THREATINT
PUBLISHED

CVE-2025-38085

mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race



Description

In the Linux kernel, the following vulnerability has been resolved:

mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race

huge_pmd_unshare() drops a reference on a page table that may have previously been shared across processes, potentially turning it into a normal page table used in another process in which unrelated VMAs can afterwards be installed.

If this happens in the middle of a concurrent gup_fast(), gup_fast() could end up walking the page tables of another process.

While I don't see any way in which that immediately leads to kernel memory corruption, it is really weird and unexpected.

Fix it with an explicit broadcast IPI through tlb_remove_table_sync_one(), just like we do in khugepaged when removing page tables for a THP collapse.

Reserved 2025-04-16 | Published 2025-06-28 | Updated 2025-06-28 | Assigner Linux

Product status

Default status: unaffected

39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa before 952596b08c74e8fe9e2883d1dc8a8f54a37384ec: affected

39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa before a3d864c901a300c295692d129159fc3001a56185: affected

39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa before b7754d3aa7bf9f62218d096c0c8f6c13698fac8b: affected

39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa before fe684290418ef9ef76630072086ee530b92f02b8: affected

39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa before 034a52b5ef57c9c8225d94e9067f3390bb33922f: affected

39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa before a6bfeb97941a9187833b526bc6cc4ff5706d0ce9: affected

39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa before 1013af4f585fccc4d3e5c5824d174de2257f7d6d: affected

Default status: affected

2.6.20: affected

Any version before 2.6.20: unaffected

5.10.239: unaffected

5.15.186: unaffected

6.1.142: unaffected

6.6.95: unaffected

6.12.35: unaffected

6.15.4: unaffected

6.16-rc1: unaffected

References

git.kernel.org/...c/952596b08c74e8fe9e2883d1dc8a8f54a37384ec

git.kernel.org/...c/a3d864c901a300c295692d129159fc3001a56185

git.kernel.org/...c/b7754d3aa7bf9f62218d096c0c8f6c13698fac8b

git.kernel.org/...c/fe684290418ef9ef76630072086ee530b92f02b8

git.kernel.org/...c/034a52b5ef57c9c8225d94e9067f3390bb33922f

git.kernel.org/...c/a6bfeb97941a9187833b526bc6cc4ff5706d0ce9

git.kernel.org/...c/1013af4f585fccc4d3e5c5824d174de2257f7d6d

cve.org (CVE-2025-38085)

nvd.nist.gov (CVE-2025-38085)
