CVE-2025-38029 (GCVE-0-2025-38029)
Vulnerability from cvelistv5
Published
2025-06-18 09:33
Modified
2025-06-18 09:33
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: kasan: avoid sleepable page allocation from atomic context apply_to_pte_range() enters the lazy MMU mode and then invokes kasan_populate_vmalloc_pte() callback on each page table walk iteration. However, the callback can go into sleep when trying to allocate a single page, e.g. if an architecutre disables preemption on lazy MMU mode enter. On s390 if make arch_enter_lazy_mmu_mode() -> preempt_enable() and arch_leave_lazy_mmu_mode() -> preempt_disable(), such crash occurs: [ 0.663336] BUG: sleeping function called from invalid context at ./include/linux/sched/mm.h:321 [ 0.663348] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 2, name: kthreadd [ 0.663358] preempt_count: 1, expected: 0 [ 0.663366] RCU nest depth: 0, expected: 0 [ 0.663375] no locks held by kthreadd/2. [ 0.663383] Preemption disabled at: [ 0.663386] [<0002f3284cbb4eda>] apply_to_pte_range+0xfa/0x4a0 [ 0.663405] CPU: 0 UID: 0 PID: 2 Comm: kthreadd Not tainted 6.15.0-rc5-gcc-kasan-00043-gd76bb1ebb558-dirty #162 PREEMPT [ 0.663408] Hardware name: IBM 3931 A01 701 (KVM/Linux) [ 0.663409] Call Trace: [ 0.663410] [<0002f3284c385f58>] dump_stack_lvl+0xe8/0x140 [ 0.663413] [<0002f3284c507b9e>] __might_resched+0x66e/0x700 [ 0.663415] [<0002f3284cc4f6c0>] __alloc_frozen_pages_noprof+0x370/0x4b0 [ 0.663419] [<0002f3284ccc73c0>] alloc_pages_mpol+0x1a0/0x4a0 [ 0.663421] [<0002f3284ccc8518>] alloc_frozen_pages_noprof+0x88/0xc0 [ 0.663424] [<0002f3284ccc8572>] alloc_pages_noprof+0x22/0x120 [ 0.663427] [<0002f3284cc341ac>] get_free_pages_noprof+0x2c/0xc0 [ 0.663429] [<0002f3284cceba70>] kasan_populate_vmalloc_pte+0x50/0x120 [ 0.663433] [<0002f3284cbb4ef8>] apply_to_pte_range+0x118/0x4a0 [ 0.663435] [<0002f3284cbc7c14>] apply_to_pmd_range+0x194/0x3e0 [ 0.663437] [<0002f3284cbc99be>] __apply_to_page_range+0x2fe/0x7a0 [ 0.663440] [<0002f3284cbc9e88>] apply_to_page_range+0x28/0x40 [ 0.663442] [<0002f3284ccebf12>] kasan_populate_vmalloc+0x82/0xa0 [ 0.663445] [<0002f3284cc1578c>] alloc_vmap_area+0x34c/0xc10 [ 0.663448] [<0002f3284cc1c2a6>] __get_vm_area_node+0x186/0x2a0 [ 0.663451] [<0002f3284cc1e696>] __vmalloc_node_range_noprof+0x116/0x310 [ 0.663454] [<0002f3284cc1d950>] __vmalloc_node_noprof+0xd0/0x110 [ 0.663457] [<0002f3284c454b88>] alloc_thread_stack_node+0xf8/0x330 [ 0.663460] [<0002f3284c458d56>] dup_task_struct+0x66/0x4d0 [ 0.663463] [<0002f3284c45be90>] copy_process+0x280/0x4b90 [ 0.663465] [<0002f3284c460940>] kernel_clone+0xd0/0x4b0 [ 0.663467] [<0002f3284c46115e>] kernel_thread+0xbe/0xe0 [ 0.663469] [<0002f3284c4e440e>] kthreadd+0x50e/0x7f0 [ 0.663472] [<0002f3284c38c04a>] __ret_from_fork+0x8a/0xf0 [ 0.663475] [<0002f3284ed57ff2>] ret_from_fork+0xa/0x38 Instead of allocating single pages per-PTE, bulk-allocate the shadow memory prior to applying kasan_populate_vmalloc_pte() callback on a page range.
