2375304 – (CVE-2025-38085) CVE-2025-38085 kernel: mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race

Bug 2375304 (CVE-2025-38085) - CVE-2025-38085 kernel: mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race

Summary: CVE-2025-38085 kernel: mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race

Keywords:
Status:	NEW
Alias:	CVE-2025-38085
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-06-28 08:01 UTC by OSIDB Bzimport
Modified:	2025-06-30 03:02 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-06-28 08:01:11 UTC

In the Linux kernel, the following vulnerability has been resolved:

mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race

huge_pmd_unshare() drops a reference on a page table that may have
previously been shared across processes, potentially turning it into a
normal page table used in another process in which unrelated VMAs can
afterwards be installed.

If this happens in the middle of a concurrent gup_fast(), gup_fast() could
end up walking the page tables of another process.  While I don't see any
way in which that immediately leads to kernel memory corruption, it is
really weird and unexpected.

Fix it with an explicit broadcast IPI through tlb_remove_table_sync_one(),
just like we do in khugepaged when removing page tables for a THP
collapse.

Comment 1 Avinash Hanwate 2025-06-30 02:54:28 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025062836-CVE-2025-38085-8075@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.