CVE-2025-39725 (GCVE-0-2025-39725)

Vulnerability from cvelistv5 – Published: 2025-09-05 17:27 – Updated: 2025-09-05 17:27
VLAI?
Title
mm/vmscan: fix hwpoisoned large folio handling in shrink_folio_list
Summary
In the Linux kernel, the following vulnerability has been resolved: mm/vmscan: fix hwpoisoned large folio handling in shrink_folio_list In shrink_folio_list(), the hwpoisoned folio may be large folio, which can't be handled by unmap_poisoned_folio(). For THP, try_to_unmap_one() must be passed with TTU_SPLIT_HUGE_PMD to split huge PMD first and then retry. Without TTU_SPLIT_HUGE_PMD, we will trigger null-ptr deref of pvmw.pte. Even we passed TTU_SPLIT_HUGE_PMD, we will trigger a WARN_ON_ONCE due to the page isn't in swapcache. Since UCE is rare in real world, and race with reclaimation is more rare, just skipping the hwpoisoned large folio is enough. memory_failure() will handle it if the UCE is triggered again. This happens when memory reclaim for large folio races with memory_failure(), and will lead to kernel panic. The race is as follows: cpu0 cpu1 shrink_folio_list memory_failure TestSetPageHWPoison unmap_poisoned_folio --> trigger BUG_ON due to unmap_poisoned_folio couldn't handle large folio [tujinjiang@huawei.com: add comment to unmap_poisoned_folio()]
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 1c9798bf8145a92abf45aa9d38a6406d9eb8bdf0 , < 656eaddbc952e1baae2f69281c22debe22140312 (git)
Affected: 1b0449544c6482179ac84530b61fc192a6527bfd , < c1101113d45838a823188ae25c61af97552a28ae (git)
Affected: 1b0449544c6482179ac84530b61fc192a6527bfd , < 9f1e8cd0b7c4c944e9921b52a6661b5eda2705ab (git)
Affected: 912e9f0300c3564b72a8808db406e313193a37ad (git)
Create a notification for this product.
    Linux Linux Affected: 6.15
Unaffected: 0 , < 6.15 (semver)
Unaffected: 6.12.41 , ≤ 6.12.* (semver)
Unaffected: 6.15.9 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "mm/memory-failure.c",
            "mm/vmscan.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "656eaddbc952e1baae2f69281c22debe22140312",
              "status": "affected",
              "version": "1c9798bf8145a92abf45aa9d38a6406d9eb8bdf0",
              "versionType": "git"
            },
            {
              "lessThan": "c1101113d45838a823188ae25c61af97552a28ae",
              "status": "affected",
              "version": "1b0449544c6482179ac84530b61fc192a6527bfd",
              "versionType": "git"
            },
            {
              "lessThan": "9f1e8cd0b7c4c944e9921b52a6661b5eda2705ab",
              "status": "affected",
              "version": "1b0449544c6482179ac84530b61fc192a6527bfd",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "912e9f0300c3564b72a8808db406e313193a37ad",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "mm/memory-failure.c",
            "mm/vmscan.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.15"
            },
            {
              "lessThan": "6.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.41",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.41",
                  "versionStartIncluding": "6.12.26",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.9",
                  "versionStartIncluding": "6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.14.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/vmscan: fix hwpoisoned large folio handling in shrink_folio_list\n\nIn shrink_folio_list(), the hwpoisoned folio may be large folio, which\ncan\u0027t be handled by unmap_poisoned_folio().  For THP, try_to_unmap_one()\nmust be passed with TTU_SPLIT_HUGE_PMD to split huge PMD first and then\nretry.  Without TTU_SPLIT_HUGE_PMD, we will trigger null-ptr deref of\npvmw.pte.  Even we passed TTU_SPLIT_HUGE_PMD, we will trigger a\nWARN_ON_ONCE due to the page isn\u0027t in swapcache.\n\nSince UCE is rare in real world, and race with reclaimation is more rare,\njust skipping the hwpoisoned large folio is enough.  memory_failure() will\nhandle it if the UCE is triggered again.\n\nThis happens when memory reclaim for large folio races with\nmemory_failure(), and will lead to kernel panic.  The race is as\nfollows:\n\ncpu0      cpu1\n shrink_folio_list memory_failure\n  TestSetPageHWPoison\n  unmap_poisoned_folio\n  --\u003e trigger BUG_ON due to\n  unmap_poisoned_folio couldn\u0027t\n   handle large folio\n\n[tujinjiang@huawei.com: add comment to unmap_poisoned_folio()]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-05T17:27:18.719Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/656eaddbc952e1baae2f69281c22debe22140312"
