Instituto Nacional de Ciberseguridad. INCIBE section
Instituto Nacional de Ciberseguridad. INCIBE-CERT section

CVE-2025-40272

Severity:
Pending analysis
Type:
Not available / Other
Publication date:
06/12/2025
Last modified:
06/12/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

mm/secretmem: fix use-after-free race in fault handler

When a page fault occurs in a secret memory file created with `memfd_secret(2)`, the kernel will allocate a new folio for it, mark the underlying page as not-present in the direct map, and add it to the file mapping.

If two tasks cause a fault in the same page concurrently, both could end up allocating a folio and removing the page from the direct map, but only one would succeed in adding the folio to the file mapping. The task that failed undoes the effects of its attempt by (a) freeing the folio again and (b) putting the page back into the direct map. However, by doing these two operations in this order, the page becomes available to the allocator again before it is placed back in the direct mapping.

If another task attempts to allocate the page between (a) and (b), and the kernel tries to access it via the direct map, it would result in a supervisor not-present page fault.

Fix the ordering to restore the direct map before the folio is freed.
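The ordering problem described above, modelled in user space as an added example (this is not kernel code and not the upstream fix): the page allocator, the direct map and the three tasks are simulated with plain arrays, and the hypothetical `simulate()` runs the losing task's undo path in the original order (free, then restore) and in the corrected order (restore, then free).

```c
/* Constructed user-space model of the secretmem undo ordering. */
#include <stdbool.h>
#include <stdio.h>

#define NPAGES 4

static bool page_free[NPAGES];          /* simulated page allocator state   */
static bool direct_map_present[NPAGES]; /* simulated direct-map present bit */

static void reset(void) {
    for (int i = 0; i < NPAGES; i++) { page_free[i] = true; direct_map_present[i] = true; }
}

/* First-free allocator: like a real allocator, it readily hands out the
 * page that was freed most recently, which is exactly what the race needs. */
static int alloc_page(void) {
    for (int i = 0; i < NPAGES; i++) if (page_free[i]) { page_free[i] = false; return i; }
    return -1;
}
static void free_page(int p) { page_free[p] = true; }

/* Kernel access through the direct map; false models the
 * "supervisor not-present page fault" from the description. */
static bool direct_map_access(int p) { return direct_map_present[p]; }

/* The losing task: it allocated a folio and unmapped it from the direct
 * map, but the other task already installed its folio, so it must undo.
 * Returns whether a third task that allocates in the window can safely
 * touch its page through the direct map. */
static bool simulate(bool original_order) {
    reset();
    int p = alloc_page();
    direct_map_present[p] = false;      /* removed from direct map on fault */
    if (original_order) {
        free_page(p);                   /* (a) page is back in the allocator */
        int q = alloc_page();           /* third task grabs it here ...      */
        bool ok = direct_map_access(q); /* ... and faults: still not present */
        direct_map_present[p] = true;   /* (b) restored, but too late        */
        return ok;
    }
    direct_map_present[p] = true;       /* fixed: restore the direct map ... */
    free_page(p);                       /* ... and only then free the page   */
    int q = alloc_page();
    return direct_map_access(q);        /* third task sees a mapped page     */
}

int main(void) {
    printf("original order safe: %d\n", simulate(true));   /* 0 */
    printf("fixed order safe:    %d\n", simulate(false));  /* 1 */
    return 0;
}
```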

Impact