CVE-2022-48991

Severity CVSS v4.0: Pending analysis
Type: CWE-416 Use After Free
Publication date: 21/10/2024
Last modified: 07/11/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

mm/khugepaged: invoke MMU notifiers in shmem/file collapse paths

Any codepath that zaps page table entries must invoke MMU notifiers to ensure that secondary MMUs (like KVM) don't keep accessing pages which aren't mapped anymore. Secondary MMUs don't hold their own references to pages that are mirrored over, so failing to notify them can lead to page use-after-free.

I'm marking this as addressing an issue introduced in commit f3f0e1d2150b ("khugepaged: add support of collapse for tmpfs/shmem pages"), but most of the security impact of this only came in commit 27e1f8273113 ("khugepaged: enable collapse pmd for pte-mapped THP"), which actually omitted flushes for the removal of present PTEs, not just for the removal of empty page tables.

Vulnerable products and versions

| CPE | From | Up to |
| --- | --- | --- |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.8 (including) | 4.9.337 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.10 (including) | 4.14.303 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.15 (including) | 4.19.270 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.20 (including) | 5.4.227 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.159 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.83 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.0.13 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.1:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.1:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.1:rc3:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.1:rc4:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.1:rc5:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.1:rc6:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.1:rc7:*:*:*:*:*:* | | |
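
For fleet triage, the version ranges in the table above can be applied to kernel release strings such as those reported by `uname -r`. The following is an added example, not part of the original record; the function names and sample strings are constructed. It compares upstream version numbers only, so a distribution kernel that carries a backported fix under an older version string will still be reported as inside a listed range.

```python
import re

# Ranges copied from the table on this page: (from, inclusive) .. (up to, exclusive).
AFFECTED_RANGES = [
    ((4, 8, 0), (4, 9, 337)),
    ((4, 10, 0), (4, 14, 303)),
    ((4, 15, 0), (4, 19, 270)),
    ((4, 20, 0), (5, 4, 227)),
    ((5, 5, 0), (5, 10, 159)),
    ((5, 11, 0), (5, 15, 83)),
    ((5, 16, 0), (6, 0, 13)),
]
# The page lists 6.1 release candidates rc1 through rc7 individually.
AFFECTED_6_1_RCS = range(1, 8)

_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")


def parse_release(release):
    """Return ((major, minor, patch), rc_or_None) for a kernel release string."""
    m = _RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch or 0)), (int(rc) if rc else None)


def in_listed_range(release):
    """True if the upstream version falls inside a range listed for CVE-2022-48991."""
    version, rc = parse_release(release)
    if version == (6, 1, 0):
        # Only the listed release candidates of 6.1 are affected, not 6.1 final.
        return rc is not None and rc in AFFECTED_6_1_RCS
    # Assumption: pre-releases of other series are compared by their base version.
    return any(lo <= version < hi for lo, hi in AFFECTED_RANGES)


if __name__ == "__main__":
    # Constructed sample release strings, not taken from real hosts.
    for sample in ["4.9.336", "5.10.158-generic", "5.15.83", "6.1.0-rc3", "6.1.0"]:
        status = "in listed range" if in_listed_range(sample) else "not listed"
        print(f"{sample:20s} {status}")
```
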