{
  "threat_severity" : "Moderate",
  "public_date" : "2025-06-18T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: Linux kernel: Denial of Service due to sleepable page allocation in KASAN",
    "id" : "2373378",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2373378"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-663",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nkasan: avoid sleepable page allocation from atomic context\napply_to_pte_range() enters the lazy MMU mode and then invokes\nkasan_populate_vmalloc_pte() callback on each page table walk iteration. \nHowever, the callback can go into sleep when trying to allocate a single\npage, e.g.  if an architecutre disables preemption on lazy MMU mode enter.\nOn s390 if make arch_enter_lazy_mmu_mode() -> preempt_enable() and\narch_leave_lazy_mmu_mode() -> preempt_disable(), such crash occurs:\n[    0.663336] BUG: sleeping function called from invalid context at ./include/linux/sched/mm.h:321\n[    0.663348] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 2, name: kthreadd\n[    0.663358] preempt_count: 1, expected: 0\n[    0.663366] RCU nest depth: 0, expected: 0\n[    0.663375] no locks held by kthreadd/2.\n[    0.663383] Preemption disabled at:\n[    0.663386] [<0002f3284cbb4eda>] apply_to_pte_range+0xfa/0x4a0\n[    0.663405] CPU: 0 UID: 0 PID: 2 Comm: kthreadd Not tainted 6.15.0-rc5-gcc-kasan-00043-gd76bb1ebb558-dirty #162 PREEMPT\n[    0.663408] Hardware name: IBM 3931 A01 701 (KVM/Linux)\n[    0.663409] Call Trace:\n[    0.663410]  [<0002f3284c385f58>] dump_stack_lvl+0xe8/0x140\n[    0.663413]  [<0002f3284c507b9e>] __might_resched+0x66e/0x700\n[    0.663415]  [<0002f3284cc4f6c0>] __alloc_frozen_pages_noprof+0x370/0x4b0\n[    0.663419]  [<0002f3284ccc73c0>] alloc_pages_mpol+0x1a0/0x4a0\n[    0.663421]  [<0002f3284ccc8518>] alloc_frozen_pages_noprof+0x88/0xc0\n[    0.663424]  [<0002f3284ccc8572>] alloc_pages_noprof+0x22/0x120\n[    0.663427]  [<0002f3284cc341ac>] get_free_pages_noprof+0x2c/0xc0\n[    0.663429]  [<0002f3284cceba70>] kasan_populate_vmalloc_pte+0x50/0x120\n[    0.663433]  [<0002f3284cbb4ef8>] apply_to_pte_range+0x118/0x4a0\n[    0.663435]  [<0002f3284cbc7c14>] apply_to_pmd_range+0x194/0x3e0\n[    0.663437]  [<0002f3284cbc99be>] __apply_to_page_range+0x2fe/0x7a0\n[    0.663440]  [<0002f3284cbc9e88>] apply_to_page_range+0x28/0x40\n[    0.663442]  [<0002f3284ccebf12>] kasan_populate_vmalloc+0x82/0xa0\n[    0.663445]  [<0002f3284cc1578c>] alloc_vmap_area+0x34c/0xc10\n[    0.663448]  [<0002f3284cc1c2a6>] __get_vm_area_node+0x186/0x2a0\n[    0.663451]  [<0002f3284cc1e696>] __vmalloc_node_range_noprof+0x116/0x310\n[    0.663454]  [<0002f3284cc1d950>] __vmalloc_node_noprof+0xd0/0x110\n[    0.663457]  [<0002f3284c454b88>] alloc_thread_stack_node+0xf8/0x330\n[    0.663460]  [<0002f3284c458d56>] dup_task_struct+0x66/0x4d0\n[    0.663463]  [<0002f3284c45be90>] copy_process+0x280/0x4b90\n[    0.663465]  [<0002f3284c460940>] kernel_clone+0xd0/0x4b0\n[    0.663467]  [<0002f3284c46115e>] kernel_thread+0xbe/0xe0\n[    0.663469]  [<0002f3284c4e440e>] kthreadd+0x50e/0x7f0\n[    0.663472]  [<0002f3284c38c04a>] __ret_from_fork+0x8a/0xf0\n[    0.663475]  [<0002f3284ed57ff2>] ret_from_fork+0xa/0x38\nInstead of allocating single pages per-PTE, bulk-allocate the shadow\nmemory prior to applying kasan_populate_vmalloc_pte() callback on a page\nrange.", "A flaw was found in the Linux kernel's Kernel Address Sanitizer (KASAN) component. When the apply_to_pte_range() function enters lazy Memory Management Unit (MMU) mode, the kasan_populate_vmalloc_pte() callback may attempt to allocate a page that can cause the system to sleep. If preemption is disabled during this process, it can lead to a kernel crash, resulting in a Denial of Service (DoS) for the system." ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-38029\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-38029\nhttps://lore.kernel.org/linux-cve-announce/2025061824-CVE-2025-38029-47a6@gregkh/T" ],
  "name" : "CVE-2025-38029",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}