DEBIAN-CVE-2025-39725
- Source
- https://security-tracker.debian.org/tracker/CVE-2025-39725
- Import Source
- https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2025-39725.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2025-39725
- Upstream
- Published
- 2025-09-05T18:15:50Z
- Modified
- 2025-09-19T07:34:42.597234Z
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved: mm/vmscan: fix hwpoisoned large folio handling in shrinkfoliolist In shrinkfoliolist(), the hwpoisoned folio may be large folio, which can't be handled by unmappoisonedfolio(). For THP, trytounmapone() must be passed with TTUSPLITHUGEPMD to split huge PMD first and then retry. Without TTUSPLITHUGEPMD, we will trigger null-ptr deref of pvmw.pte. Even we passed TTUSPLITHUGEPMD, we will trigger a WARNONONCE due to the page isn't in swapcache. Since UCE is rare in real world, and race with reclaimation is more rare, just skipping the hwpoisoned large folio is enough. memoryfailure() will handle it if the UCE is triggered again. This happens when memory reclaim for large folio races with memoryfailure(), and will lead to kernel panic. The race is as follows: cpu0 cpu1 shrinkfoliolist memoryfailure TestSetPageHWPoison unmappoisonedfolio --> trigger BUGON due to unmappoisonedfolio couldn't handle large folio [tujinjiang@huawei.com: add comment to unmappoisonedfolio()]
- References
Affected packages
Debian:13 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Debian:14 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed6.16.3-1