CVE-2025-22090: x86/mm/pat: Fix VM_PAT handling when fork() fails in copy_page_range()

Description

In the Linux kernel, the following vulnerability has been resolved:

x86/mm/pat: Fix VM_PAT handling when fork() fails in copy_page_range()

If track_pfn_copy() fails, we already added the dst VMA to the maple
tree. As fork() fails, we'll cleanup the maple tree, and stumble over
the dst VMA for which we neither performed any reservation nor copied
any page tables.

Consequently untrack_pfn() will see VM_PAT and try obtaining the
PAT information from the page table -- which fails because the page
table was not copied.

The easiest fix would be to simply clear the VM_PAT flag of the dst VMA
if track_pfn_copy() fails. However, the whole thing is about "simply"
clearing the VM_PAT flag is shaky as well: if we passed track_pfn_copy()
and performed a reservation, but copying the page tables fails, we'll
simply clear the VM_PAT flag, not properly undoing the reservation ...
which is also wrong.

So let's fix it properly: set the VM_PAT flag only if the reservation
succeeded (leaving it clear initially), and undo the reservation if
anything goes wrong while copying the page tables: clearing the VM_PAT
flag after undoing the reservation.

Note that any copied page table entries will get zapped when the VMA will
get removed later, after copy_page_range() succeeded; as VM_PAT is not set
then, we won't try cleaning VM_PAT up once more and untrack_pfn() will be
happy. Note that leaving these page tables in place without a reservation
is not a problem, as we are aborting fork(); this pr...

Classification

CVE ID: CVE-2025-22090

Affected Products

Vendor: Linux

Product: Linux, Linux

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.02% (probability of being exploited)

EPSS Percentile: 3.07% (scored less or equal to compared to others)

EPSS Date: 2025-04-20 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-22090
https://git.kernel.org/stable/c/b07398e8a5da517083f5c3f2daa8f6681b48ab28
https://git.kernel.org/stable/c/8d6373f83f367dbed316ddeb178130a3a64b5b67
https://git.kernel.org/stable/c/da381c33f3aa6406406c9fdf07b8b0b63e0ce722
https://git.kernel.org/stable/c/de6185b8892d88142ef69768fe4077cbf40109c0
https://git.kernel.org/stable/c/dc84bc2aba85a1508f04a936f9f9a15f64ebfb31

Timeline