{"id":"CVE-2024-42234","summary":"mm: fix crashes from deferred split racing folio migration","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm: fix crashes from deferred split racing folio migration\n\nEven on 6.10-rc6, I've been seeing elusive \"Bad page state\"s (often on\nflags when freeing, yet the flags shown are not bad: PG_locked had been\nset and cleared??), and VM_BUG_ON_PAGE(page_ref_count(page) == 0)s from\ndeferred_split_scan()'s folio_put(), and a variety of other BUG and WARN\nsymptoms implying double free by deferred split and large folio migration.\n\n6.7 commit 9bcef5973e31 (\"mm: memcg: fix split queue list crash when large\nfolio migration\") was right to fix the memcg-dependent locking broken in\n85ce2c517ade (\"memcontrol: only transfer the memcg data for migration\"),\nbut missed a subtlety of deferred_split_scan(): it moves folios to its own\nlocal list to work on them without split_queue_lock, during which time\nfolio-\u003e_deferred_list is not empty, but even the \"right\" lock does nothing\nto secure the folio and the list it is on.\n\nFortunately, deferred_split_scan() is careful to use folio_try_get(): so\nfolio_migrate_mapping() can avoid the race by folio_undo_large_rmappable()\nwhile the old folio's reference count is temporarily frozen to 0 - adding\nsuch a freeze in the !mapping case too (originally, folio lock and\nunmapping and no swap cache left an anon folio unreachable, so no freezing\nwas needed there: but the deferred split queue offers a way to reach it).","modified":"2026-04-02T12:17:52.797641Z","published":"2024-08-07T15:14:24.467Z","database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/42xxx/CVE-2024-42234.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/be9581ea8c058d81154251cb0695987098996cad"},{"type":"WEB","url":"https://git.kernel.org/stable/c/fc7facce686b64201dbf0b9614cc1d0bfad70010"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/42xxx/CVE-2024-42234.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42234"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"9bcef5973e31020e5aa8571eb994d67b77318356"},{"fixed":"fc7facce686b64201dbf0b9614cc1d0bfad70010"},{"fixed":"be9581ea8c058d81154251cb0695987098996cad"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-42234.json"}}],"schema_version":"1.7.5"}