CVE-2025-38050 Information
Description
In the Linux kernel, the following vulnerability has been resolved:
mm/hugetlb: fix kernel NULL pointer dereference when replacing free hugetlb folios
A kernel crash was observed when replacing free hugetlb folios:
BUG: kernel NULL pointer dereference address: 0000000000000028
PGD 0 P4D 0
Oops: Oops: 0000 [#1] SMP NOPTI
CPU: 28 UID: 0 PID: 29639 Comm: test_cma.sh Tainted 6.15.0-rc6-zp #41 PREEMPT(voluntary)
RIP: 0010:alloc_and_dissolve_hugetlb_folio+0x1d/0x1f0
Call Trace:
There is a potential race between __update_and_free_hugetlb_folio() and replace_free_hugepage_folios():
CPU1                               CPU2
__update_and_free_hugetlb_folio    replace_free_hugepage_folios
                                   folio_test_hugetlb(folio)
                                   -- It's still hugetlb folio.
__folio_clear_hugetlb(folio)
hugetlb_free_folio(folio)
                                   h = folio_hstate(folio)
                                   -- Here h is NULL pointer
When the above race condition occurs, folio_hstate(folio) returns NULL, and the subsequent access through this NULL pointer crashes the system. To resolve this issue, execute folio_hstate(folio) under the protection of the hugetlb_lock lock, ensuring that folio_hstate(folio) does not return NULL.
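To make the interleaving above concrete, here is a constructed user-space model, added here and not taken from the kernel or the fix commit: the two CPUs are pthreads, and the folio, hstate, hugetlb_lock and semaphores are stand-ins for the kernel objects. The pre-fix check-then-use sequence is forced into the reported interleaving and returns -1 at the point where the kernel would dereference NULL; the version that tests the flag and reads hstate under the lock never reaches that point.

```c
/* Constructed user-space model of the race (not kernel code). Return codes:
 * 0 = not hugetlb, 1 = valid hstate, -1 = NULL hstate after a positive test. */
#include <pthread.h>
#include <semaphore.h>
#include <stddef.h>
struct hstate { int order; };
struct folio { int is_hugetlb; struct hstate *hstate; };
static pthread_mutex_t hugetlb_lock = PTHREAD_MUTEX_INITIALIZER;
static struct hstate h_2m = { 9 };
static sem_t checked, freed;   /* force the interleaving from the report */

/* CPU1: __update_and_free_hugetlb_folio() clears the flag and frees. */
static void *cpu1_free(void *arg)
{
    struct folio *f = arg;
    sem_wait(&checked);                   /* run after CPU2's flag test */
    pthread_mutex_lock(&hugetlb_lock);
    f->is_hugetlb = 0; f->hstate = NULL;  /* __folio_clear_hugetlb(), hugetlb_free_folio() */
    pthread_mutex_unlock(&hugetlb_lock);
    sem_post(&freed);
    return NULL;
}
/* CPU2 before the fix: flag test outside the lock, hstate read later. */
static int replace_free_unlocked(struct folio *f)
{
    if (!f->is_hugetlb) return 0;         /* folio_test_hugetlb() */
    sem_post(&checked); sem_wait(&freed); /* CPU1 runs in this window */
    return f->hstate ? 1 : -1;            /* folio_hstate() is now NULL */
}
/* CPU2 after the fix: flag test and hstate read under hugetlb_lock. */
static int replace_free_locked(struct folio *f)
{
    int rc = 0;
    sem_post(&checked);                   /* CPU1 now contends for the lock */
    pthread_mutex_lock(&hugetlb_lock);
    if (f->is_hugetlb)                    /* flag and hstate change together */
        rc = f->hstate ? 1 : -1;
    pthread_mutex_unlock(&hugetlb_lock);
    sem_wait(&freed);
    return rc;
}
/* Run one interleaving on a fresh folio; returns CPU2's result code. */
static int run_race(int fixed)
{
    struct folio f = { 1, &h_2m }; pthread_t t;
    sem_init(&checked, 0, 0); sem_init(&freed, 0, 0);
    pthread_create(&t, NULL, cpu1_free, &f);
    int rc = fixed ? replace_free_locked(&f) : replace_free_unlocked(&f);
    pthread_join(t, NULL);
    sem_destroy(&checked); sem_destroy(&freed);
    return rc;
}
```

With the lock, CPU2 sees either a folio that is no longer hugetlb (0) or a hugetlb folio with a valid hstate (1), depending on which CPU takes hugetlb_lock first; the NULL case cannot occur.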
Reference
https://git.kernel.org/stable/c/113ed54ad276c352ee5ce109bdcf0df118a43bda
https://git.kernel.org/stable/c/e97283978a9848190d451f7038ac399613445f79
Related CNNVD
CNNVD-202506-2185 (Published: 2025-06-18)