CVE-2024-42234

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm: fix crashes from deferred split racing folio migration<br /> <br /> Even on 6.10-rc6, I&amp;#39;ve been seeing elusive "Bad page state"s (often on<br /> flags when freeing, yet the flags shown are not bad: PG_locked had been<br /> set and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s from<br /> deferred_split_scan()&amp;#39;s folio_put(), and a variety of other BUG and WARN<br /> symptoms implying double free by deferred split and large folio migration.<br /> <br /> 6.7 commit 9bcef5973e31 ("mm: memcg: fix split queue list crash when large<br /> folio migration") was right to fix the memcg-dependent locking broken in<br /> 85ce2c517ade ("memcontrol: only transfer the memcg data for migration"),<br /> but missed a subtlety of deferred_split_scan(): it moves folios to its own<br /> local list to work on them without split_queue_lock, during which time<br /> folio-&gt;_deferred_list is not empty, but even the "right" lock does nothing<br /> to secure the folio and the list it is on.<br /> <br /> Fortunately, deferred_split_scan() is careful to use folio_try_get(): so<br /> folio_migrate_mapping() can avoid the race by folio_undo_large_rmappable()<br /> while the old folio&amp;#39;s reference count is temporarily frozen to 0 - adding<br /> such a freeze in the !mapping case too (originally, folio lock and<br /> unmapping and no swap cache left an anon folio unreachable, so no freezing<br /> was needed there: but the deferred split queue offers a way to reach it).