CVE-2025-22034: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: mm/gup: reject FOLL_SPLIT_PMD with hugetlb VMAs Patch series "mm: fixes for device-exclusive entries (hmm)", v2. Discussing the PageTail() call in make_device_exclusive_range() with Willy, I recently discovered [1] that device-exclusive handling does not properly work with THP, making the hmm-tests selftests fail if THPs are enabled on the system. Looking into more details, I found that hugetlb is not properly fenced, and I realized that something that was bugging me for longer -- how device-exclusive entries interact with mapcounts -- completely breaks migration/swapout/split/hwpoison handling of these folios while they have device-exclusive PTEs. The program below can be used to allocate 1 GiB worth of pages and making them device-exclusive on a kernel with CONFIG_TEST_HMM. Once they are device-exclusive, these folios cannot get swapped out (proc$pid/smaps_rollup will always indicate 1 GiB RSS no matter how much one forces memory reclaim), and when having a memory block onlined to ZONE_MOVABLE, trying to offline it will loop forever and complain about failed migration of a page that should be movable. # echo offline > /sys/devices/system/memory/memory136/state # echo online_movable > /sys/devices/system/memory/memory136/state # ./hmm-swap & ... wait until everything is device-exclusive # echo offline > /sys/devices/system/memory/memory136/state [ 285.193431][T14882] page: refcount:2 mapcount:0 mapping:0000000000000000 index:0x7f20671f7 pfn:0x442b6a [ 285.196618][T14882] memcg:ffff888179298000 [ 285.198085][T14882] anon flags: 0x5fff0000002091c(referenced|uptodate| dirty|active|owner_2|swapbacked|node=1|zone=3|lastcpupid=0x7ff) [ 285.201734][T14882] raw: ... [ 285.204464][T14882] raw: ... [ 285.207196][T14882] page dumped because: migration failure [ 285.209072][T14882] page_owner tracks the page as allocated [ 285.210915][T14882] page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), id 14926, tgid 14926 (hmm-swap), ts 254506295376, free_ts 227402023774 [ 285.216765][T14882] post_alloc_hook+0x197/0x1b0 [ 285.218874][T14882] get_page_from_freelist+0x76e/0x3280 [ 285.220864][T14882] __alloc_frozen_pages_noprof+0x38e/0x2740 [ 285.223302][T14882] alloc_pages_mpol+0x1fc/0x540 [ 285.225130][T14882] folio_alloc_mpol_noprof+0x36/0x340 [ 285.227222][T14882] vma_alloc_folio_noprof+0xee/0x1a0 [ 285.229074][T14882] __handle_mm_fault+0x2b38/0x56a0 [ 285.230822][T14882] handle_mm_fault+0x368/0x9f0 ... This series fixes all issues I found so far. There is no easy way to fix without a bigger rework/cleanup. I have a bunch of cleanups on top (some previous sent, some the result of the discussion in v1) that I will send out separately once this landed and I get to it. I wish we could just use some special present PROT_NONE PTEs instead of these (non-present, non-none) fake-swap entries; but that just results in the same problem we keep having (lack of spare PTE bits), and staring at other similar fake-swap entries, that ship has sailed. With this series, make_device_exclusive() doesn't actually belong into mm/rmap.c anymore, but I'll leave moving that for another day. I only tested this series with the hmm-tests selftests due to lack of HW, so I'd appreciate some testing, especially if the interaction between two GPUs wanting a device-exclusive entry works as expected. <program> #include <stdio.h> #include <fcntl.h> #include <stdint.h> #include <unistd.h> #include <stdlib.h> #include <string.h> #include <sys/mman.h> #include <sys/ioctl.h> #include <linux/types.h> #include <linux/ioctl.h> #define HMM_DMIRROR_EXCLUSIVE _IOWR('H', 0x05, struct hmm_dmirror_cmd) struct hmm_dmirror_cmd { __u64 addr; __u64 ptr; __u64 npages; __u64 cpages; __u64 faults; }; const size_t size = 1 * 1024 * 1024 * 1024ul; const size_t chunk_size = 2 * 1024 * 1024ul; int m ---truncated---
AI Analysis
Technical Summary
CVE-2025-22034 is a vulnerability identified in the Linux kernel's memory management subsystem, specifically related to the handling of device-exclusive pages in conjunction with huge page support (hugetlb VMAs) and transparent huge pages (THP). The flaw arises because the kernel's device-exclusive memory handling does not correctly manage page migration, swapping, and splitting operations when huge pages are involved. This improper handling leads to scenarios where device-exclusive pages cannot be swapped out, causing persistent high memory usage (e.g., 1 GiB RSS remains constant despite memory reclaim attempts). Additionally, attempts to offline memory zones marked as movable can result in infinite loops due to failed page migration, potentially causing system instability or hangs. The root cause involves the interaction