CVE-2025-71134 (GCVE-0-2025-71134)

Vulnerability from cvelistv5 – Published: 2026-01-14 15:07 – Updated: 2026-01-14 15:07
VLAI?
Title
mm/page_alloc: change all pageblocks migrate type on coalescing
Summary
In the Linux kernel, the following vulnerability has been resolved: mm/page_alloc: change all pageblocks migrate type on coalescing When a page is freed it coalesces with a buddy into a higher order page while possible. When the buddy page migrate type differs, it is expected to be updated to match the one of the page being freed. However, only the first pageblock of the buddy page is updated, while the rest of the pageblocks are left unchanged. That causes warnings in later expand() and other code paths (like below), since an inconsistency between migration type of the list containing the page and the page-owned pageblocks migration types is introduced. [ 308.986589] ------------[ cut here ]------------ [ 308.987227] page type is 0, passed migratetype is 1 (nr=256) [ 308.987275] WARNING: CPU: 1 PID: 5224 at mm/page_alloc.c:812 expand+0x23c/0x270 [ 308.987293] Modules linked in: algif_hash(E) af_alg(E) nft_fib_inet(E) nft_fib_ipv4(E) nft_fib_ipv6(E) nft_fib(E) nft_reject_inet(E) nf_reject_ipv4(E) nf_reject_ipv6(E) nft_reject(E) nft_ct(E) nft_chain_nat(E) nf_nat(E) nf_conntrack(E) nf_defrag_ipv6(E) nf_defrag_ipv4(E) nf_tables(E) s390_trng(E) vfio_ccw(E) mdev(E) vfio_iommu_type1(E) vfio(E) sch_fq_codel(E) drm(E) i2c_core(E) drm_panel_orientation_quirks(E) loop(E) nfnetlink(E) vsock_loopback(E) vmw_vsock_virtio_transport_common(E) vsock(E) ctcm(E) fsm(E) diag288_wdt(E) watchdog(E) zfcp(E) scsi_transport_fc(E) ghash_s390(E) prng(E) aes_s390(E) des_generic(E) des_s390(E) libdes(E) sha3_512_s390(E) sha3_256_s390(E) sha_common(E) paes_s390(E) crypto_engine(E) pkey_cca(E) pkey_ep11(E) zcrypt(E) rng_core(E) pkey_pckmo(E) pkey(E) autofs4(E) [ 308.987439] Unloaded tainted modules: hmac_s390(E):2 [ 308.987650] CPU: 1 UID: 0 PID: 5224 Comm: mempig_verify Kdump: loaded Tainted: G E 6.18.0-gcc-bpf-debug #431 PREEMPT [ 308.987657] Tainted: [E]=UNSIGNED_MODULE [ 308.987661] Hardware name: IBM 3906 M04 704 (z/VM 7.3.0) [ 308.987666] Krnl PSW : 0404f00180000000 00000349976fa600 (expand+0x240/0x270) [ 308.987676] R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:3 CC:3 PM:0 RI:0 EA:3 [ 308.987682] Krnl GPRS: 0000034980000004 0000000000000005 0000000000000030 000003499a0e6d88 [ 308.987688] 0000000000000005 0000034980000005 000002be803ac000 0000023efe6c8300 [ 308.987692] 0000000000000008 0000034998d57290 000002be00000100 0000023e00000008 [ 308.987696] 0000000000000000 0000000000000000 00000349976fa5fc 000002c99b1eb6f0 [ 308.987708] Krnl Code: 00000349976fa5f0: c020008a02f2 larl %r2,000003499883abd4 00000349976fa5f6: c0e5ffe3f4b5 brasl %r14,0000034997378f60 #00000349976fa5fc: af000000 mc 0,0 >00000349976fa600: a7f4ff4c brc 15,00000349976fa498 00000349976fa604: b9040026 lgr %r2,%r6 00000349976fa608: c0300088317f larl %r3,0000034998800906 00000349976fa60e: c0e5fffdb6e1 brasl %r14,00000349976b13d0 00000349976fa614: af000000 mc 0,0 [ 308.987734] Call Trace: [ 308.987738] [<00000349976fa600>] expand+0x240/0x270 [ 308.987744] ([<00000349976fa5fc>] expand+0x23c/0x270) [ 308.987749] [<00000349976ff95e>] rmqueue_bulk+0x71e/0x940 [ 308.987754] [<00000349976ffd7e>] __rmqueue_pcplist+0x1fe/0x2a0 [ 308.987759] [<0000034997700966>] rmqueue.isra.0+0xb46/0xf40 [ 308.987763] [<0000034997703ec8>] get_page_from_freelist+0x198/0x8d0 [ 308.987768] [<0000034997706fa8>] __alloc_frozen_pages_noprof+0x198/0x400 [ 308.987774] [<00000349977536f8>] alloc_pages_mpol+0xb8/0x220 [ 308.987781] [<0000034997753bf6>] folio_alloc_mpol_noprof+0x26/0xc0 [ 308.987786] [<0000034997753e4c>] vma_alloc_folio_noprof+0x6c/0xa0 [ 308.987791] [<0000034997775b22>] vma_alloc_anon_folio_pmd+0x42/0x240 [ 308.987799] [<000003499777bfea>] __do_huge_pmd_anonymous_page+0x3a/0x210 [ 308.987804] [<00000349976cb0 ---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: e6cf9e1c4cde8a53385423ecb8ca581097f42e02 , < 914769048818021556c940b9163e8056be9507dd (git)
Affected: e6cf9e1c4cde8a53385423ecb8ca581097f42e02 , < a794d65b132107a085d165caba33aae1101316a5 (git)
Affected: e6cf9e1c4cde8a53385423ecb8ca581097f42e02 , < 7838a4eb8a1d23160bd3f588ea7f2b8f7c00c55b (git)
Create a notification for this product.
