CVE-2025-37958

In the Linux kernel, the following vulnerability has been resolved:

mm/huge_memory: fix dereferencing invalid pmd migration entry

When migrating a THP, concurrent access to the PMD migration entry during a deferred split scan can lead to an invalid address access, as illustrated below. To prevent this invalid access, it is necessary to check the PMD migration entry and return early. In this context, there is no need to use pmdtoswpentry and pfnswapentryto_page to verify the equality of the target folio. Since the PMD migration entry is locked, it cannot be served as the target.

Mailing list discussion and explanation from Hugh Dickins: "An anonvma lookup points to a location which may contain the folio of interest, but might instead contain another folio: and weeding out those other folios is precisely what the "folio != pmdfolio((*pmd)" check (and the "risk of replacing the wrong folio" comment a few lines above it) is for."

BUG: unable to handle page fault for address: ffffea60001db008 CPU: 0 UID: 0 PID: 2199114 Comm: tee Not tainted 6.14.0+ #4 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:splithugepmdlocked+0x3b5/0x2b60 Call Trace: <TASK> trytomigrateone+0x28c/0x3730 rmapwalkanon+0x4f6/0x770 unmapfolio+0x196/0x1f0 splithugepagetolisttoorder+0x9f6/0x1560 deferredsplitscan+0xac5/0x12a0 shrinkerdebugfsscanwrite+0x376/0x470 fullproxywrite+0x15c/0x220 vfswrite+0x2fc/0xcb0 ksyswrite+0x146/0x250 dosyscall64+0x6a/0x120 entrySYSCALL64afterhwframe+0x76/0x7e

The bug is found by syzkaller on an internal kernel, then confirmed on upstream.