between device-exclusive page table entries (PTEs) and the kernel's page migration and memory reclaim mechanisms. The vulnerability affects the kernel's handling of mapcounts and page fencing for huge pages, which breaks expected behavior for memory migration, swapout, splitting, and hardware poisoning. The issue was discovered during testing with the Heterogeneous Memory Management (HMM) subsystem and device-exclusive memory tests, revealing that device-exclusive entries are not properly fenced when huge pages are used. Exploitation of this vulnerability requires the ability to allocate device-exclusive memory pages, which typically involves privileged access or specific kernel configurations (e.g., CONFIG_TEST_HMM). The vulnerability does not appear to be exploitable remotely or without local access. However, if exploited, it can cause denial of service conditions by preventing memory reclaim and causing system hangs during memory offlining operations. The patch series addressing this vulnerability involves significant rework of the device-exclusive memory handling code, improving the fencing and migration logic for huge pages and ensuring proper interaction with mapcounts. The fix prevents the infinite loops and memory reclaim failures by correctly managing device-exclusive entries in the presence of huge pages and THP. No known exploits are reported in the wild, and the vulnerability was responsibly disclosed and patched in the Linux kernel as of April 2025.
Potential Impact
For European organizations, the impact of CVE-2025-22034 primarily revolves around potential denial of service (DoS) scenarios on Linux systems that utilize device-exclusive memory features, huge pages, and transparent huge pages. Systems running workloads that rely on advanced memory management, such as high-performance computing, virtualization hosts, or GPU-accelerated applications, may be particularly affected. The inability to reclaim memory or offline movable memory zones can lead to resource exhaustion, degraded system performance, or complete system hangs, impacting critical infrastructure and services. Given the widespread use of Linux in European data centers, cloud providers, and enterprise environments, unpatched systems could face operational disruptions. Although exploitation requires local access and specific kernel configurations, insider threats or compromised privileged accounts could trigger the vulnerability. This risk is heightened in environments with heterogeneous memory architectures or GPU sharing, common in research institutions and industries like automotive, manufacturing, and finance. The vulnerability does not directly expose confidentiality or integrity risks but can indirectly affect availability, which is critical for compliance with European regulations such as GDPR and NIS Directive that mandate service continuity and incident management.
Mitigation Recommendations
1. Apply the official Linux kernel patches that address CVE-2025-22034 as soon as they become available for your distribution. Ensure that kernel versions are updated to include the fixes for device-exclusive memory handling and huge page migration. 2. Audit and monitor systems for usage of device-exclusive memory features and huge pages, especially in environments utilizing HMM or GPU sharing, to identify potentially vulnerable configurations. 3. Limit privileged access to systems and restrict the ability to allocate device-exclusive memory to trusted users and processes only. 4. Disable transparent huge pages (THP) or hugetlb support temporarily on critical systems if patching is delayed and if these features are not essential for workload performance. 5. Implement robust monitoring for memory usage anomalies and system logs indicating migration failures or memory offlining issues, enabling early detection of exploitation attempts or system instability. 6. Conduct thorough testing of kernel updates in staging environments, particularly for workloads involving device-exclusive memory and GPUs, to ensure stability before production deployment. 7. Collaborate with hardware and GPU vendors to verify compatibility and support for patched kernel versions, as the vulnerability involves interactions with device-exclusive memory and GPUs.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