    Linux Linux Affected: 6.10
Unaffected: 0 , < 6.10 (semver)
Unaffected: 6.12.65 , ≤ 6.12.* (semver)
Unaffected: 6.18.4 , ≤ 6.18.* (semver)
Unaffected: 6.19-rc4 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "mm/page_alloc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "914769048818021556c940b9163e8056be9507dd",
              "status": "affected",
              "version": "e6cf9e1c4cde8a53385423ecb8ca581097f42e02",
              "versionType": "git"
            },
            {
              "lessThan": "a794d65b132107a085d165caba33aae1101316a5",
              "status": "affected",
              "version": "e6cf9e1c4cde8a53385423ecb8ca581097f42e02",
              "versionType": "git"
            },
            {
              "lessThan": "7838a4eb8a1d23160bd3f588ea7f2b8f7c00c55b",
              "status": "affected",
              "version": "e6cf9e1c4cde8a53385423ecb8ca581097f42e02",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "mm/page_alloc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.10"
            },
            {
              "lessThan": "6.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.65",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19-rc4",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.65",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.4",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19-rc4",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/page_alloc: change all pageblocks migrate type on coalescing\n\nWhen a page is freed it coalesces with a buddy into a higher order page\nwhile possible.  When the buddy page migrate type differs, it is expected\nto be updated to match the one of the page being freed.\n\nHowever, only the first pageblock of the buddy page is updated, while the\nrest of the pageblocks are left unchanged.\n\nThat causes warnings in later expand() and other code paths (like below),\nsince an inconsistency between migration type of the list containing the\npage and the page-owned pageblocks migration types is introduced.\n\n[  308.986589] ------------[ cut here ]------------\n[  308.987227] page type is 0, passed migratetype is 1 (nr=256)\n[  308.987275] WARNING: CPU: 1 PID: 5224 at mm/page_alloc.c:812 expand+0x23c/0x270\n[  308.987293] Modules linked in: algif_hash(E) af_alg(E) nft_fib_inet(E) nft_fib_ipv4(E) nft_fib_ipv6(E) nft_fib(E) nft_reject_inet(E) nf_reject_ipv4(E) nf_reject_ipv6(E) nft_reject(E) nft_ct(E) nft_chain_nat(E) nf_nat(E) nf_conntrack(E) nf_defrag_ipv6(E) nf_defrag_ipv4(E) nf_tables(E) s390_trng(E) vfio_ccw(E) mdev(E) vfio_iommu_type1(E) vfio(E) sch_fq_codel(E) drm(E) i2c_core(E) drm_panel_orientation_quirks(E) loop(E) nfnetlink(E) vsock_loopback(E) vmw_vsock_virtio_transport_common(E) vsock(E) ctcm(E) fsm(E) diag288_wdt(E) watchdog(E) zfcp(E) scsi_transport_fc(E) ghash_s390(E) prng(E) aes_s390(E) des_generic(E) des_s390(E) libdes(E) sha3_512_s390(E) sha3_256_s390(E) sha_common(E) paes_s390(E) crypto_engine(E) pkey_cca(E) pkey_ep11(E) zcrypt(E) rng_core(E) pkey_pckmo(E) pkey(E) autofs4(E)\n[  308.987439] Unloaded tainted modules: hmac_s390(E):2\n[  308.987650] CPU: 1 UID: 0 PID: 5224 Comm: mempig_verify Kdump: loaded Tainted: G            E       6.18.0-gcc-bpf-debug #431 PREEMPT\n[  308.987657] Tainted: [E]=UNSIGNED_MODULE\n[  308.987661] Hardware name: IBM 3906 M04 704 (z/VM 7.3.0)\n[  308.987666] Krnl PSW : 0404f00180000000 00000349976fa600 (expand+0x240/0x270)\n[  308.987676]            R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:3 CC:3 PM:0 RI:0 EA:3\n[  308.987682] Krnl GPRS: 0000034980000004 0000000000000005 0000000000000030 000003499a0e6d88\n[  308.987688]            0000000000000005 