In the Linux kernel, the following vulnerability has been resolved:
io_uring/rsrc: fix folio unpinning
syzbot complains about an unmapping failure:
[ 108.070381][ T14] kernel BUG at mm/gup.c:71!
[ 108.070502][ T14] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
[ 108.123672][ T14] Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20250221-8.fc42 02/21/2025
[ 108.127458][ T14] Workqueue: iou_exit io_ring_exit_work
[ 108.174205][ T14] Call trace:
[ 108.175649][ T14] sanity_check_pinned_pages+0x7cc/0x7d0 (P)
[ 108.178138][ T14] unpin_user_page+0x80/0x10c
[ 108.180189][ T14] io_release_ubuf+0x84/0xf8
[ 108.182196][ T14] io_free_rsrc_node+0x250/0x57c
[ 108.184345][ T14] io_rsrc_data_free+0x148/0x298
[ 108.186493][ T14] io_sqe_buffers_unregister+0x84/0xa0
[ 108.188991][ T14] io_ring_ctx_free+0x48/0x480
[ 108.191057][ T14] io_ring_exit_work+0x764/0x7d8
[ 108.193207][ T14] process_one_work+0x7e8/0x155c
[ 108.195431][ T14] worker_thread+0x958/0xed8
[ 108.197561][ T14] kthread+0x5fc/0x75c
[ 108.199362][ T14] ret_from_fork+0x10/0x20
We can pin a tail page of a folio, but then io_uring will try to unpin the head page of the folio. While it should be fine in terms of keeping the page actually alive, mm folks say it's wrong and triggers a debug warning. Use unpin_user_folio() instead of unpin_user_page*.
[axboe: adapt to current tree, massage commit message]
[
{
"digest": {
"function_hash": "181111156485689551434459780285724852557",
"length": 180.0
},
"id": "CVE-2025-38256-0be31e8e",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5afb4bf9fc62d828647647ec31745083637132e4",
"signature_version": "v1",
"deprecated": false,
"target": {
"function": "io_release_ubuf",
"file": "io_uring/rsrc.c"
},
"signature_type": "Function"
},
{
"digest": {
"line_hashes": [
"28435573379094907220921296254475994278",
"286006299645288550721669377785221114719",
"221880866990703402406435047058117878228",
"71821278077278446985793992443648893195",
"209475154296256415221741930192321161298",
"226204248589159457613170245255336266559",
"38161043798711375781564932828522777390",
"245058111404921041599663641265836699501",
"158567935608478037912563849127835184549",
"264422558850821392003718543604729647990"
],
"threshold": 0.9
},
"id": "CVE-2025-38256-0c2781fe",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5afb4bf9fc62d828647647ec31745083637132e4",
"signature_version": "v1",
"deprecated": false,
"target": {
"file": "io_uring/rsrc.c"
},
"signature_type": "Line"
},
{
"digest": {
"function_hash": "181111156485689551434459780285724852557",
"length": 180.0
},
"id": "CVE-2025-38256-2ea9e394",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@11e7b7369e655e6131387b174218d7fa9557b3da",
"signature_version": "v1",
"deprecated": false,
"target": {
"function": "io_release_ubuf",
"file": "io_uring/rsrc.c"
},
"signature_type": "Function"
},
{
"digest": {
"function_hash": "195875582958458936226590885370562509172",
"length": 1696.0
},
"id": "CVE-2025-38256-3f40a9fb",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5afb4bf9fc62d828647647ec31745083637132e4",
"signature_version": "v1",
"deprecated": false,
"target": {
"function": "io_sqe_buffer_register",
"file": "io_uring/rsrc.c"
},
"signature_type": "Function"
},
{
"digest": {
"function_hash": "195875582958458936226590885370562509172",
"length": 1696.0
},
"id": "CVE-2025-38256-8fe97493",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@11e7b7369e655e6131387b174218d7fa9557b3da",
"signature_version": "v1",
"deprecated": false,
"target": {
"function": "io_sqe_buffer_register",
"file": "io_uring/rsrc.c"
},
"signature_type": "Function"
},
{
"digest": {
"function_hash": "289269127785144808034587924707192505241",
"length": 1366.0
},
"id": "CVE-2025-38256-9c833114",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@53fd75f25b223878b5fff14932e3a22f42b54f77",
"signature_version": "v1",
"deprecated": false,
"target": {
"function": "io_sqe_buffer_register",
"file": "io_uring/rsrc.c"
},
"signature_type": "Function"
},
{
"digest": {
"line_hashes": [
"28435573379094907220921296254475994278",
"286006299645288550721669377785221114719",
"221880866990703402406435047058117878228",
"71821278077278446985793992443648893195",
"209475154296256415221741930192321161298",
"226204248589159457613170245255336266559",
"38161043798711375781564932828522777390",
"245058111404921041599663641265836699501",
"158567935608478037912563849127835184549",
"264422558850821392003718543604729647990"
],
"threshold": 0.9
},
"id": "CVE-2025-38256-d356aa5e",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@11e7b7369e655e6131387b174218d7fa9557b3da",
"signature_version": "v1",
"deprecated": false,
"target": {
"file": "io_uring/rsrc.c"
},
"signature_type": "Line"
},
{
"digest": {
"function_hash": "36801918295005863177319417566008493439",
"length": 378.0
},
"id": "CVE-2025-38256-dd617385",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@53fd75f25b223878b5fff14932e3a22f42b54f77",
"signature_version": "v1",
"deprecated": false,
"target": {
"function": "io_buffer_unmap",
"file": "io_uring/rsrc.c"
},
"signature_type": "Function"
},
{
"digest": {
"line_hashes": [
"62728724653960466981884740501851178514",
"219044369151988637577887304939137596364",
"305053852565525745878373021622899478123",
"280802230204240508029841310286083904798",
"333758144248522906914277868466931991996",
"95016996835812798667758684559409478354",
"233435613970095737675672922524137309963",
"303192693411776799257612673407479414795",
"189631496445834301328749240881655366743",
"196273984934691475359759965104269404180"
],
"threshold": 0.9
},
"id": "CVE-2025-38256-fe45cb44",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@53fd75f25b223878b5fff14932e3a22f42b54f77",
"signature_version": "v1",
"deprecated": false,
"target": {
"file": "io_uring/rsrc.c"
},
"signature_type": "Line"
}
]