References
Impacted products
Vendor Product Version
Linux Linux Version: 3c5c3cfb9ef4da957e3357a2bd36f76ee34c0862
Version: 3c5c3cfb9ef4da957e3357a2bd36f76ee34c0862
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "mm/kasan/shadow.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6748dd09196248b985cca39eaf651d5317271977",
              "status": "affected",
              "version": "3c5c3cfb9ef4da957e3357a2bd36f76ee34c0862",
              "versionType": "git"
            },
            {
              "lessThan": "b6ea95a34cbd014ab6ade4248107b86b0aaf2d6c",
              "status": "affected",
              "version": "3c5c3cfb9ef4da957e3357a2bd36f76ee34c0862",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "mm/kasan/shadow.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.5"
            },
            {
              "lessThan": "5.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.9",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nkasan: avoid sleepable page allocation from atomic context\n\napply_to_pte_range() enters the lazy MMU mode and then invokes\nkasan_populate_vmalloc_pte() callback on each page table walk iteration. \nHowever, the callback can go into sleep when trying to allocate a single\npage, e.g.  if an architecutre disables preemption on lazy MMU mode enter.\n\nOn s390 if make arch_enter_lazy_mmu_mode() -\u003e preempt_enable() and\narch_leave_lazy_mmu_mode() -\u003e preempt_disable(), such crash occurs:\n\n[    0.663336] BUG: sleeping function called from invalid context at ./include/linux/sched/mm.h:321\n[    0.663348] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 2, name: kthreadd\n[    0.663358] preempt_count: 1, expected: 0\n[    0.663366] RCU nest depth: 0, expected: 0\n[    0.663375] no locks held by kthreadd/2.\n[    0.663383] Preemption disabled at:\n[    0.663386] [\u003c0002f3284cbb4eda\u003e] apply_to_pte_range+0xfa/0x4a0\n[    0.663405] CPU: 0 UID: 0 PID: 2 Comm: kthreadd Not tainted 6.15.0-rc5-gcc-kasan-00043-gd76bb1ebb558-dirty #162 PREEMPT\n[    0.663408] Hardware name: IBM 3931 A01 701 (KVM/Linux)\n[    0.663409] Call Trace:\n[    0.663410]  [\u003c0002f3284c385f58\u003e] dump_stack_lvl+0xe8/0x140\n[    0.663413]  [\u003c0002f3284c507b9e\u003e] __might_resched+0x66e/0x700\n[    0.663415]  [\u003c0002f3284cc4f6c0\u003e] __alloc_frozen_pages_noprof+0x370/0x4b0\n[    0.663419]  [\u003c0002f3284ccc73c0\u003e] alloc_pages_mpol+0x1a0/0x4a0\n[    0.663421]  [\u003c0002f3284ccc8518\u003e] alloc_frozen_pages_noprof+0x88/0xc0\n[    0.663424]  [\u003c0002f3284ccc8572\u003e] alloc_pages_noprof+0x22/0x120\n[    0.663427]  [\u003c0002f3284cc341ac\u003e] get_free_pages_noprof+0x2c/0xc0\n[    0.663429]  [\u003c0002f3284cceba70\u003e] kasan_populate_vmalloc_pte+0x50/0x120\n[    0.663433]  [\u003c0002f3284cbb4ef8\u003e] apply_to_pte_range+0x118/0x4a0\n[    0.663435]  [\u003c0002f3284cbc7c14\u003e] apply_to_pmd_range+0x194/0x3e0\n[    0.663437]  [\u003c0002f3284cbc99be\u003e] __apply_to_page_range+0x2fe/0x7a0\n[    0.663440]  [\u003c0002f3284cbc9e88\u003e] apply_to_page_range+0x28/0x40\n[    0.663442]  [\u003c0002f3284ccebf12\u003e] kasan_populate_vmalloc+0x82/0xa0\n[    0.663445]  [\u003c0002f3284cc1578c\u003e] alloc_vmap_area+0x34c/0xc10\n[    0.663448]  [\u003c0002f3284cc1c2a6\u003e] __get_vm_area_node+0x186/0x2a0\n[    0.663451]  [\u003c0002f3284cc1e696\u003e] __vmalloc_node_range_noprof+0x116/0x310\n[    0.663454]  [\u003c0002f3284cc1d950\u003e] __vmalloc_node_noprof+0xd0/0x110\n[    0.663457]  [\u003c0002f3284c454b88\u003e] alloc_thread_stack_node+0xf8/0x330\n[    0.663460]  [\u003c0002f3284c458d56\u003e] dup_task_struct+0x66/0x4d0\n[    0.663463]  [\u003c0002f3284c45be90\u003e] copy_process+0x280/0x4b90\n[    0.663465]  [\u003c0002f3284c460940\u003e] kernel_clone+0xd0/0x4b0\n[    0.663467]  [\u003c0002f3284c46115e\u003e] kernel_thread+0xbe/0xe0\n[    0.663469]  [\u003c0002f3284c4e440e\u003e] kthreadd+0x50e/0x7f0\n[    0.663472]  [\u003c0002f3284c38c04a\u003e] __ret_from_fork+0x8a/0xf0\n[    0.663475]  [\u003c0002f3284ed57ff2\u003e] ret_from_fork+0xa/0x38\n\nInstead of allocating single pages per-PTE, bulk-allocate the shadow\nmemory prior to applying kasan_populate_vmalloc_pte() callback on a page\nrange."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-18T09:33:17.632Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6748dd09196248b985cca39eaf651d5317271977"
