CVE-2025-21881: 
Linux Kernel vulnerability analysis and mitigation

In the Linux kernel, a vulnerability (CVE-2025-21881) was discovered in the uprobes subsystem, specifically in the uprobe_write_opcode() function. The vulnerability was disclosed on March 27, 2025. The issue affects the Linux kernel's memory management system, particularly involving zero page handling (NVD).

The vulnerability stems from incorrect handling of zero pages in the uprobe_write_opcode() function. When a zero pfn is set to the PTE without increasing the RSS count in mfill_atomic_pte_zeropage(), the refcount of zero folio does not increase accordingly. Subsequently, when uprobe_write_opcode()->__replace_page() performs operations on the same pfn, it unconditionally decreases the RSS count and old_folio's refcount (NVD).

The vulnerability results in two critical issues: 1) The RSS count becomes incorrect, leading to a 'Bad rss-count' error when the process exits, and 2) The reserved folio (zero folio) is freed when folio->refcount reaches zero, causing free_pages_prepare->free_page_is_bad() to report a 'Bad page state' error. Additionally, there is potential for a VM_WARN_ON_FOLIO warning in the folio_remove_rmap_pte() function (NVD).

The vulnerability has been resolved by implementing a fix that rejects zero old folio immediately after get_user_page_vma_remote(). This solution was chosen considering that uprobe hit on the zero folio is a very rare case (NVD).