CVE-2025-37960

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-37960
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-37960.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-37960
Published
2025-05-20T16:01:53.264Z
Modified
2025-11-28T02:35:04.585509Z
Summary
memblock: Accept allocated memory before use in memblock_double_array()
Details

In the Linux kernel, the following vulnerability has been resolved:

memblock: Accept allocated memory before use in memblock_double_array()

When increasing the array size in memblock_double_array() and the slab is not yet available, a call to memblock_find_in_range() is used to reserve/allocate memory. However, the range returned may not have been accepted, which can result in a crash when booting an SNP guest:

    RIP: 0010:memcpy_orig+0x68/0x130
    Code: ...
    RSP: 0000:ffffffff9cc03ce8 EFLAGS: 00010006
    RAX: ff11001ff83e5000 RBX: 0000000000000000 RCX: fffffffffffff000
    RDX: 0000000000000bc0 RSI: ffffffff9dba8860 RDI: ff11001ff83e5c00
    RBP: 0000000000002000 R08: 0000000000000000 R09: 0000000000002000
    R10: 000000207fffe000 R11: 0000040000000000 R12: ffffffff9d06ef78
    R13: ff11001ff83e5000 R14: ffffffff9dba7c60 R15: 0000000000000c00
    memblock_double_array+0xff/0x310
    memblock_add_range+0x1fb/0x2f0
    memblock_reserve+0x4f/0xa0
    memblock_alloc_range_nid+0xac/0x130
    memblock_alloc_internal+0x53/0xc0
    memblock_alloc_try_nid+0x3d/0xa0
    swiotlb_init_remap+0x149/0x2f0
    mem_init+0xb/0xb0
    mm_core_init+0x8f/0x350
    start_kernel+0x17e/0x5d0
    x86_64_start_reservations+0x14/0x30
    x86_64_start_kernel+0x92/0xa0
    secondary_startup_64_no_verify+0x194/0x19b

Mitigate this by calling accept_memory() on the memory range returned before the slab is available.

Prior to v6.12, the accept_memory() interface used a 'start' and 'end' parameter instead of 'start' and 'size', therefore the accept_memory() call must be adjusted to specify 'start + size' for 'end' when applying to kernels prior to v6.12.
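
The backport caveat above, shown as an added userspace model (not kernel code and not taken from the fix commits): it tracks which pages of a constructed guest have been accepted and compares the four ways the accept step can be written. The helper names, the `variant` enum, and the sample address and size are hypothetical; addresses are assumed page-aligned.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE 4096u
#define NPAGES    64u   /* size of the modelled guest, constructed */

/* Userspace model only: one flag per page, true once "accepted". */
static bool accepted[NPAGES];

/* Mark pages in [start, end) accepted; addresses assumed page-aligned. */
static void mark(uint64_t start, uint64_t end)
{
    for (uint64_t a = start; a < end && a / PAGE_SIZE < NPAGES; a += PAGE_SIZE)
        accepted[a / PAGE_SIZE] = true;
}

/* Model of the v6.12+ convention described above: (start, size). */
static void accept_start_size(uint64_t start, uint64_t size) { mark(start, start + size); }

/* Model of the pre-v6.12 convention: (start, end). */
static void accept_start_end(uint64_t start, uint64_t end) { mark(start, end); }

enum variant { NO_ACCEPT, NEW_API, OLD_API_UNADJUSTED, OLD_API_ADJUSTED };

/* Apply one accept variant to a fresh model, then report whether every page
 * of [addr, addr + size) is accepted, i.e. safe to copy the old array into. */
static bool new_array_usable(enum variant v, uint64_t addr, uint64_t size)
{
    for (unsigned i = 0; i < NPAGES; i++) accepted[i] = false;
    switch (v) {
    case NO_ACCEPT:          break;                                      /* unfixed path */
    case NEW_API:            accept_start_size(addr, size);       break; /* v6.12+ */
    case OLD_API_UNADJUSTED: accept_start_end(addr, size);        break; /* size passed as 'end' */
    case OLD_API_ADJUSTED:   accept_start_end(addr, addr + size); break; /* correct backport */
    }
    for (uint64_t a = addr; a < addr + size; a += PAGE_SIZE)
        if (a / PAGE_SIZE >= NPAGES || !accepted[a / PAGE_SIZE]) return false;
    return true;
}

int main(void)
{
    static const char *name[] = { "no accept", "(start, size)",
                                  "(start, end=size)", "(start, end=start+size)" };
    for (int v = NO_ACCEPT; v <= OLD_API_ADJUSTED; v++)
        printf("%-24s usable=%d\n", name[v], new_array_usable((enum variant)v, 0x8000, 0x2000));
    return 0;
}
```
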

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/37xxx/CVE-2025-37960.json"
}

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
dcdfdd40fa82b6704d2841938e5c8ec3051eb0d6
Fixed
7bcd29181bab8d508d2adfdbb132de8b1e088698
Fixed
d66a22f6a432a9dd376c9b365d7dc89bd416909c
Fixed
aa513e69e011a2b19fa22ce62ce35effbd5e0c81
Fixed
da8bf5daa5e55a6af2b285ecda460d6454712ff4

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.5.0
Fixed
6.6.92
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.29
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.14.7