| ID |
CVE-2026-46280
|
| Sažetak |
In the Linux kernel, the following vulnerability has been resolved:
lib: test_hmm: evict device pages on file close to avoid use-after-free
Patch series "Minor hmm_test fixes and cleanups".
Two bugfixes a cleanup for the HMM kernel selftests. These were mostly
reported by Zenghui Yu with special thanks to Lorenzo for analysing and
pointing out the problems.
This patch (of 3):
When dmirror_fops_release() is called it frees the dmirror struct but
doesn't migrate device private pages back to system memory first. This
leaves those pages with a dangling zone_device_data pointer to the freed
dmirror.
If a subsequent fault occurs on those pages (eg. during coredump) the
dmirror_devmem_fault() callback dereferences the stale pointer causing a
kernel panic. This was reported [1] when running mm/ksft_hmm.sh on arm64,
where a test failure triggered SIGABRT and the resulting coredump walked
the VMAs faulting in the stale device private pages.
Fix this by calling dmirror_device_evict_chunk() for each devmem chunk in
dmirror_fops_release() to migrate all device private pages back to system
memory before freeing the dmirror struct. The function is moved earlier
in the file to avoid a forward declaration. |
| Reference |
|
| CVSS |
| Base: | 0.0 |
| Impact: | None |
| Exploitability: | None |
|
| Pristup |
| Vektor | Složenost | Autentikacija |
| None |
None |
None |
|
| Impact |
| Povjerljivost | Cjelovitost | Dostupnost |
| None |
None |
None |
|
| CVSS vektor |
None |
| Zadnje važnije ažuriranje |
08-06-2026 - 17:16 |
| Objavljeno |
08-06-2026 - 17:16 |
