{"id":"CVE-2025-21907","summary":"mm: memory-failure: update ttu flag inside unmap_poisoned_folio","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm: memory-failure: update ttu flag inside unmap_poisoned_folio\n\nPatch series \"mm: memory_failure: unmap poisoned folio during migrate\nproperly\", v3.\n\nFix two bugs during folio migration if the folio is poisoned.\n\n\nThis patch (of 3):\n\nCommit 6da6b1d4a7df (\"mm/hwpoison: convert TTU_IGNORE_HWPOISON to\nTTU_HWPOISON\") introduce TTU_HWPOISON to replace TTU_IGNORE_HWPOISON in\norder to stop send SIGBUS signal when accessing an error page after a\nmemory error on a clean folio.  However during page migration, anon folio\nmust be set with TTU_HWPOISON during unmap_*().  For pagecache we need\nsome policy just like the one in hwpoison_user_mappings to set this flag. \nSo move this policy from hwpoison_user_mappings to unmap_poisoned_folio to\nhandle this warning properly.\n\nWarning will be produced during unamp poison folio with the following log:\n\n  ------------[ cut here ]------------\n  WARNING: CPU: 1 PID: 365 at mm/rmap.c:1847 try_to_unmap_one+0x8fc/0xd3c\n  Modules linked in:\n  CPU: 1 UID: 0 PID: 365 Comm: bash Tainted: G        W          6.13.0-rc1-00018-gacdb4bbda7ab #42\n  Tainted: [W]=WARN\n  Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015\n  pstate: 20400005 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n  pc : try_to_unmap_one+0x8fc/0xd3c\n  lr : try_to_unmap_one+0x3dc/0xd3c\n  Call trace:\n   try_to_unmap_one+0x8fc/0xd3c (P)\n   try_to_unmap_one+0x3dc/0xd3c (L)\n   rmap_walk_anon+0xdc/0x1f8\n   rmap_walk+0x3c/0x58\n   try_to_unmap+0x88/0x90\n   unmap_poisoned_folio+0x30/0xa8\n   do_migrate_range+0x4a0/0x568\n   offline_pages+0x5a4/0x670\n   memory_block_action+0x17c/0x374\n   memory_subsys_offline+0x3c/0x78\n   device_offline+0xa4/0xd0\n   state_store+0x8c/0xf0\n   dev_attr_store+0x18/0x2c\n   sysfs_kf_write+0x44/0x54\n   kernfs_fop_write_iter+0x118/0x1a8\n   vfs_write+0x3a8/0x4bc\n   ksys_write+0x6c/0xf8\n   __arm64_sys_write+0x1c/0x28\n   invoke_syscall+0x44/0x100\n   el0_svc_common.constprop.0+0x40/0xe0\n   do_el0_svc+0x1c/0x28\n   el0_svc+0x30/0xd0\n   el0t_64_sync_handler+0xc8/0xcc\n   el0t_64_sync+0x198/0x19c\n  ---[ end trace 0000000000000000 ]---\n\n[mawupeng1@huawei.com: unmap_poisoned_folio(): remove shadowed local `mapping', per Miaohe]","modified":"2026-04-02T12:45:16.603845Z","published":"2025-04-01T15:40:47.576Z","database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/21xxx/CVE-2025-21907.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/425c12c076e6fc6b2cb04b9f960319d31dcabc76"},{"type":"WEB","url":"https://git.kernel.org/stable/c/608cc7deb428f1122ed426060233622ebf667b6e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b81679b1633aa43c0d973adfa816d78c1ed0d032"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/21xxx/CVE-2025-21907.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-21907"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"6da6b1d4a7df8c35770186b53ef65d388398e139"},{"fixed":"608cc7deb428f1122ed426060233622ebf667b6e"},{"fixed":"425c12c076e6fc6b2cb04b9f960319d31dcabc76"},{"fixed":"b81679b1633aa43c0d973adfa816d78c1ed0d032"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"deab8114fb67dcb0e6293b665c3c7083fbadff17"},{"last_affected":"6dcf132fe236045bd7f50c008660ea086d09af1f"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-21907.json"}}],"schema_version":"1.7.5"}