Products

Linux Kernel

• 6.7

• 6.10-rc6

Source

416baaa9-dc9f-4396-8d5f-8c081fb06d67

Published : Aug. 7, 2024, 4:15 p.m.
Last Modified : Aug. 7, 2024, 7:09 p.m.

Description

In the Linux kernel, the following vulnerability has been resolved: mm: fix crashes from deferred split racing folio migration Even on 6.10-rc6, I've been seeing elusive "Bad page state"s (often on flags when freeing, yet the flags shown are not bad: PG_locked had been set and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s from deferred_split_scan()'s folio_put(), and a variety of other BUG and WARN symptoms implying double free by deferred split and large folio migration. 6.7 commit 9bcef5973e31 ("mm: memcg: fix split queue list crash when large folio migration") was right to fix the memcg-dependent locking broken in 85ce2c517ade ("memcontrol: only transfer the memcg data for migration"), but missed a subtlety of deferred_split_scan(): it moves folios to its own local list to work on them without split_queue_lock, during which time folio->_deferred_list is not empty, but even the "right" lock does nothing to secure the folio and the list it is on. Fortunately, deferred_split_scan() is careful to use folio_try_get(): so folio_migrate_mapping() can avoid the race by folio_undo_large_rmappable() while the old folio's reference count is temporarily frozen to 0 - adding such a freeze in the !mapping case too (originally, folio lock and unmapping and no swap cache left an anon folio unreachable, so no freezing was needed there: but the deferred split queue offers a way to reach it).

References

URL	Source
https://git.kernel.org/stable/c/be9581ea8c058d81154251cb0695987098996cad	416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/fc7facce686b64201dbf0b9614cc1d0bfad70010	416baaa9-dc9f-4396-8d5f-8c081fb06d67