{"id":"CVE-2025-21984","summary":"mm: fix kernel BUG when userfaultfd_move encounters swapcache","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm: fix kernel BUG when userfaultfd_move encounters swapcache\n\nuserfaultfd_move() checks whether the PTE entry is present or a\nswap entry.\n\n- If the PTE entry is present, move_present_pte() handles folio\n  migration by setting:\n\n  src_folio-\u003eindex = linear_page_index(dst_vma, dst_addr);\n\n- If the PTE entry is a swap entry, move_swap_pte() simply copies\n  the PTE to the new dst_addr.\n\nThis approach is incorrect because, even if the PTE is a swap entry,\nit can still reference a folio that remains in the swap cache.\n\nThis creates a race window between steps 2 and 4.\n 1. add_to_swap: The folio is added to the swapcache.\n 2. try_to_unmap: PTEs are converted to swap entries.\n 3. pageout: The folio is written back.\n 4. Swapcache is cleared.\nIf userfaultfd_move() occurs in the window between steps 2 and 4,\nafter the swap PTE has been moved to the destination, accessing the\ndestination triggers do_swap_page(), which may locate the folio in\nthe swapcache. However, since the folio's index has not been updated\nto match the destination VMA, do_swap_page() will detect a mismatch.\n\nThis can result in two critical issues depending on the system\nconfiguration.\n\nIf KSM is disabled, both small and large folios can trigger a BUG\nduring the add_rmap operation due to:\n\n page_pgoff(folio, page) != linear_page_index(vma, address)\n\n[   13.336953] page: refcount:6 mapcount:1 mapping:00000000f43db19c index:0xffffaf150 pfn:0x4667c\n[   13.337520] head: order:2 mapcount:1 entire_mapcount:0 nr_pages_mapped:1 pincount:0\n[   13.337716] memcg:ffff00000405f000\n[   13.337849] anon flags: 0x3fffc0000020459(locked|uptodate|dirty|owner_priv_1|head|swapbacked|node=0|zone=0|lastcpupid=0xffff)\n[   13.338630] raw: 03fffc0000020459 ffff80008507b538 ffff80008507b538 ffff000006260361\n[   13.338831] raw: 0000000ffffaf150 0000000000004000 0000000600000000 ffff00000405f000\n[   13.339031] head: 03fffc0000020459 ffff80008507b538 ffff80008507b538 ffff000006260361\n[   13.339204] head: 0000000ffffaf150 0000000000004000 0000000600000000 ffff00000405f000\n[   13.339375] head: 03fffc0000000202 fffffdffc0199f01 ffffffff00000000 0000000000000001\n[   13.339546] head: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000\n[   13.339736] page dumped because: VM_BUG_ON_PAGE(page_pgoff(folio, page) != linear_page_index(vma, address))\n[   13.340190] ------------[ cut here ]------------\n[   13.340316] kernel BUG at mm/rmap.c:1380!\n[   13.340683] Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP\n[   13.340969] Modules linked in:\n[   13.341257] CPU: 1 UID: 0 PID: 107 Comm: a.out Not tainted 6.14.0-rc3-gcf42737e247a-dirty #299\n[   13.341470] Hardware name: linux,dummy-virt (DT)\n[   13.341671] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[   13.341815] pc : __page_check_anon_rmap+0xa0/0xb0\n[   13.341920] lr : __page_check_anon_rmap+0xa0/0xb0\n[   13.342018] sp : ffff80008752bb20\n[   13.342093] x29: ffff80008752bb20 x28: fffffdffc0199f00 x27: 0000000000000001\n[   13.342404] x26: 0000000000000000 x25: 0000000000000001 x24: 0000000000000001\n[   13.342575] x23: 0000ffffaf0d0000 x22: 0000ffffaf0d0000 x21: fffffdffc0199f00\n[   13.342731] x20: fffffdffc0199f00 x19: ffff000006210700 x18: 00000000ffffffff\n[   13.342881] x17: 6c203d2120296567 x16: 6170202c6f696c6f x15: 662866666f67705f\n[   13.343033] x14: 6567617028454741 x13: 2929737365726464 x12: ffff800083728ab0\n[   13.343183] x11: ffff800082996bf8 x10: 0000000000000fd7 x9 : ffff80008011bc40\n[   13.343351] x8 : 0000000000017fe8 x7 : 00000000fffff000 x6 : ffff8000829eebf8\n[   13.343498] x5 : c0000000fffff000 x4 : 0000000000000000 x3 : 0000000000000000\n[   13.343645] x2 : 0000000000000000 x1 : ffff0000062db980 x0 : 000000000000005f\n[   13.343876] Call trace:\n[   13.344045]  __page_check_anon_rmap+0xa0/0xb0 (P)\n[   13.344234]  folio_add_anon_rmap_ptes+0x22c/0x320\n[   13.344333]  do_swap_page+0x1060/0x1400\n[   13.344417]  __handl\n---truncated---","modified":"2026-04-02T12:45:18.195737Z","published":"2025-04-01T15:47:11.523Z","database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/21xxx/CVE-2025-21984.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/4e9507246298fd6f1ca7bb42ef01a6e34fb93684"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b1e11bd86c0943bb7624efebdc384340a50ad683"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c50f8e6053b0503375c2975bf47f182445aebb4c"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/21xxx/CVE-2025-21984.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-21984"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"adef440691bab824e39c1b17382322d195e1fab0"},{"fixed":"4e9507246298fd6f1ca7bb42ef01a6e34fb93684"},{"fixed":"b1e11bd86c0943bb7624efebdc384340a50ad683"},{"fixed":"c50f8e6053b0503375c2975bf47f182445aebb4c"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-21984.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}