CVE-2025-22034: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: mm/gup: reject FOLL_SPLIT_PMD with hugetlb VMAs Patch series "mm: fixes for device-exclusive entries (hmm)", v2. Discussing the PageTail() call in make_device_exclusive_range() with Willy, I recently discovered [1] that device-exclusive handling does not properly work with THP, making the hmm-tests selftests fail if THPs are enabled on the system. Looking into more details, I found that hugetlb is not properly fenced, and I realized that something that was bugging me for longer -- how device-exclusive entries interact with mapcounts -- completely breaks migration/swapout/split/hwpoison handling of these folios while they have device-exclusive PTEs. The program below can be used to allocate 1 GiB worth of pages and making them device-exclusive on a kernel with CONFIG_TEST_HMM. Once they are device-exclusive, these folios cannot get swapped out (proc$pid/smaps_rollup will always indicate 1 GiB RSS no matter how much one forces memory reclaim), and when having a memory block onlined to ZONE_MOVABLE, trying to offline it will loop forever and complain about failed migration of a page that should be movable. # echo offline > /sys/devices/system/memory/memory136/state # echo online_movable > /sys/devices/system/memory/memory136/state # ./hmm-swap & ... wait until everything is device-exclusive # echo offline > /sys/devices/system/memory/memory136/state [ 285.193431][T14882] page: refcount:2 mapcount:0 mapping:0000000000000000 index:0x7f20671f7 pfn:0x442b6a [ 285.196618][T14882] memcg:ffff888179298000 [ 285.198085][T14882] anon flags: 0x5fff0000002091c(referenced|uptodate| dirty|active|owner_2|swapbacked|node=1|zone=3|lastcpupid=0x7ff) [ 285.201734][T14882] raw: ... [ 285.204464][T14882] raw: ... [ 285.207196][T14882] page dumped because: migration failure [ 285.209072][T14882] page_owner tracks the page as allocated [ 285.210915][T14882] page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), id 14926, tgid 14926 (hmm-swap), ts 254506295376, free_ts 227402023774 [ 285.216765][T14882] post_alloc_hook+0x197/0x1b0 [ 285.218874][T14882] get_page_from_freelist+0x76e/0x3280 [ 285.220864][T14882] __alloc_frozen_pages_noprof+0x38e/0x2740 [ 285.223302][T14882] alloc_pages_mpol+0x1fc/0x540 [ 285.225130][T14882] folio_alloc_mpol_noprof+0x36/0x340 [ 285.227222][T14882] vma_alloc_folio_noprof+0xee/0x1a0 [ 285.229074][T14882] __handle_mm_fault+0x2b38/0x56a0 [ 285.230822][T14882] handle_mm_fault+0x368/0x9f0 ... This series fixes all issues I found so far. There is no easy way to fix without a bigger rework/cleanup. I have a bunch of cleanups on top (some previous sent, some the result of the discussion in v1) that I will send out separately once this landed and I get to it. I wish we could just use some special present PROT_NONE PTEs instead of these (non-present, non-none) fake-swap entries; but that just results in the same problem we keep having (lack of spare PTE bits), and staring at other similar fake-swap entries, that ship has sailed. With this series, make_device_exclusive() doesn't actually belong into mm/rmap.c anymore, but I'll leave moving that for another day. I only tested this series with the hmm-tests selftests due to lack of HW, so I'd appreciate some testing, especially if the interaction between two GPUs wanting a device-exclusive entry works as expected. <program> #include <stdio.h> #include <fcntl.h> #include <stdint.h> #include <unistd.h> #include <stdlib.h> #include <string.h> #include <sys/mman.h> #include <sys/ioctl.h> #include <linux/types.h> #include <linux/ioctl.h> #define HMM_DMIRROR_EXCLUSIVE _IOWR('H', 0x05, struct hmm_dmirror_cmd) struct hmm_dmirror_cmd { __u64 addr; __u64 ptr; __u64 npages; __u64 cpages; __u64 faults; }; const size_t size = 1 * 1024 * 1024 * 1024ul; const size_t chunk_size = 2 * 1024 * 1024ul; int m ---truncated---
AI-Powered Analysis
Technical Analysis
CVE-2025-22034 is a vulnerability identified in the Linux kernel's memory management subsystem, specifically related to the handling of device-exclusive pages in conjunction with huge page support (hugetlb VMAs) and transparent huge pages (THP). The flaw arises because the kernel's device-exclusive memory handling does not correctly manage page migration, swapping, and splitting operations when huge pages are involved. This improper handling leads to scenarios where device-exclusive pages cannot be swapped out, causing persistent high memory usage (e.g., 1 GiB RSS remains constant despite memory reclaim attempts). Additionally, attempts to offline memory zones marked as movable can result in infinite loops due to failed page migration, potentially causing system instability or hangs. The root cause involves the interaction between device-exclusive page table entries (PTEs) and the kernel's page migration and memory reclaim mechanisms. The vulnerability affects the kernel's handling of mapcounts and page fencing for huge pages, which breaks expected behavior for memory migration, swapout, splitting, and hardware poisoning. The issue was discovered during testing with the Heterogeneous Memory Management (HMM) subsystem