0000034980000005 000002be803ac000 0000023efe6c8300\n[  308.987692]            0000000000000008 0000034998d57290 000002be00000100 0000023e00000008\n[  308.987696]            0000000000000000 0000000000000000 00000349976fa5fc 000002c99b1eb6f0\n[  308.987708] Krnl Code: 00000349976fa5f0: c020008a02f2\tlarl\t%r2,000003499883abd4\n                          00000349976fa5f6: c0e5ffe3f4b5\tbrasl\t%r14,0000034997378f60\n                         #00000349976fa5fc: af000000\t\tmc\t0,0\n                         \u003e00000349976fa600: a7f4ff4c\t\tbrc\t15,00000349976fa498\n                          00000349976fa604: b9040026\t\tlgr\t%r2,%r6\n                          00000349976fa608: c0300088317f\tlarl\t%r3,0000034998800906\n                          00000349976fa60e: c0e5fffdb6e1\tbrasl\t%r14,00000349976b13d0\n                          00000349976fa614: af000000\t\tmc\t0,0\n[  308.987734] Call Trace:\n[  308.987738]  [\u003c00000349976fa600\u003e] expand+0x240/0x270\n[  308.987744] ([\u003c00000349976fa5fc\u003e] expand+0x23c/0x270)\n[  308.987749]  [\u003c00000349976ff95e\u003e] rmqueue_bulk+0x71e/0x940\n[  308.987754]  [\u003c00000349976ffd7e\u003e] __rmqueue_pcplist+0x1fe/0x2a0\n[  308.987759]  [\u003c0000034997700966\u003e] rmqueue.isra.0+0xb46/0xf40\n[  308.987763]  [\u003c0000034997703ec8\u003e] get_page_from_freelist+0x198/0x8d0\n[  308.987768]  [\u003c0000034997706fa8\u003e] __alloc_frozen_pages_noprof+0x198/0x400\n[  308.987774]  [\u003c00000349977536f8\u003e] alloc_pages_mpol+0xb8/0x220\n[  308.987781]  [\u003c0000034997753bf6\u003e] folio_alloc_mpol_noprof+0x26/0xc0\n[  308.987786]  [\u003c0000034997753e4c\u003e] vma_alloc_folio_noprof+0x6c/0xa0\n[  308.987791]  [\u003c0000034997775b22\u003e] vma_alloc_anon_folio_pmd+0x42/0x240\n[  308.987799]  [\u003c000003499777bfea\u003e] __do_huge_pmd_anonymous_page+0x3a/0x210\n[  308.987804]  [\u003c00000349976cb0\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-14T15:07:49.200Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/914769048818021556c940b9163e8056be9507dd"
        },
        {
          "url": "https://git.kernel.org/stable/c/a794d65b132107a085d165caba33aae1101316a5"
        },
        {
          "url": "https://git.kernel.org/stable/c/7838a4eb8a1d23160bd3f588ea7f2b8f7c00c55b"
        }
      ],
      "title": "mm/page_alloc: change all pageblocks migrate type on coalescing",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-71134",
    "datePublished": "2026-01-14T15:07:49.200Z",
    "dateReserved": "2026-01-13T15:30:19.656Z",
    "dateUpdated": "2026-01-14T15:07:49.200Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-71134\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-01-14T15:16:03.167\",\"lastModified\":\"2026-01-14T16:25:12.057\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmm/page_alloc: change all pageblocks migrate type on coalescing\\n\\nWhen a page is freed it coalesces with a buddy into a higher order page\\nwhile possible.  When the buddy page migrate type differs, it is expected\\nto be updated to match the one of the page being freed.\\n\\nHowever, only the first pageblock of the buddy page is updated, while the\\nrest of the pageblocks are left unchanged.\\n\\nThat causes warnings in later expand() and other code paths (like below),\\nsince an inconsistency between migration type of the list containing the\\npage and the page-owned pageblocks migration types is introduced.