{"id":"CVE-2025-39903","summary":"of_numa: fix uninitialized memory nodes causing kernel panic","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nof_numa: fix uninitialized memory nodes causing kernel panic\n\nWhen there are memory-only nodes (nodes without CPUs), these nodes are not\nproperly initialized, causing kernel panic during boot.\n\nof_numa_init\n\tof_numa_parse_cpu_nodes\n\t\tnode_set(nid, numa_nodes_parsed);\n\tof_numa_parse_memory_nodes\n\nIn of_numa_parse_cpu_nodes, numa_nodes_parsed gets updated only for nodes\ncontaining CPUs.  Memory-only nodes should have been updated in\nof_numa_parse_memory_nodes, but they weren't.\n\nSubsequently, when free_area_init() attempts to access NODE_DATA() for\nthese uninitialized memory nodes, the kernel panics due to NULL pointer\ndereference.\n\nThis can be reproduced on ARM64 QEMU with 1 CPU and 2 memory nodes:\n\nqemu-system-aarch64 \\\n-cpu host -nographic \\\n-m 4G -smp 1 \\\n-machine virt,accel=kvm,gic-version=3,iommu=smmuv3 \\\n-object memory-backend-ram,size=2G,id=mem0 \\\n-object memory-backend-ram,size=2G,id=mem1 \\\n-numa node,nodeid=0,memdev=mem0 \\\n-numa node,nodeid=1,memdev=mem1 \\\n-kernel $IMAGE \\\n-hda $DISK \\\n-append \"console=ttyAMA0 root=/dev/vda rw earlycon\"\n\n[    0.000000] Booting Linux on physical CPU 0x0000000000 [0x481fd010]\n[    0.000000] Linux version 6.17.0-rc1-00001-gabb4b3daf18c-dirty (yintirui@local) (gcc (GCC) 12.3.1, GNU ld (GNU Binutils) 2.41) #52 SMP PREEMPT Mon Aug 18 09:49:40 CST 2025\n[    0.000000] KASLR enabled\n[    0.000000] random: crng init done\n[    0.000000] Machine model: linux,dummy-virt\n[    0.000000] efi: UEFI not found.\n[    0.000000] earlycon: pl11 at MMIO 0x0000000009000000 (options '')\n[    0.000000] printk: legacy bootconsole [pl11] enabled\n[    0.000000] OF: reserved mem: Reserved memory: No reserved-memory node in the DT\n[    0.000000] NODE_DATA(0) allocated [mem 0xbfffd9c0-0xbfffffff]\n[    0.000000] node 1 must be removed before remove section 23\n[    0.000000] Zone ranges:\n[    0.000000]   DMA      [mem 0x0000000040000000-0x00000000ffffffff]\n[    0.000000]   DMA32    empty\n[    0.000000]   Normal   [mem 0x0000000100000000-0x000000013fffffff]\n[    0.000000] Movable zone start for each node\n[    0.000000] Early memory node ranges\n[    0.000000]   node   0: [mem 0x0000000040000000-0x00000000bfffffff]\n[    0.000000]   node   1: [mem 0x00000000c0000000-0x000000013fffffff]\n[    0.000000] Initmem setup node 0 [mem 0x0000000040000000-0x00000000bfffffff]\n[    0.000000] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a0\n[    0.000000] Mem abort info:\n[    0.000000]   ESR = 0x0000000096000004\n[    0.000000]   EC = 0x25: DABT (current EL), IL = 32 bits\n[    0.000000]   SET = 0, FnV = 0\n[    0.000000]   EA = 0, S1PTW = 0\n[    0.000000]   FSC = 0x04: level 0 translation fault\n[    0.000000] Data abort info:\n[    0.000000]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n[    0.000000]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[    0.000000]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[    0.000000] [00000000000000a0] user address but active_mm is swapper\n[    0.000000] Internal error: Oops: 0000000096000004 [#1]  SMP\n[    0.000000] Modules linked in:\n[    0.000000] CPU: 0 UID: 0 PID: 0 Comm: swapper Not tainted 6.17.0-rc1-00001-g760c6dabf762-dirty #54 PREEMPT\n[    0.000000] Hardware name: linux,dummy-virt (DT)\n[    0.000000] pstate: 800000c5 (Nzcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[    0.000000] pc : free_area_init+0x50c/0xf9c\n[    0.000000] lr : free_area_init+0x5c0/0xf9c\n[    0.000000] sp : ffffa02ca0f33c00\n[    0.000000] x29: ffffa02ca0f33cb0 x28: 0000000000000000 x27: 0000000000000000\n[    0.000000] x26: 4ec4ec4ec4ec4ec5 x25: 00000000000c0000 x24: 00000000000c0000\n[    0.000000] x23: 0000000000040000 x22: 0000000000000000 x21: ffffa02ca0f3b368\n[    0.000000] x20: ffffa02ca14c7b98 x19: 0000000000000000 x18: 0000000000000002\n[    0.000000] x17: 000000000000cacc x16: 0000000000000001 x15: 0000000000000001\n[    0.000000] x14: 0000000080000000 x13: 0000000000000018 x12: 0000000000000002\n[    0.0\n---truncated---","modified":"2026-04-02T12:48:12.310884Z","published":"2025-10-01T07:42:50.215Z","related":["SUSE-SU-2025:21080-1","SUSE-SU-2025:21147-1","SUSE-SU-2025:21180-1","openSUSE-SU-2025:20091-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39903.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/c2daa6eb4740720b5bd0e06267d7c93a3eed844e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ee4d098cbc9160f573b5c1b5a51d6158efdb2896"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f3286ad8eeae15fd4bd5c12f9adfe888b26baf62"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39903.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-39903"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"767507654c22578ea0b51d181211b2e7714ea7cd"},{"fixed":"c2daa6eb4740720b5bd0e06267d7c93a3eed844e"},{"fixed":"f3286ad8eeae15fd4bd5c12f9adfe888b26baf62"},{"fixed":"ee4d098cbc9160f573b5c1b5a51d6158efdb2896"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-39903.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}