        },
        {
          "url": "https://git.kernel.org/stable/c/b6ea95a34cbd014ab6ade4248107b86b0aaf2d6c"
        }
      ],
      "title": "kasan: avoid sleepable page allocation from atomic context",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38029",
    "datePublished": "2025-06-18T09:33:17.632Z",
    "dateReserved": "2025-04-16T04:51:23.978Z",
    "dateUpdated": "2025-06-18T09:33:17.632Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-38029\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-06-18T10:15:34.970\",\"lastModified\":\"2025-06-18T13:46:52.973\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nkasan: avoid sleepable page allocation from atomic context\\n\\napply_to_pte_range() enters the lazy MMU mode and then invokes\\nkasan_populate_vmalloc_pte() callback on each page table walk iteration. \\nHowever, the callback can go into sleep when trying to allocate a single\\npage, e.g.  if an architecutre disables preemption on lazy MMU mode enter.\\n\\nOn s390 if make arch_enter_lazy_mmu_mode() -\u003e preempt_enable() and\\narch_leave_lazy_mmu_mode() -\u003e preempt_disable(), such crash occurs:\\n\\n[    0.663336] BUG: sleeping function called from invalid context at ./include/linux/sched/mm.h:321\\n[    0.663348] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 2, name: kthreadd\\n[    0.663358] preempt_count: 1, expected: 0\\n[    0.663366] RCU nest depth: 0, expected: 0\\n[    0.663375] no locks held by kthreadd/2.\\n[    0.663383] Preemption disabled at:\\n[    0.663386] [\u003c0002f3284cbb4eda\u003e] apply_to_pte_range+0xfa/0x4a0\\n[    0.663405] CPU: 0 UID: 0 PID: 2 Comm: kthreadd Not tainted 6.15.0-rc5-gcc-kasan-00043-gd76bb1ebb558-dirty #162 PREEMPT\\n[    0.663408] Hardware name: IBM 3931 A01 701 (KVM/Linux)\\n[    0.663409] Call Trace:\\n[    0.663410]  [\u003c0002f3284c385f58\u003e] dump_stack_lvl+0xe8/0x140\\n[    0.663413]  [\u003c0002f3284c507b9e\u003e] __might_resched+0x66e/0x700\\n[    0.663415]  [\u003c0002f3284cc4f6c0\u003e] __alloc_frozen_pages_noprof+0x370/0x4b0\\n[    0.663419]  [\u003c0002f3284ccc73c0\u003e] alloc_pages_mpol+0x1a0/0x4a0\\n[    0.663421]  [\u003c0002f3284ccc8518\u003e] alloc_frozen_pages_noprof+0x88/0xc0\\n[    0.663424]  [\u003c0002f3284ccc8572\u003e] alloc_pages_noprof+0x22/0x120\\n[    0.663427]  [\u003c0002f3284cc341ac\u003e] get_free_pages_noprof+0x2c/0xc0\\n[    0.663429]  [\u003c0002f3284cceba70\u003e] kasan_populate_vmalloc_pte+0x50/0x120\\n[    0.663433]  [\u003c0002f3284cbb4ef8\u003e] apply_to_pte_range+0x118/0x4a0\\n[    0.663435]  [\u003c0002f3284cbc7c14\u003e] apply_to_pmd_range+0x194/0x3e0\\n[    0.663437]  [\u003c0002f3284cbc99be\u003e] __apply_to_page_range+0x2fe/0x7a0\\n[    0.663440]  [\u003c0002f3284cbc9e88\u003e] apply_to_page_range+0x28/0x40\\n[    0.663442]  [\u003c0002f3284ccebf12\u003e] kasan_populate_vmalloc+0x82/0xa0\\n[    0.663445]  [\u003c0002f3284cc1578c\u003e] alloc_vmap_area+0x34c/0xc10\\n[    0.663448]  [\u003c0002f3284cc1c2a6\u003e] __get_vm_area_node+0x186/0x2a0\\n[    0.663451]  [\u003c0002f3284cc1e696\u003e] __vmalloc_node_range_noprof+0x116/0x310\\n[    0.663454]  [\u003c0002f3284cc1d950\u003e] __vmalloc_node_noprof+0xd0/0x110\\n[    0.663457]  [\u003c0002f3284c454b88\u003e] alloc_thread_stack_node+0xf8/0x330\\n[    0.663460]  [\u003c0002f3284c458d56\u003e] dup_task_struct+0x66/0x4d0\\n[    0.663463]  [\u003c0002f3284c45be90\u003e] copy_process+0x280/0x4b90\\n[    0.663465]  [\u003c0002f3284c460940\u003e] kernel_clone+0xd0/0x4b0\\n[    0.663467]  [\u003c0002f3284c46115e\u003e] kernel_thread+0xbe/0xe0\\n[    0.663469]  [\u003c0002f3284c4e440e\u003e] kthreadd+0x50e/0x7f0\\n[    0.663472]  [\u003c0002f3284c38c04a\u003e] __ret_from_fork+0x8a/0xf0\\n[    0.663475]  [\u003c0002f3284ed57ff2\u003e] ret_from_fork+0xa/0x38\\n\\nInstead of allocating single pages per-PTE, bulk-allocate the shadow\\nmemory prior to applying kasan_populate_vmalloc_pte() callback on a page\\nrange.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/6748dd09196248b985cca39eaf651d5317271977\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/b6ea95a34cbd014ab6ade4248107b86b0aaf2d6c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.