CVE-2023-52935

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm/khugepaged: fix -&gt;anon_vma race<br /> <br /> If an -&gt;anon_vma is attached to the VMA, collapse_and_free_pmd() requires<br /> it to be locked.<br /> <br /> Page table traversal is allowed under any one of the mmap lock, the<br /> anon_vma lock (if the VMA is associated with an anon_vma), and the<br /> mapping lock (if the VMA is associated with a mapping); and so to be<br /> able to remove page tables, we must hold all three of them. <br /> retract_page_tables() bails out if an -&gt;anon_vma is attached, but does<br /> this check before holding the mmap lock (as the comment above the check<br /> explains).<br /> <br /> If we racily merged an existing -&gt;anon_vma (shared with a child<br /> process) from a neighboring VMA, subsequent rmap traversals on pages<br /> belonging to the child will be able to see the page tables that we are<br /> concurrently removing while assuming that nothing else can access them.<br /> <br /> Repeat the -&gt;anon_vma check once we hold the mmap lock to ensure that<br /> there really is no concurrent page table access.<br /> <br /> Hitting this bug causes a lockdep warning in collapse_and_free_pmd(),<br /> in the line "lockdep_assert_held_write(&amp;vma-&gt;anon_vma-&gt;root-&gt;rwsem)". <br /> It can also lead to use-after-free access.