CVE-2024-42234

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-42234
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-42234.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-42234
Downstream
Published
2024-08-07T15:14:24Z
Modified
2025-10-14T20:09:54.668835Z
Summary
mm: fix crashes from deferred split racing folio migration
Details

In the Linux kernel, the following vulnerability has been resolved:

mm: fix crashes from deferred split racing folio migration

Even on 6.10-rc6, I've been seeing elusive "Bad page state"s (often on flags when freeing, yet the flags shown are not bad: PG_locked had been set and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s from deferred_split_scan()'s folio_put(), and a variety of other BUG and WARN symptoms implying double free by deferred split and large folio migration.

6.7 commit 9bcef5973e31 ("mm: memcg: fix split queue list crash when large folio migration") was right to fix the memcg-dependent locking broken in 85ce2c517ade ("memcontrol: only transfer the memcg data for migration"), but missed a subtlety of deferred_split_scan(): it moves folios to its own local list to work on them without split_queue_lock, during which time folio->_deferred_list is not empty, but even the "right" lock does nothing to secure the folio and the list it is on.

Fortunately, deferred_split_scan() is careful to use folio_try_get(): so folio_migrate_mapping() can avoid the race by folio_undo_large_rmappable() while the old folio's reference count is temporarily frozen to 0 - adding such a freeze in the !mapping case too (originally, folio lock and unmapping and no swap cache left an anon folio unreachable, so no freezing was needed there: but the deferred split queue offers a way to reach it).
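The mechanism the commit relies on is a refcount freeze: folio_try_get() is "increment unless the count is zero", and folio_ref_freeze() atomically swaps the expected count to zero, so every concurrent try_get fails until the count is restored. The user-space model below is an added example, not kernel code and not part of this advisory; the *_model functions and the two scenario functions are hypothetical stand-ins for the kernel's folio_try_get(), folio_ref_freeze(), deferred_split_scan() and the !mapping path of folio_migrate_mapping(), and the on_deferred_list flag stands in for folio->_deferred_list being non-empty.

```c
/*
 * Added example (hypothetical user-space model, not Linux kernel code):
 * how a refcount freeze in migration makes the deferred-split scanner's
 * folio_try_get() fail instead of racing into a double free.
 */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

struct folio_model {
    atomic_int refcount;     /* models folio->_refcount */
    bool on_deferred_list;   /* models !list_empty(&folio->_deferred_list) */
};

/* Model of folio_try_get(): take a reference only if the count is non-zero. */
static bool try_get_model(struct folio_model *f)
{
    int old = atomic_load(&f->refcount);
    while (old != 0) {
        /* on failure the CAS reloads `old`, so the loop re-checks for 0 */
        if (atomic_compare_exchange_weak(&f->refcount, &old, old + 1))
            return true;
    }
    return false;   /* frozen (0) or already freed: caller must not touch it */
}

static void put_model(struct folio_model *f)
{
    atomic_fetch_sub(&f->refcount, 1);
}

/* Model of folio_ref_freeze(folio, expected): succeeds only if the caller
 * holds exactly `expected` references; afterwards every try_get fails. */
static bool ref_freeze_model(struct folio_model *f, int expected)
{
    int e = expected;
    return atomic_compare_exchange_strong(&f->refcount, &e, 0);
}

static void ref_unfreeze_model(struct folio_model *f, int count)
{
    atomic_store(&f->refcount, count);
}

/* Model of the fixed !mapping path in folio_migrate_mapping(): freeze,
 * take the folio off the deferred split queue (folio_undo_large_rmappable),
 * unfreeze. Returns false when the freeze fails, i.e. someone else (such as
 * the scanner) holds an extra reference and migration must back off. */
bool migrate_mapping_model(struct folio_model *f, int expected)
{
    if (!ref_freeze_model(f, expected))
        return false;
    f->on_deferred_list = false;
    ref_unfreeze_model(f, expected);
    return true;
}

/* Model of deferred_split_scan() after it moved the folio to its local
 * list: it must get a reference before splitting. 1 = got it, 0 = skipped. */
int scan_step_model(struct folio_model *f)
{
    if (!try_get_model(f))
        return 0;
    /* split_folio() would run here while the reference is held */
    put_model(f);
    return 1;
}

/* Scenario 1: migration froze the count first; the scanner must skip. */
int scenario_migration_first(void)
{
    struct folio_model f = { .refcount = 1, .on_deferred_list = true };
    if (!ref_freeze_model(&f, 1))
        return -1;
    int got = scan_step_model(&f);   /* expected: 0 */
    f.on_deferred_list = false;
    ref_unfreeze_model(&f, 1);
    return got;
}

/* Scenario 2: the scanner holds a reference first; migration's freeze
 * sees 2 instead of 1, fails, and the folio stays queued for the scanner. */
bool scenario_scanner_first(void)
{
    struct folio_model f = { .refcount = 1, .on_deferred_list = true };
    if (!try_get_model(&f))
        return false;
    bool migrated = migrate_mapping_model(&f, 1);   /* expected: false */
    put_model(&f);
    return !migrated && f.on_deferred_list;
}

int main(void)
{
    printf("migration first: scanner took ref = %d\n", scenario_migration_first());
    printf("scanner first: migration backed off = %d\n", scenario_scanner_first());
    return 0;
}
```

In both orderings exactly one side wins the folio: either the scanner's try_get observes the frozen zero and leaves the folio alone, or migration's freeze observes the scanner's extra reference and fails. The pre-fix !mapping path had no freeze, so both sides could proceed and free the same large folio.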

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
9bcef5973e31020e5aa8571eb994d67b77318356
Fixed
fc7facce686b64201dbf0b9614cc1d0bfad70010
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
9bcef5973e31020e5aa8571eb994d67b77318356
Fixed
be9581ea8c058d81154251cb0695987098996cad

Affected versions

v6.*

v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.7
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7
v6.9.1
v6.9.2
v6.9.3
v6.9.4
v6.9.5
v6.9.6
v6.9.7
v6.9.8
v6.9.9

Database specific

{
    "vanir_signatures": [
        {
            "id": "CVE-2024-42234-2a61238f",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@be9581ea8c058d81154251cb0695987098996cad",
            "deprecated": false,
            "signature_version": "v1",
            "signature_type": "Function",
            "digest": {
                "length": 2088.0,
                "function_hash": "14923251138126787591266845793489643923"
            },
            "target": {
                "file": "mm/migrate.c",
                "function": "folio_migrate_mapping"
            }
        },
        {
            "id": "CVE-2024-42234-2ba6a993",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@be9581ea8c058d81154251cb0695987098996cad",
            "deprecated": false,
            "signature_version": "v1",
            "signature_type": "Line",
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "45888911572335216845898233230991445215",
                    "151232515261034243143820879498277612392",
                    "257141061796115691092596990990889465831",
                    "309585071734049226105120117775616103997",
                    "301202540896698890161169418981848110887",
                    "178729655181593569836841927678557975497"
                ]
            },
            "target": {
                "file": "mm/migrate.c"
            }
        },
        {
            "id": "CVE-2024-42234-36d580c1",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@fc7facce686b64201dbf0b9614cc1d0bfad70010",
            "deprecated": false,
            "signature_version": "v1",
            "signature_type": "Function",
            "digest": {
                "length": 2088.0,
                "function_hash": "14923251138126787591266845793489643923"
            },
            "target": {
                "file": "mm/migrate.c",
                "function": "folio_migrate_mapping"
            }
        },
        {
            "id": "CVE-2024-42234-41f29860",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@be9581ea8c058d81154251cb0695987098996cad",
            "deprecated": false,
            "signature_version": "v1",
            "signature_type": "Line",
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "1000846476469371865177278873272442067",
                    "162470700919768104100128375495472752812",
                    "223587722708853308938127261505936488476",
                    "313219033250414935543786591444888012696",
                    "57786601268463591317951865220946979646"
                ]
            },
            "target": {
                "file": "mm/memcontrol.c"
            }
        },
        {
            "id": "CVE-2024-42234-903c9a86",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@fc7facce686b64201dbf0b9614cc1d0bfad70010",
            "deprecated": false,
            "signature_version": "v1",
            "signature_type": "Line",
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "45888911572335216845898233230991445215",
                    "151232515261034243143820879498277612392",
                    "257141061796115691092596990990889465831",
                    "309585071734049226105120117775616103997",
                    "301202540896698890161169418981848110887",
                    "178729655181593569836841927678557975497"
                ]
            },
            "target": {
                "file": "mm/migrate.c"
            }
        },
        {
            "id": "CVE-2024-42234-ea70fc97",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@fc7facce686b64201dbf0b9614cc1d0bfad70010",
            "deprecated": false,
            "signature_version": "v1",
            "signature_type": "Line",
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "1000846476469371865177278873272442067",
                    "162470700919768104100128375495472752812",
                    "223587722708853308938127261505936488476",
                    "313219033250414935543786591444888012696",
                    "57786601268463591317951865220946979646"
                ]
            },
            "target": {
                "file": "mm/memcontrol.c"
            }
        }
    ]
}

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.9.10