CVE-2025-39899

Summary

In the Linux kernel, the following vulnerability has been resolved:

mm/userfaultfd: fix kmap_local LIFO ordering for CONFIG_HIGHPTE

With CONFIG_HIGHPTE on 32-bit ARM, move_pages_pte() maps PTE pages using kmap_local_page(), which requires unmapping in Last-In-First-Out order.

The current code maps dst_pte first, then src_pte, but unmaps them in the same order (dst_pte, src_pte), violating the LIFO requirement. This causes the warning in kunmap_local_indexed():

WARNING: CPU: 0 PID: 604 at mm/highmem.c:622 kunmap_local_indexed+0x178/0x17c addr != __fix_to_virt(FIX_KMAP_BEGIN + idx)

Fix this by reversing the unmap order to respect LIFO ordering.

This issue follows the same pattern as similar fixes:

  • commit eca6828403b8 ("crypto: skcipher - fix mismatch between mapping and unmapping order")
  • commit 8cf57c6df818 ("nilfs2: eliminate staggered calls to kunmap in nilfs_rename")

Both of which addressed the same fundamental requirement that kmap_local operations must follow LIFO ordering.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxadef440691bab824e39c1b17382322d195e1fab0 < b051f707018967ea8f697d790a1ed8c443f63812affected
LinuxLinuxadef440691bab824e39c1b17382322d195e1fab0 < bd1ee62759d0bd4d6b909731c076c230ac89d61eaffected
LinuxLinuxadef440691bab824e39c1b17382322d195e1fab0 < 9614d8bee66387501f48718fa306e17f2aa3f2f3affected
LinuxLinux6.8affected
LinuxLinux0 < 6.8unaffected
LinuxLinux6.12.46 <= 6.12.*unaffected
LinuxLinux6.16.6 <= 6.16.*unaffected
LinuxLinux6.17 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References