and device-exclusive memory tests, revealing that device-exclusive entries are not properly fenced when huge pages are used. Exploitation of this vulnerability requires the ability to allocate device-exclusive memory pages, which typically involves privileged access or specific kernel configurations (e.g., CONFIG_TEST_HMM). The vulnerability does not appear to be exploitable remotely or without local access. However, if exploited, it can cause denial of service conditions by preventing memory reclaim and causing system hangs during memory offlining operations. The patch series addressing this vulnerability involves significant rework of the device-exclusive memory handling code, improving the fencing and migration logic for huge pages and ensuring proper interaction with mapcounts. The fix prevents the infinite loops and memory reclaim failures by correctly managing device-exclusive entries in the presence of huge pages and THP. No known exploits are reported in the wild, and the vulnerability was responsibly disclosed and patched in the Linux kernel as of April 2025.
Potential Impact
For European organizations, the impact of CVE-2025-22034 primarily revolves around potential denial of service (DoS) scenarios on Linux systems that utilize device-exclusive memory features, huge pages, and transparent huge pages. Systems running workloads that rely on advanced memory management, such as high-performance computing, virtualization hosts, or GPU-accelerated applications, may be particularly affected. The inability to reclaim memory or offline movable memory zones can lead to resource exhaustion, degraded system performance, or complete system hangs, impacting critical infrastructure and services. Given the widespread use of Linux in European data centers, cloud providers, and enterprise environments, unpatched systems could face operational disruptions. Although exploitation requires local access and specific kernel configurations, insider threats or compromised privileged accounts could trigger the vulnerability. This risk is heightened in environments with heterogeneous memory architectures or GPU sharing, common in research institutions and industries like automotive, manufacturing, and finance. The vulnerability does not directly expose confidentiality or integrity risks but can indirectly affect availability, which is critical for compliance with European regulations such as GDPR and NIS Directive that mandate service continuity and incident management.
Mitigation Recommendations
1. Apply the official Linux kernel patches that address CVE-2025-22034 as soon as they become available for your distribution. Ensure that kernel versions are updated to include the fixes for device-exclusive memory handling and huge page migration. 2. Audit and monitor systems for usage of device-exclusive memory features and huge pages, especially in environments utilizing HMM or GPU sharing, to identify potentially vulnerable configurations. 3. Limit privileged access to systems and restrict the ability to allocate device-exclusive memory to trusted users and processes only. 4. Disable transparent huge pages (THP) or hugetlb support temporarily on critical systems if patching is delayed and if these features are not essential for workload performance. 5. Implement robust monitoring for memory usage anomalies and system logs indicating migration failures or memory offlining issues, enabling early detection of exploitation attempts or system instability. 6. Conduct thorough testing of kernel updates in staging environments, particularly for workloads involving device-exclusive memory and GPUs, to ensure stability before production deployment. 7. Collaborate with hardware and GPU vendors to verify compatibility and support for patched kernel versions, as the vulnerability involves interactions with device-exclusive memory and GPUs.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-12-29T08:45:45.808Z
- Cisa Enriched
- false
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9831c4522896dcbe7ecc
Added to database: 5/21/2025, 9:09:05 AM
Last enriched: 7/3/2025, 7:58:01 PM
Last updated: 7/30/2025, 9:50:34 PM
Views: 16
Related Threats
CVE-2025-8690: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in addix Simple Responsive Slider
MediumCVE-2025-8688: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ebernstein Inline Stock Quotes
MediumCVE-2025-8685: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in emilien Wp chart generator
MediumCVE-2025-8621: CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in odn Mosaic Generator
MediumCVE-2025-8568: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in prabode GMap Generator
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.