
Description

In the Linux kernel, the following vulnerability has been resolved:

mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory

When I did memory failure tests, below panic occurs:

  page dumped because: VM_BUG_ON_PAGE(PagePoisoned(page))
  kernel BUG at include/linux/page-flags.h:616!
  Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
  CPU: 3 PID: 720 Comm: bash Not tainted 6.10.0-rc1-00195-g148743902568 #40
  RIP: 0010:unpoison_memory+0x2f3/0x590
  RSP: 0018:ffffa57fc8787d60 EFLAGS: 00000246
  RAX: 0000000000000037 RBX: 0000000000000009 RCX: ffff9be25fcdc9c8
  RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff9be25fcdc9c0
  RBP: 0000000000300000 R08: ffffffffb4956f88 R09: 0000000000009ffb
  R10: 0000000000000284 R11: ffffffffb4926fa0 R12: ffffe6b00c000000
  R13: ffff9bdb453dfd00 R14: 0000000000000000 R15: fffffffffffffffe
  FS: 00007f08f04e4740(0000) GS:ffff9be25fcc0000(0000) knlGS:0000000000000000
  CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 0000564787a30410 CR3: 000000010d4e2000 CR4: 00000000000006f0
  Call Trace:
   <TASK>
   unpoison_memory+0x2f3/0x590
   simple_attr_write_xsigned.constprop.0.isra.0+0xb3/0x110
   debugfs_attr_write+0x42/0x60
   full_proxy_write+0x5b/0x80
   vfs_write+0xd5/0x540
   ksys_write+0x64/0xe0
   do_syscall_64+0xb9/0x1d0
   entry_SYSCALL_64_after_hwframe+0x77/0x7f
  RIP: 0033:0x7f08f0314887
  RSP: 002b:00007ffece710078 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
  RAX: ffffffffffffffda RBX: 0000000000000009 RCX: 00007f08f0314887
  RDX: 0000000000000009 RSI: 0000564787a30410 RDI: 0000000000000001
  RBP: 0000564787a30410 R08: 000000000000fefe R09: 000000007fffffff
  R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000009
  R13: 00007f08f041b780 R14: 00007f08f0417600 R15: 00007f08f0416a00
   </TASK>
  Modules linked in: hwpoison_inject
  ---[ end trace 0000000000000000 ]---
  RIP: 0010:unpoison_memory+0x2f3/0x590
  RSP: 0018:ffffa57fc8787d60 EFLAGS: 00000246
  RAX: 0000000000000037 RBX: 0000000000000009 RCX: ffff9be25fcdc9c8
  RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff9be25fcdc9c0
  RBP: 0000000000300000 R08: ffffffffb4956f88 R09: 0000000000009ffb
  R10: 0000000000000284 R11: ffffffffb4926fa0 R12: ffffe6b00c000000
  R13: ffff9bdb453dfd00 R14: 0000000000000000 R15: fffffffffffffffe
  FS: 00007f08f04e4740(0000) GS:ffff9be25fcc0000(0000) knlGS:0000000000000000
  CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 0000564787a30410 CR3: 000000010d4e2000 CR4: 00000000000006f0
  Kernel panic - not syncing: Fatal exception
  Kernel Offset: 0x31c00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
  ---[ end Kernel panic - not syncing: Fatal exception ]---

The root cause is that unpoison_memory() tries to check the PG_HWPoison flags of an uninitialized page. So VM_BUG_ON_PAGE(PagePoisoned(page)) is triggered.

This can be reproduced by below steps:

1. Offline memory block:
   echo offline > /sys/devices/system/memory/memory12/state
2. Get offlined memory pfn:
   page-types -b n -rlN
3. Write pfn to unpoison-pfn:
   echo <pfn> > /sys/kernel/debug/hwpoison/unpoison-pfn

This scenario can be identified by pfn_to_online_page() returning NULL. And ZONE_DEVICE pages are never expected, so we can simply fail if pfn_to_online_page() == NULL to fix the bug.

PUBLISHED Reserved 2025-04-16 | Published 2025-09-23 | Updated 2025-11-03 | Assigner Linux

Product status

Default status
unaffected

f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe (git) before 8e01ea186a52c90694c08a9ff57bea1b0e78256a
affected

f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe (git) before fb65803ccff37cf9123c50c1c02efd1ed73c4ed5
affected

f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe (git) before 99f7048957f5ae3cee1c01189147e73a9a96de02
affected

f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe (git) before e4ec6def5643a1c9511115b3884eb879572294c6
affected

f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe (git) before 3d278e89c2ea62b1aaa4b0d8a9766a35b3a3164a
affected

f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe (git) before 7618fd443aa4cfa553a64cacf5721581653ee7b0
affected

f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe (git) before 63a327a2375a8ce7a47dec5aaa4d8a9ae0a00b96
affected

f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe (git) before d613f53c83ec47089c4e25859d5e8e0359f6f8da
affected

Default status
affected

4.13
affected

Any version before 4.13
unaffected

5.4.300 (semver)
unaffected

5.10.245 (semver)
unaffected

5.15.194 (semver)
unaffected

6.1.153 (semver)
unaffected

6.6.107 (semver)
unaffected

6.12.48 (semver)
unaffected

6.16.8 (semver)
unaffected

6.17 (original_commit_for_fix)
unaffected
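
The version list above can be applied mechanically to a `uname -r` style release string. The following is an added example, not part of the CVE record or the kernel project's code; the function names `parse_release` and `classify` are hypothetical. It assumes upstream stable version numbering, so a vendor kernel that backports the fix without changing its base version is still reported as affected.

```python
import platform
import re

# Values copied from the product status list above.
INTRODUCED = (4, 13)        # first affected release
MAINLINE_FIX = (6, 17)      # original_commit_for_fix
FIXED_IN_BRANCH = {         # stable branch -> first unaffected patch level
    (5, 4): 300, (5, 10): 245, (5, 15): 194, (6, 1): 153,
    (6, 6): 107, (6, 12): 48, (6, 16): 8,
}


def parse_release(release):
    """Split a `uname -r` style string into (major, minor, patch, is_rc)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if m is None:
        raise ValueError(f"not a kernel release string: {release!r}")
    is_rc = re.search(r"-rc\d+", release) is not None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0), is_rc


def classify(release):
    """Return 'unaffected', 'affected' or 'unknown' for an upstream release."""
    major, minor, patch, is_rc = parse_release(release)
    branch = (major, minor)
    if branch < INTRODUCED or branch > MAINLINE_FIX:
        return "unaffected"
    if branch == MAINLINE_FIX:
        # A 6.17 release candidate may predate the fix commit.
        return "unknown" if is_rc else "unaffected"
    if branch in FIXED_IN_BRANCH:
        return "unaffected" if patch >= FIXED_IN_BRANCH[branch] else "affected"
    # Branch between 4.13 and 6.17 with no fixed release listed in the record.
    return "affected"


if __name__ == "__main__":
    rel = platform.release()  # meaningful on Linux hosts only
    try:
        print(rel, "->", classify(rel))
    except ValueError as exc:
        print(exc)
```

An "affected" result only matters in practice where /sys/kernel/debug/hwpoison/unpoison-pfn exists, that is, where the hwpoison_inject module shown in the trace is loaded and debugfs is mounted.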

References

lists.debian.org/debian-lts-announce/2025/10/msg00008.html

git.kernel.org/...c/8e01ea186a52c90694c08a9ff57bea1b0e78256a

git.kernel.org/...c/fb65803ccff37cf9123c50c1c02efd1ed73c4ed5

git.kernel.org/...c/99f7048957f5ae3cee1c01189147e73a9a96de02

git.kernel.org/...c/e4ec6def5643a1c9511115b3884eb879572294c6

git.kernel.org/...c/3d278e89c2ea62b1aaa4b0d8a9766a35b3a3164a

git.kernel.org/...c/7618fd443aa4cfa553a64cacf5721581653ee7b0

git.kernel.org/...c/63a327a2375a8ce7a47dec5aaa4d8a9ae0a00b96

git.kernel.org/...c/d613f53c83ec47089c4e25859d5e8e0359f6f8da

cve.org (CVE-2025-39883)

nvd.nist.gov (CVE-2025-39883)
