CVE-2024-35993

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 20/05/2024
Last modified: 24/09/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

mm: turn folio_test_hugetlb into a PageType

The current folio_test_hugetlb() can be fooled by a concurrent folio split into returning true for a folio which has never belonged to hugetlbfs. This can't happen if the caller holds a refcount on it, but we have a few places (memory-failure, compaction, procfs) which do not and should not take a speculative reference.

Since hugetlb pages do not use individual page mapcounts (they are always fully mapped and use the entire_mapcount field to record the number of mappings), the PageType field is available now that page_mapcount() ignores the value in this field.

In compaction and with CONFIG_DEBUG_VM enabled, the current implementation can result in an oops, as reported by Luis. This happens since 9c5ccf2db04b ("mm: remove HUGETLB_PAGE_DTOR") effectively added some VM_BUG_ON() checks in the PageHuge() testing path.

[willy@infradead.org: update vmcoreinfo]

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.6 (including) 6.6.30 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.8.9 (excluding)
cpe:2.3:o:linux:linux_kernel:6.9:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc5:*:*:*:*:*:*