In the Linux kernel, the following vulnerability has been resolved:
mm: turn folio_test_hugetlb into a PageType
The current folio_test_hugetlb() can be fooled by a concurrent folio split
into returning true for a folio which has never belonged to hugetlbfs.
This can't happen if the caller holds a refcount on it, but we have a few
places (memory-failure, compaction, procfs) which do not and should not
take a speculative reference.
Since hugetlb pages do not use individual page mapcounts (they are always
fully mapped and use the entire_mapcount field to record the number of
mappings), the PageType field is available now that page_mapcount()
ignores the value in this field.
In compaction and with CONFIG_DEBUG_VM enabled, the current implementation
can result in an oops, as reported by Luis. This happens since 9c5ccf2db04b
("mm: remove HUGETLB_PAGE_DTOR") effectively added some VM_BUG_ON() checks
in the PageHuge() testing path.
[[email protected]: update vmcoreinfo]
Link: https://lkml.kernel.org/r/[email protected]
[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "include/linux/page-flags.h",
      "include/trace/events/mmflags.h",
      "kernel/vmcore_info.c",
      "mm/hugetlb.c"
    ],
    "versions": [
      {
        "version": "9c5ccf2db04b",
        "lessThan": "2431b5f2650d",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "9c5ccf2db04b",
        "lessThan": "9fdcc5b6359d",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "9c5ccf2db04b",
        "lessThan": "d99e3140a4d3",
        "status": "affected",
        "versionType": "git"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "affected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "include/linux/page-flags.h",
      "include/trace/events/mmflags.h",
      "kernel/vmcore_info.c",
      "mm/hugetlb.c"
    ],
    "versions": [
      {
        "version": "6.6",
        "status": "affected"
      },
      {
        "version": "0",
        "lessThan": "6.6",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.6.30",
        "lessThanOrEqual": "6.6.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.8.9",
        "lessThanOrEqual": "6.8.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.9",
        "lessThanOrEqual": "*",
        "status": "unaffected",
        "versionType": "original_commit_for_fix"
      }
    ]
  }
]