In the Linux kernel, the following vulnerability has been resolved:

mm: fix crashes from deferred split racing folio migration

Even on 6.10-rc6, I've been seeing elusive "Bad page state"s (often on flags when freeing, yet the flags shown are not bad: PG_locked had been set and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s from deferred_split_scan()'s folio_put(), and a variety of other BUG and WARN symptoms implying double free by deferred split and large folio migration.

6.7 commit 9bcef5973e31 ("mm: memcg: fix split queue list crash when large folio migration") was right to fix the memcg-dependent locking broken in 85ce2c517ade ("memcontrol: only transfer the memcg data for migration"), but missed a subtlety of deferred_split_scan(): it moves folios to its own local list to work on them without split_queue_lock, during which time folio->_deferred_list is not empty, but even the right lock does nothing to secure the folio and the list it is on.

Fortunately, deferred_split_scan() is careful to use folio_try_get(): so folio_migrate_mapping() can avoid the race by folio_undo_large_rmappable() while the old folio's reference count is temporarily frozen to 0 - adding such a freeze in the !mapping case too (originally, folio lock and unmapping and no swap cache left an anon folio unreachable, so no freezing was needed there: but the deferred split queue offers a way to reach it).
In the Linux kernel, the following vulnerability has been resolved:mm: fix crashes from deferred split racing folio migrationEven on 6.10-rc6, I ve been seeing elusive Bad page state s (often onflags when freeing, yet the flags shown are not bad: PG_locked had beenset and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s fromdeferred_split_scan() s folio_put(), and a variety of other BUG and WARNsymptoms implying double free by deferred split and large folio migration.6.7 commit 9bcef5973e31 ( mm: memcg: fix split queue list crash when largefolio migration ) was right to fix the memcg-dependent locking broken in85ce2c517ade ( memcontrol: only transfer the memcg data for migration ),but missed a subtlety of deferred_split_scan(): it moves folios to its ownlocal list to work on them without split_queue_lock, during which timefolio->_deferred_list is not empty, but even the right lock does nothingto secure the folio and the list it is on.Fortunately, deferred_split_scan() is careful to use folio_try_get(): sofolio_migrate_mapping() can avoid the race by folio_undo_large_rmappable()while the old folio s reference count is temporarily frozen to 0 - addingsuch a freeze in the !mapping case too (originally, folio lock andunmapping and no swap cache left an anon folio unreachable, so no freezingwas needed there: but the deferred split queue offers a way to reach it).
In the Linux kernel, the following vulnerability has been resolved:mm: fix crashes from deferred split racing folio migrationEven on 6.10-rc6, I ve been seeing elusive Bad page state s (often onflags when freeing, yet the flags shown are not bad: PG_locked had beenset and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s fromdeferred_split_scan() s folio_put(), and a variety of other BUG and WARNsymptoms implying double free by deferred split and large folio migration.6.7 commit 9bcef5973e31 ( mm: memcg: fix split queue list crash when largefolio migration ) was right to fix the memcg-dependent locking broken in85ce2c517ade ( memcontrol: only transfer the memcg data for migration ),but missed a subtlety of deferred_split_scan(): it moves folios to its ownlocal list to work on them without split_queue_lock, during which timefolio->_deferred_list is not empty, but even the right lock does nothingto secure the folio and the list it is on.Fortunately, deferred_split_scan() is careful to use folio_try_get(): sofolio_migrate_mapping() can avoid the race by folio_undo_large_rmappable()while the old folio s reference count is temporarily frozen to 0 - addingsuch a freeze in the !mapping case too (originally, folio lock andunmapping and no swap cache left an anon folio unreachable, so no freezingwas needed there: but the deferred split queue offers a way to reach it).
| linux | | https://git.kernel.org/linus/be9581ea8c058d81154251cb0695987098996cad | https://git.kernel.org/linus/9bcef5973e31020e5aa8571eb994d67b77318356 | ubuntu |
</details>
2. Structured vulnerability analysis feedback
Impact analysis notes:
In the Linux kernel, the following vulnerability has been resolved:

mm: fix crashes from deferred split racing folio migration

Even on 6.10-rc6, I've been seeing elusive "Bad page state"s (often on flags when freeing, yet the flags shown are not bad: PG_locked had been set and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s from deferred_split_scan()'s folio_put(), and a variety of other BUG and WARN symptoms implying double free by deferred split and large folio migration.

6.7 commit 9bcef5973e31 ("mm: memcg: fix split queue list crash when large folio migration") was right to fix the memcg-dependent locking broken in 85ce2c517ade ("memcontrol: only transfer the memcg data for migration"), but missed a subtlety of deferred_split_scan(): it moves folios to its own local list to work on them without split_queue_lock, during which time folio->_deferred_list is not empty, but even the "right" lock does nothing to secure the folio and the list it is on.

Fortunately, deferred_split_scan() is careful to use folio_try_get(): so folio_migrate_mapping() can avoid the race by folio_undo_large_rmappable() while the old folio's reference count is temporarily frozen to 0 - adding such a freeze in the !mapping case too (originally, folio lock and unmapping and no swap cache left an anon folio unreachable, so no freezing was needed there: but the deferred split queue offers a way to reach it).

The Linux kernel CVE team has assigned CVE-2024-42234 to this issue.
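The description above hinges on one protocol: the deferred split scanner only touches a folio it could pin with folio_try_get(), and migration makes that pin impossible by freezing the old folio's reference count to 0 while it takes the folio off the deferred split list. The following is an added userspace model of that protocol, not kernel code and not the commit's patch. The names try_get(), put(), freeze(), unfreeze(), migrate_old_folio() and scanner_can_work_on() are hypothetical stand-ins for folio_try_get()/folio_put(), the kernel's reference-count freeze and unfreeze helpers, and the list removal done by folio_undo_large_rmappable(); the reference counts used in the scenarios are constructed sample values.

```c
/* Added example: userspace model of "try_get vs. frozen refcount".
 * Not kernel code. A C11 atomic int stands in for the folio refcount;
 * 0 means "frozen": no new reference may be taken until unfreeze. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

struct folio_model {
    atomic_int refcount;    /* model of folio_ref_count() */
    bool on_deferred_list;  /* model of !list_empty(&folio->_deferred_list) */
};

static void folio_model_init(struct folio_model *f, int refs, bool queued)
{
    atomic_init(&f->refcount, refs);
    f->on_deferred_list = queued;
}

/* Model of folio_try_get(): take a reference only if the count is non-zero.
 * A frozen (0) count makes this fail, which is what protects the scanner. */
static bool try_get(struct folio_model *f)
{
    int old = atomic_load(&f->refcount);
    while (old != 0) {
        /* on failure, old is reloaded with the current value and we retry */
        if (atomic_compare_exchange_weak(&f->refcount, &old, old + 1))
            return true;
    }
    return false;
}

static void put(struct folio_model *f)
{
    atomic_fetch_sub(&f->refcount, 1);
}

/* Model of a refcount freeze: replace the expected count with 0 atomically.
 * Fails if anyone (for example the scanner) holds an extra reference. */
static bool freeze(struct folio_model *f, int expected)
{
    return atomic_compare_exchange_strong(&f->refcount, &expected, 0);
}

static void unfreeze(struct folio_model *f, int count)
{
    atomic_store(&f->refcount, count);
}

/* Migration side: freeze first, then unlink from the deferred split list
 * while no scanner can pin the folio, then restore the count. */
static bool migrate_old_folio(struct folio_model *f, int expected_refs)
{
    if (!freeze(f, expected_refs))
        return false;              /* an unexpected reference exists: back off */
    f->on_deferred_list = false;   /* model of folio_undo_large_rmappable() */
    unfreeze(f, expected_refs);
    return true;
}

/* Scanner side: work on a queued folio only after pinning it. */
static bool scanner_can_work_on(struct folio_model *f)
{
    if (!try_get(f))
        return false;              /* frozen or freed: leave it alone */
    put(f);
    return true;
}

/* Scenario 1: while migration holds the freeze, the scanner cannot pin. */
bool scan_blocked_while_frozen(void)
{
    struct folio_model f;
    folio_model_init(&f, 1, true);        /* constructed: one holder, queued */
    bool frozen = freeze(&f, 1);
    bool blocked = !scanner_can_work_on(&f);
    unfreeze(&f, 1);
    return frozen && blocked && atomic_load(&f.refcount) == 1;
}

/* Scenario 2: a scanner that pinned first makes the freeze fail, so
 * migration cannot pull the folio out from under it. */
bool freeze_refused_when_scanner_holds_ref(void)
{
    struct folio_model f;
    folio_model_init(&f, 1, true);
    bool pinned = try_get(&f);            /* count becomes 2 */
    bool refused = !freeze(&f, 1);        /* expected 1, actual 2 */
    put(&f);                              /* scanner done, back to 1 */
    bool later_ok = freeze(&f, 1);        /* now the freeze succeeds */
    unfreeze(&f, 1);
    return pinned && refused && later_ok;
}

/* Scenario 3: after migration unlinked the folio, scanning is safe again. */
bool scan_allowed_after_migration(void)
{
    struct folio_model f;
    folio_model_init(&f, 1, true);
    bool migrated = migrate_old_folio(&f, 1);
    bool can_scan = scanner_can_work_on(&f);
    return migrated && !f.on_deferred_list && can_scan &&
           atomic_load(&f.refcount) == 1;
}

int main(void)
{
    printf("scan blocked while frozen:        %s\n", scan_blocked_while_frozen() ? "yes" : "no");
    printf("freeze refused while scanner pins: %s\n", freeze_refused_when_scanner_holds_ref() ? "yes" : "no");
    printf("scan allowed after migration:     %s\n", scan_allowed_after_migration() ? "yes" : "no");
    return 0;
}
```

The point the model makes is that the split_queue_lock alone cannot help here: the scanner works from a private list without that lock, so the only thing that serialises the two sides is the reference count itself. Freezing it to 0 in the !mapping case closes the window the commit describes; without the freeze, scenario 1 would let the scanner pin a folio that migration is about to free.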
In the Linux kernel, the following vulnerability has been resolved:mm: fix crashes from deferred split racing folio migrationEven on 6.10-rc6, I ve been seeing elusive Bad page state s (often onflags when freeing, yet the flags shown are not bad: PG_locked had beenset and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s fromdeferred_split_scan() s folio_put(), and a variety of other BUG and WARNsymptoms implying double free by deferred split and large folio migration.6.7 commit 9bcef5973e31 ( mm: memcg: fix split queue list crash when largefolio migration ) was right to fix the memcg-dependent locking broken in85ce2c517ade ( memcontrol: only transfer the memcg data for migration ),but missed a subtlety of deferred_split_scan(): it moves folios to its ownlocal list to work on them without split_queue_lock, during which timefolio->_deferred_list is not empty, but even the right lock does nothingto secure the folio and the list it is on.Fortunately, deferred_split_scan() is careful to use folio_try_get(): sofolio_migrate_mapping() can avoid the race by folio_undo_large_rmappable()while the old folio s reference count is temporarily frozen to 0 - addingsuch a freeze in the !mapping case too (originally, folio lock andunmapping and no swap cache left an anon folio unreachable, so no freezingwas needed there: but the deferred split queue offers a way to reach it).
| linux | | https://git.kernel.org/linus/be9581ea8c058d81154251cb0695987098996cad | https://git.kernel.org/linus/9bcef5973e31020e5aa8571eb994d67b77318356 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:mm: fix crashes from deferred split racing folio migrationEven on 6.10-rc6, I've been seeing elusive "Bad page state"s (often onflags when freeing, yet the flags shown are not bad: PG_locked had beenset and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s fromdeferred_split_scan()'s folio_put(), and avariety of other BUG and WARNsymptoms implying double free by deferred split and large folio migration.6.7 commit 9bcef5973e31 ("mm: memcg: fix split queue list crash when largefolio migration") was right to fix the memcg-dependent locking broken in85ce2c517ade ("memcontrol: only transfer the memcg data for migration"),but missed asubtlety of deferred_split_scan(): it moves folios to its ownlocal list to work on them without split_queue_lock, during which timefolio->_deferred_list is not empty, but even the "right" lock does nothingto secure the folio and the list it is on.Fortunately, deferred_split_scan() is careful to use folio_try_get(): sofolio_migrate_mapping() can avoid the race by folio_undo_large_rmappable()while the old folio's reference count is temporarily frozen to 0-addingsuch afreeze in the !mapping case too (originally, folio lock andunmapping and no swap cache left an anon folio unreachable, so no freezingwas needed there: but the deferred split queue offers away to reach it).The Linux kernel CVE team has assigned CVE-2024-42234 to this issue.
In the Linux kernel, the following vulnerability has been resolved:mm: fix crashes from deferred split racing folio migrationEven on 6.10-rc6, I ve been seeing elusive Bad page state s (often onflags when freeing, yet the flags shown are not bad: PG_locked had beenset and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s fromdeferred_split_scan() s folio_put(), and a variety of other BUG and WARNsymptoms implying double free by deferred split and large folio migration.6.7 commit 9bcef5973e31 ( mm: memcg: fix split queue list crash when largefolio migration ) was right to fix the memcg-dependent locking broken in85ce2c517ade ( memcontrol: only transfer the memcg data for migration ),but missed a subtlety of deferred_split_scan(): it moves folios to its ownlocal list to work on them without split_queue_lock, during which timefolio->_deferred_list is not empty, but even the right lock does nothingto secure the folio and the list it is on.Fortunately, deferred_split_scan() is careful to use folio_try_get(): sofolio_migrate_mapping() can avoid the race by folio_undo_large_rmappable()while the old folio s reference count is temporarily frozen to 0 - addingsuch a freeze in the !mapping case too (originally, folio lock andunmapping and no swap cache left an anon folio unreachable, so no freezingwas needed there: but the deferred split queue offers a way to reach it).
| linux | | https://git.kernel.org/linus/be9581ea8c058d81154251cb0695987098996cad | https://git.kernel.org/linus/9bcef5973e31020e5aa8571eb994d67b77318356 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:mm: fix crashes from deferred split racing folio migrationEven on 6.10-rc6, I've been seeing elusive "Bad page state"s (often onflags when freeing, yet the flags shown are not bad: PG_locked had beenset and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s fromdeferred_split_scan()'s folio_put(), anda variety of other BUG and WARNsymptoms implying double free by deferred split and large folio migration.6.7 commit 9bcef5973e31 ("mm: memcg: fix split queue list crash when largefolio migration") was right to fix the memcg-dependent locking broken in85ce2c517ade ("memcontrol: only transfer the memcg data for migration"),but misseda subtlety of deferred_split_scan(): it moves folios to its ownlocal list to work on them without split_queue_lock, during which timefolio->_deferred_list is not empty, but even the "right" lock does nothingto secure the folio and the list it is on.Fortunately, deferred_split_scan() is careful to use folio_try_get(): sofolio_migrate_mapping() can avoid the race by folio_undo_large_rmappable()while the old folio's reference count is temporarily frozen to0- addingsucha freeze in the !mapping case too (originally, folio lock andunmapping and no swap cache left an anon folio unreachable, so no freezingwas needed there: but the deferred split queue offersa way to reach it).The Linux kernel CVE team has assigned CVE-2024-42234 to this issue.
In the Linux kernel, the following vulnerability has been resolved:mm: fix crashes from deferred split racing folio migrationEven on 6.10-rc6, I ve been seeing elusive Bad page state s (often onflags when freeing, yet the flags shown are not bad: PG_locked had beenset and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s fromdeferred_split_scan() s folio_put(), and a variety of other BUG and WARNsymptoms implying double free by deferred split and large folio migration.6.7 commit 9bcef5973e31 ( mm: memcg: fix split queue list crash when largefolio migration ) was right to fix the memcg-dependent locking broken in85ce2c517ade ( memcontrol: only transfer the memcg data for migration ),but missed a subtlety of deferred_split_scan(): it moves folios to its ownlocal list to work on them without split_queue_lock, during which timefolio->_deferred_list is not empty, but even the right lock does nothingto secure the folio and the list it is on.Fortunately, deferred_split_scan() is careful to use folio_try_get(): sofolio_migrate_mapping() can avoid the race by folio_undo_large_rmappable()while the old folio s reference count is temporarily frozen to 0 - addingsuch a freeze in the !mapping case too (originally, folio lock andunmapping and no swap cache left an anon folio unreachable, so no freezingwas needed there: but the deferred split queue offers a way to reach it).
| linux | | https://git.kernel.org/linus/be9581ea8c058d81154251cb0695987098996cad | https://git.kernel.org/linus/9bcef5973e31020e5aa8571eb994d67b77318356 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:mm: fix crashes from deferred split racing folio migrationEven on 6.10-rc6, I've been seeing elusive "Bad page state"s (often onflags when freeing, yet the flags shown are not bad: PG_locked had beenset and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s fromdeferred_split_scan()'s folio_put(), and avariety of other BUG and WARNsymptoms implying double free by deferred split and large folio migration.6.7 commit 9bcef5973e31 ("mm: memcg: fix split queue list crash when largefolio migration") was right to fix the memcg-dependent locking broken in85ce2c517ade ("memcontrol: only transfer the memcg data for migration"),but missed asubtlety of deferred_split_scan(): it moves folios to its ownlocal list to work on them without split_queue_lock, during which timefolio->_deferred_list is not empty, but even the "right" lock does nothingto secure the folio and the list it is on.Fortunately, deferred_split_scan() is careful to use folio_try_get(): sofolio_migrate_mapping() can avoid the race by folio_undo_large_rmappable()while the old folio's reference count is temporarily frozen to 0-addingsuch afreeze in the !mapping case too (originally, folio lock andunmapping and no swap cache left an anon folio unreachable, so no freezingwas needed there: but the deferred split queue offers away to reach it).The Linux kernel CVE team has assigned CVE-2024-42234 to this issue.
In the Linux kernel, the following vulnerability has been resolved:mm: fix crashes from deferred split racing folio migrationEven on 6.10-rc6, I ve been seeing elusive Bad page state s (often onflags when freeing, yet the flags shown are not bad: PG_locked had beenset and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s fromdeferred_split_scan() s folio_put(), and a variety of other BUG and WARNsymptoms implying double free by deferred split and large folio migration.6.7 commit 9bcef5973e31 ( mm: memcg: fix split queue list crash when largefolio migration ) was right to fix the memcg-dependent locking broken in85ce2c517ade ( memcontrol: only transfer the memcg data for migration ),but missed a subtlety of deferred_split_scan(): it moves folios to its ownlocal list to work on them without split_queue_lock, during which timefolio->_deferred_list is not empty, but even the right lock does nothingto secure the folio and the list it is on.Fortunately, deferred_split_scan() is careful to use folio_try_get(): sofolio_migrate_mapping() can avoid the race by folio_undo_large_rmappable()while the old folio s reference count is temporarily frozen to 0 - addingsuch a freeze in the !mapping case too (originally, folio lock andunmapping and no swap cache left an anon folio unreachable, so no freezingwas needed there: but the deferred split queue offers a way to reach it).
| linux | | https://git.kernel.org/linus/be9581ea8c058d81154251cb0695987098996cad | https://git.kernel.org/linus/9bcef5973e31020e5aa8571eb994d67b77318356 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:mm: fix crashes from deferred split racing folio migrationEven on 6.10-rc6, I've been seeing elusive "Bad page state"s (often onflags when freeing, yet the flags shown are not bad: PG_locked had beenset and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s fromdeferred_split_scan()'s folio_put(), anda variety of other BUG and WARNsymptoms implying double free by deferred split and large folio migration.6.7 commit 9bcef5973e31 ("mm: memcg: fix split queue list crash when largefolio migration") was right to fix the memcg-dependent locking broken in85ce2c517ade ("memcontrol: only transfer the memcg data for migration"),but misseda subtlety of deferred_split_scan(): it moves folios to its ownlocal list to work on them without split_queue_lock, during which timefolio->_deferred_list is not empty, but even the "right" lock does nothingto secure the folio and the list it is on.Fortunately, deferred_split_scan() is careful to use folio_try_get(): sofolio_migrate_mapping() can avoid the race by folio_undo_large_rmappable()while the old folio's reference count is temporarily frozen to0- addingsucha freeze in the !mapping case too (originally, folio lock andunmapping and no swap cache left an anon folio unreachable, so no freezingwas needed there: but the deferred split queue offersa way to reach it).The Linux kernel CVE team has assigned CVE-2024-42234 to this issue.
In the Linux kernel, the following vulnerability has been resolved:mm: fix crashes from deferred split racing folio migrationEven on 6.10-rc6, I ve been seeing elusive Bad page state s (often onflags when freeing, yet the flags shown are not bad: PG_locked had beenset and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s fromdeferred_split_scan() s folio_put(), and a variety of other BUG and WARNsymptoms implying double free by deferred split and large folio migration.6.7 commit 9bcef5973e31 ( mm: memcg: fix split queue list crash when largefolio migration ) was right to fix the memcg-dependent locking broken in85ce2c517ade ( memcontrol: only transfer the memcg data for migration ),but missed a subtlety of deferred_split_scan(): it moves folios to its ownlocal list to work on them without split_queue_lock, during which timefolio->_deferred_list is not empty, but even the right lock does nothingto secure the folio and the list it is on.Fortunately, deferred_split_scan() is careful to use folio_try_get(): sofolio_migrate_mapping() can avoid the race by folio_undo_large_rmappable()while the old folio s reference count is temporarily frozen to 0 - addingsuch a freeze in the !mapping case too (originally, folio lock andunmapping and no swap cache left an anon folio unreachable, so no freezingwas needed there: but the deferred split queue offers a way to reach it).
| linux | | https://git.kernel.org/linus/be9581ea8c058d81154251cb0695987098996cad | https://git.kernel.org/linus/9bcef5973e31020e5aa8571eb994d67b77318356 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:mm: fix crashes from deferred split racing folio migrationEven on 6.10-rc6, I've been seeing elusive "Bad page state"s (often onflags when freeing, yet the flags shown are not bad: PG_locked had beenset and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s fromdeferred_split_scan()'s folio_put(), and avariety of other BUG and WARNsymptoms implying double free by deferred split and large folio migration.6.7 commit 9bcef5973e31 ("mm: memcg: fix split queue list crash when largefolio migration") was right to fix the memcg-dependent locking broken in85ce2c517ade ("memcontrol: only transfer the memcg data for migration"),but missed asubtlety of deferred_split_scan(): it moves folios to its ownlocal list to work on them without split_queue_lock, during which timefolio->_deferred_list is not empty, but even the "right" lock does nothingto secure the folio and the list it is on.Fortunately, deferred_split_scan() is careful to use folio_try_get(): sofolio_migrate_mapping() can avoid the race by folio_undo_large_rmappable()while the old folio's reference count is temporarily frozen to 0-addingsuch afreeze in the !mapping case too (originally, folio lock andunmapping and no swap cache left an anon folio unreachable, so no freezingwas needed there: but the deferred split queue offers away to reach it).The Linux kernel CVE team has assigned CVE-2024-42234 to this issue.
In the Linux kernel, the following vulnerability has been resolved:mm: fix crashes from deferred split racing folio migrationEven on 6.10-rc6, I ve been seeing elusive Bad page state s (often onflags when freeing, yet the flags shown are not bad: PG_locked had beenset and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s fromdeferred_split_scan() s folio_put(), and a variety of other BUG and WARNsymptoms implying double free by deferred split and large folio migration.6.7 commit 9bcef5973e31 ( mm: memcg: fix split queue list crash when largefolio migration ) was right to fix the memcg-dependent locking broken in85ce2c517ade ( memcontrol: only transfer the memcg data for migration ),but missed a subtlety of deferred_split_scan(): it moves folios to its ownlocal list to work on them without split_queue_lock, during which timefolio->_deferred_list is not empty, but even the right lock does nothingto secure the folio and the list it is on.Fortunately, deferred_split_scan() is careful to use folio_try_get(): sofolio_migrate_mapping() can avoid the race by folio_undo_large_rmappable()while the old folio s reference count is temporarily frozen to 0 - addingsuch a freeze in the !mapping case too (originally, folio lock andunmapping and no swap cache left an anon folio unreachable, so no freezingwas needed there: but the deferred split queue offers a way to reach it).
| linux | | https://git.kernel.org/linus/be9581ea8c058d81154251cb0695987098996cad | https://git.kernel.org/linus/9bcef5973e31020e5aa8571eb994d67b77318356 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:mm: fix crashes from deferred split racing folio migrationEven on 6.10-rc6, I've been seeing elusive "Bad page state"s (often onflags when freeing, yet the flags shown are not bad: PG_locked had beenset and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s fromdeferred_split_scan()'s folio_put(), anda variety of other BUG and WARNsymptoms implying double free by deferred split and large folio migration.6.7 commit 9bcef5973e31 ("mm: memcg: fix split queue list crash when largefolio migration") was right to fix the memcg-dependent locking broken in85ce2c517ade ("memcontrol: only transfer the memcg data for migration"),but misseda subtlety of deferred_split_scan(): it moves folios to its ownlocal list to work on them without split_queue_lock, during which timefolio->_deferred_list is not empty, but even the "right" lock does nothingto secure the folio and the list it is on.Fortunately, deferred_split_scan() is careful to use folio_try_get(): sofolio_migrate_mapping() can avoid the race by folio_undo_large_rmappable()while the old folio's reference count is temporarily frozen to0- addingsucha freeze in the !mapping case too (originally, folio lock andunmapping and no swap cache left an anon folio unreachable, so no freezingwas needed there: but the deferred split queue offersa way to reach it).The Linux kernel CVE team has assigned CVE-2024-42234 to this issue.
In the Linux kernel, the following vulnerability has been resolved:mm: fix crashes from deferred split racing folio migrationEven on 6.10-rc6, I ve been seeing elusive Bad page state s (often onflags when freeing, yet the flags shown are not bad: PG_locked had beenset and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s fromdeferred_split_scan() s folio_put(), and a variety of other BUG and WARNsymptoms implying double free by deferred split and large folio migration.6.7 commit 9bcef5973e31 ( mm: memcg: fix split queue list crash when largefolio migration ) was right to fix the memcg-dependent locking broken in85ce2c517ade ( memcontrol: only transfer the memcg data for migration ),but missed a subtlety of deferred_split_scan(): it moves folios to its ownlocal list to work on them without split_queue_lock, during which timefolio->_deferred_list is not empty, but even the right lock does nothingto secure the folio and the list it is on.Fortunately, deferred_split_scan() is careful to use folio_try_get(): sofolio_migrate_mapping() can avoid the race by folio_undo_large_rmappable()while the old folio s reference count is temporarily frozen to 0 - addingsuch a freeze in the !mapping case too (originally, folio lock andunmapping and no swap cache left an anon folio unreachable, so no freezingwas needed there: but the deferred split queue offers a way to reach it).
| linux | | https://git.kernel.org/linus/be9581ea8c058d81154251cb0695987098996cad | https://git.kernel.org/linus/9bcef5973e31020e5aa8571eb994d67b77318356 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:mm: fix crashes from deferred split racing folio migrationEven on 6.10-rc6, I've been seeing elusive "Bad page state"s (often onflags when freeing, yet the flags shown are not bad: PG_locked had beenset and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s fromdeferred_split_scan()'s folio_put(), and avariety of other BUG and WARNsymptoms implying double free by deferred split and large folio migration.6.7 commit 9bcef5973e31 ("mm: memcg: fix split queue list crash when largefolio migration") was right to fix the memcg-dependent locking broken in85ce2c517ade ("memcontrol: only transfer the memcg data for migration"),but missed asubtlety of deferred_split_scan(): it moves folios to its ownlocal list to work on them without split_queue_lock, during which timefolio->_deferred_list is not empty, but even the "right" lock does nothingto secure the folio and the list it is on.Fortunately, deferred_split_scan() is careful to use folio_try_get(): sofolio_migrate_mapping() can avoid the race by folio_undo_large_rmappable()while the old folio's reference count is temporarily frozen to 0-addingsuch afreeze in the !mapping case too (originally, folio lock andunmapping and no swap cache left an anon folio unreachable, so no freezingwas needed there: but the deferred split queue offers away to reach it).The Linux kernel CVE team has assigned CVE-2024-42234 to this issue.
In the Linux kernel, the following vulnerability has been resolved:mm: fix crashes from deferred split racing folio migrationEven on 6.10-rc6, I ve been seeing elusive Bad page state s (often onflags when freeing, yet the flags shown are not bad: PG_locked had beenset and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s fromdeferred_split_scan() s folio_put(), and a variety of other BUG and WARNsymptoms implying double free by deferred split and large folio migration.6.7 commit 9bcef5973e31 ( mm: memcg: fix split queue list crash when largefolio migration ) was right to fix the memcg-dependent locking broken in85ce2c517ade ( memcontrol: only transfer the memcg data for migration ),but missed a subtlety of deferred_split_scan(): it moves folios to its ownlocal list to work on them without split_queue_lock, during which timefolio->_deferred_list is not empty, but even the right lock does nothingto secure the folio and the list it is on.Fortunately, deferred_split_scan() is careful to use folio_try_get(): sofolio_migrate_mapping() can avoid the race by folio_undo_large_rmappable()while the old folio s reference count is temporarily frozen to 0 - addingsuch a freeze in the !mapping case too (originally, folio lock andunmapping and no swap cache left an anon folio unreachable, so no freezingwas needed there: but the deferred split queue offers a way to reach it).
| linux | | https://git.kernel.org/linus/be9581ea8c058d81154251cb0695987098996cad | https://git.kernel.org/linus/9bcef5973e31020e5aa8571eb994d67b77318356 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:mm: fix crashes from deferred split racing folio migrationEven on 6.10-rc6, I've been seeing elusive "Bad page state"s (often onflags when freeing, yet the flags shown are not bad: PG_locked had beenset and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s fromdeferred_split_scan()'s folio_put(), anda variety of other BUG and WARNsymptoms implying double free by deferred split and large folio migration.6.7 commit 9bcef5973e31 ("mm: memcg: fix split queue list crash when largefolio migration") was right to fix the memcg-dependent locking broken in85ce2c517ade ("memcontrol: only transfer the memcg data for migration"),but misseda subtlety of deferred_split_scan(): it moves folios to its ownlocal list to work on them without split_queue_lock, during which timefolio->_deferred_list is not empty, but even the "right" lock does nothingto secure the folio and the list it is on.Fortunately, deferred_split_scan() is careful to use folio_try_get(): sofolio_migrate_mapping() can avoid the race by folio_undo_large_rmappable()while the old folio's reference count is temporarily frozen to0- addingsucha freeze in the !mapping case too (originally, folio lock andunmapping and no swap cache left an anon folio unreachable, so no freezingwas needed there: but the deferred split queue offersa way to reach it).The Linux kernel CVE team has assigned CVE-2024-42234 to this issue.
In the Linux kernel, the following vulnerability has been resolved:mm: fix crashes from deferred split racing folio migrationEven on 6.10-rc6, I ve been seeing elusive Bad page state s (often onflags when freeing, yet the flags shown are not bad: PG_locked had beenset and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s fromdeferred_split_scan() s folio_put(), and a variety of other BUG and WARNsymptoms implying double free by deferred split and large folio migration.6.7 commit 9bcef5973e31 ( mm: memcg: fix split queue list crash when largefolio migration ) was right to fix the memcg-dependent locking broken in85ce2c517ade ( memcontrol: only transfer the memcg data for migration ),but missed a subtlety of deferred_split_scan(): it moves folios to its ownlocal list to work on them without split_queue_lock, during which timefolio->_deferred_list is not empty, but even the right lock does nothingto secure the folio and the list it is on.Fortunately, deferred_split_scan() is careful to use folio_try_get(): sofolio_migrate_mapping() can avoid the race by folio_undo_large_rmappable()while the old folio s reference count is temporarily frozen to 0 - addingsuch a freeze in the !mapping case too (originally, folio lock andunmapping and no swap cache left an anon folio unreachable, so no freezingwas needed there: but the deferred split queue offers a way to reach it).
| linux | | https://git.kernel.org/linus/be9581ea8c058d81154251cb0695987098996cad | https://git.kernel.org/linus/9bcef5973e31020e5aa8571eb994d67b77318356 | ubuntu |
</details>
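The synchronisation the commit message relies on (a frozen reference count makes folio_try_get() fail, so migration can tear down the deferred-split state without the scanner racing it) is easier to see in a small userspace model. The following C program is an added illustration, not part of this record and not kernel source: the functions named after kernel helpers (folio_try_get, folio_put, folio_ref_freeze, folio_ref_unfreeze) are simplified stand-ins built on C11 atomics, the `on_deferred_list` flag stands in for "folio->_deferred_list is not empty", and the three scenarios, including the "unfixed" migration path that simply skips the freeze, are constructed for the demonstration.

```c
#include <stdatomic.h>
#include <stdbool.h>

/* Toy stand-in for a large folio (not the kernel's struct folio). */
struct folio {
    atomic_int refcount;
    bool on_deferred_list;   /* models !list_empty(&folio->_deferred_list) */
};

static void folio_init(struct folio *f, int refs)
{
    atomic_init(&f->refcount, refs);
    f->on_deferred_list = true;   /* constructed: queued for deferred split */
}

/* Model of folio_try_get(): add a reference unless the count is 0,
 * so a frozen (0) count refuses new references. */
bool folio_try_get(struct folio *f)
{
    int old = atomic_load(&f->refcount);
    while (old != 0) {
        if (atomic_compare_exchange_weak(&f->refcount, &old, old + 1))
            return true;   /* on failure, old has been reloaded */
    }
    return false;
}

void folio_put(struct folio *f) { atomic_fetch_sub(&f->refcount, 1); }

/* Model of folio_ref_freeze(): swing the count from exactly `expected`
 * to 0 atomically; fails if anyone else holds a reference. */
bool folio_ref_freeze(struct folio *f, int expected)
{
    int e = expected;
    return atomic_compare_exchange_strong(&f->refcount, &e, 0);
}

void folio_ref_unfreeze(struct folio *f, int count)
{
    atomic_store(&f->refcount, count);
}

/* Scanner side: pin with try_get, skip the folio if that fails. */
bool scanner_visit(struct folio *f)
{
    if (!folio_try_get(f))
        return false;   /* frozen or gone: leave it alone */
    /* split work would happen here, protected by the pin */
    folio_put(f);
    return true;
}

enum migrate_result { MIGRATE_OK, MIGRATE_BUSY };

/* Migration after the fix: freeze first, then undo the deferred-list
 * state (stand-in for folio_undo_large_rmappable()). */
enum migrate_result migrate_fixed(struct folio *f, int expected_refs)
{
    if (!folio_ref_freeze(f, expected_refs))
        return MIGRATE_BUSY;       /* a scanner pin is outstanding: back off */
    f->on_deferred_list = false;   /* nobody can try_get() us while frozen */
    folio_ref_unfreeze(f, expected_refs);
    return MIGRATE_OK;
}

/* Migration as modelled before the fix: no freeze on this path. */
enum migrate_result migrate_unfixed(struct folio *f)
{
    f->on_deferred_list = false;
    return MIGRATE_OK;
}

/* Scenario 1: the scanner already holds a pin, so the freeze fails and the
 * fixed path backs off with the deferred-list state intact. Returns 1. */
int scenario_fixed_backs_off(void)
{
    struct folio f;
    folio_init(&f, 1);
    if (!folio_try_get(&f))        /* scanner's pin: count is now 2 */
        return -1;
    enum migrate_result r = migrate_fixed(&f, 1);
    folio_put(&f);
    return (r == MIGRATE_BUSY && f.on_deferred_list) ? 1 : 0;
}

/* Scenario 2: migration freezes first; try_get fails while frozen and
 * works again after unfreeze, when the folio is already off the list. */
int scenario_frozen_blocks_scanner(void)
{
    struct folio f;
    folio_init(&f, 1);
    if (!folio_ref_freeze(&f, 1))
        return -1;
    bool got_while_frozen = folio_try_get(&f);
    f.on_deferred_list = false;
    folio_ref_unfreeze(&f, 1);
    bool got_after = scanner_visit(&f);
    return (!got_while_frozen && got_after && !f.on_deferred_list) ? 1 : 0;
}

/* Scenario 3: the unfixed path proceeds under a live scanner pin, so both
 * sides now act on the deferred-list state at once. Returns 1. */
int scenario_unfixed_overlaps(void)
{
    struct folio f;
    folio_init(&f, 1);
    if (!folio_try_get(&f))
        return -1;
    enum migrate_result r = migrate_unfixed(&f);
    int refs_during = atomic_load(&f.refcount);   /* 2: scanner still pinned */
    folio_put(&f);
    return (r == MIGRATE_OK && refs_during == 2 && !f.on_deferred_list) ? 1 : 0;
}
```

Each scenario function returns 1 when the modelled behaviour matches the description: the fixed path only proceeds when it could freeze the count, the scanner cannot take a new pin while the count is frozen, and the path without a freeze overlaps with a scanner that still holds a reference. The model says nothing about the memcg locking or the real list manipulation; it isolates only the refcount-freeze idiom that the fix depends on.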
2. Vulnerability analysis structure feedback
Impact analysis explanation:
In the Linux kernel, the following vulnerability has been resolved:mm: fix crashes from deferred split racing folio migrationEven on 6.10-rc6, I ve been seeing elusive Bad page state s (often onflags when freeing, yet the flags shown are not bad: PG_locked had beenset and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s fromdeferred_split_scan() s folio_put(), and a variety of other BUG and WARNsymptoms implying double free by deferred split and large folio migration.6.7 commit 9bcef5973e31 ( mm: memcg: fix split queue list crash when largefolio migration ) was right to fix the memcg-dependent locking broken in85ce2c517ade ( memcontrol: only transfer the memcg data for migration ),but missed a subtlety of deferred_split_scan(): it moves folios to its ownlocal list to work on them without split_queue_lock, during which timefolio->_deferred_list is not empty, but even the right lock does nothingto secure the folio and the list it is on.Fortunately, deferred_split_scan() is careful to use folio_try_get(): sofolio_migrate_mapping() can avoid the race by folio_undo_large_rmappable()while the old folio s reference count is temporarily frozen to 0 - addingsuch a freeze in the !mapping case too (originally, folio lock andunmapping and no swap cache left an anon folio unreachable, so no freezingwas needed there: but the deferred split queue offers a way to reach it).
| linux | | https://git.kernel.org/linus/be9581ea8c058d81154251cb0695987098996cad | https://git.kernel.org/linus/9bcef5973e31020e5aa8571eb994d67b77318356 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:mm: fix crashes from deferred split racing folio migrationEven on 6.10-rc6, I've been seeing elusive "Bad page state"s (often onflags when freeing, yet the flags shown are not bad: PG_locked had beenset and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s fromdeferred_split_scan()'s folio_put(), and avariety of other BUG and WARNsymptoms implying double free by deferred split and large folio migration.6.7 commit 9bcef5973e31 ("mm: memcg: fix split queue list crash when largefolio migration") was right to fix the memcg-dependent locking broken in85ce2c517ade ("memcontrol: only transfer the memcg data for migration"),but missed asubtlety of deferred_split_scan(): it moves folios to its ownlocal list to work on them without split_queue_lock, during which timefolio->_deferred_list is not empty, but even the "right" lock does nothingto secure the folio and the list it is on.Fortunately, deferred_split_scan() is careful to use folio_try_get(): sofolio_migrate_mapping() can avoid the race by folio_undo_large_rmappable()while the old folio's reference count is temporarily frozen to 0-addingsuch afreeze in the !mapping case too (originally, folio lock andunmapping and no swap cache left an anon folio unreachable, so no freezingwas needed there: but the deferred split queue offers away to reach it).The Linux kernel CVE team has assigned CVE-2024-42234 to this issue.
In the Linux kernel, the following vulnerability has been resolved:mm: fix crashes from deferred split racing folio migrationEven on 6.10-rc6, I ve been seeing elusive Bad page state s (often onflags when freeing, yet the flags shown are not bad: PG_locked had beenset and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s fromdeferred_split_scan() s folio_put(), and a variety of other BUG and WARNsymptoms implying double free by deferred split and large folio migration.6.7 commit 9bcef5973e31 ( mm: memcg: fix split queue list crash when largefolio migration ) was right to fix the memcg-dependent locking broken in85ce2c517ade ( memcontrol: only transfer the memcg data for migration ),but missed a subtlety of deferred_split_scan(): it moves folios to its ownlocal list to work on them without split_queue_lock, during which timefolio->_deferred_list is not empty, but even the right lock does nothingto secure the folio and the list it is on.Fortunately, deferred_split_scan() is careful to use folio_try_get(): sofolio_migrate_mapping() can avoid the race by folio_undo_large_rmappable()while the old folio s reference count is temporarily frozen to 0 - addingsuch a freeze in the !mapping case too (originally, folio lock andunmapping and no swap cache left an anon folio unreachable, so no freezingwas needed there: but the deferred split queue offers a way to reach it).
| linux | | https://git.kernel.org/linus/be9581ea8c058d81154251cb0695987098996cad | https://git.kernel.org/linus/9bcef5973e31020e5aa8571eb994d67b77318356 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:mm: fix crashes from deferred split racing folio migrationEven on 6.10-rc6, I've been seeing elusive "Bad page state"s (often onflags when freeing, yet the flags shown are not bad: PG_locked had beenset and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s fromdeferred_split_scan()'s folio_put(), anda variety of other BUG and WARNsymptoms implying double free by deferred split and large folio migration.6.7 commit 9bcef5973e31 ("mm: memcg: fix split queue list crash when largefolio migration") was right to fix the memcg-dependent locking broken in85ce2c517ade ("memcontrol: only transfer the memcg data for migration"),but misseda subtlety of deferred_split_scan(): it moves folios to its ownlocal list to work on them without split_queue_lock, during which timefolio->_deferred_list is not empty, but even the "right" lock does nothingto secure the folio and the list it is on.Fortunately, deferred_split_scan() is careful to use folio_try_get(): sofolio_migrate_mapping() can avoid the race by folio_undo_large_rmappable()while the old folio's reference count is temporarily frozen to0- addingsucha freeze in the !mapping case too (originally, folio lock andunmapping and no swap cache left an anon folio unreachable, so no freezingwas needed there: but the deferred split queue offersa way to reach it).The Linux kernel CVE team has assigned CVE-2024-42234 to this issue.
In the Linux kernel, the following vulnerability has been resolved:mm: fix crashes from deferred split racing folio migrationEven on 6.10-rc6, I ve been seeing elusive Bad page state s (often onflags when freeing, yet the flags shown are not bad: PG_locked had beenset and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s fromdeferred_split_scan() s folio_put(), and a variety of other BUG and WARNsymptoms implying double free by deferred split and large folio migration.6.7 commit 9bcef5973e31 ( mm: memcg: fix split queue list crash when largefolio migration ) was right to fix the memcg-dependent locking broken in85ce2c517ade ( memcontrol: only transfer the memcg data for migration ),but missed a subtlety of deferred_split_scan(): it moves folios to its ownlocal list to work on them without split_queue_lock, during which timefolio->_deferred_list is not empty, but even the right lock does nothingto secure the folio and the list it is on.Fortunately, deferred_split_scan() is careful to use folio_try_get(): sofolio_migrate_mapping() can avoid the race by folio_undo_large_rmappable()while the old folio s reference count is temporarily frozen to 0 - addingsuch a freeze in the !mapping case too (originally, folio lock andunmapping and no swap cache left an anon folio unreachable, so no freezingwas needed there: but the deferred split queue offers a way to reach it).
| linux | | https://git.kernel.org/linus/be9581ea8c058d81154251cb0695987098996cad | https://git.kernel.org/linus/9bcef5973e31020e5aa8571eb994d67b77318356 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:mm: fix crashes from deferred split racing folio migrationEven on 6.10-rc6, I've been seeing elusive "Bad page state"s (often onflags when freeing, yet the flags shown are not bad: PG_locked had beenset and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s fromdeferred_split_scan()'s folio_put(), and avariety of other BUG and WARNsymptoms implying double free by deferred split and large folio migration.6.7 commit 9bcef5973e31 ("mm: memcg: fix split queue list crash when largefolio migration") was right to fix the memcg-dependent locking broken in85ce2c517ade ("memcontrol: only transfer the memcg data for migration"),but missed asubtlety of deferred_split_scan(): it moves folios to its ownlocal list to work on them without split_queue_lock, during which timefolio->_deferred_list is not empty, but even the "right" lock does nothingto secure the folio and the list it is on.Fortunately, deferred_split_scan() is careful to use folio_try_get(): sofolio_migrate_mapping() can avoid the race by folio_undo_large_rmappable()while the old folio's reference count is temporarily frozen to 0-addingsuch afreeze in the !mapping case too (originally, folio lock andunmapping and no swap cache left an anon folio unreachable, so no freezingwas needed there: but the deferred split queue offers away to reach it).The Linux kernel CVE team has assigned CVE-2024-42234 to this issue.
In the Linux kernel, the following vulnerability has been resolved:mm: fix crashes from deferred split racing folio migrationEven on 6.10-rc6, I ve been seeing elusive Bad page state s (often onflags when freeing, yet the flags shown are not bad: PG_locked had beenset and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s fromdeferred_split_scan() s folio_put(), and a variety of other BUG and WARNsymptoms implying double free by deferred split and large folio migration.6.7 commit 9bcef5973e31 ( mm: memcg: fix split queue list crash when largefolio migration ) was right to fix the memcg-dependent locking broken in85ce2c517ade ( memcontrol: only transfer the memcg data for migration ),but missed a subtlety of deferred_split_scan(): it moves folios to its ownlocal list to work on them without split_queue_lock, during which timefolio->_deferred_list is not empty, but even the right lock does nothingto secure the folio and the list it is on.Fortunately, deferred_split_scan() is careful to use folio_try_get(): sofolio_migrate_mapping() can avoid the race by folio_undo_large_rmappable()while the old folio s reference count is temporarily frozen to 0 - addingsuch a freeze in the !mapping case too (originally, folio lock andunmapping and no swap cache left an anon folio unreachable, so no freezingwas needed there: but the deferred split queue offers a way to reach it).
| linux | | https://git.kernel.org/linus/be9581ea8c058d81154251cb0695987098996cad | https://git.kernel.org/linus/9bcef5973e31020e5aa8571eb994d67b77318356 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:mm: fix crashes from deferred split racing folio migrationEven on 6.10-rc6, I've been seeing elusive "Bad page state"s (often onflags when freeing, yet the flags shown are not bad: PG_locked had beenset and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s fromdeferred_split_scan()'s folio_put(), anda variety of other BUG and WARNsymptoms implying double free by deferred split and large folio migration.6.7 commit 9bcef5973e31 ("mm: memcg: fix split queue list crash when largefolio migration") was right to fix the memcg-dependent locking broken in85ce2c517ade ("memcontrol: only transfer the memcg data for migration"),but misseda subtlety of deferred_split_scan(): it moves folios to its ownlocal list to work on them without split_queue_lock, during which timefolio->_deferred_list is not empty, but even the "right" lock does nothingto secure the folio and the list it is on.Fortunately, deferred_split_scan() is careful to use folio_try_get(): sofolio_migrate_mapping() can avoid the race by folio_undo_large_rmappable()while the old folio's reference count is temporarily frozen to0- addingsucha freeze in the !mapping case too (originally, folio lock andunmapping and no swap cache left an anon folio unreachable, so no freezingwas needed there: but the deferred split queue offersa way to reach it).The Linux kernel CVE team has assigned CVE-2024-42234 to this issue.
In the Linux kernel, the following vulnerability has been resolved:mm: fix crashes from deferred split racing folio migrationEven on 6.10-rc6, I ve been seeing elusive Bad page state s (often onflags when freeing, yet the flags shown are not bad: PG_locked had beenset and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s fromdeferred_split_scan() s folio_put(), and a variety of other BUG and WARNsymptoms implying double free by deferred split and large folio migration.6.7 commit 9bcef5973e31 ( mm: memcg: fix split queue list crash when largefolio migration ) was right to fix the memcg-dependent locking broken in85ce2c517ade ( memcontrol: only transfer the memcg data for migration ),but missed a subtlety of deferred_split_scan(): it moves folios to its ownlocal list to work on them without split_queue_lock, during which timefolio->_deferred_list is not empty, but even the right lock does nothingto secure the folio and the list it is on.Fortunately, deferred_split_scan() is careful to use folio_try_get(): sofolio_migrate_mapping() can avoid the race by folio_undo_large_rmappable()while the old folio s reference count is temporarily frozen to 0 - addingsuch a freeze in the !mapping case too (originally, folio lock andunmapping and no swap cache left an anon folio unreachable, so no freezingwas needed there: but the deferred split queue offers a way to reach it).
| linux | | https://git.kernel.org/linus/be9581ea8c058d81154251cb0695987098996cad | https://git.kernel.org/linus/9bcef5973e31020e5aa8571eb994d67b77318356 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, thefollowing vulnerability has been resolved:mm: fix crashes from deferred split racing folio migrationEven on 6.10-rc6, I've beenseeing elusive "Badpage state"s (often onflags when freeing,yet the flags shown are not bad: PG_locked hadbeenset and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s fromdeferred_split_scan()'s folio_put(), and a variety of other BUG and WARNsymptomsimplyingdouble free by deferred split and large folio migration.6.7 commit 9bcef5973e31 ("mm: memcg: fix split queue list crash when largefolio migration") was right tofix thememcg-dependent locking broken in85ce2c517ade ("memcontrol:onlytransferthe memcg datafor migration"),but missed a subtlety of deferred_split_scan(): it moves foliosto its ownlocal list to work on them without split_queue_lock, during which timefolio->_deferred_list isnot empty, but even the "right" lock does nothingto secure the folio and the list it is on.Fortunately, deferred_split_scan() is carefulto use folio_try_get(): sofolio_migrate_mapping() can avoid the race by folio_undo_large_rmappable()while the old folio's reference count istemporarily frozen to0 - addingsuch a freeze in the !mapping case too(originally,folio lock andunmapping and noswap cache left ananon folio unreachable, so no freezingwas needed there: but the deferred split queue offers a way to reach it).The Linux kernel CVE team hasassigned CVE-2024-42234 to this issue.
In the Linux kernel, the following vulnerability has been resolved:mm: fix crashes from deferred split racing folio migrationEven on 6.10-rc6, I ve been seeing elusive Bad page state s (often onflags when freeing, yet the flags shown are not bad: PG_locked had beenset and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s fromdeferred_split_scan() s folio_put(), and a variety of other BUG and WARNsymptoms implying double free by deferred split and large folio migration.6.7 commit 9bcef5973e31 ( mm: memcg: fix split queue list crash when largefolio migration ) was right to fix the memcg-dependent locking broken in85ce2c517ade ( memcontrol: only transfer the memcg data for migration ),but missed a subtlety of deferred_split_scan(): it moves folios to its ownlocal list to work on them without split_queue_lock, during which timefolio->_deferred_list is not empty, but even the right lock does nothingto secure the folio and the list it is on.Fortunately, deferred_split_scan() is careful to use folio_try_get(): sofolio_migrate_mapping() can avoid the race by folio_undo_large_rmappable()while the old folio s reference count is temporarily frozen to 0 - addingsuch a freeze in the !mapping case too (originally, folio lock andunmapping and no swap cache left an anon folio unreachable, so no freezingwas needed there: but the deferred split queue offers a way to reach it).
| linux | | https://git.kernel.org/linus/be9581ea8c058d81154251cb0695987098996cad | https://git.kernel.org/linus/9bcef5973e31020e5aa8571eb994d67b77318356 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
IntheLinuxkernel,the following vulnerabilityhas been resolved:mm: fix crashes from deferred split racing folio migrationEven on 6.10-rc6, I've been seeing elusive "Badpage state"s (oftenonflags when freeing, yet the flags shown arenot bad: PG_locked had beenset and cleared??),and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s fromdeferred_split_scan()'s folio_put(), and a variety of other BUG and WARNsymptoms implying double free bydeferredsplit and large folio migration.6.7 commit 9bcef5973e31 ("mm: memcg: fix split queue list crash when largefolio migration") was right to fix the memcg-dependentlockingbroken in85ce2c517ade ("memcontrol: only transfer the memcgdatafor migration"),butmissed a subtlety of deferred_split_scan(): it moves folios to its ownlocal list towork on them without split_queue_lock, during which timefolio->_deferred_list is not empty, but even the"right" lock does nothingto secure the folio and the list it is on.Fortunately, deferred_split_scan() is careful to use folio_try_get():sofolio_migrate_mapping() can avoid the race by folio_undo_large_rmappable()while the old folio's reference count is temporarily frozen to 0- addingsuch a freezein the !mapping case too (originally, folio lockandunmappingand no swap cache left an anonfolio unreachable,so no freezingwas needed there: but the deferred split queue offers a way to reach it).The Linux kernel CVE team has assigned CVE-2024-42234to this issue.
In the Linux kernel, the following vulnerability has been resolved:mm: fix crashes from deferred split racing folio migrationEven on 6.10-rc6, I ve been seeing elusive Bad page state s (often onflags when freeing, yet the flags shown are not bad: PG_locked had beenset and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s fromdeferred_split_scan() s folio_put(), and a variety of other BUG and WARNsymptoms implying double free by deferred split and large folio migration.6.7 commit 9bcef5973e31 ( mm: memcg: fix split queue list crash when largefolio migration ) was right to fix the memcg-dependent locking broken in85ce2c517ade ( memcontrol: only transfer the memcg data for migration ),but missed a subtlety of deferred_split_scan(): it moves folios to its ownlocal list to work on them without split_queue_lock, during which timefolio->_deferred_list is not empty, but even the right lock does nothingto secure the folio and the list it is on.Fortunately, deferred_split_scan() is careful to use folio_try_get(): sofolio_migrate_mapping() can avoid the race by folio_undo_large_rmappable()while the old folio s reference count is temporarily frozen to 0 - addingsuch a freeze in the !mapping case too (originally, folio lock andunmapping and no swap cache left an anon folio unreachable, so no freezingwas needed there: but the deferred split queue offers a way to reach it).
| linux | | https://git.kernel.org/linus/be9581ea8c058d81154251cb0695987098996cad | https://git.kernel.org/linus/9bcef5973e31020e5aa8571eb994d67b77318356 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:mm: fix crashes from deferred split racing folio migrationEven on 6.10-rc6, I've been seeing elusive "Bad page state"s (often onflags when freeing, yet the flags shown are not bad: PG_locked had beenset and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s fromdeferred_split_scan()'s folio_put(), and avariety of other BUG and WARNsymptoms implying double free by deferred split and large folio migration.6.7 commit 9bcef5973e31 ("mm: memcg: fix split queue list crash when largefolio migration") was right to fix the memcg-dependent locking broken in85ce2c517ade ("memcontrol: only transfer the memcg data for migration"),but missed asubtlety of deferred_split_scan(): it moves folios to its ownlocal list to work on them without split_queue_lock, during which timefolio->_deferred_list is not empty, but even the "right" lock does nothingto secure the folio and the list it is on.Fortunately, deferred_split_scan() is careful to use folio_try_get(): sofolio_migrate_mapping() can avoid the race by folio_undo_large_rmappable()while the old folio's reference count is temporarily frozen to 0-addingsuch afreeze in the !mapping case too (originally, folio lock andunmapping and no swap cache left an anon folio unreachable, so no freezingwas needed there: but the deferred split queue offers away to reach it).The Linux kernel CVE team has assigned CVE-2024-42234 to this issue.
In the Linux kernel, the following vulnerability has been resolved:mm: fix crashes from deferred split racing folio migrationEven on 6.10-rc6, I ve been seeing elusive Bad page state s (often onflags when freeing, yet the flags shown are not bad: PG_locked had beenset and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s fromdeferred_split_scan() s folio_put(), and a variety of other BUG and WARNsymptoms implying double free by deferred split and large folio migration.6.7 commit 9bcef5973e31 ( mm: memcg: fix split queue list crash when largefolio migration ) was right to fix the memcg-dependent locking broken in85ce2c517ade ( memcontrol: only transfer the memcg data for migration ),but missed a subtlety of deferred_split_scan(): it moves folios to its ownlocal list to work on them without split_queue_lock, during which timefolio->_deferred_list is not empty, but even the right lock does nothingto secure the folio and the list it is on.Fortunately, deferred_split_scan() is careful to use folio_try_get(): sofolio_migrate_mapping() can avoid the race by folio_undo_large_rmappable()while the old folio s reference count is temporarily frozen to 0 - addingsuch a freeze in the !mapping case too (originally, folio lock andunmapping and no swap cache left an anon folio unreachable, so no freezingwas needed there: but the deferred split queue offers a way to reach it).
| linux | | https://git.kernel.org/linus/be9581ea8c058d81154251cb0695987098996cad | https://git.kernel.org/linus/9bcef5973e31020e5aa8571eb994d67b77318356 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:mm: fix crashes from deferred split racing folio migrationEven on 6.10-rc6, I've been seeing elusive "Bad page state"s (often onflags when freeing, yet the flags shown are not bad: PG_locked had beenset and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s fromdeferred_split_scan()'s folio_put(), anda variety of other BUG and WARNsymptoms implying double free by deferred split and large folio migration.6.7 commit 9bcef5973e31 ("mm: memcg: fix split queue list crash when largefolio migration") was right to fix the memcg-dependent locking broken in85ce2c517ade ("memcontrol: only transfer the memcg data for migration"),but misseda subtlety of deferred_split_scan(): it moves folios to its ownlocal list to work on them without split_queue_lock, during which timefolio->_deferred_list is not empty, but even the "right" lock does nothingto secure the folio and the list it is on.Fortunately, deferred_split_scan() is careful to use folio_try_get(): sofolio_migrate_mapping() can avoid the race by folio_undo_large_rmappable()while the old folio's reference count is temporarily frozen to0- addingsucha freeze in the !mapping case too (originally, folio lock andunmapping and no swap cache left an anon folio unreachable, so no freezingwas needed there: but the deferred split queue offersa way to reach it).The Linux kernel CVE team has assigned CVE-2024-42234 to this issue.
In the Linux kernel, the following vulnerability has been resolved:mm: fix crashes from deferred split racing folio migrationEven on 6.10-rc6, I ve been seeing elusive Bad page state s (often onflags when freeing, yet the flags shown are not bad: PG_locked had beenset and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s fromdeferred_split_scan() s folio_put(), and a variety of other BUG and WARNsymptoms implying double free by deferred split and large folio migration.6.7 commit 9bcef5973e31 ( mm: memcg: fix split queue list crash when largefolio migration ) was right to fix the memcg-dependent locking broken in85ce2c517ade ( memcontrol: only transfer the memcg data for migration ),but missed a subtlety of deferred_split_scan(): it moves folios to its ownlocal list to work on them without split_queue_lock, during which timefolio->_deferred_list is not empty, but even the right lock does nothingto secure the folio and the list it is on.Fortunately, deferred_split_scan() is careful to use folio_try_get(): sofolio_migrate_mapping() can avoid the race by folio_undo_large_rmappable()while the old folio s reference count is temporarily frozen to 0 - addingsuch a freeze in the !mapping case too (originally, folio lock andunmapping and no swap cache left an anon folio unreachable, so no freezingwas needed there: but the deferred split queue offers a way to reach it).
| linux | | https://git.kernel.org/linus/be9581ea8c058d81154251cb0695987098996cad | https://git.kernel.org/linus/9bcef5973e31020e5aa8571eb994d67b77318356 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:mm: fix crashes from deferred split racing folio migrationEven on 6.10-rc6, I've been seeing elusive "Bad page state"s (often onflags when freeing, yet the flags shown are not bad: PG_locked had beenset and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s fromdeferred_split_scan()'s folio_put(), and avariety of other BUG and WARNsymptoms implying double free by deferred split and large folio migration.6.7 commit 9bcef5973e31 ("mm: memcg: fix split queue list crash when largefolio migration") was right to fix the memcg-dependent locking broken in85ce2c517ade ("memcontrol: only transfer the memcg data for migration"),but missed asubtlety of deferred_split_scan(): it moves folios to its ownlocal list to work on them without split_queue_lock, during which timefolio->_deferred_list is not empty, but even the "right" lock does nothingto secure the folio and the list it is on.Fortunately, deferred_split_scan() is careful to use folio_try_get(): sofolio_migrate_mapping() can avoid the race by folio_undo_large_rmappable()while the old folio's reference count is temporarily frozen to 0-addingsuch afreeze in the !mapping case too (originally, folio lock andunmapping and no swap cache left an anon folio unreachable, so no freezingwas needed there: but the deferred split queue offers away to reach it).The Linux kernel CVE team has assigned CVE-2024-42234 to this issue.
In the Linux kernel, the following vulnerability has been resolved:mm: fix crashes from deferred split racing folio migrationEven on 6.10-rc6, I ve been seeing elusive Bad page state s (often onflags when freeing, yet the flags shown are not bad: PG_locked had beenset and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s fromdeferred_split_scan() s folio_put(), and a variety of other BUG and WARNsymptoms implying double free by deferred split and large folio migration.6.7 commit 9bcef5973e31 ( mm: memcg: fix split queue list crash when largefolio migration ) was right to fix the memcg-dependent locking broken in85ce2c517ade ( memcontrol: only transfer the memcg data for migration ),but missed a subtlety of deferred_split_scan(): it moves folios to its ownlocal list to work on them without split_queue_lock, during which timefolio->_deferred_list is not empty, but even the right lock does nothingto secure the folio and the list it is on.Fortunately, deferred_split_scan() is careful to use folio_try_get(): sofolio_migrate_mapping() can avoid the race by folio_undo_large_rmappable()while the old folio s reference count is temporarily frozen to 0 - addingsuch a freeze in the !mapping case too (originally, folio lock andunmapping and no swap cache left an anon folio unreachable, so no freezingwas needed there: but the deferred split queue offers a way to reach it).
| linux | | https://git.kernel.org/linus/be9581ea8c058d81154251cb0695987098996cad | https://git.kernel.org/linus/9bcef5973e31020e5aa8571eb994d67b77318356 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:mm: fix crashes from deferred split racing folio migrationEven on 6.10-rc6, I've been seeing elusive "Bad page state"s (often onflags when freeing, yet the flags shown are not bad: PG_locked had beenset and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s fromdeferred_split_scan()'s folio_put(), anda variety of other BUG and WARNsymptoms implying double free by deferred split and large folio migration.6.7 commit 9bcef5973e31 ("mm: memcg: fix split queue list crash when largefolio migration") was right to fix the memcg-dependent locking broken in85ce2c517ade ("memcontrol: only transfer the memcg data for migration"),but misseda subtlety of deferred_split_scan(): it moves folios to its ownlocal list to work on them without split_queue_lock, during which timefolio->_deferred_list is not empty, but even the "right" lock does nothingto secure the folio and the list it is on.Fortunately, deferred_split_scan() is careful to use folio_try_get(): sofolio_migrate_mapping() can avoid the race by folio_undo_large_rmappable()while the old folio's reference count is temporarily frozen to0- addingsucha freeze in the !mapping case too (originally, folio lock andunmapping and no swap cache left an anon folio unreachable, so no freezingwas needed there: but the deferred split queue offersa way to reach it).The Linux kernel CVE team has assigned CVE-2024-42234 to this issue.
In the Linux kernel, the following vulnerability has been resolved:mm: fix crashes from deferred split racing folio migrationEven on 6.10-rc6, I ve been seeing elusive Bad page state s (often onflags when freeing, yet the flags shown are not bad: PG_locked had beenset and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s fromdeferred_split_scan() s folio_put(), and a variety of other BUG and WARNsymptoms implying double free by deferred split and large folio migration.6.7 commit 9bcef5973e31 ( mm: memcg: fix split queue list crash when largefolio migration ) was right to fix the memcg-dependent locking broken in85ce2c517ade ( memcontrol: only transfer the memcg data for migration ),but missed a subtlety of deferred_split_scan(): it moves folios to its ownlocal list to work on them without split_queue_lock, during which timefolio->_deferred_list is not empty, but even the right lock does nothingto secure the folio and the list it is on.Fortunately, deferred_split_scan() is careful to use folio_try_get(): sofolio_migrate_mapping() can avoid the race by folio_undo_large_rmappable()while the old folio s reference count is temporarily frozen to 0 - addingsuch a freeze in the !mapping case too (originally, folio lock andunmapping and no swap cache left an anon folio unreachable, so no freezingwas needed there: but the deferred split queue offers a way to reach it).
| linux | | https://git.kernel.org/linus/be9581ea8c058d81154251cb0695987098996cad | https://git.kernel.org/linus/9bcef5973e31020e5aa8571eb994d67b77318356 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:mm: fix crashes from deferred split racing folio migrationEven on 6.10-rc6, I've been seeing elusive "Bad page state"s (often onflags when freeing, yet the flags shown are not bad: PG_locked had beenset and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s fromdeferred_split_scan()'s folio_put(), and avariety of other BUG and WARNsymptoms implying double free by deferred split and large folio migration.6.7 commit 9bcef5973e31 ("mm: memcg: fix split queue list crash when largefolio migration") was right to fix the memcg-dependent locking broken in85ce2c517ade ("memcontrol: only transfer the memcg data for migration"),but missed asubtlety of deferred_split_scan(): it moves folios to its ownlocal list to work on them without split_queue_lock, during which timefolio->_deferred_list is not empty, but even the "right" lock does nothingto secure the folio and the list it is on.Fortunately, deferred_split_scan() is careful to use folio_try_get(): sofolio_migrate_mapping() can avoid the race by folio_undo_large_rmappable()while the old folio's reference count is temporarily frozen to 0-addingsuch afreeze in the !mapping case too (originally, folio lock andunmapping and no swap cache left an anon folio unreachable, so no freezingwas needed there: but the deferred split queue offers away to reach it).The Linux kernel CVE team has assigned CVE-2024-42234 to this issue.
In the Linux kernel, the following vulnerability has been resolved:mm: fix crashes from deferred split racing folio migrationEven on 6.10-rc6, I ve been seeing elusive Bad page state s (often onflags when freeing, yet the flags shown are not bad: PG_locked had beenset and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s fromdeferred_split_scan() s folio_put(), and a variety of other BUG and WARNsymptoms implying double free by deferred split and large folio migration.6.7 commit 9bcef5973e31 ( mm: memcg: fix split queue list crash when largefolio migration ) was right to fix the memcg-dependent locking broken in85ce2c517ade ( memcontrol: only transfer the memcg data for migration ),but missed a subtlety of deferred_split_scan(): it moves folios to its ownlocal list to work on them without split_queue_lock, during which timefolio->_deferred_list is not empty, but even the right lock does nothingto secure the folio and the list it is on.Fortunately, deferred_split_scan() is careful to use folio_try_get(): sofolio_migrate_mapping() can avoid the race by folio_undo_large_rmappable()while the old folio s reference count is temporarily frozen to 0 - addingsuch a freeze in the !mapping case too (originally, folio lock andunmapping and no swap cache left an anon folio unreachable, so no freezingwas needed there: but the deferred split queue offers a way to reach it).
| linux | | https://git.kernel.org/linus/be9581ea8c058d81154251cb0695987098996cad | https://git.kernel.org/linus/9bcef5973e31020e5aa8571eb994d67b77318356 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:mm: fix crashes from deferred split racing folio migrationEven on 6.10-rc6, I've been seeing elusive "Bad page state"s (often onflags when freeing, yet the flags shown are not bad: PG_locked had beenset and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s fromdeferred_split_scan()'s folio_put(), anda variety of other BUG and WARNsymptoms implying double free by deferred split and large folio migration.6.7 commit 9bcef5973e31 ("mm: memcg: fix split queue list crash when largefolio migration") was right to fix the memcg-dependent locking broken in85ce2c517ade ("memcontrol: only transfer the memcg data for migration"),but misseda subtlety of deferred_split_scan(): it moves folios to its ownlocal list to work on them without split_queue_lock, during which timefolio->_deferred_list is not empty, but even the "right" lock does nothingto secure the folio and the list it is on.Fortunately, deferred_split_scan() is careful to use folio_try_get(): sofolio_migrate_mapping() can avoid the race by folio_undo_large_rmappable()while the old folio's reference count is temporarily frozen to0- addingsucha freeze in the !mapping case too (originally, folio lock andunmapping and no swap cache left an anon folio unreachable, so no freezingwas needed there: but the deferred split queue offersa way to reach it).The Linux kernel CVE team has assigned CVE-2024-42234 to this issue.
In the Linux kernel, the following vulnerability has been resolved:mm: fix crashes from deferred split racing folio migrationEven on 6.10-rc6, I ve been seeing elusive Bad page state s (often onflags when freeing, yet the flags shown are not bad: PG_locked had beenset and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s fromdeferred_split_scan() s folio_put(), and a variety of other BUG and WARNsymptoms implying double free by deferred split and large folio migration.6.7 commit 9bcef5973e31 ( mm: memcg: fix split queue list crash when largefolio migration ) was right to fix the memcg-dependent locking broken in85ce2c517ade ( memcontrol: only transfer the memcg data for migration ),but missed a subtlety of deferred_split_scan(): it moves folios to its ownlocal list to work on them without split_queue_lock, during which timefolio->_deferred_list is not empty, but even the right lock does nothingto secure the folio and the list it is on.Fortunately, deferred_split_scan() is careful to use folio_try_get(): sofolio_migrate_mapping() can avoid the race by folio_undo_large_rmappable()while the old folio s reference count is temporarily frozen to 0 - addingsuch a freeze in the !mapping case too (originally, folio lock andunmapping and no swap cache left an anon folio unreachable, so no freezingwas needed there: but the deferred split queue offers a way to reach it).
| linux | | https://git.kernel.org/linus/be9581ea8c058d81154251cb0695987098996cad | https://git.kernel.org/linus/9bcef5973e31020e5aa8571eb994d67b77318356 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:mm: fix crashes from deferred split racing folio migrationEven on 6.10-rc6, I've been seeing elusive "Bad page state"s (often onflags when freeing, yet the flags shown are not bad: PG_locked had beenset and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s fromdeferred_split_scan()'s folio_put(), and avariety of other BUG and WARNsymptoms implying double free by deferred split and large folio migration.6.7 commit 9bcef5973e31 ("mm: memcg: fix split queue list crash when largefolio migration") was right to fix the memcg-dependent locking broken in85ce2c517ade ("memcontrol: only transfer the memcg data for migration"),but missed asubtlety of deferred_split_scan(): it moves folios to its ownlocal list to work on them without split_queue_lock, during which timefolio->_deferred_list is not empty, but even the "right" lock does nothingto secure the folio and the list it is on.Fortunately, deferred_split_scan() is careful to use folio_try_get(): sofolio_migrate_mapping() can avoid the race by folio_undo_large_rmappable()while the old folio's reference count is temporarily frozen to 0-addingsuch afreeze in the !mapping case too (originally, folio lock andunmapping and no swap cache left an anon folio unreachable, so no freezingwas needed there: but the deferred split queue offers away to reach it).The Linux kernel CVE team has assigned CVE-2024-42234 to this issue.
In the Linux kernel, the following vulnerability has been resolved:mm: fix crashes from deferred split racing folio migrationEven on 6.10-rc6, I ve been seeing elusive Bad page state s (often onflags when freeing, yet the flags shown are not bad: PG_locked had beenset and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s fromdeferred_split_scan() s folio_put(), and a variety of other BUG and WARNsymptoms implying double free by deferred split and large folio migration.6.7 commit 9bcef5973e31 ( mm: memcg: fix split queue list crash when largefolio migration ) was right to fix the memcg-dependent locking broken in85ce2c517ade ( memcontrol: only transfer the memcg data for migration ),but missed a subtlety of deferred_split_scan(): it moves folios to its ownlocal list to work on them without split_queue_lock, during which timefolio->_deferred_list is not empty, but even the right lock does nothingto secure the folio and the list it is on.Fortunately, deferred_split_scan() is careful to use folio_try_get(): sofolio_migrate_mapping() can avoid the race by folio_undo_large_rmappable()while the old folio s reference count is temporarily frozen to 0 - addingsuch a freeze in the !mapping case too (originally, folio lock andunmapping and no swap cache left an anon folio unreachable, so no freezingwas needed there: but the deferred split queue offers a way to reach it).
| linux | | https://git.kernel.org/linus/be9581ea8c058d81154251cb0695987098996cad | https://git.kernel.org/linus/9bcef5973e31020e5aa8571eb994d67b77318356 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:mm: fix crashes from deferred split racing folio migrationEven on 6.10-rc6, I've been seeing elusive "Bad page state"s (often onflags when freeing, yet the flags shown are not bad: PG_locked had beenset and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s fromdeferred_split_scan()'s folio_put(), anda variety of other BUG and WARNsymptoms implying double free by deferred split and large folio migration.6.7 commit 9bcef5973e31 ("mm: memcg: fix split queue list crash when largefolio migration") was right to fix the memcg-dependent locking broken in85ce2c517ade ("memcontrol: only transfer the memcg data for migration"),but misseda subtlety of deferred_split_scan(): it moves folios to its ownlocal list to work on them without split_queue_lock, during which timefolio->_deferred_list is not empty, but even the "right" lock does nothingto secure the folio and the list it is on.Fortunately, deferred_split_scan() is careful to use folio_try_get(): sofolio_migrate_mapping() can avoid the race by folio_undo_large_rmappable()while the old folio's reference count is temporarily frozen to0- addingsucha freeze in the !mapping case too (originally, folio lock andunmapping and no swap cache left an anon folio unreachable, so no freezingwas needed there: but the deferred split queue offersa way to reach it).The Linux kernel CVE team has assigned CVE-2024-42234 to this issue.
In the Linux kernel, the following vulnerability has been resolved:mm: fix crashes from deferred split racing folio migrationEven on 6.10-rc6, I ve been seeing elusive Bad page state s (often onflags when freeing, yet the flags shown are not bad: PG_locked had beenset and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s fromdeferred_split_scan() s folio_put(), and a variety of other BUG and WARNsymptoms implying double free by deferred split and large folio migration.6.7 commit 9bcef5973e31 ( mm: memcg: fix split queue list crash when largefolio migration ) was right to fix the memcg-dependent locking broken in85ce2c517ade ( memcontrol: only transfer the memcg data for migration ),but missed a subtlety of deferred_split_scan(): it moves folios to its ownlocal list to work on them without split_queue_lock, during which timefolio->_deferred_list is not empty, but even the right lock does nothingto secure the folio and the list it is on.Fortunately, deferred_split_scan() is careful to use folio_try_get(): sofolio_migrate_mapping() can avoid the race by folio_undo_large_rmappable()while the old folio s reference count is temporarily frozen to 0 - addingsuch a freeze in the !mapping case too (originally, folio lock andunmapping and no swap cache left an anon folio unreachable, so no freezingwas needed there: but the deferred split queue offers a way to reach it).
| linux | | https://git.kernel.org/linus/be9581ea8c058d81154251cb0695987098996cad | https://git.kernel.org/linus/9bcef5973e31020e5aa8571eb994d67b77318356 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:mm: fix crashes from deferred split racing folio migrationEven on 6.10-rc6, I've been seeing elusive "Bad page state"s (often onflags when freeing, yet the flags shown are not bad: PG_locked had beenset and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s fromdeferred_split_scan()'s folio_put(), and avariety of other BUG and WARNsymptoms implying double free by deferred split and large folio migration.6.7 commit 9bcef5973e31 ("mm: memcg: fix split queue list crash when largefolio migration") was right to fix the memcg-dependent locking broken in85ce2c517ade ("memcontrol: only transfer the memcg data for migration"),but missed asubtlety of deferred_split_scan(): it moves folios to its ownlocal list to work on them without split_queue_lock, during which timefolio->_deferred_list is not empty, but even the "right" lock does nothingto secure the folio and the list it is on.Fortunately, deferred_split_scan() is careful to use folio_try_get(): sofolio_migrate_mapping() can avoid the race by folio_undo_large_rmappable()while the old folio's reference count is temporarily frozen to 0-addingsuch afreeze in the !mapping case too (originally, folio lock andunmapping and no swap cache left an anon folio unreachable, so no freezingwas needed there: but the deferred split queue offers away to reach it).The Linux kernel CVE team has assigned CVE-2024-42234 to this issue.
In the Linux kernel, the following vulnerability has been resolved:mm: fix crashes from deferred split racing folio migrationEven on 6.10-rc6, I ve been seeing elusive Bad page state s (often onflags when freeing, yet the flags shown are not bad: PG_locked had beenset and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s fromdeferred_split_scan() s folio_put(), and a variety of other BUG and WARNsymptoms implying double free by deferred split and large folio migration.6.7 commit 9bcef5973e31 ( mm: memcg: fix split queue list crash when largefolio migration ) was right to fix the memcg-dependent locking broken in85ce2c517ade ( memcontrol: only transfer the memcg data for migration ),but missed a subtlety of deferred_split_scan(): it moves folios to its ownlocal list to work on them without split_queue_lock, during which timefolio->_deferred_list is not empty, but even the right lock does nothingto secure the folio and the list it is on.Fortunately, deferred_split_scan() is careful to use folio_try_get(): sofolio_migrate_mapping() can avoid the race by folio_undo_large_rmappable()while the old folio s reference count is temporarily frozen to 0 - addingsuch a freeze in the !mapping case too (originally, folio lock andunmapping and no swap cache left an anon folio unreachable, so no freezingwas needed there: but the deferred split queue offers a way to reach it).
| linux | | https://git.kernel.org/linus/be9581ea8c058d81154251cb0695987098996cad | https://git.kernel.org/linus/9bcef5973e31020e5aa8571eb994d67b77318356 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:mm: fix crashes from deferred split racing folio migrationEven on 6.10-rc6, I've been seeing elusive "Bad page state"s (often onflags when freeing, yet the flags shown are not bad: PG_locked had beenset and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s fromdeferred_split_scan()'s folio_put(), anda variety of other BUG and WARNsymptoms implying double free by deferred split and large folio migration.6.7 commit 9bcef5973e31 ("mm: memcg: fix split queue list crash when largefolio migration") was right to fix the memcg-dependent locking broken in85ce2c517ade ("memcontrol: only transfer the memcg data for migration"),but misseda subtlety of deferred_split_scan(): it moves folios to its ownlocal list to work on them without split_queue_lock, during which timefolio->_deferred_list is not empty, but even the "right" lock does nothingto secure the folio and the list it is on.Fortunately, deferred_split_scan() is careful to use folio_try_get(): sofolio_migrate_mapping() can avoid the race by folio_undo_large_rmappable()while the old folio's reference count is temporarily frozen to0- addingsucha freeze in the !mapping case too (originally, folio lock andunmapping and no swap cache left an anon folio unreachable, so no freezingwas needed there: but the deferred split queue offersa way to reach it).The Linux kernel CVE team has assigned CVE-2024-42234 to this issue.
In the Linux kernel, the following vulnerability has been resolved:mm: fix crashes from deferred split racing folio migrationEven on 6.10-rc6, I ve been seeing elusive Bad page state s (often onflags when freeing, yet the flags shown are not bad: PG_locked had beenset and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s fromdeferred_split_scan() s folio_put(), and a variety of other BUG and WARNsymptoms implying double free by deferred split and large folio migration.6.7 commit 9bcef5973e31 ( mm: memcg: fix split queue list crash when largefolio migration ) was right to fix the memcg-dependent locking broken in85ce2c517ade ( memcontrol: only transfer the memcg data for migration ),but missed a subtlety of deferred_split_scan(): it moves folios to its ownlocal list to work on them without split_queue_lock, during which timefolio->_deferred_list is not empty, but even the right lock does nothingto secure the folio and the list it is on.Fortunately, deferred_split_scan() is careful to use folio_try_get(): sofolio_migrate_mapping() can avoid the race by folio_undo_large_rmappable()while the old folio s reference count is temporarily frozen to 0 - addingsuch a freeze in the !mapping case too (originally, folio lock andunmapping and no swap cache left an anon folio unreachable, so no freezingwas needed there: but the deferred split queue offers a way to reach it).
| linux | | https://git.kernel.org/linus/be9581ea8c058d81154251cb0695987098996cad | https://git.kernel.org/linus/9bcef5973e31020e5aa8571eb994d67b77318356 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:mm: fix crashes from deferred split racing folio migrationEven on 6.10-rc6, I've been seeing elusive "Bad page state"s (often onflags when freeing, yet the flags shown are not bad: PG_locked had beenset and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s fromdeferred_split_scan()'s folio_put(), and avariety of other BUG and WARNsymptoms implying double free by deferred split and large folio migration.6.7 commit 9bcef5973e31 ("mm: memcg: fix split queue list crash when largefolio migration") was right to fix the memcg-dependent locking broken in85ce2c517ade ("memcontrol: only transfer the memcg data for migration"),but missed asubtlety of deferred_split_scan(): it moves folios to its ownlocal list to work on them without split_queue_lock, during which timefolio->_deferred_list is not empty, but even the "right" lock does nothingto secure the folio and the list it is on.Fortunately, deferred_split_scan() is careful to use folio_try_get(): sofolio_migrate_mapping() can avoid the race by folio_undo_large_rmappable()while the old folio's reference count is temporarily frozen to 0-addingsuch afreeze in the !mapping case too (originally, folio lock andunmapping and no swap cache left an anon folio unreachable, so no freezingwas needed there: but the deferred split queue offers away to reach it).The Linux kernel CVE team has assigned CVE-2024-42234 to this issue.
In the Linux kernel, the following vulnerability has been resolved:mm: fix crashes from deferred split racing folio migrationEven on 6.10-rc6, I ve been seeing elusive Bad page state s (often onflags when freeing, yet the flags shown are not bad: PG_locked had beenset and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s fromdeferred_split_scan() s folio_put(), and a variety of other BUG and WARNsymptoms implying double free by deferred split and large folio migration.6.7 commit 9bcef5973e31 ( mm: memcg: fix split queue list crash when largefolio migration ) was right to fix the memcg-dependent locking broken in85ce2c517ade ( memcontrol: only transfer the memcg data for migration ),but missed a subtlety of deferred_split_scan(): it moves folios to its ownlocal list to work on them without split_queue_lock, during which timefolio->_deferred_list is not empty, but even the right lock does nothingto secure the folio and the list it is on.Fortunately, deferred_split_scan() is careful to use folio_try_get(): sofolio_migrate_mapping() can avoid the race by folio_undo_large_rmappable()while the old folio s reference count is temporarily frozen to 0 - addingsuch a freeze in the !mapping case too (originally, folio lock andunmapping and no swap cache left an anon folio unreachable, so no freezingwas needed there: but the deferred split queue offers a way to reach it).
| linux | | https://git.kernel.org/linus/be9581ea8c058d81154251cb0695987098996cad | https://git.kernel.org/linus/9bcef5973e31020e5aa8571eb994d67b77318356 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:mm: fix crashes from deferred split racing folio migrationEven on 6.10-rc6, I've been seeing elusive "Bad page state"s (often onflags when freeing, yet the flags shown are not bad: PG_locked had beenset and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s fromdeferred_split_scan()'s folio_put(), anda variety of other BUG and WARNsymptoms implying double free by deferred split and large folio migration.6.7 commit 9bcef5973e31 ("mm: memcg: fix split queue list crash when largefolio migration") was right to fix the memcg-dependent locking broken in85ce2c517ade ("memcontrol: only transfer the memcg data for migration"),but misseda subtlety of deferred_split_scan(): it moves folios to its ownlocal list to work on them without split_queue_lock, during which timefolio->_deferred_list is not empty, but even the "right" lock does nothingto secure the folio and the list it is on.Fortunately, deferred_split_scan() is careful to use folio_try_get(): sofolio_migrate_mapping() can avoid the race by folio_undo_large_rmappable()while the old folio's reference count is temporarily frozen to0- addingsucha freeze in the !mapping case too (originally, folio lock andunmapping and no swap cache left an anon folio unreachable, so no freezingwas needed there: but the deferred split queue offersa way to reach it).The Linux kernel CVE team has assigned CVE-2024-42234 to this issue.
In the Linux kernel, the following vulnerability has been resolved:mm: fix crashes from deferred split racing folio migrationEven on 6.10-rc6, I ve been seeing elusive Bad page state s (often onflags when freeing, yet the flags shown are not bad: PG_locked had beenset and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s fromdeferred_split_scan() s folio_put(), and a variety of other BUG and WARNsymptoms implying double free by deferred split and large folio migration.6.7 commit 9bcef5973e31 ( mm: memcg: fix split queue list crash when largefolio migration ) was right to fix the memcg-dependent locking broken in85ce2c517ade ( memcontrol: only transfer the memcg data for migration ),but missed a subtlety of deferred_split_scan(): it moves folios to its ownlocal list to work on them without split_queue_lock, during which timefolio->_deferred_list is not empty, but even the right lock does nothingto secure the folio and the list it is on.Fortunately, deferred_split_scan() is careful to use folio_try_get(): sofolio_migrate_mapping() can avoid the race by folio_undo_large_rmappable()while the old folio s reference count is temporarily frozen to 0 - addingsuch a freeze in the !mapping case too (originally, folio lock andunmapping and no swap cache left an anon folio unreachable, so no freezingwas needed there: but the deferred split queue offers a way to reach it).
| linux | | https://git.kernel.org/linus/be9581ea8c058d81154251cb0695987098996cad | https://git.kernel.org/linus/9bcef5973e31020e5aa8571eb994d67b77318356 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:mm: fix crashes from deferred split racing folio migrationEven on 6.10-rc6, I've been seeing elusive "Bad page state"s (often onflags when freeing, yet the flags shown are not bad: PG_locked had beenset and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s fromdeferred_split_scan()'s folio_put(), and avariety of other BUG and WARNsymptoms implying double free by deferred split and large folio migration.6.7 commit 9bcef5973e31 ("mm: memcg: fix split queue list crash when largefolio migration") was right to fix the memcg-dependent locking broken in85ce2c517ade ("memcontrol: only transfer the memcg data for migration"),but missed asubtlety of deferred_split_scan(): it moves folios to its ownlocal list to work on them without split_queue_lock, during which timefolio->_deferred_list is not empty, but even the "right" lock does nothingto secure the folio and the list it is on.Fortunately, deferred_split_scan() is careful to use folio_try_get(): sofolio_migrate_mapping() can avoid the race by folio_undo_large_rmappable()while the old folio's reference count is temporarily frozen to 0-addingsuch afreeze in the !mapping case too (originally, folio lock andunmapping and no swap cache left an anon folio unreachable, so no freezingwas needed there: but the deferred split queue offers away to reach it).The Linux kernel CVE team has assigned CVE-2024-42234 to this issue.
In the Linux kernel, the following vulnerability has been resolved:mm: fix crashes from deferred split racing folio migrationEven on 6.10-rc6, I ve been seeing elusive Bad page state s (often onflags when freeing, yet the flags shown are not bad: PG_locked had beenset and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s fromdeferred_split_scan() s folio_put(), and a variety of other BUG and WARNsymptoms implying double free by deferred split and large folio migration.6.7 commit 9bcef5973e31 ( mm: memcg: fix split queue list crash when largefolio migration ) was right to fix the memcg-dependent locking broken in85ce2c517ade ( memcontrol: only transfer the memcg data for migration ),but missed a subtlety of deferred_split_scan(): it moves folios to its ownlocal list to work on them without split_queue_lock, during which timefolio->_deferred_list is not empty, but even the right lock does nothingto secure the folio and the list it is on.Fortunately, deferred_split_scan() is careful to use folio_try_get(): sofolio_migrate_mapping() can avoid the race by folio_undo_large_rmappable()while the old folio s reference count is temporarily frozen to 0 - addingsuch a freeze in the !mapping case too (originally, folio lock andunmapping and no swap cache left an anon folio unreachable, so no freezingwas needed there: but the deferred split queue offers a way to reach it).
| linux | | https://git.kernel.org/linus/be9581ea8c058d81154251cb0695987098996cad | https://git.kernel.org/linus/9bcef5973e31020e5aa8571eb994d67b77318356 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:mm: fix crashes from deferred split racing folio migrationEven on 6.10-rc6, I've been seeing elusive "Bad page state"s (often onflags when freeing, yet the flags shown are not bad: PG_locked had beenset and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s fromdeferred_split_scan()'s folio_put(), anda variety of other BUG and WARNsymptoms implying double free by deferred split and large folio migration.6.7 commit 9bcef5973e31 ("mm: memcg: fix split queue list crash when largefolio migration") was right to fix the memcg-dependent locking broken in85ce2c517ade ("memcontrol: only transfer the memcg data for migration"),but misseda subtlety of deferred_split_scan(): it moves folios to its ownlocal list to work on them without split_queue_lock, during which timefolio->_deferred_list is not empty, but even the "right" lock does nothingto secure the folio and the list it is on.Fortunately, deferred_split_scan() is careful to use folio_try_get(): sofolio_migrate_mapping() can avoid the race by folio_undo_large_rmappable()while the old folio's reference count is temporarily frozen to0- addingsucha freeze in the !mapping case too (originally, folio lock andunmapping and no swap cache left an anon folio unreachable, so no freezingwas needed there: but the deferred split queue offersa way to reach it).The Linux kernel CVE team has assigned CVE-2024-42234 to this issue.
In the Linux kernel, the following vulnerability has been resolved:mm: fix crashes from deferred split racing folio migrationEven on 6.10-rc6, I ve been seeing elusive Bad page state s (often onflags when freeing, yet the flags shown are not bad: PG_locked had beenset and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s fromdeferred_split_scan() s folio_put(), and a variety of other BUG and WARNsymptoms implying double free by deferred split and large folio migration.6.7 commit 9bcef5973e31 ( mm: memcg: fix split queue list crash when largefolio migration ) was right to fix the memcg-dependent locking broken in85ce2c517ade ( memcontrol: only transfer the memcg data for migration ),but missed a subtlety of deferred_split_scan(): it moves folios to its ownlocal list to work on them without split_queue_lock, during which timefolio->_deferred_list is not empty, but even the right lock does nothingto secure the folio and the list it is on.Fortunately, deferred_split_scan() is careful to use folio_try_get(): sofolio_migrate_mapping() can avoid the race by folio_undo_large_rmappable()while the old folio s reference count is temporarily frozen to 0 - addingsuch a freeze in the !mapping case too (originally, folio lock andunmapping and no swap cache left an anon folio unreachable, so no freezingwas needed there: but the deferred split queue offers a way to reach it).
| linux | | https://git.kernel.org/linus/be9581ea8c058d81154251cb0695987098996cad | https://git.kernel.org/linus/9bcef5973e31020e5aa8571eb994d67b77318356 | ubuntu |
</details>