CVE-2025-38029 in Linuxinfo

Summary

by MITRE • 06/18/2025

In the Linux kernel, the following vulnerability has been resolved:

kasan: avoid sleepable page allocation from atomic context

apply_to_pte_range() enters the lazy MMU mode and then invokes kasan_populate_vmalloc_pte() callback on each page table walk iteration. However, the callback can go into sleep when trying to allocate a single page, e.g. if an architecutre disables preemption on lazy MMU mode enter.

On s390 if make arch_enter_lazy_mmu_mode() -> preempt_enable() and arch_leave_lazy_mmu_mode() -> preempt_disable(), such crash occurs:

[ 0.663336] BUG: sleeping function called from invalid context at ./include/linux/sched/mm.h:321
[ 0.663348] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 2, name: kthreadd
[ 0.663358] preempt_count: 1, expected: 0
[ 0.663366] RCU nest depth: 0, expected: 0
[ 0.663375] no locks held by kthreadd/2.
[ 0.663383] Preemption disabled at:
[ 0.663386] [<0002f3284cbb4eda>] apply_to_pte_range+0xfa/0x4a0
[ 0.663405] CPU: 0 UID: 0 PID: 2 Comm: kthreadd Not tainted 6.15.0-rc5-gcc-kasan-00043-gd76bb1ebb558-dirty #162 PREEMPT
[ 0.663408] Hardware name: IBM 3931 A01 701 (KVM/Linux)
[ 0.663409] Call Trace:
[ 0.663410] [<0002f3284c385f58>] dump_stack_lvl+0xe8/0x140
[ 0.663413] [<0002f3284c507b9e>] __might_resched+0x66e/0x700
[ 0.663415] [<0002f3284cc4f6c0>] __alloc_frozen_pages_noprof+0x370/0x4b0
[ 0.663419] [<0002f3284ccc73c0>] alloc_pages_mpol+0x1a0/0x4a0
[ 0.663421] [<0002f3284ccc8518>] alloc_frozen_pages_noprof+0x88/0xc0
[ 0.663424] [<0002f3284ccc8572>] alloc_pages_noprof+0x22/0x120
[ 0.663427] [<0002f3284cc341ac>] get_free_pages_noprof+0x2c/0xc0
[ 0.663429] [<0002f3284cceba70>] kasan_populate_vmalloc_pte+0x50/0x120
[ 0.663433] [<0002f3284cbb4ef8>] apply_to_pte_range+0x118/0x4a0
[ 0.663435] [<0002f3284cbc7c14>] apply_to_pmd_range+0x194/0x3e0
[ 0.663437] [<0002f3284cbc99be>] __apply_to_page_range+0x2fe/0x7a0
[ 0.663440] [<0002f3284cbc9e88>] apply_to_page_range+0x28/0x40
[ 0.663442] [<0002f3284ccebf12>] kasan_populate_vmalloc+0x82/0xa0
[ 0.663445] [<0002f3284cc1578c>] alloc_vmap_area+0x34c/0xc10
[ 0.663448] [<0002f3284cc1c2a6>] __get_vm_area_node+0x186/0x2a0
[ 0.663451] [<0002f3284cc1e696>] __vmalloc_node_range_noprof+0x116/0x310
[ 0.663454] [<0002f3284cc1d950>] __vmalloc_node_noprof+0xd0/0x110
[ 0.663457] [<0002f3284c454b88>] alloc_thread_stack_node+0xf8/0x330
[ 0.663460] [<0002f3284c458d56>] dup_task_struct+0x66/0x4d0
[ 0.663463] [<0002f3284c45be90>] copy_process+0x280/0x4b90
[ 0.663465] [<0002f3284c460940>] kernel_clone+0xd0/0x4b0
[ 0.663467] [<0002f3284c46115e>] kernel_thread+0xbe/0xe0
[ 0.663469] [<0002f3284c4e440e>] kthreadd+0x50e/0x7f0
[ 0.663472] [<0002f3284c38c04a>] __ret_from_fork+0x8a/0xf0
[ 0.663475] [<0002f3284ed57ff2>] ret_from_fork+0xa/0x38

Instead of allocating single pages per-PTE, bulk-allocate the shadow memory prior to applying kasan_populate_vmalloc_pte() callback on a page range.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 02/02/2026

The vulnerability described in CVE-2025-38029 resides within the Linux kernel's memory safety enforcement mechanisms, specifically involving the Kernel Address Sanitizer (KASAN) subsystem. This flaw manifests when the kasan_populate_vmalloc_pte() callback attempts to perform page allocation within an atomic context, which is strictly prohibited in kernel space to prevent potential deadlocks and system instability. The issue arises during the execution of apply_to_pte_range(), a function that enters lazy MMU mode and iterates through page table entries, invoking the KASAN callback for each entry. On certain architectures like s390, the lazy MMU mode implementation involves preempt_disable() and preempt_enable() calls that create an environment where sleeping functions cannot be safely invoked, leading to a kernel oops and system crash.

The technical root cause stems from the improper handling of memory allocation within atomic contexts, violating fundamental kernel design principles that mandate non-blocking operations in atomic sections. The call trace demonstrates that the allocation path leads through multiple kernel functions including __alloc_frozen_pages_noprof, alloc_pages_mpol, and ultimately kasan_populate_vmalloc_pte, which attempts to allocate memory while the system is in an atomic context. This scenario is particularly problematic on s390 architecture where the lazy MMU mode explicitly disables preemption, making any sleepable allocation fatal. The kernel's atomic context detection mechanism correctly identifies the violation, as evidenced by the BUG message indicating in_atomic(): 1 and preempt_count: 1, confirming that the system is operating in an atomic context where sleeping functions are not permitted.

The operational impact of this vulnerability is severe, as it can lead to immediate system crashes during critical kernel initialization phases, particularly when creating new processes or allocating virtual memory areas. The crash occurs during the early boot process when kthreadd attempts to create thread stacks, indicating that this vulnerability affects fundamental kernel operations essential for system stability. This issue directly relates to CWE-367, which addresses the hazard of time-of-check to time-of-use (TOCTOU) flaws and improper handling of atomic contexts. The vulnerability presents a clear threat to system reliability and availability, as it can cause complete system hangs or crashes during normal operation, particularly when virtual memory management is being initialized or modified.

The mitigation strategy implemented in the fix involves changing the memory allocation approach from per-PTE allocation to bulk allocation of shadow memory before invoking the kasan_populate_vmalloc_pte() callback. This change ensures that all necessary memory is pre-allocated in a safe context before entering the atomic section, thereby eliminating the risk of sleepable allocations during page table walks. This approach aligns with ATT&CK technique T1068, which involves privilege escalation through kernel vulnerabilities, as the fix prevents exploitation of this atomic context violation that could otherwise be leveraged to gain unauthorized system access. The solution effectively addresses the underlying architectural mismatch between KASAN's memory management requirements and the atomic constraints imposed by lazy MMU mode on specific architectures, providing a robust fix that maintains both security and system stability. This remediation strategy ensures that memory allocation occurs outside of atomic contexts, preventing the kernel from entering a state where it cannot properly handle the allocation request, thus maintaining system integrity and preventing potential denial-of-service conditions.

Responsible

Linux

Reservation

04/16/2025

Disclosure

06/18/2025

Moderation

accepted

CPE

ready

EPSS

0.00137

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!