In the Linux kernel, the following vulnerability has been resolved:
mm/migrate: fix shmem xarray update during migration
A shmem folio can be either in page cache or in swap cache, but not at the same time. Namely, once it is in swap cache, folio->mapping should be NULL, and the folio is no longer in a shmem mapping.
In __folio_migrate_mapping(), to determine the number of xarray entries to update, folio_test_swapbacked() is used, but that conflates shmem in page cache case and shmem in swap cache case. It leads to xarray multi-index entry corruption, since it turns a sibling entry to a normal entry during xas_store() (see [1] for a userspace reproduction). Fix it by only using folio_test_swapcache() to determine whether xarray is storing swap cache entries or not to choose the right number of xarray entries to update.
[1] https://lore.kernel.org/linux-mm/Z8idPCkaJW1IChjT@casper.infradead.org/
Note: In __split_huge_page(), folio_test_anon() && folio_test_swapcache() is used to get swapcache address space, but that ignores the shmem folio in swap cache case. It could lead to NULL pointer dereferencing when an in-swap-cache shmem folio is split at __xa_store(), since !folio_test_anon() is true and folio->mapping is NULL. But fortunately, its caller split_huge_page_to_list_to_order() bails out early with EBUSY when folio->mapping is NULL. So no need to take care of it here.
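Added example, not kernel code and not part of the commit: a userspace toy model of the entry-count choice described above, showing how keying on "swap-backed" rewrites the sibling slots of a shmem folio that sits in page cache, while keying on "in swap cache" leaves them intact. The slot array, `struct toy_folio` and all function names are hypothetical stand-ins for the xarray and folio flags.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model, not kernel code: one slot per index, as in a single xarray node. */
enum kind { EMPTY, NORMAL, SIBLING };
struct slot { enum kind kind; int folio_id; };  /* SIBLING defers to its head slot */
struct toy_folio { int id; unsigned nr; bool swapbacked, swapcache; };

/* Page cache: one multi-index entry (head + nr-1 siblings).
 * Swap cache: nr separate normal entries. */
static void insert(struct slot *s, const struct toy_folio *f)
{
    for (unsigned i = 0; i < f->nr; i++) {
        bool sibling = !f->swapcache && i > 0;
        s[i] = (struct slot){ sibling ? SIBLING : NORMAL, sibling ? 0 : f->id };
    }
}

/* Number of slots migration rewrites: the pre-fix test keys on swap-backed,
 * the post-fix test keys on actually being in swap cache. */
static unsigned entries_to_update(const struct toy_folio *f, bool fixed)
{
    bool per_page = fixed ? f->swapcache : f->swapbacked;
    return per_page ? f->nr : 1;
}

/* Migrate f to a new folio and return how many sibling slots survive. */
static unsigned siblings_after_migrate(struct toy_folio f, bool fixed)
{
    struct slot s[8] = { { EMPTY, 0 } };        /* f.nr must be <= 8 */
    unsigned left = 0, entries = entries_to_update(&f, fixed);

    insert(s, &f);
    for (unsigned i = 0; i < entries; i++)      /* one store per entry */
        s[i] = (struct slot){ NORMAL, f.id + 1 };
    for (unsigned i = 0; i < f.nr; i++)
        left += (s[i].kind == SIBLING);
    return left;
}

int main(void)
{
    struct toy_folio shmem_pagecache = { 1, 4, true, false };  /* constructed */
    printf("before fix: %u siblings left\n", siblings_after_migrate(shmem_pagecache, false));
    printf("after fix:  %u siblings left\n", siblings_after_migrate(shmem_pagecache, true));
    return 0;
}
```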
[
{
"signature_type": "Function",
"deprecated": false,
"target": {
"file": "mm/migrate.c",
"function": "folio_migrate_mapping"
},
"digest": {
"length": 2088.0,
"function_hash": "14923251138126787591266845793489643923"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@29124ae980e2860f0eec7355949d3d3292ee81da",
"signature_version": "v1",
"id": "CVE-2025-22015-2989e7ec"
},
{
"signature_type": "Line",
"deprecated": false,
"target": {
"file": "mm/migrate.c"
},
"digest": {
"line_hashes": [
],
"threshold": 0.9
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@29124ae980e2860f0eec7355949d3d3292ee81da",
"signature_version": "v1",
"id": "CVE-2025-22015-42391fef"
},
{
"signature_type": "Function",
"deprecated": false,
"target": {
"file": "mm/migrate.c",
"function": "__folio_migrate_mapping"
},
"digest": {
"length": 2388.0,
"function_hash": "49494306931211139082726422742379205110"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c057ee03f751d6cecf7ee64f52f6545d94082aaa",
"signature_version": "v1",
"id": "CVE-2025-22015-8fbd106a"
},
{
"signature_type": "Line",
"deprecated": false,
"target": {
"file": "mm/migrate.c"
},
"digest": {
"line_hashes": [
],
"threshold": 0.9
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c057ee03f751d6cecf7ee64f52f6545d94082aaa",
"signature_version": "v1",
"id": "CVE-2025-22015-92eaf490"
},
{
"signature_type": "Function",
"deprecated": false,
"target": {
"file": "mm/migrate.c",
"function": "folio_migrate_mapping"
},
"digest": {
"length": 2063.0,
"function_hash": "189246379524580923976876462192890086343"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@49100c0b070e900f87c8fac3be9b9ef8a30fa673",
"signature_version": "v1",
"id": "CVE-2025-22015-cb0975c8"
},
{
"signature_type": "Line",
"deprecated": false,
"target": {
"file": "mm/migrate.c"
},
"digest": {
"line_hashes": [
],
"threshold": 0.9
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@49100c0b070e900f87c8fac3be9b9ef8a30fa673",
"signature_version": "v1",
"id": "CVE-2025-22015-f48269ec"
}
]