        },
        {
          "url": "https://git.kernel.org/stable/c/c1101113d45838a823188ae25c61af97552a28ae"
        },
        {
          "url": "https://git.kernel.org/stable/c/9f1e8cd0b7c4c944e9921b52a6661b5eda2705ab"
        }
      ],
      "title": "mm/vmscan: fix hwpoisoned large folio handling in shrink_folio_list",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39725",
    "datePublished": "2025-09-05T17:27:18.719Z",
    "dateReserved": "2025-04-16T07:20:57.117Z",
    "dateUpdated": "2025-09-05T17:27:18.719Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-39725\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-09-05T18:15:50.320\",\"lastModified\":\"2025-11-25T21:01:10.547\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmm/vmscan: fix hwpoisoned large folio handling in shrink_folio_list\\n\\nIn shrink_folio_list(), the hwpoisoned folio may be large folio, which\\ncan\u0027t be handled by unmap_poisoned_folio().  For THP, try_to_unmap_one()\\nmust be passed with TTU_SPLIT_HUGE_PMD to split huge PMD first and then\\nretry.  Without TTU_SPLIT_HUGE_PMD, we will trigger null-ptr deref of\\npvmw.pte.  Even we passed TTU_SPLIT_HUGE_PMD, we will trigger a\\nWARN_ON_ONCE due to the page isn\u0027t in swapcache.\\n\\nSince UCE is rare in real world, and race with reclaimation is more rare,\\njust skipping the hwpoisoned large folio is enough.  memory_failure() will\\nhandle it if the UCE is triggered again.\\n\\nThis happens when memory reclaim for large folio races with\\nmemory_failure(), and will lead to kernel panic.  The race is as\\nfollows:\\n\\ncpu0      cpu1\\n shrink_folio_list memory_failure\\n  TestSetPageHWPoison\\n  unmap_poisoned_folio\\n  --\u003e trigger BUG_ON due to\\n  unmap_poisoned_folio couldn\u0027t\\n   handle large folio\\n\\n[tujinjiang@huawei.com: add comment to unmap_poisoned_folio()]\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-476\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.12.26\",\"versionEndExcluding\":\"6.12.41\",\"matchCriteriaId\":\"19B129C6-1ABE-4712-8AB0-009FB92F8F2B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.14.5\",\"versionEndExcluding\":\"6.15.9\",\"matchCriteriaId\":\"E63E673B-291A-456D-A515-12B29693073E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.16:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"6D4894DB-CCFE-4602-B1BF-3960B2E19A01\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.16:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"09709862-E348-4378-8632-5A7813EDDC86\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.16:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"415BF58A-8197-43F5-B3D7-D1D63057A26E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.16:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"A0517869-312D-4429-80C2-561086E1421C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.16:rc5:*:*:*:*:*:*\",\"matchCriteriaId\":\"85421F4E-C863-4ABF-B4B4-E887CC2F7F92\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.16:rc6:*:*:*:*:*:*\",\"matchCriteriaId\":\"3827F0D4-5FEE-4181-B267-5A45E7CA11FC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.16:rc7:*:*:*:*:*:*\",\"matchCriteriaId\":\"7A9C2DE5-43B8-4D73-BDB5-EA55C7671A52\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/656eaddbc952e1baae2f69281c22debe22140312\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/9f1e8cd0b7c4c944e9921b52a6661b5eda2705ab\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/c1101113d45838a823188ae25c61af97552a28ae\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.