CVE-2025-39910

Summary

In the Linux kernel, the following vulnerability has been resolved:

mm/vmalloc, mm/kasan: respect gfp mask in kasan_populate_vmalloc()

kasan_populate_vmalloc() and its helpers ignore the caller's gfp_mask and always allocate memory using the hardcoded GFP_KERNEL flag. This makes them inconsistent with vmalloc(), which was recently extended to support GFP_NOFS and GFP_NOIO allocations.

Page table allocations performed during shadow population also ignore the external gfp_mask. To preserve the intended semantics of GFP_NOFS and GFP_NOIO, wrap the apply_to_page_range() calls into the appropriate memalloc scope.

xfs calls vmalloc with GFP_NOFS, so this bug could lead to deadlock.

There was a report here https://lkml.kernel.org/r/686ea951.050a0220.385921.0016.GAE@google.com

This patch:

  • Extends kasan_populate_vmalloc() and helpers to take gfp_mask;
  • Passes gfp_mask down to alloc_pages_bulk() and __get_free_page();
  • Enforces GFP_NOFS/NOIO semantics with memalloc_*_save()/restore() around apply_to_page_range();
  • Updates vmalloc.c and percpu allocator call sites accordingly.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux451769ebb7e792c3404db53b3c2a422990de654e < 33b95d90427cb4babf32059e323a6d0c027610feaffected
LinuxLinux451769ebb7e792c3404db53b3c2a422990de654e < 79357cd06d41d0f5a11b17d7c86176e395d10ef2affected
LinuxLinux5.17affected
LinuxLinux0 < 5.17unaffected
LinuxLinux6.16.8 <= 6.16.*unaffected
LinuxLinux6.17 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References