5.5

CVE-2025-22015

mm/migrate: fix shmem xarray update during migration

In the Linux kernel, the following vulnerability has been resolved:

mm/migrate: fix shmem xarray update during migration

A shmem folio can be either in page cache or in swap cache, but not at the
same time.  Namely, once it is in swap cache, folio->mapping should be
NULL, and the folio is no longer in a shmem mapping.

In __folio_migrate_mapping(), to determine the number of xarray entries to
update, folio_test_swapbacked() is used, but that conflates shmem in page
cache case and shmem in swap cache case.  It leads to xarray multi-index
entry corruption, since it turns a sibling entry to a normal entry during
xas_store() (see [1] for a userspace reproduction).  Fix it by only using
folio_test_swapcache() to determine whether xarray is storing swap cache
entries or not to choose the right number of xarray entries to update.

[1] https://lore.kernel.org/linux-mm/Z8idPCkaJW1IChjT@casper.infradead.org/

Note:
In __split_huge_page(), folio_test_anon() && folio_test_swapcache() is
used to get swap_cache address space, but that ignores the shmem folio in
swap cache case.  It could lead to NULL pointer dereferencing when a
in-swap-cache shmem folio is split at __xa_store(), since
!folio_test_anon() is true and folio->mapping is NULL.  But fortunately,
its caller split_huge_page_to_list_to_order() bails out early with EBUSY
when folio->mapping is NULL.  So no need to take care of it here.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 6.1.71 < 6.1.132
LinuxLinux Kernel Version >= 6.6.10 < 6.6.85
LinuxLinux Kernel Version >= 6.7.1 < 6.12.21
LinuxLinux Kernel Version >= 6.13 < 6.13.9
LinuxLinux Kernel Version6.7 Update-
LinuxLinux Kernel Version6.7 Updaterc8
LinuxLinux Kernel Version6.14 Updaterc1
LinuxLinux Kernel Version6.14 Updaterc2
LinuxLinux Kernel Version6.14 Updaterc3
LinuxLinux Kernel Version6.14 Updaterc4
LinuxLinux Kernel Version6.14 Updaterc5
LinuxLinux Kernel Version6.14 Updaterc6
LinuxLinux Kernel Version6.14 Updaterc7
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.19% 0.083
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.5 1.8 3.6
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE-476 NULL Pointer Dereference

The product dereferences a pointer that it expects to be valid but is NULL.

https://git.kernel.org/stable/c/49100c0b070e900f87c8fac3be9b9ef8a30fa673
Patch
https://git.kernel.org/stable/c/29124ae980e2860f0eec7355949d3d3292ee81da
Patch
https://git.kernel.org/stable/c/c057ee03f751d6cecf7ee64f52f6545d94082aaa
Patch
https://git.kernel.org/stable/c/75cfb92eb63298d717b6b0118f91ba12c4fcfeb5
Patch
https://git.kernel.org/stable/c/60cf233b585cdf1f3c5e52d1225606b86acd08b0
Patch
https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html
https://cert-portal.siemens.com/productcert/html/ssa-019113.html