CVE-2024-35993

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-35993
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-35993.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-35993
Downstream
Published
2024-05-20T09:47:57Z
Modified
2025-10-17T06:02:54.621514Z
Summary
mm: turn folio_test_hugetlb into a PageType
Details

In the Linux kernel, the following vulnerability has been resolved:

mm: turn folio_test_hugetlb into a PageType

The current folio_test_hugetlb() can be fooled by a concurrent folio split into returning true for a folio which has never belonged to hugetlbfs. This can't happen if the caller holds a refcount on it, but we have a few places (memory-failure, compaction, procfs) which do not and should not take a speculative reference.

Since hugetlb pages do not use individual page mapcounts (they are always fully mapped and use the entire_mapcount field to record the number of mappings), the PageType field is available now that page_mapcount() ignores the value in this field.

In compaction and with CONFIG_DEBUG_VM enabled, the current implementation can result in an oops, as reported by Luis. This happens since 9c5ccf2db04b ("mm: remove HUGETLB_PAGE_DTOR") effectively added some VM_BUG_ON() checks in the PageHuge() testing path.

[willy@infradead.org: update vmcoreinfo]

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
9c5ccf2db04b8d7c3df363fdd4856c2b79ab2c6a
Fixed
2431b5f2650dfc47ce782d1ca7b02d6b3916976f
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
9c5ccf2db04b8d7c3df363fdd4856c2b79ab2c6a
Fixed
9fdcc5b6359dfdaa52a55033bf50e2cedd66eb32
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
9c5ccf2db04b8d7c3df363fdd4856c2b79ab2c6a
Fixed
d99e3140a4d33e26066183ff727d8f02f56bec64

Affected versions

v6.*

v6.5
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.6.1
v6.6.10
v6.6.11
v6.6.12
v6.6.13
v6.6.14
v6.6.15
v6.6.16
v6.6.17
v6.6.18
v6.6.19
v6.6.2
v6.6.20
v6.6.21
v6.6.22
v6.6.23
v6.6.24
v6.6.25
v6.6.26
v6.6.27
v6.6.28
v6.6.29
v6.6.3
v6.6.4
v6.6.5
v6.6.6
v6.6.7
v6.6.8
v6.6.9
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.8.1
v6.8.2
v6.8.3
v6.8.4
v6.8.5
v6.8.6
v6.8.7
v6.8.8
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.6.0
Fixed
6.6.30
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.8.9