High Severity Vulnerability

This vulnerability has been rated as High severity. Immediate action is recommended.

CVE-2025-39883

Severity: High
CVSS Score: 7.1
Published: Sep 23, 2025
Last Modified: Jan 16, 2026

Vulnerability Description

In the Linux kernel, the following vulnerability has been resolved:

mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory

When I did memory failure tests, the panic below occurred:

page dumped because: VM_BUG_ON_PAGE(PagePoisoned(page))
kernel BUG at include/linux/page-flags.h:616!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
CPU: 3 PID: 720 Comm: bash Not tainted 6.10.0-rc1-00195-g148743902568 #40
RIP: 0010:unpoison_memory+0x2f3/0x590
RSP: 0018:ffffa57fc8787d60 EFLAGS: 00000246
RAX: 0000000000000037 RBX: 0000000000000009 RCX: ffff9be25fcdc9c8
RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff9be25fcdc9c0
RBP: 0000000000300000 R08: ffffffffb4956f88 R09: 0000000000009ffb
R10: 0000000000000284 R11: ffffffffb4926fa0 R12: ffffe6b00c000000
R13: ffff9bdb453dfd00 R14: 0000000000000000 R15: fffffffffffffffe
FS: 00007f08f04e4740(0000) GS:ffff9be25fcc0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000564787a30410 CR3: 000000010d4e2000 CR4: 00000000000006f0
Call Trace:
<TASK>
unpoison_memory+0x2f3/0x590
simple_attr_write_xsigned.constprop.0.isra.0+0xb3/0x110
debugfs_attr_write+0x42/0x60
full_proxy_write+0x5b/0x80
vfs_write+0xd5/0x540
ksys_write+0x64/0xe0
do_syscall_64+0xb9/0x1d0
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f08f0314887
RSP: 002b:00007ffece710078 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000009 RCX: 00007f08f0314887
RDX: 0000000000000009 RSI: 0000564787a30410 RDI: 0000000000000001
RBP: 0000564787a30410 R08: 000000000000fefe R09: 000000007fffffff
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000009
R13: 00007f08f041b780 R14: 00007f08f0417600 R15: 00007f08f0416a00
</TASK>
Modules linked in: hwpoison_inject
---[ end trace 0000000000000000 ]---
RIP: 0010:unpoison_memory+0x2f3/0x590
RSP: 0018:ffffa57fc8787d60 EFLAGS: 00000246
RAX: 0000000000000037 RBX: 0000000000000009 RCX: ffff9be25fcdc9c8
RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff9be25fcdc9c0
RBP: 0000000000300000 R08: ffffffffb4956f88 R09: 0000000000009ffb
R10: 0000000000000284 R11: ffffffffb4926fa0 R12: ffffe6b00c000000
R13: ffff9bdb453dfd00 R14: 0000000000000000 R15: fffffffffffffffe
FS: 00007f08f04e4740(0000) GS:ffff9be25fcc0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000564787a30410 CR3: 000000010d4e2000 CR4: 00000000000006f0
Kernel panic - not syncing: Fatal exception
Kernel Offset: 0x31c00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
---[ end Kernel panic - not syncing: Fatal exception ]---

The root cause is that unpoison_memory() tries to check the PG_HWPoison
flags of an uninitialized page. So VM_BUG_ON_PAGE(PagePoisoned(page)) is
triggered. This can be reproduced by the steps below:

1. Offline memory block:

   echo offline > /sys/devices/system/memory/memory12/state

2. Get offlined memory pfn:

   page-types -b n -rlN

3. Write pfn to unpoison-pfn:

   echo <pfn> > /sys/kernel/debug/hwpoison/unpoison-pfn

This scenario can be identified by pfn_to_online_page() returning NULL.
And ZONE_DEVICE pages are never expected, so we can simply fail if
pfn_to_online_page() == NULL to fix the bug.
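
A user-space C model of the root cause and the fix described in the commit message above, added here as an illustration; it is not the kernel's code or the patch itself. The section sizes, the return codes, the PG_HWPOISON bit position and the pfn_valid() check in the "before" path are assumptions of the model.

```c
#include <stdio.h>
#include <string.h>

/* User-space model only: names mirror the kernel's, bodies are simplified. */
#define PAGES_PER_SECTION   8UL
#define NR_SECTIONS         4UL
#define NR_PAGES            (PAGES_PER_SECTION * NR_SECTIONS)
#define PAGE_POISON_PATTERN (~0UL)     /* fill value of an uninitialized struct page */
#define PG_HWPOISON         (1UL << 0) /* constructed bit position */
enum { UNPOISON_OK = 0, UNPOISON_REJECTED = -1, UNPOISON_WOULD_BUG = -2 };
struct page { unsigned long flags; };
static struct page memmap[NR_PAGES];     /* zeroed: all pages start initialized */
static int section_offline[NR_SECTIONS]; /* zeroed: all sections start online */

/* Model of step 1: the offlined block's struct pages become uninitialized. */
static void offline_section(unsigned long s) {
    section_offline[s] = 1;
    memset(&memmap[s * PAGES_PER_SECTION], 0xff, PAGES_PER_SECTION * sizeof(struct page));
}
static int pfn_valid(unsigned long pfn) { return pfn < NR_PAGES; }
static struct page *pfn_to_page(unsigned long pfn) { return &memmap[pfn]; }
static struct page *pfn_to_online_page(unsigned long pfn) {
    if (!pfn_valid(pfn) || section_offline[pfn / PAGES_PER_SECTION]) return NULL;
    return pfn_to_page(pfn);
}
static int PagePoisoned(const struct page *p) { return p->flags == PAGE_POISON_PATTERN; }
/* Flag access guarded by VM_BUG_ON_PAGE(PagePoisoned(page)) in the kernel. */
static int clear_hwpoison(struct page *p) {
    if (PagePoisoned(p)) return UNPOISON_WOULD_BUG; /* reported instead of crashing */
    p->flags &= ~PG_HWPOISON;
    return UNPOISON_OK;
}

/* Before (assumed shape): an offlined pfn still passes pfn_valid(). */
static int unpoison_before(unsigned long pfn) {
    if (!pfn_valid(pfn)) return UNPOISON_REJECTED;
    return clear_hwpoison(pfn_to_page(pfn));
}

/* After: fail as soon as pfn_to_online_page() returns NULL. */
static int unpoison_after(unsigned long pfn) {
    struct page *p = pfn_to_online_page(pfn);
    return p ? clear_hwpoison(p) : UNPOISON_REJECTED;
}

int main(void) {
    offline_section(2);
    printf("before=%d after=%d\n", unpoison_before(19), unpoison_after(19));
    return 0;
}
```

In the model, pfn 19 lies in the offlined section 2: the "before" path reaches the poisoned flags word, while the "after" path rejects the request without touching the struct page.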

CVSS Metrics

Common Vulnerability Scoring System

Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Attack Vector: L
Attack Complexity: L
Privileges Required: L
User Interaction: N
Scope: U
Confidentiality: H
Integrity: N
Availability: H

Known Affected Software

2 configuration(s) from 2 vendor(s)

debian_linux
  Version: 11.0
  CPE: cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

linux_kernel
  Version: 6.17
  CPE: cpe:2.3:o:linux:linux_kernel:6.17:-:*:*:*:*:*:*

This vulnerability affects 2 software configuration(s). Ensure you patch all affected systems.

Available Security Patches

10 patches available from vendors

USN-8261-1: Linux kernel (Xilinx) vulnerabilities
  Vendor: Canonical (Ubuntu); Severity: Unknown; Released: May 07, 2026; Restart Required; Security Update

USN-8163-2: Linux kernel (Azure) vulnerabilities
  Vendor: Canonical (Ubuntu); Severity: Unknown; Released: Apr 13, 2026; Restart Required; Security Update

USN-8165-1: Linux kernel (Azure FIPS) vulnerabilities
  Vendor: Canonical (Ubuntu); Severity: Unknown; Released: Apr 09, 2026; Restart Required; Security Update

USN-8163-1: Linux kernel (Azure FIPS) vulnerabilities
  Vendor: Canonical (Ubuntu); Severity: Unknown; Released: Apr 09, 2026; Restart Required; Security Update

USN-8095-5: Linux kernel (Raspberry Pi) vulnerabilities
  Vendor: Canonical (Ubuntu); Severity: Unknown; Released: Apr 01, 2026; Restart Required; Security Update

USN-8141-1: Linux kernel (Raspberry Pi) vulnerabilities
  Vendor: Canonical (Ubuntu); Severity: Unknown; Released: Apr 01, 2026; Restart Required; Security Update

USN-8126-1: Linux kernel (Azure) vulnerabilities
  Vendor: Canonical (Ubuntu); Severity: Unknown; Released: Mar 25, 2026; Restart Required; Security Update

USN-8125-1: Linux kernel (Azure) vulnerabilities
  Vendor: Canonical (Ubuntu); Severity: Unknown; Released: Mar 25, 2026; Restart Required; Security Update

USN-8095-4: Linux kernel (AWS) vulnerabilities
  Vendor: Canonical (Ubuntu); Severity: Unknown; Released: Mar 23, 2026; Restart Required; Security Update

USN-8095-3: Linux kernel (Real-time) vulnerabilities
  Vendor: Canonical (Ubuntu); Severity: Unknown; Released: Mar 17, 2026; Restart Required; Security Update

Severity Details

7.1 out of 10.0 (High)

Weakness Type (CWE)

CWE-125: Out-of-bounds Read (Top 25 #11)

Description: The product reads data past the end, or before the beginning, of the intended buffer.
Typical Severity: High
Abstraction Level: Base

Key Information

Published Date: September 23, 2025