CVE-2025-38050

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm/hugetlb: fix kernel NULL pointer dereference when replacing free hugetlb folios<br /> <br /> A kernel crash was observed when replacing free hugetlb folios:<br /> <br /> BUG: kernel NULL pointer dereference, address: 0000000000000028<br /> PGD 0 P4D 0<br /> Oops: Oops: 0000 [#1] SMP NOPTI<br /> CPU: 28 UID: 0 PID: 29639 Comm: test_cma.sh Tainted 6.15.0-rc6-zp #41 PREEMPT(voluntary)<br /> RIP: 0010:alloc_and_dissolve_hugetlb_folio+0x1d/0x1f0<br /> RSP: 0018:ffffc9000b30fa90 EFLAGS: 00010286<br /> RAX: 0000000000000000 RBX: 0000000000342cca RCX: ffffea0043000000<br /> RDX: ffffc9000b30fb08 RSI: ffffea0043000000 RDI: 0000000000000000<br /> RBP: ffffc9000b30fb20 R08: 0000000000001000 R09: 0000000000000000<br /> R10: ffff88886f92eb00 R11: 0000000000000000 R12: ffffea0043000000<br /> R13: 0000000000000000 R14: 00000000010c0200 R15: 0000000000000004<br /> FS: 00007fcda5f14740(0000) GS:ffff8888ec1d8000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 0000000000000028 CR3: 0000000391402000 CR4: 0000000000350ef0<br /> Call Trace:<br /> <br /> replace_free_hugepage_folios+0xb6/0x100<br /> alloc_contig_range_noprof+0x18a/0x590<br /> ? srso_return_thunk+0x5/0x5f<br /> ? down_read+0x12/0xa0<br /> ? srso_return_thunk+0x5/0x5f<br /> cma_range_alloc.constprop.0+0x131/0x290<br /> __cma_alloc+0xcf/0x2c0<br /> cma_alloc_write+0x43/0xb0<br /> simple_attr_write_xsigned.constprop.0.isra.0+0xb2/0x110<br /> debugfs_attr_write+0x46/0x70<br /> full_proxy_write+0x62/0xa0<br /> vfs_write+0xf8/0x420<br /> ? srso_return_thunk+0x5/0x5f<br /> ? filp_flush+0x86/0xa0<br /> ? srso_return_thunk+0x5/0x5f<br /> ? filp_close+0x1f/0x30<br /> ? srso_return_thunk+0x5/0x5f<br /> ? do_dup2+0xaf/0x160<br /> ? srso_return_thunk+0x5/0x5f<br /> ksys_write+0x65/0xe0<br /> do_syscall_64+0x64/0x170<br /> entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> <br /> There is a potential race between __update_and_free_hugetlb_folio() and<br /> replace_free_hugepage_folios():<br /> <br /> CPU1 CPU2<br /> __update_and_free_hugetlb_folio replace_free_hugepage_folios<br /> folio_test_hugetlb(folio)<br /> -- It&amp;#39;s still hugetlb folio.<br /> <br /> __folio_clear_hugetlb(folio)<br /> hugetlb_free_folio(folio)<br /> h = folio_hstate(folio)<br /> -- Here, h is NULL pointer<br /> <br /> When the above race condition occurs, folio_hstate(folio) returns NULL,<br /> and subsequent access to this NULL pointer will cause the system to crash.<br /> To resolve this issue, execute folio_hstate(folio) under the protection<br /> of the hugetlb_lock lock, ensuring that folio_hstate(folio) does not<br /> return NULL.