VYPR
Unrated severity · NVD Advisory · Published Oct 20, 2025 · Updated Apr 15, 2026

CVE-2025-40006

Description

In the Linux kernel, the following vulnerability has been resolved:

mm/hugetlb: fix folio is still mapped when deleted

Migration may race with a fallocate hole punch. remove_inode_single_folio will unmap the folio if the folio is still mapped. However, it is called without the folio lock. If the folio is migrated and the mapped PTE has been converted to a migration entry, folio_mapped() returns false, and it won't unmap it. Due to the extra refcount held by remove_inode_single_folio, migration fails, restores the migration entry to a normal PTE, and the folio is mapped again. As a result, we triggered a BUG in filemap_unaccount_folio.

The log is as follows:

BUG: Bad page cache in process hugetlb  pfn:156c00
page: refcount:515 mapcount:0 mapping:0000000099fef6e1 index:0x0 pfn:0x156c00
head: order:9 mapcount:1 entire_mapcount:1 nr_pages_mapped:0 pincount:0
aops:hugetlbfs_aops ino:dcc dentry name(?):"my_hugepage_file"
flags: 0x17ffffc00000c1(locked|waiters|head|node=0|zone=2|lastcpupid=0x1fffff)
page_type: f4(hugetlb)
page dumped because: still mapped when deleted
CPU: 1 UID: 0 PID: 395 Comm: hugetlb Not tainted 6.17.0-rc5-00044-g7aac71907bde-dirty #484 NONE
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015
Call Trace:
 dump_stack_lvl+0x4f/0x70
 filemap_unaccount_folio+0xc4/0x1c0
 __filemap_remove_folio+0x38/0x1c0
 filemap_remove_folio+0x41/0xd0
 remove_inode_hugepages+0x142/0x250
 hugetlbfs_fallocate+0x471/0x5a0
 vfs_fallocate+0x149/0x380

Hold the folio lock before checking if the folio is mapped to avoid a race with migration.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Race condition in Linux kernel's hugetlb migration and fallocate hole punching can cause a BUG when a folio is still mapped after deletion.

Vulnerability

In the Linux kernel's hugetlb subsystem, a race condition exists between folio migration and fallocate hole punching. The function remove_inode_single_folio is called without holding the folio lock to unmap the folio if it is still mapped. However, if the folio has been migrated and the mapped PTE has been converted to a migration entry, folio_mapped() returns false, so the unmap does not occur. The extra refcount held by remove_inode_single_folio causes migration to fail, restoring the migration entry to a normal PTE, leaving the folio mapped. This triggers a BUG in filemap_unaccount_folio when the folio is subsequently deleted.

Exploitation

An attacker with local access and the ability to trigger hugetlbfs fallocate operations (e.g., hole punching) while concurrent migration is occurring can exploit this race. No special privileges are required beyond the ability to manipulate hugetlbfs files, which may be available to unprivileged users depending on system configuration. The race window is narrow but can be triggered repeatedly.

Impact

Successful exploitation causes a kernel BUG, leading to a system crash (denial of service). The crash is accompanied by a "Bad page cache" error and a page dump indicating the folio is still mapped when deleted. This can be used to disrupt system availability.

Mitigation

The vulnerability is fixed in the Linux kernel by holding the folio lock before checking if the folio is mapped, preventing the race with migration [1]. Stable kernel updates incorporating this fix are available [2], [3]. Users should apply the latest kernel updates from their distribution.
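To make the ordering concrete, here is a constructed C model of the race and of why the fix works; it is added here and is neither kernel code nor the patch itself. It assumes a simplified folio with only a lock flag, a mapped flag and a refcount, and plays the two interleavings out in a single thread instead of with real concurrency.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed single-threaded model of the race above (not kernel code): the
 * folio state named in the commit message, both interleavings spelled out. */
struct folio {
    bool locked;   /* folio lock */
    bool mapped;   /* folio_mapped(): a normal PTE still points at it */
    int refcount;  /* page-cache ref plus any transient refs */
};
/* Migration, first half: take the folio lock, then the PTE becomes a
 * migration entry, so folio_mapped() now reports false. */
static void migrate_unmap(struct folio *f) { f->locked = true; f->mapped = false; }
/* Migration, second half: succeeds only if nobody else holds a reference; on
 * failure the PTE is restored (mapped again) and the folio lock is dropped. */
static bool migrate_finish(struct folio *f, int expected_refs)
{
    bool ok = (f->refcount == expected_refs);
    if (!ok) f->mapped = true;
    f->locked = false;
    return ok;
}
/* Hole punch racing with migration; `fixed` = do the mapped check under the
 * folio lock. Returns true if the folio would be deleted while still mapped,
 * i.e. the "Bad page cache ... still mapped when deleted" BUG. */
static bool run_race(bool fixed)
{
    struct folio f = { .locked = false, .mapped = true, .refcount = 1 };
    bool need_unmap;
    f.refcount++;       /* remove_inode_single_folio holds an extra ref */
    migrate_unmap(&f);  /* concurrent migration converts the PTE */
    if (fixed) {
        migrate_finish(&f, 1);  /* folio_lock() waits; migration fails (2 != 1) */
        f.locked = true;
        need_unmap = f.mapped;  /* lock held: the restored PTE is seen */
    } else {
        need_unmap = f.mapped;  /* unlocked check sees the migration entry */
        migrate_finish(&f, 1);  /* fails, PTE restored behind our back */
        f.locked = true;
    }
    if (need_unmap) f.mapped = false;  /* unmap before the page-cache delete */
    return f.mapped;                   /* still mapped when deleted? */
}

int main(void)
{
    printf("unfixed: %s, fixed: %s\n", run_race(false) ? "BUG" : "ok",
           run_race(true) ? "BUG" : "ok");  /* prints "unfixed: BUG, fixed: ok" */
    return 0;
}
```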

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
