2419871 – (CVE-2025-40311) CVE-2025-40311 kernel: accel/habanalabs: support mapping cb with vmalloc-backed coherent memory

Bug 2419871 (CVE-2025-40311) - CVE-2025-40311 kernel: accel/habanalabs: support mapping cb with vmalloc-backed coherent memory

Summary: CVE-2025-40311 kernel: accel/habanalabs: support mapping cb with vmalloc-back...

Keywords:
Status:	NEW
Alias:	CVE-2025-40311
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-12-08 07:04 UTC by OSIDB Bzimport
Modified:	2025-12-08 23:42 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-12-08 07:04:55 UTC

In the Linux kernel, the following vulnerability has been resolved:

accel/habanalabs: support mapping cb with vmalloc-backed coherent memory

When IOMMU is enabled, dma_alloc_coherent() with GFP_USER may return
addresses from the vmalloc range. If such an address is mapped without
VM_MIXEDMAP, vm_insert_page() will trigger a BUG_ON due to the
VM_PFNMAP restriction.

Fix this by checking for vmalloc addresses and setting VM_MIXEDMAP
in the VMA before mapping. This ensures safe mapping and avoids kernel
crashes. The memory is still driver-allocated and cannot be accessed
directly by userspace.

Comment 1 Jon Moroney 2025-12-08 23:37:31 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025120821-CVE-2025-40311-34ea@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.