\\n\\n[  308.986589] ------------[ cut here ]------------\\n[  308.987227] page type is 0, passed migratetype is 1 (nr=256)\\n[  308.987275] WARNING: CPU: 1 PID: 5224 at mm/page_alloc.c:812 expand+0x23c/0x270\\n[  308.987293] Modules linked in: algif_hash(E) af_alg(E) nft_fib_inet(E) nft_fib_ipv4(E) nft_fib_ipv6(E) nft_fib(E) nft_reject_inet(E) nf_reject_ipv4(E) nf_reject_ipv6(E) nft_reject(E) nft_ct(E) nft_chain_nat(E) nf_nat(E) nf_conntrack(E) nf_defrag_ipv6(E) nf_defrag_ipv4(E) nf_tables(E) s390_trng(E) vfio_ccw(E) mdev(E) vfio_iommu_type1(E) vfio(E) sch_fq_codel(E) drm(E) i2c_core(E) drm_panel_orientation_quirks(E) loop(E) nfnetlink(E) vsock_loopback(E) vmw_vsock_virtio_transport_common(E) vsock(E) ctcm(E) fsm(E) diag288_wdt(E) watchdog(E) zfcp(E) scsi_transport_fc(E) ghash_s390(E) prng(E) aes_s390(E) des_generic(E) des_s390(E) libdes(E) sha3_512_s390(E) sha3_256_s390(E) sha_common(E) paes_s390(E) crypto_engine(E) pkey_cca(E) pkey_ep11(E) zcrypt(E) rng_core(E) pkey_pckmo(E) pkey(E) autofs4(E)\\n[  308.987439] Unloaded tainted modules: hmac_s390(E):2\\n[  308.987650] CPU: 1 UID: 0 PID: 5224 Comm: mempig_verify Kdump: loaded Tainted: G            E       6.18.0-gcc-bpf-debug #431 PREEMPT\\n[  308.987657] Tainted: [E]=UNSIGNED_MODULE\\n[  308.987661] Hardware name: IBM 3906 M04 704 (z/VM 7.3.0)\\n[  308.987666] Krnl PSW : 0404f00180000000 00000349976fa600 (expand+0x240/0x270)\\n[  308.987676]            R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:3 CC:3 PM:0 RI:0 EA:3\\n[  308.987682] Krnl GPRS: 0000034980000004 0000000000000005 0000000000000030 000003499a0e6d88\\n[  308.987688]            0000000000000005 0000034980000005 000002be803ac000 0000023efe6c8300\\n[  308.987692]            0000000000000008 0000034998d57290 000002be00000100 0000023e00000008\\n[  308.987696]            0000000000000000 0000000000000000 00000349976fa5fc 000002c99b1eb6f0\\n[  308.987708] Krnl Code: 00000349976fa5f0: c020008a02f2\\tlarl\\t%r2,000003499883abd4\\n                          00000349976fa5f6: c0e5ffe3f4b5\\tbrasl\\t%r14,0000034997378f60\\n                         #00000349976fa5fc: af000000\\t\\tmc\\t0,0\\n                         \u003e00000349976fa600: a7f4ff4c\\t\\tbrc\\t15,00000349976fa498\\n                          00000349976fa604: b9040026\\t\\tlgr\\t%r2,%r6\\n                          00000349976fa608: c0300088317f\\tlarl\\t%r3,0000034998800906\\n                          00000349976fa60e: c0e5fffdb6e1\\tbrasl\\t%r14,00000349976b13d0\\n                          00000349976fa614: af000000\\t\\tmc\\t0,0\\n[  308.987734] Call Trace:\\n[  308.987738]  [\u003c00000349976fa600\u003e] expand+0x240/0x270\\n[  308.987744] ([\u003c00000349976fa5fc\u003e] expand+0x23c/0x270)\\n[  308.987749]  [\u003c00000349976ff95e\u003e] rmqueue_bulk+0x71e/0x940\\n[  308.987754]  [\u003c00000349976ffd7e\u003e] __rmqueue_pcplist+0x1fe/0x2a0\\n[  308.987759]  [\u003c0000034997700966\u003e] rmqueue.isra.0+0xb46/0xf40\\n[  308.987763]  [\u003c0000034997703ec8\u003e] get_page_from_freelist+0x198/0x8d0\\n[  308.987768]  [\u003c0000034997706fa8\u003e] __alloc_frozen_pages_noprof+0x198/0x400\\n[  308.987774]  [\u003c00000349977536f8\u003e] alloc_pages_mpol+0xb8/0x220\\n[  308.987781]  [\u003c0000034997753bf6\u003e] folio_alloc_mpol_noprof+0x26/0xc0\\n[  308.987786]  [\u003c0000034997753e4c\u003e] vma_alloc_folio_noprof+0x6c/0xa0\\n[  308.987791]  [\u003c0000034997775b22\u003e] vma_alloc_anon_folio_pmd+0x42/0x240\\n[  308.987799]  [\u003c000003499777bfea\u003e] __do_huge_pmd_anonymous_page+0x3a/0x210\\n[  308.987804]  [\u003c00000349976cb0\\n---truncated---\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/7838a4eb8a1d23160bd3f588ea7f2b8f7c00c55b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/914769048818021556c940b9163e8056be9507dd\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a794d65b132107a085d165caba33aae1101316a5\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.