{"id":"CVE-2026-23097","summary":"migrate: correct lock ordering for hugetlb file folios","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nmigrate: correct lock ordering for hugetlb file folios\n\nSyzbot has found a deadlock (analyzed by Lance Yang):\n\n1) Task (5749): Holds folio_lock, then tries to acquire i_mmap_rwsem(read lock).\n2) Task (5754): Holds i_mmap_rwsem(write lock), then tries to acquire\nfolio_lock.\n\nmigrate_pages()\n  -\u003e migrate_hugetlbs()\n    -\u003e unmap_and_move_huge_page()     \u003c- Takes folio_lock!\n      -\u003e remove_migration_ptes()\n        -\u003e __rmap_walk_file()\n          -\u003e i_mmap_lock_read()       \u003c- Waits for i_mmap_rwsem(read lock)!\n\nhugetlbfs_fallocate()\n  -\u003e hugetlbfs_punch_hole()           \u003c- Takes i_mmap_rwsem(write lock)!\n    -\u003e hugetlbfs_zero_partial_page()\n     -\u003e filemap_lock_hugetlb_folio()\n      -\u003e filemap_lock_folio()\n        -\u003e __filemap_get_folio        \u003c- Waits for folio_lock!\n\nThe migration path is the one taking locks in the wrong order according to\nthe documentation at the top of mm/rmap.c.  So expand the scope of the\nexisting i_mmap_lock to cover the calls to remove_migration_ptes() too.\n\nThis is (mostly) how it used to be after commit c0d0381ade79.  That was\nremoved by 336bf30eb765 for both file & anon hugetlb pages when it should\nonly have been removed for anon hugetlb pages.","modified":"2026-04-02T17:30:03.645837Z","published":"2026-02-04T16:08:19.815Z","related":["ALSA-2026:3463","ALSA-2026:3464","ALSA-2026:3488","ALSA-2026:4012","SUSE-SU-2026:20838-1","SUSE-SU-2026:20931-1","openSUSE-SU-2026:20416-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23097.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/1b68efce6dd483d22f50d0d3800c4cfda14b1305"},{"type":"WEB","url":"https://git.kernel.org/stable/c/526394af4e8ade89cacd1a9ce2b97712712fcc34"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5edb9854f8df5428b40990a1c7d60507da5bd330"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ad97b9a55246eb940a26ac977f80892a395cabf9"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b75070823b89009f5123fd0e05a8e0c3d39937c1"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b7880cb166ab62c2409046b2347261abf701530e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e7396d23f9d5739f56cf9ab430c3a169f5508394"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23097.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23097"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"336bf30eb76580b579dc711ded5d599d905c0217"},{"fixed":"e7396d23f9d5739f56cf9ab430c3a169f5508394"},{"fixed":"ad97b9a55246eb940a26ac977f80892a395cabf9"},{"fixed":"5edb9854f8df5428b40990a1c7d60507da5bd330"},{"fixed":"526394af4e8ade89cacd1a9ce2b97712712fcc34"},{"fixed":"b75070823b89009f5123fd0e05a8e0c3d39937c1"},{"fixed":"1b68efce6dd483d22f50d0d3800c4cfda14b1305"},{"fixed":"b7880cb166ab62c2409046b2347261abf701530e"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"ef792d6ce0db6a56e56743b1de1716a982c3b851"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23097.json"}}],"schema_version":"1.7.5"}