An issue was discovered in include/asm-generic/tlb.h in the Linux kernel before 5.19. Because of a race condition (unmap_mapping_range versus munmap) a device driver can free a page while it still has stale TLB entries. This only occurs in situations with VM_PFNMAP VMAs.

...

PT-2009-2739 · Linux · Linux Kernel

Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 2.6.24.1 Description: The issue allows local users to cause a denial of service or gain privileges via unspecified vectors, related to the vm file structure member, and the mmap region and do munmap functions...