXCLUSIVE _IOWR('H', 0x05, ---truncado---"}], "lastModified": "2025-10-31T20:07:06.413", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CD08468B-6C62-4470-90F6-7F16F10CF3B4", "versionEndExcluding": "6.12.23", "versionStartIncluding": "6.10"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E7E864B0-8C00-4679-BA55-659B4C9C3AD3", "versionEndExcluding": "6.13.11", "versionStartIncluding": "6.13"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FADAE5D8-4808-442C-B218-77B2CE8780A0", "versionEndExcluding": "6.14.2", "versionStartIncluding": "6.14"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}