CVE-2025-38242

In the Linux kernel, the following vulnerability has been resolved:

mm: userfaultfd: fix race of userfaultfd_move and swap cache

This commit fixes two kinds of races, they may have different results:

Barry reported a BUGON in commit c50f8e6053b0, we may see the same BUGON if the filemap lookup returned NULL and folio is added to swap cache after that.

If another kind of race is triggered (folio changed after lookup) we may see RSS counter is corrupted:

[ 406.893936] BUG: Bad rss-counter state mm:ffff0000c5a9ddc0 type:MMANONPAGES val:-1 [ 406.894071] BUG: Bad rss-counter state mm:ffff0000c5a9ddc0 type:MMSHMEMPAGES val:1

Because the folio is being accounted to the wrong VMA.

I'm not sure if there will be any data corruption though, seems no. The issues above are critical already.

On seeing a swap entry PTE, userfaultfd_move does a lockless swap cache lookup, and tries to move the found folio to the faulting vma. Currently, it relies on checking the PTE value to ensure that the moved folio still belongs to the src swap entry and that no new folio has been added to the swap cache, which turns out to be unreliable.

While working and reviewing the swap table series with Barry, following existing races are observed and reproduced [1]:

In the example below, movepagespte is moving srcpte to dstpte, where src_pte is a swap entry PTE holding swap entry S1, and S1 is not in the swap cache:

CPU1 CPU2 userfaultfdmove movepagespte() entry = ptetoswpentry(origsrcpte); // Here it got entry = S1 ... < interrupted> ... <swapin srcpte, alloc and use folio A> // folio A is a new allocated folio // and get installed into srcpte <frees swap entry S1> // srcpte now points to folio A, S1 // has swap count == 0, it can be freed // by folioswapswap or swap // allocator's reclaim. <try to swap out another folio B> // folio B is a folio in another VMA. <put folio B to swap cache using S1 > // S1 is freed, folio B can use it // for swap out with no problem. ... folio = filemapgetfolio(S1) // Got folio B here !!! ... < interrupted again> ... <swapin folio B and free S1> // Now S1 is free to be used again. <swapout srcpte & folio A using S1> // Now srcpte is a swap entry PTE // holding S1 again. foliotrylock(folio) moveswappte doubleptlock isptepagesstable // Check passed because srcpte == S1 foliomoveanon_rmap(...) // Moved invalid folio B here !!!

The race window is very short and requires multiple collisions of multiple rare events, so it's very unlikely to happen, but with a deliberately constructed reproducer and increased time window, it can be reproduced easily.

This can be fixed by checking if the folio returned by filemap is the valid swap cache folio after acquiring the folio lock.

Another similar race is possible: filemapgetfolio may return NULL, but folio (A) could be swapped in and then swapped out again using the same swap entry after the lookup. In such a case, folio (A) may remain in the swap cache, so it must be moved too:

CPU1 CPU2 userfaultfdmove movepagespte() entry = ptetoswpentry(origsrcpte); // Here it got entry = S1, and S1 is not in swap cache folio = filemap_get ---truncated---