CVE-2025-21869

In the Linux kernel, the following vulnerability has been resolved:

powerpc/code-patching: Disable KASAN report during patching via temporary mm

Erhard reports the following KASAN hit on Talos II (power9) with kernel 6.13:

[ 12.028126] ================================================================== [ 12.028198] BUG: KASAN: user-memory-access in copytokernel_nofault+0x8c/0x1a0 [ 12.028260] Write of size 8 at addr 0000187e458f2000 by task systemd/1

[ 12.028346] CPU: 87 UID: 0 PID: 1 Comm: systemd Tainted: G T 6.13.0-P9-dirty #3 [ 12.028408] Tainted: [T]=RANDSTRUCT [ 12.028446] Hardware name: T2P9D01 REV 1.01 POWER9 0x4e1202 opal:skiboot-bc106a0 PowerNV [ 12.028500] Call Trace: [ 12.028536] [c000000008dbf3b0] [c000000001656a48] dumpstacklvl+0xbc/0x110 (unreliable) [ 12.028609] [c000000008dbf3f0] [c0000000006e2fc8] printreport+0x6b0/0x708 [ 12.028666] [c000000008dbf4e0] [c0000000006e2454] kasanreport+0x164/0x300 [ 12.028725] [c000000008dbf600] [c0000000006e54d4] kasancheckrange+0x314/0x370 [ 12.028784] [c000000008dbf640] [c0000000006e6310] _kasancheckwrite+0x20/0x40 [ 12.028842] [c000000008dbf660] [c000000000578e8c] copytokernelnofault+0x8c/0x1a0 [ 12.028902] [c000000008dbf6a0] [c0000000000acfe4] _patchinstructions+0x194/0x210 [ 12.028965] [c000000008dbf6e0] [c0000000000ade80] patchinstructions+0x150/0x590 [ 12.029026] [c000000008dbf7c0] [c0000000001159bc] bpfarchtextcopy+0x6c/0xe0 [ 12.029085] [c000000008dbf800] [c000000000424250] bpfjitbinarypackfinalize+0x40/0xc0 [ 12.029147] [c000000008dbf830] [c000000000115dec] bpfintjitcompile+0x3bc/0x930 [ 12.029206] [c000000008dbf990] [c000000000423720] bpfprogselectruntime+0x1f0/0x280 [ 12.029266] [c000000008dbfa00] [c000000000434b18] bpfprogload+0xbb8/0x1370 [ 12.029324] [c000000008dbfb70] [c000000000436ebc] _sysbpf+0x5ac/0x2e00 [ 12.029379] [c000000008dbfd00] [c00000000043a228] sysbpf+0x28/0x40 [ 12.029435] [c000000008dbfd20] [c000000000038eb4] systemcallexception+0x334/0x610 [ 12.029497] [c000000008dbfe50] [c00000000000c270] systemcallvectoredcommon+0xf0/0x280 [ 12.029561] --- interrupt: 3000 at 0x3fff82f5cfa8 [ 12.029608] NIP: 00003fff82f5cfa8 LR: 00003fff82f5cfa8 CTR: 0000000000000000 [ 12.029660] REGS: c000000008dbfe80 TRAP: 3000 Tainted: G T (6.13.0-P9-dirty) [ 12.029735] MSR: 900000000280f032 <SF,HV,VEC,VSX,EE,PR,FP,ME,IR,DR,RI> CR: 42004848 XER: 00000000 [ 12.029855] IRQMASK: 0 GPR00: 0000000000000169 00003fffdcf789a0 00003fff83067100 0000000000000005 GPR04: 00003fffdcf78a98 0000000000000090 0000000000000000 0000000000000008 GPR08: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 GPR12: 0000000000000000 00003fff836ff7e0 c000000000010678 0000000000000000 GPR16: 0000000000000000 0000000000000000 00003fffdcf78f28 00003fffdcf78f90 GPR20: 0000000000000000 0000000000000000 0000000000000000 00003fffdcf78f80 GPR24: 00003fffdcf78f70 00003fffdcf78d10 00003fff835c7239 00003fffdcf78bd8 GPR28: 00003fffdcf78a98 0000000000000000 0000000000000000 000000011f547580 [ 12.030316] NIP [00003fff82f5cfa8] 0x3fff82f5cfa8 [ 12.030361] LR [00003fff82f5cfa8] 0x3fff82f5cfa8 [ 12.030405] --- interrupt: 3000 [ 12.030444] ==================================================================

Commit c28c15b6d28a ("powerpc/code-patching: Use temporary mm for Radix MMU") is inspired from x86 but unlike x86 is doesn't disable KASAN reports during patching. This wasn't a problem at the begining because _patchmem() is not instrumented.

Commit 465cabc97b42 ("powerpc/code-patching: introduce patchinstructions()") use copytokernelnofault() to copy several instructions at once. But when using temporary mm the destination is not regular kernel memory but a kind of kernel-like memory located in user address space. ---truncated---