CVE-2025-38241

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-38241
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-38241.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-38241
Downstream
Published
2025-07-09T10:42:24.777Z
Modified
2025-11-20T09:13:54.632782Z
Summary
mm/shmem, swap: fix softlockup with mTHP swapin
Details

In the Linux kernel, the following vulnerability has been resolved:

mm/shmem, swap: fix softlockup with mTHP swapin

Following softlockup can be easily reproduced on my test machine with:

echo always > /sys/kernel/mm/transparent_hugepage/hugepages-64kB/enabled swapon /dev/zram0 # zram0 is a 48G swap device mkdir -p /sys/fs/cgroup/memory/test echo 1G > /sys/fs/cgroup/test/memory.max echo $BASHPID > /sys/fs/cgroup/test/cgroup.procs while true; do dd if=/dev/zero of=/tmp/test.img bs=1M count=5120 cat /tmp/test.img > /dev/null rm /tmp/test.img done

Then after a while: watchdog: BUG: soft lockup - CPU#0 stuck for 763s! [cat:5787] Modules linked in: zram virtiofs CPU: 0 UID: 0 PID: 5787 Comm: cat Kdump: loaded Tainted: G L 6.15.0.orig-gf3021d9246bc-dirty #118 PREEMPT(voluntary)· Tainted: [L]=SOFTLOCKUP Hardware name: Red Hat KVM/RHEL-AV, BIOS 0.0.0 02/06/2015 RIP: 0010:mpolsharedpolicylookup+0xd/0x70 Code: e9 b8 b4 ff ff 31 c0 c3 cc cc cc cc 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 0f 1f 44 00 00 41 54 55 53 <48> 8b 1f 48 85 db 74 41 4c 8d 67 08 48 89 fb 48 89 f5 4c 89 e7 e8 RSP: 0018:ffffc90002b1fc28 EFLAGS: 00000202 RAX: 00000000001c20ca RBX: 0000000000724e1e RCX: 0000000000000001 RDX: ffff888118e214c8 RSI: 0000000000057d42 RDI: ffff888118e21518 RBP: 000000000002bec8 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000bf4 R11: 0000000000000000 R12: 0000000000000001 R13: 00000000001c20ca R14: 00000000001c20ca R15: 0000000000000000 FS: 00007f03f995c740(0000) GS:ffff88a07ad9a000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f03f98f1000 CR3: 0000000144626004 CR4: 0000000000770eb0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> shmemallocfolio+0x31/0xc0 shmemswapinfolio+0x309/0xcf0 ? filemapgetentry+0x117/0x1e0 ? xasload+0xd/0xb0 ? filemapgetentry+0x101/0x1e0 shmemgetfoliogfp+0x2ed/0x5b0 shmemfilereaditer+0x7f/0x2e0 vfsread+0x252/0x330 ksysread+0x68/0xf0 dosyscall64+0x4c/0x1c0 entrySYSCALL64afterhwframe+0x76/0x7e RIP: 0033:0x7f03f9a46991 Code: 00 48 8b 15 81 14 10 00 f7 d8 64 89 02 b8 ff ff ff ff eb bd e8 20 ad 01 00 f3 0f 1e fa 80 3d 35 97 10 00 00 74 13 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 4f c3 66 0f 1f 44 00 00 55 48 89 e5 48 83 ec RSP: 002b:00007fff3c52bd28 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 RAX: ffffffffffffffda RBX: 0000000000040000 RCX: 00007f03f9a46991 RDX: 0000000000040000 RSI: 00007f03f98ba000 RDI: 0000000000000003 RBP: 00007fff3c52bd50 R08: 0000000000000000 R09: 00007f03f9b9a380 R10: 0000000000000022 R11: 0000000000000246 R12: 0000000000040000 R13: 00007f03f98ba000 R14: 0000000000000003 R15: 0000000000000000 </TASK>

The reason is simple, readahead brought some order 0 folio in swap cache, and the swapin mTHP folio being allocated is in conflict with it, so swapcacheprepare fails and causes shmemswapallocfolio to return -EEXIST, and shmem simply retries again and again causing this loop.

Fix it by applying a similar fix for anon mTHP swapin.

The performance change is very slight, time of swapin 10g zero folios with shmem (test for 12 times): Before: 2.47s After: 2.48s

[kasong@tencent.com: add comment]

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1dd44c0af4fa1e80a4e82faa10cbf5d22da40362
Fixed
1283dfc1e0cd52cf525c2cb1b59a6f9183aab7ca
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1dd44c0af4fa1e80a4e82faa10cbf5d22da40362
Fixed
a05dd8ae5cbb1cb45f349922cfea4f548a5e5d6f

Affected versions

v6.*

v6.13
v6.13-rc7
v6.14
v6.14-rc1
v6.14-rc2
v6.14-rc3
v6.14-rc4
v6.14-rc5
v6.14-rc6
v6.14-rc7
v6.15
v6.15-rc1
v6.15-rc2
v6.15-rc3
v6.15-rc4
v6.15-rc5
v6.15-rc6
v6.15-rc7
v6.15.1
v6.15.2
v6.15.3
v6.15.4
v6.16-rc1
v6.16-rc2

