Home

Description

In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race huge_pmd_unshare() drops a reference on a page table that may have previously been shared across processes, potentially turning it into a normal page table used in another process in which unrelated VMAs can afterwards be installed. If this happens in the middle of a concurrent gup_fast(), gup_fast() could end up walking the page tables of another process. While I don't see any way in which that immediately leads to kernel memory corruption, it is really weird and unexpected. Fix it with an explicit broadcast IPI through tlb_remove_table_sync_one(), just like we do in khugepaged when removing page tables for a THP collapse.

PUBLISHED Reserved 2025-04-16 | Published 2025-06-28 | Updated 2026-05-11 | Assigner Linux

Product status

Default status
unaffected

39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa (git) before 952596b08c74e8fe9e2883d1dc8a8f54a37384ec
affected

39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa (git) before a3d864c901a300c295692d129159fc3001a56185
affected

39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa (git) before b7754d3aa7bf9f62218d096c0c8f6c13698fac8b
affected

39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa (git) before fe684290418ef9ef76630072086ee530b92f02b8
affected

39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa (git) before 034a52b5ef57c9c8225d94e9067f3390bb33922f
affected

39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa (git) before a6bfeb97941a9187833b526bc6cc4ff5706d0ce9
affected

39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa (git) before 1013af4f585fccc4d3e5c5824d174de2257f7d6d
affected

Default status
affected

2.6.20
affected

Any version before 2.6.20
unaffected

5.10.239 (semver)
unaffected

5.15.186 (semver)
unaffected

6.1.142 (semver)
unaffected

6.6.95 (semver)
unaffected

6.12.35 (semver)
unaffected

6.15.4 (semver)
unaffected

6.16 (original_commit_for_fix)
unaffected

References

lists.debian.org/debian-lts-announce/2025/10/msg00008.html

lists.debian.org/debian-lts-announce/2025/10/msg00007.html

git.kernel.org/...c/952596b08c74e8fe9e2883d1dc8a8f54a37384ec

git.kernel.org/...c/a3d864c901a300c295692d129159fc3001a56185

git.kernel.org/...c/b7754d3aa7bf9f62218d096c0c8f6c13698fac8b

git.kernel.org/...c/fe684290418ef9ef76630072086ee530b92f02b8

git.kernel.org/...c/034a52b5ef57c9c8225d94e9067f3390bb33922f

git.kernel.org/...c/a6bfeb97941a9187833b526bc6cc4ff5706d0ce9

git.kernel.org/...c/1013af4f585fccc4d3e5c5824d174de2257f7d6d

project-zero.issues.chromium.org/issues/420715744

cve.org (CVE-2025-38085)

nvd.nist.gov (CVE-2025-38085)

Download JSON