
Description

In the Linux kernel, the following vulnerability has been resolved:

mm/huge_memory: fix folio isn't locked in softleaf_to_folio()

On an arm64 server, we found that the folio obtained from a migration entry isn't locked in softleaf_to_folio(). This issue triggers when mTHP splitting and zap_nonpresent_ptes() race, and the root cause is a lack of a memory barrier in softleaf_to_folio(). The race is as follows:

CPU0                                                  CPU1
deferred_split_scan()                                 zap_nonpresent_ptes()
  lock folio
  split_folio()
    unmap_folio()
      change ptes to migration entries
    __split_folio_to_order()
                                                        softleaf_to_folio()
      set flags (including PG_locked) for tail pages
                                                          folio = pfn_folio(softleaf_to_pfn(entry))
      smp_wmb()
                                                          VM_WARN_ON_ONCE(!folio_test_locked(folio))
      prep_compound_page() for tail pages

In __split_folio_to_order(), smp_wmb() guarantees that the page flags of tail pages are visible before the tail page becomes non-compound. smp_wmb() should be paired with smp_rmb() in softleaf_to_folio(), which is missing. As a result, if zap_nonpresent_ptes() accesses a migration entry that stores a tail pfn, softleaf_to_folio() may see the updated compound_head of the tail page before page->flags.

This issue will trigger VM_WARN_ON_ONCE() in pfn_swap_entry_folio() because of the race between folio split and zap_nonpresent_ptes(), leading to a folio incorrectly undergoing modification without a folio lock being held. This is a BUG_ON() before commit 93976a20345b ("mm: eliminate further swapops predicates"), which was merged in v6.19-rc1.

To fix it, add the missing smp_rmb() if the softleaf entry is a migration entry in softleaf_to_folio() and softleaf_to_page().

[tujinjiang@huawei.com: update function name and comments]
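The barrier pairing the commit describes, as an added user-space model that is not part of the kernel patch or of this record: one thread plays __split_folio_to_order() (copy flags into the tail pages, smp_wmb(), then clear compound_head so each tail becomes its own folio) and another plays softleaf_to_folio() on a migration entry holding a tail pfn (read compound_head, smp_rmb(), then read the flags of whatever folio that resolves to). The kernel barrier names are mapped onto C11 release/acquire fences, struct page is reduced to the two fields the race touches, and split_folio_model(), softleaf_to_folio_model(), page_folio_model(), reset_folio() and run_split_race() are this example's own names, not kernel functions. With the smp_rmb() in place the reader can never observe a non-compound tail whose PG_locked is still stale; with it removed, the C11 memory model permits exactly the stale read the commit describes, although x86's TSO ordering will normally hide it and a weakly ordered machine such as arm64 is needed to see a non-zero count.

```c
/* Added example: user-space model of the smp_wmb()/smp_rmb() pairing.
 * Not kernel code; function and field names are this model's own. */
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PG_LOCKED (1UL << 0)   /* stands in for PG_locked */
#define NR_TAIL   7            /* constructed: an order-3 folio, head + 7 tails */
#define TAIL_BIT  1UL          /* compound_head bit 0 set => page is a tail */

/* Only the two fields the race touches. */
struct page {
	_Atomic unsigned long flags;
	_Atomic uintptr_t compound_head;   /* (head | TAIL_BIT) while compound, else 0 */
};

static struct page folio[NR_TAIL + 1];   /* folio[0] is the head page */

/* Kernel barrier names mapped onto C11 fences. */
#define smp_wmb() atomic_thread_fence(memory_order_release)
#define smp_rmb() atomic_thread_fence(memory_order_acquire)

/* page_folio(): resolve a page to the folio it currently belongs to. */
static struct page *page_folio_model(struct page *p)
{
	uintptr_t head = atomic_load_explicit(&p->compound_head, memory_order_relaxed);
	return (head & TAIL_BIT) ? (struct page *)(head & ~TAIL_BIT) : p;
}

/* CPU0: the part of __split_folio_to_order() the commit's diagram shows.
 * The writer side always had smp_wmb(); the bug was on the reader side. */
static void *split_folio_model(void *arg)
{
	(void)arg;
	for (int i = 1; i <= NR_TAIL; i++)   /* set flags (incl. PG_locked) for tails */
		atomic_store_explicit(&folio[i].flags, PG_LOCKED, memory_order_relaxed);
	smp_wmb();                           /* flags visible before tails go non-compound */
	for (int i = 1; i <= NR_TAIL; i++)   /* each tail becomes its own folio */
		atomic_store_explicit(&folio[i].compound_head, 0, memory_order_relaxed);
	return NULL;
}

struct reader_arg { struct page *tail; bool paired; long violations; };

/* CPU1: softleaf_to_folio() on a migration entry that stores this tail's pfn,
 * followed by the VM_WARN_ON_ONCE(!folio_test_locked(folio)) check. */
static void *softleaf_to_folio_model(void *arg)
{
	struct reader_arg *ra = arg;
	for (;;) {
		struct page *f = page_folio_model(ra->tail);   /* reads compound_head */
		if (ra->paired)
			smp_rmb();   /* the fix: compound_head read ordered before flags read */
		unsigned long flags = atomic_load_explicit(&f->flags, memory_order_relaxed);
		if (!(flags & PG_LOCKED))
			ra->violations++;   /* would be the VM_WARN_ON_ONCE() / older BUG_ON() */
		if (f == ra->tail)          /* split observed for this tail: done */
			break;
	}
	return NULL;
}

/* State just before the split: head locked, tails still compound, tail flags
 * not yet copied (so a stale tail->flags read shows no PG_locked). */
static void reset_folio(void)
{
	atomic_store(&folio[0].flags, PG_LOCKED);
	atomic_store(&folio[0].compound_head, 0);
	for (int i = 1; i <= NR_TAIL; i++) {
		atomic_store(&folio[i].flags, 0);
		atomic_store(&folio[i].compound_head, (uintptr_t)&folio[0] | TAIL_BIT);
	}
}

/* Race the two sides `trials` times; returns how often the zapper found an
 * unlocked folio. Paired barriers: always 0. Missing smp_rmb(): 0 on TSO
 * hardware (x86) but permitted to be non-zero on arm64. */
long run_split_race(int trials, bool paired)
{
	long violations = 0;
	for (int t = 0; t < trials; t++) {
		reset_folio();
		struct reader_arg ra = { &folio[1 + t % NR_TAIL], paired, 0 };
		pthread_t r, w;
		pthread_create(&r, NULL, softleaf_to_folio_model, &ra);
		pthread_create(&w, NULL, split_folio_model, NULL);
		pthread_join(w, NULL);
		pthread_join(r, NULL);
		violations += ra.violations;
	}
	return violations;
}

int main(void)
{
	printf("paired smp_wmb()/smp_rmb(): %ld unlocked folios in 1000 trials\n",
	       run_split_race(1000, true));
	printf("missing smp_rmb():          %ld unlocked folios in 1000 trials\n",
	       run_split_race(1000, false));
	return 0;
}
```

Build with `cc -O2 -pthread model.c` and run it on both an x86 and an arm64 box: the paired count is zero everywhere by construction of the acquire/release model, while the unpaired count is where the architecture's ordering shows through, which is why the report came from an arm64 server.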

CVE-2026-31466 | Status: PUBLISHED | Reserved 2026-03-09 | Published 2026-04-22 | Updated 2026-05-11 | Assigner: Linux

Product status

By git commit (default status: unaffected). Each range is affected from the introducing commit up to, but not including, the listed fix commit:

  Introduced by                              Fixed by                                   Status
  e9b61f19858a5d6c42ce2298cf138279375d0d9b   426ee10711586617da869c8bb798214965337617   affected
  e9b61f19858a5d6c42ce2298cf138279375d0d9b   f1acf5887c2bbaf998dc3fe32c72b7a8b84a3ddd   affected
  e9b61f19858a5d6c42ce2298cf138279375d0d9b   722cfaf6b31d31123439e67b5deac6b1261a3dea   affected
  e9b61f19858a5d6c42ce2298cf138279375d0d9b   7ddcf4a245c1c5a91fdd9698757e3d95179ffe41   affected
  e9b61f19858a5d6c42ce2298cf138279375d0d9b   b8c49ad888892ad7b77062b9c102b799a3e9b4f8   affected
  e9b61f19858a5d6c42ce2298cf138279375d0d9b   7ad1997b9bc8032603df8f091761114479285769   affected
  e9b61f19858a5d6c42ce2298cf138279375d0d9b   8bfb8414e9f2ce6f5f2f0e3d0da52f2d132128e7   affected
  e9b61f19858a5d6c42ce2298cf138279375d0d9b   4c5e7f0fcd592801c9cc18f29f80fbee84eb8669   affected

By kernel version (default status: affected):

  Version                          Status
  Any version before 4.5           unaffected
  4.5                              affected
  5.10.253 (semver)                unaffected
  5.15.203 (semver)                unaffected
  6.1.168 (semver)                 unaffected
  6.6.134 (semver)                 unaffected
  6.12.81 (semver)                 unaffected
  6.18.21 (semver)                 unaffected
  6.19.11 (semver)                 unaffected
  7.0 (original_commit_for_fix)    unaffected

References

git.kernel.org/...c/426ee10711586617da869c8bb798214965337617

git.kernel.org/...c/f1acf5887c2bbaf998dc3fe32c72b7a8b84a3ddd

git.kernel.org/...c/722cfaf6b31d31123439e67b5deac6b1261a3dea

git.kernel.org/...c/7ddcf4a245c1c5a91fdd9698757e3d95179ffe41

git.kernel.org/...c/b8c49ad888892ad7b77062b9c102b799a3e9b4f8

git.kernel.org/...c/7ad1997b9bc8032603df8f091761114479285769

git.kernel.org/...c/8bfb8414e9f2ce6f5f2f0e3d0da52f2d132128e7

git.kernel.org/...c/4c5e7f0fcd592801c9cc18f29f80fbee84eb8669

cve.org (CVE-2026-31466)

nvd.nist.gov (CVE-2026-31466)
