CVE-2026-46280
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved:
lib: test_hmm: evict device pages on file close to avoid use-after-free
Patch series "Minor hmm_test fixes and cleanups".
Two bugfixes a cleanup for the HMM kernel selftests. These were mostly reported by Zenghui Yu with special thanks to Lorenzo for analysing and pointing out the problems.
This patch (of 3):
When dmirror_fops_release() is called it frees the dmirror struct but doesn't migrate device private pages back to system memory first. This leaves those pages with a dangling zone_device_data pointer to the freed dmirror.
If a subsequent fault occurs on those pages (eg. during coredump) the dmirror_devmem_fault() callback dereferences the stale pointer causing a kernel panic. This was reported [1] when running mm/ksft_hmm.sh on arm64, where a test failure triggered SIGABRT and the resulting coredump walked the VMAs faulting in the stale device private pages.
Fix this by calling dmirror_device_evict_chunk() for each devmem chunk in dmirror_fops_release() to migrate all device private pages back to system memory before freeing the dmirror struct. The function is moved earlier in the file to avoid a forward declaration.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | b2ef9f5a5cb37643ca5def3516c546457074b882 < 234071b4318feaeb27cd2e4e1b16ef6b055adf89 | affected |
| Linux | Linux | b2ef9f5a5cb37643ca5def3516c546457074b882 < bf477abd448c76bb8ea51c9b4f63a3a17c4b6239 | affected |
| Linux | Linux | b2ef9f5a5cb37643ca5def3516c546457074b882 < 5846715b6382dd4c6a69b35a56ca6115d33bc2a0 | affected |
| Linux | Linux | b2ef9f5a5cb37643ca5def3516c546457074b882 < 38f113f81d3f0adc658a4475dd3ecaec985e21d3 | affected |
| Linux | Linux | b2ef9f5a5cb37643ca5def3516c546457074b882 < 9de1eb0aac2862d6144b8db0ec1388e79f8bc3e1 | affected |
| Linux | Linux | b2ef9f5a5cb37643ca5def3516c546457074b882 < 744dd97752ef1076a8d8672bb0d8aa2c7abc1144 | affected |
| Linux | Linux | 5.8 | affected |
| Linux | Linux | 0 < 5.8 | unaffected |
| Linux | Linux | 6.1.176 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.140 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.86 <= 6.12.* | unaffected |
| Linux | Linux | 6.18.27 <= 6.18.* | unaffected |
| Linux | Linux | 7.0.4 <= 7.0.* | unaffected |
| Linux | Linux | 7.1 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/234071b4318feaeb27cd2e4e1b16ef6b055adf89
- https://git.kernel.org/stable/c/bf477abd448c76bb8ea51c9b4f63a3a17c4b6239
- https://git.kernel.org/stable/c/5846715b6382dd4c6a69b35a56ca6115d33bc2a0
- https://git.kernel.org/stable/c/38f113f81d3f0adc658a4475dd3ecaec985e21d3
- https://git.kernel.org/stable/c/9de1eb0aac2862d6144b8db0ec1388e79f8bc3e1
- https://git.kernel.org/stable/c/744dd97752ef1076a8d8672bb0d8aa2c7abc1144
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.