Database specific

vanir_signatures

[
    {
        "target": {
            "file": "mm/shmem.c"
        },
        "digest": {
            "line_hashes": [
                "227041228162839976948951537521561804270",
                "286513362866142879699331436403846007327",
                "258774402947341789394940013763140574414",
                "230129218774603704697699598009970166566",
                "336980546074957422378308152844568490779",
                "37349725830742852277889573827177106866",
                "220410126469461274973715588786377091613",
                "109623312699035965159836914988513598288",
                "58319904407889719805821896204608247000"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a05dd8ae5cbb1cb45f349922cfea4f548a5e5d6f",
        "deprecated": false,
        "id": "CVE-2025-38241-031d8dd0",
        "signature_type": "Line"
    },
    {
        "target": {
            "file": "mm/memory.c"
        },
        "digest": {
            "line_hashes": [
                "154416911556647060651654407485051537032",
                "12670995189719250600550104448672777036",
                "264039768618296347888841655123888454011",
                "35732625501598515372592928197219545211",
                "261349216468274417229984982627151103858",
                "30582074570845089688956286889961701619",
                "127909906097335254875453813391534050760",
                "257358725006486960369504244560317504811",
                "285091003421784381249487411056022375190",
                "261403175119323949254220751426109307570",
                "337064245806187065444335610588625349184",
                "186662253611281925339992270524835189415",
                "189023709355161388284464518557512884633",
                "116568115319877112175730134928427621496"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a05dd8ae5cbb1cb45f349922cfea4f548a5e5d6f",
        "deprecated": false,
        "id": "CVE-2025-38241-0be4cf76",
        "signature_type": "Line"
    },
    {
        "target": {
            "function": "shmem_swapin_folio",
            "file": "mm/shmem.c"
        },
        "digest": {
            "length": 2935.0,
            "function_hash": "219796812878284470468989518368831704858"
        },
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1283dfc1e0cd52cf525c2cb1b59a6f9183aab7ca",
        "deprecated": false,
        "id": "CVE-2025-38241-3f088118",
        "signature_type": "Function"
    },
    {
        "target": {
            "file": "mm/swap.h"
        },
        "digest": {
            "line_hashes": [
                "227841826008759012173160311546020898266",
                "21213273032452451101310405890615843128",
                "221873378639978486605660891445275762104",
                "217189237487714129797199461438217751428",
                "9462010657141354693004125329454933345"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1283dfc1e0cd52cf525c2cb1b59a6f9183aab7ca",
        "deprecated": false,
        "id": "CVE-2025-38241-51a088a1",
        "signature_type": "Line"
    },
    {
        "target": {
            "file": "mm/memory.c"
        },
        "digest": {
            "line_hashes": [
                "154416911556647060651654407485051537032",
                "12670995189719250600550104448672777036",
                "264039768618296347888841655123888454011",
                "35732625501598515372592928197219545211",
                "261349216468274417229984982627151103858",
                "30582074570845089688956286889961701619",
                "127909906097335254875453813391534050760",
                "257358725006486960369504244560317504811",
                "285091003421784381249487411056022375190",
                "261403175119323949254220751426109307570",
                "337064245806187065444335610588625349184",
                "186662253611281925339992270524835189415",
                "189023709355161388284464518557512884633",
                "116568115319877112175730134928427621496"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1283dfc1e0cd52cf525c2cb1b59a6f9183aab7ca",
        "deprecated": false,
        "id": "CVE-2025-38241-5a2ccb5d",
        "signature_type": "Line"
    },
    {
        "target": {
            "file": "mm/swap.h"
        },
        "digest": {
            "line_hashes": [
                "227841826008759012173160311546020898266",
                "21213273032452451101310405890615843128",
                "221873378639978486605660891445275762104",
                "217189237487714129797199461438217751428",
                "5756771543293104730317830126503479913",
                "336919961671277423844086749712564373921"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a05dd8ae5cbb1cb45f349922cfea4f548a5e5d6f",
        "deprecated": false,
        "id": "CVE-2025-38241-80435d5d",
        "signature_type": "Line"
    },
    {
        "target": {
            "file": "mm/shmem.c"
        },
        "digest": {
            "line_hashes": [
                "227041228162839976948951537521561804270",
                "286513362866142879699331436403846007327",
                "258774402947341789394940013763140574414",
                "230129218774603704697699598009970166566",
                "336980546074957422378308152844568490779",
                "37349725830742852277889573827177106866",
                "220410126469461274973715588786377091613",
                "109623312699035965159836914988513598288",
                "58319904407889719805821896204608247000"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1283dfc1e0cd52cf525c2cb1b59a6f9183aab7ca",
        "deprecated": false,
        "id": "CVE-2025-38241-c55d04c6",
        "signature_type": "Line"
    },
    {
        "target": {
            "function": "shmem_swapin_folio",
            "file": "mm/shmem.c"
        },
        "digest": {
            "length": 2967.0,
            "function_hash": "131811568871974332857574020633313414719"
        },
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a05dd8ae5cbb1cb45f349922cfea4f548a5e5d6f",
        "deprecated": false,
        "id": "CVE-2025-38241-fa00c0f8",
        "signature_type": "Function"
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.14.0
Fixed
6.15.5