In the Linux kernel, the following vulnerability has been resolved:
mm: fix crashes from deferred split racing folio migration
Even on 6.10-rc6, I've been seeing elusive "Bad page state"s (often on flags when freeing, yet the flags shown are not bad: PG_locked had been set and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s from deferred_split_scan()'s folio_put(), and a variety of other BUG and WARN symptoms implying double free by deferred split and large folio migration.
6.7 commit 9bcef5973e31 ("mm: memcg: fix split queue list crash when large folio migration") was right to fix the memcg-dependent locking broken in 85ce2c517ade ("memcontrol: only transfer the memcg data for migration"), but missed a subtlety of deferred_split_scan(): it moves folios to its own local list to work on them without split_queue_lock, during which time folio->_deferred_list is not empty, but even the "right" lock does nothing to secure the folio and the list it is on.
Fortunately, deferred_split_scan() is careful to use folio_try_get(): so folio_migrate_mapping() can avoid the race by folio_undo_large_rmappable() while the old folio's reference count is temporarily frozen to 0 - adding such a freeze in the !mapping case too (originally, folio lock and unmapping and no swap cache left an anon folio unreachable, so no freezing was needed there: but the deferred split queue offers a way to reach it).
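The freeze/try_get interplay the fix relies on, as an added user-space model rather than kernel code: a scanner that only takes references through a try_get that refuses a zero count cannot reach a folio whose refcount the migrator has frozen to 0, whereas unlinking without the freeze leaves a window in which both sides hold the folio. The struct and model_* names are hypothetical stand-ins for the kernel's folio atomics.

```c
#include <stdatomic.h>
#include <stdbool.h>

struct folio_model {
    atomic_int refcount;
    bool on_deferred_list;   /* models a non-empty folio->_deferred_list */
};

/* Like page_ref_add_unless(page, 1, 0): take a reference only while the
 * count is non-zero, so a frozen folio (count 0) is refused. */
static bool model_try_get(struct folio_model *f)
{
    int old = atomic_load(&f->refcount);
    while (old != 0)
        if (atomic_compare_exchange_weak(&f->refcount, &old, old + 1))
            return true;
    return false;
}

/* Like folio_ref_freeze(folio, expected): only if exactly 'expected'
 * references are held, atomically set the count to 0. */
static bool model_ref_freeze(struct folio_model *f, int expected)
{
    return atomic_compare_exchange_strong(&f->refcount, &expected, 0);
}

/* Migrator without the fix: the folio leaves the deferred list while its
 * count stays live, so a racing scanner's try_get() succeeds and both
 * sides now hold the folio. Returns 1 if the scanner got a reference. */
static int migrate_without_freeze(struct folio_model *f)
{
    int scanner_got_it = model_try_get(f);    /* racing deferred_split_scan */
    f->on_deferred_list = false;              /* folio_undo_large_rmappable */
    if (scanner_got_it)
        atomic_fetch_sub(&f->refcount, 1);    /* scanner's folio_put */
    return scanner_got_it;
}

/* Migrator with the fix: freeze the count to 0 first, so the scanner's
 * try_get() fails while the folio is unlinked. Returns -1 if the freeze
 * failed (another reference is held), else whether the scanner got in. */
static int migrate_with_freeze(struct folio_model *f, int expected)
{
    if (!model_ref_freeze(f, expected))
        return -1;
    int scanner_got_it = model_try_get(f);    /* racing deferred_split_scan */
    f->on_deferred_list = false;              /* folio_undo_large_rmappable */
    atomic_store(&f->refcount, expected);     /* folio_ref_unfreeze */
    return scanner_got_it;
}
```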