CVE-2024-49964

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm/hugetlb: fix memfd_pin_folios free_huge_pages leak<br /> <br /> memfd_pin_folios followed by unpin_folios fails to restore free_huge_pages<br /> if the pages were not already faulted in, because the folio refcount for<br /> pages created by memfd_alloc_folio never goes to 0. memfd_pin_folios<br /> needs another folio_put to undo the folio_try_get below:<br /> <br /> memfd_alloc_folio()<br /> alloc_hugetlb_folio_nodemask()<br /> dequeue_hugetlb_folio_nodemask()<br /> dequeue_hugetlb_folio_node_exact()<br /> folio_ref_unfreeze(folio, 1); ; adds 1 refcount<br /> folio_try_get() ; adds 1 refcount<br /> hugetlb_add_to_page_cache() ; adds 512 refcount (on x86)<br /> <br /> With the fix, after memfd_pin_folios + unpin_folios, the refcount for the<br /> (unfaulted) page is 512, which is correct, as the refcount for a faulted<br /> unpinned page is 513.