{"id":"CVE-2025-71134","summary":"mm/page_alloc: change all pageblocks migrate type on coalescing","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm/page_alloc: change all pageblocks migrate type on coalescing\n\nWhen a page is freed it coalesces with a buddy into a higher order page\nwhile possible. When the buddy page migrate type differs, it is expected\nto be updated to match the one of the page being freed.\n\nHowever, only the first pageblock of the buddy page is updated, while the\nrest of the pageblocks are left unchanged.\n\nThat causes warnings in later expand() and other code paths (like below),\nsince an inconsistency between migration type of the list containing the\npage and the page-owned pageblocks migration types is introduced.\n\n[ 308.986589] ------------[ cut here ]------------\n[ 308.987227] page type is 0, passed migratetype is 1 (nr=256)\n[ 308.987275] WARNING: CPU: 1 PID: 5224 at mm/page_alloc.c:812 expand+0x23c/0x270\n[ 308.987293] Modules linked in: algif_hash(E) af_alg(E) nft_fib_inet(E) nft_fib_ipv4(E) nft_fib_ipv6(E) nft_fib(E) nft_reject_inet(E) nf_reject_ipv4(E) nf_reject_ipv6(E) nft_reject(E) nft_ct(E) nft_chain_nat(E) nf_nat(E) nf_conntrack(E) nf_defrag_ipv6(E) nf_defrag_ipv4(E) nf_tables(E) s390_trng(E) vfio_ccw(E) mdev(E) vfio_iommu_type1(E) vfio(E) sch_fq_codel(E) drm(E) i2c_core(E) drm_panel_orientation_quirks(E) loop(E) nfnetlink(E) vsock_loopback(E) vmw_vsock_virtio_transport_common(E) vsock(E) ctcm(E) fsm(E) diag288_wdt(E) watchdog(E) zfcp(E) scsi_transport_fc(E) ghash_s390(E) prng(E) aes_s390(E) des_generic(E) des_s390(E) libdes(E) sha3_512_s390(E) sha3_256_s390(E) sha_common(E) paes_s390(E) crypto_engine(E) pkey_cca(E) pkey_ep11(E) zcrypt(E) rng_core(E) pkey_pckmo(E) pkey(E) autofs4(E)\n[ 308.987439] Unloaded tainted modules: hmac_s390(E):2\n[ 308.987650] CPU: 1 UID: 0 PID: 5224 Comm: mempig_verify Kdump: loaded Tainted: G E 6.18.0-gcc-bpf-debug #431 PREEMPT\n[ 308.987657] Tainted: [E]=UNSIGNED_MODULE\n[ 308.987661] Hardware name: IBM 3906 M04 704 (z/VM 7.3.0)\n[ 308.987666] Krnl PSW : 0404f00180000000 00000349976fa600 (expand+0x240/0x270)\n[ 308.987676] R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:3 CC:3 PM:0 RI:0 EA:3\n[ 308.987682] Krnl GPRS: 0000034980000004 0000000000000005 0000000000000030 000003499a0e6d88\n[ 308.987688] 0000000000000005 0000034980000005 000002be803ac000 0000023efe6c8300\n[ 308.987692] 0000000000000008 0000034998d57290 000002be00000100 0000023e00000008\n[ 308.987696] 0000000000000000 0000000000000000 00000349976fa5fc 000002c99b1eb6f0\n[ 308.987708] Krnl Code: 00000349976fa5f0: c020008a02f2\tlarl\t%r2,000003499883abd4\n 00000349976fa5f6: c0e5ffe3f4b5\tbrasl\t%r14,0000034997378f60\n #00000349976fa5fc: af000000\t\tmc\t0,0\n \u003e00000349976fa600: a7f4ff4c\t\tbrc\t15,00000349976fa498\n 00000349976fa604: b9040026\t\tlgr\t%r2,%r6\n 00000349976fa608: c0300088317f\tlarl\t%r3,0000034998800906\n 00000349976fa60e: c0e5fffdb6e1\tbrasl\t%r14,00000349976b13d0\n 00000349976fa614: af000000\t\tmc\t0,0\n[ 308.987734] Call Trace:\n[ 308.987738] [\u003c00000349976fa600\u003e] expand+0x240/0x270\n[ 308.987744] ([\u003c00000349976fa5fc\u003e] expand+0x23c/0x270)\n[ 308.987749] [\u003c00000349976ff95e\u003e] rmqueue_bulk+0x71e/0x940\n[ 308.987754] [\u003c00000349976ffd7e\u003e] __rmqueue_pcplist+0x1fe/0x2a0\n[ 308.987759] [\u003c0000034997700966\u003e] rmqueue.isra.0+0xb46/0xf40\n[ 308.987763] [\u003c0000034997703ec8\u003e] get_page_from_freelist+0x198/0x8d0\n[ 308.987768] [\u003c0000034997706fa8\u003e] __alloc_frozen_pages_noprof+0x198/0x400\n[ 308.987774] [\u003c00000349977536f8\u003e] alloc_pages_mpol+0xb8/0x220\n[ 308.987781] [\u003c0000034997753bf6\u003e] folio_alloc_mpol_noprof+0x26/0xc0\n[ 308.987786] [\u003c0000034997753e4c\u003e] vma_alloc_folio_noprof+0x6c/0xa0\n[ 308.987791] [\u003c0000034997775b22\u003e] vma_alloc_anon_folio_pmd+0x42/0x240\n[ 308.987799] [\u003c000003499777bfea\u003e] __do_huge_pmd_anonymous_page+0x3a/0x210\n[ 308.987804] [\u003c00000349976cb0\n---truncated---","modified":"2026-04-02T17:30:16.174350Z","published":"2026-01-14T15:07:49.200Z","related":["SUSE-SU-2026:20838-1","SUSE-SU-2026:20931-1","openSUSE-SU-2026:20416-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/71xxx/CVE-2025-71134.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/7838a4eb8a1d23160bd3f588ea7f2b8f7c00c55b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/914769048818021556c940b9163e8056be9507dd"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a794d65b132107a085d165caba33aae1101316a5"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/71xxx/CVE-2025-71134.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-71134"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"e6cf9e1c4cde8a53385423ecb8ca581097f42e02"},{"fixed":"914769048818021556c940b9163e8056be9507dd"},{"fixed":"a794d65b132107a085d165caba33aae1101316a5"},{"fixed":"7838a4eb8a1d23160bd3f588ea7f2b8f7c00c55b"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-71134.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.10.0"},{"fixed":"6.12.65"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.4"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-71134.json"}}],"schema_version":"1.7.5"}