{"id":"CVE-2025-21869","summary":"powerpc/code-patching: Disable KASAN report during patching via temporary mm","details":"In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/code-patching: Disable KASAN report during patching via temporary mm\n\nErhard reports the following KASAN hit on Talos II (power9) with kernel 6.13:\n\n[   12.028126] ==================================================================\n[   12.028198] BUG: KASAN: user-memory-access in copy_to_kernel_nofault+0x8c/0x1a0\n[   12.028260] Write of size 8 at addr 0000187e458f2000 by task systemd/1\n\n[   12.028346] CPU: 87 UID: 0 PID: 1 Comm: systemd Tainted: G                T  6.13.0-P9-dirty #3\n[   12.028408] Tainted: [T]=RANDSTRUCT\n[   12.028446] Hardware name: T2P9D01 REV 1.01 POWER9 0x4e1202 opal:skiboot-bc106a0 PowerNV\n[   12.028500] Call Trace:\n[   12.028536] [c000000008dbf3b0] [c000000001656a48] dump_stack_lvl+0xbc/0x110 (unreliable)\n[   12.028609] [c000000008dbf3f0] [c0000000006e2fc8] print_report+0x6b0/0x708\n[   12.028666] [c000000008dbf4e0] [c0000000006e2454] kasan_report+0x164/0x300\n[   12.028725] [c000000008dbf600] [c0000000006e54d4] kasan_check_range+0x314/0x370\n[   12.028784] [c000000008dbf640] [c0000000006e6310] __kasan_check_write+0x20/0x40\n[   12.028842] [c000000008dbf660] [c000000000578e8c] copy_to_kernel_nofault+0x8c/0x1a0\n[   12.028902] [c000000008dbf6a0] [c0000000000acfe4] __patch_instructions+0x194/0x210\n[   12.028965] [c000000008dbf6e0] [c0000000000ade80] patch_instructions+0x150/0x590\n[   12.029026] [c000000008dbf7c0] [c0000000001159bc] bpf_arch_text_copy+0x6c/0xe0\n[   12.029085] [c000000008dbf800] [c000000000424250] bpf_jit_binary_pack_finalize+0x40/0xc0\n[   12.029147] [c000000008dbf830] [c000000000115dec] bpf_int_jit_compile+0x3bc/0x930\n[   12.029206] [c000000008dbf990] [c000000000423720] bpf_prog_select_runtime+0x1f0/0x280\n[   12.029266] [c000000008dbfa00] [c000000000434b18] bpf_prog_load+0xbb8/0x1370\n[   12.029324] [c000000008dbfb70] [c000000000436ebc] __sys_bpf+0x5ac/0x2e00\n[   12.029379] [c000000008dbfd00] [c00000000043a228] sys_bpf+0x28/0x40\n[   12.029435] [c000000008dbfd20] [c000000000038eb4] system_call_exception+0x334/0x610\n[   12.029497] [c000000008dbfe50] [c00000000000c270] system_call_vectored_common+0xf0/0x280\n[   12.029561] --- interrupt: 3000 at 0x3fff82f5cfa8\n[   12.029608] NIP:  00003fff82f5cfa8 LR: 00003fff82f5cfa8 CTR: 0000000000000000\n[   12.029660] REGS: c000000008dbfe80 TRAP: 3000   Tainted: G                T   (6.13.0-P9-dirty)\n[   12.029735] MSR:  900000000280f032 \u003cSF,HV,VEC,VSX,EE,PR,FP,ME,IR,DR,RI\u003e  CR: 42004848  XER: 00000000\n[   12.029855] IRQMASK: 0\n               GPR00: 0000000000000169 00003fffdcf789a0 00003fff83067100 0000000000000005\n               GPR04: 00003fffdcf78a98 0000000000000090 0000000000000000 0000000000000008\n               GPR08: 0000000000000000 0000000000000000 0000000000000000 0000000000000000\n               GPR12: 0000000000000000 00003fff836ff7e0 c000000000010678 0000000000000000\n               GPR16: 0000000000000000 0000000000000000 00003fffdcf78f28 00003fffdcf78f90\n               GPR20: 0000000000000000 0000000000000000 0000000000000000 00003fffdcf78f80\n               GPR24: 00003fffdcf78f70 00003fffdcf78d10 00003fff835c7239 00003fffdcf78bd8\n               GPR28: 00003fffdcf78a98 0000000000000000 0000000000000000 000000011f547580\n[   12.030316] NIP [00003fff82f5cfa8] 0x3fff82f5cfa8\n[   12.030361] LR [00003fff82f5cfa8] 0x3fff82f5cfa8\n[   12.030405] --- interrupt: 3000\n[   12.030444] ==================================================================\n\nCommit c28c15b6d28a (\"powerpc/code-patching: Use temporary mm for\nRadix MMU\") is inspired from x86 but unlike x86 is doesn't disable\nKASAN reports during patching. This wasn't a problem at the begining\nbecause __patch_mem() is not instrumented.\n\nCommit 465cabc97b42 (\"powerpc/code-patching: introduce\npatch_instructions()\") use copy_to_kernel_nofault() to copy several\ninstructions at once. But when using temporary mm the destination is\nnot regular kernel memory but a kind of kernel-like memory located\nin user address space. \n---truncated---","modified":"2026-03-20T12:41:13.009152Z","published":"2025-03-27T13:38:22.229Z","related":["SUSE-SU-2025:01919-1","SUSE-SU-2025:01951-1","SUSE-SU-2025:01967-1","SUSE-SU-2025:1177-1","SUSE-SU-2025:1178-1","SUSE-SU-2025:1180-1","SUSE-SU-2025:20190-1","SUSE-SU-2025:20192-1","SUSE-SU-2025:20260-1","SUSE-SU-2025:20270-1","USN-7521-2"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/21xxx/CVE-2025-21869.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/5980d4456dd66d1b6505d5ec15048bd87e8775e0"},{"type":"WEB","url":"https://git.kernel.org/stable/c/dc9c5166c3cb044f8a001e397195242fd6796eee"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ea291447a4031f3dac5c23d55bc83fe833820d84"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/21xxx/CVE-2025-21869.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-21869"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"465cabc97b42405eb89380ea6ba8d8b03e4ae1a2"},{"fixed":"5980d4456dd66d1b6505d5ec15048bd87e8775e0"},{"fixed":"ea291447a4031f3dac5c23d55bc83fe833820d84"},{"fixed":"dc9c5166c3cb044f8a001e397195242fd6796eee"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-21869.json"}}],"schema_version":"1.7.5"}