CVE-2025-38029

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-38029
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38029.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-38029
Downstream
Published
2025-06-18T10:15:34Z
Modified
2025-08-30T18:01:35Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

kasan: avoid sleepable page allocation from atomic context

applytopterange() enters the lazy MMU mode and then invokes kasanpopulatevmallocpte() callback on each page table walk iteration. However, the callback can go into sleep when trying to allocate a single page, e.g. if an architecutre disables preemption on lazy MMU mode enter.

On s390 if make archenterlazymmumode() -> preemptenable() and archleavelazymmumode() -> preemptdisable(), such crash occurs:

[ 0.663336] BUG: sleeping function called from invalid context at ./include/linux/sched/mm.h:321 [ 0.663348] inatomic(): 1, irqsdisabled(): 0, nonblock: 0, pid: 2, name: kthreadd [ 0.663358] preemptcount: 1, expected: 0 [ 0.663366] RCU nest depth: 0, expected: 0 [ 0.663375] no locks held by kthreadd/2. [ 0.663383] Preemption disabled at: [ 0.663386] [<0002f3284cbb4eda>] applytopterange+0xfa/0x4a0 [ 0.663405] CPU: 0 UID: 0 PID: 2 Comm: kthreadd Not tainted 6.15.0-rc5-gcc-kasan-00043-gd76bb1ebb558-dirty #162 PREEMPT [ 0.663408] Hardware name: IBM 3931 A01 701 (KVM/Linux) [ 0.663409] Call Trace: [ 0.663410] [<0002f3284c385f58>] dumpstacklvl+0xe8/0x140 [ 0.663413] [<0002f3284c507b9e>] _mightresched+0x66e/0x700 [ 0.663415] [<0002f3284cc4f6c0>] _allocfrozenpagesnoprof+0x370/0x4b0 [ 0.663419] [<0002f3284ccc73c0>] allocpagesmpol+0x1a0/0x4a0 [ 0.663421] [<0002f3284ccc8518>] allocfrozenpagesnoprof+0x88/0xc0 [ 0.663424] [<0002f3284ccc8572>] allocpagesnoprof+0x22/0x120 [ 0.663427] [<0002f3284cc341ac>] getfreepagesnoprof+0x2c/0xc0 [ 0.663429] [<0002f3284cceba70>] kasanpopulatevmallocpte+0x50/0x120 [ 0.663433] [<0002f3284cbb4ef8>] applytopterange+0x118/0x4a0 [ 0.663435] [<0002f3284cbc7c14>] applytopmdrange+0x194/0x3e0 [ 0.663437] [<0002f3284cbc99be>] _applytopagerange+0x2fe/0x7a0 [ 0.663440] [<0002f3284cbc9e88>] applytopagerange+0x28/0x40 [ 0.663442] [<0002f3284ccebf12>] kasanpopulatevmalloc+0x82/0xa0 [ 0.663445] [<0002f3284cc1578c>] allocvmaparea+0x34c/0xc10 [ 0.663448] [<0002f3284cc1c2a6>] _getvmareanode+0x186/0x2a0 [ 0.663451] [<0002f3284cc1e696>] _vmallocnoderangenoprof+0x116/0x310 [ 0.663454] [<0002f3284cc1d950>] _vmallocnodenoprof+0xd0/0x110 [ 0.663457] [<0002f3284c454b88>] allocthreadstacknode+0xf8/0x330 [ 0.663460] [<0002f3284c458d56>] duptaskstruct+0x66/0x4d0 [ 0.663463] [<0002f3284c45be90>] copyprocess+0x280/0x4b90 [ 0.663465] [<0002f3284c460940>] kernelclone+0xd0/0x4b0 [ 0.663467] [<0002f3284c46115e>] kernelthread+0xbe/0xe0 [ 0.663469] [<0002f3284c4e440e>] kthreadd+0x50e/0x7f0 [ 0.663472] [<0002f3284c38c04a>] _retfromfork+0x8a/0xf0 [ 0.663475] [<0002f3284ed57ff2>] retfrom_fork+0xa/0x38

Instead of allocating single pages per-PTE, bulk-allocate the shadow memory prior to applying kasanpopulatevmalloc_pte() callback on a page range.

References

Affected packages