CVE-2025-38029

In the Linux kernel, the following vulnerability has been resolved:

kasan: avoid sleepable page allocation from atomic context

applytopterange() enters the lazy MMU mode and then invokes kasanpopulatevmallocpte() callback on each page table walk iteration. However, the callback can go into sleep when trying to allocate a single page, e.g. if an architecutre disables preemption on lazy MMU mode enter.

On s390 if make archenterlazymmumode() -> preemptenable() and archleavelazymmumode() -> preemptdisable(), such crash occurs:

[ 0.663336] BUG: sleeping function called from invalid context at ./include/linux/sched/mm.h:321 [ 0.663348] inatomic(): 1, irqsdisabled(): 0, nonblock: 0, pid: 2, name: kthreadd [ 0.663358] preemptcount: 1, expected: 0 [ 0.663366] RCU nest depth: 0, expected: 0 [ 0.663375] no locks held by kthreadd/2. [ 0.663383] Preemption disabled at: [ 0.663386] [<0002f3284cbb4eda>] applytopterange+0xfa/0x4a0 [ 0.663405] CPU: 0 UID: 0 PID: 2 Comm: kthreadd Not tainted 6.15.0-rc5-gcc-kasan-00043-gd76bb1ebb558-dirty #162 PREEMPT [ 0.663408] Hardware name: IBM 3931 A01 701 (KVM/Linux) [ 0.663409] Call Trace: [ 0.663410] [<0002f3284c385f58>] dumpstacklvl+0xe8/0x140 [ 0.663413] [<0002f3284c507b9e>] _mightresched+0x66e/0x700 [ 0.663415] [<0002f3284cc4f6c0>] _allocfrozenpagesnoprof+0x370/0x4b0 [ 0.663419] [<0002f3284ccc73c0>] allocpagesmpol+0x1a0/0x4a0 [ 0.663421] [<0002f3284ccc8518>] allocfrozenpagesnoprof+0x88/0xc0 [ 0.663424] [<0002f3284ccc8572>] allocpagesnoprof+0x22/0x120 [ 0.663427] [<0002f3284cc341ac>] getfreepagesnoprof+0x2c/0xc0 [ 0.663429] [<0002f3284cceba70>] kasanpopulatevmallocpte+0x50/0x120 [ 0.663433] [<0002f3284cbb4ef8>] applytopterange+0x118/0x4a0 [ 0.663435] [<0002f3284cbc7c14>] applytopmdrange+0x194/0x3e0 [ 0.663437] [<0002f3284cbc99be>] _applytopagerange+0x2fe/0x7a0 [ 0.663440] [<0002f3284cbc9e88>] applytopagerange+0x28/0x40 [ 0.663442] [<0002f3284ccebf12>] kasanpopulatevmalloc+0x82/0xa0 [ 0.663445] [<0002f3284cc1578c>] allocvmaparea+0x34c/0xc10 [ 0.663448] [<0002f3284cc1c2a6>] _getvmareanode+0x186/0x2a0 [ 0.663451] [<0002f3284cc1e696>] _vmallocnoderangenoprof+0x116/0x310 [ 0.663454] [<0002f3284cc1d950>] _vmallocnodenoprof+0xd0/0x110 [ 0.663457] [<0002f3284c454b88>] allocthreadstacknode+0xf8/0x330 [ 0.663460] [<0002f3284c458d56>] duptaskstruct+0x66/0x4d0 [ 0.663463] [<0002f3284c45be90>] copyprocess+0x280/0x4b90 [ 0.663465] [<0002f3284c460940>] kernelclone+0xd0/0x4b0 [ 0.663467] [<0002f3284c46115e>] kernelthread+0xbe/0xe0 [ 0.663469] [<0002f3284c4e440e>] kthreadd+0x50e/0x7f0 [ 0.663472] [<0002f3284c38c04a>] _retfromfork+0x8a/0xf0 [ 0.663475] [<0002f3284ed57ff2>] retfrom_fork+0xa/0x38

Instead of allocating single pages per-PTE, bulk-allocate the shadow memory prior to applying kasanpopulatevmalloc_pte() callback on a page range.