{"id":"CVE-2025-38050","summary":"mm/hugetlb: fix kernel NULL pointer dereference when replacing free hugetlb folios","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hugetlb: fix kernel NULL pointer dereference when replacing free hugetlb folios\n\nA kernel crash was observed when replacing free hugetlb folios:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000028\nPGD 0 P4D 0\nOops: Oops: 0000 [#1] SMP NOPTI\nCPU: 28 UID: 0 PID: 29639 Comm: test_cma.sh Tainted 6.15.0-rc6-zp #41 PREEMPT(voluntary)\nRIP: 0010:alloc_and_dissolve_hugetlb_folio+0x1d/0x1f0\nRSP: 0018:ffffc9000b30fa90 EFLAGS: 00010286\nRAX: 0000000000000000 RBX: 0000000000342cca RCX: ffffea0043000000\nRDX: ffffc9000b30fb08 RSI: ffffea0043000000 RDI: 0000000000000000\nRBP: ffffc9000b30fb20 R08: 0000000000001000 R09: 0000000000000000\nR10: ffff88886f92eb00 R11: 0000000000000000 R12: ffffea0043000000\nR13: 0000000000000000 R14: 00000000010c0200 R15: 0000000000000004\nFS: 00007fcda5f14740(0000) GS:ffff8888ec1d8000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000028 CR3: 0000000391402000 CR4: 0000000000350ef0\nCall Trace:\n\u003cTASK\u003e\n replace_free_hugepage_folios+0xb6/0x100\n alloc_contig_range_noprof+0x18a/0x590\n ? srso_return_thunk+0x5/0x5f\n ? down_read+0x12/0xa0\n ? srso_return_thunk+0x5/0x5f\n cma_range_alloc.constprop.0+0x131/0x290\n __cma_alloc+0xcf/0x2c0\n cma_alloc_write+0x43/0xb0\n simple_attr_write_xsigned.constprop.0.isra.0+0xb2/0x110\n debugfs_attr_write+0x46/0x70\n full_proxy_write+0x62/0xa0\n vfs_write+0xf8/0x420\n ? srso_return_thunk+0x5/0x5f\n ? filp_flush+0x86/0xa0\n ? srso_return_thunk+0x5/0x5f\n ? filp_close+0x1f/0x30\n ? srso_return_thunk+0x5/0x5f\n ? do_dup2+0xaf/0x160\n ? srso_return_thunk+0x5/0x5f\n ksys_write+0x65/0xe0\n do_syscall_64+0x64/0x170\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThere is a potential race between __update_and_free_hugetlb_folio() and\nreplace_free_hugepage_folios():\n\nCPU1 CPU2\n__update_and_free_hugetlb_folio replace_free_hugepage_folios\n folio_test_hugetlb(folio)\n -- It's still hugetlb folio.\n\n __folio_clear_hugetlb(folio)\n hugetlb_free_folio(folio)\n h = folio_hstate(folio)\n -- Here, h is NULL pointer\n\nWhen the above race condition occurs, folio_hstate(folio) returns NULL,\nand subsequent access to this NULL pointer will cause the system to crash.\nTo resolve this issue, execute folio_hstate(folio) under the protection\nof the hugetlb_lock lock, ensuring that folio_hstate(folio) does not\nreturn NULL.","modified":"2026-05-18T05:58:06.383951959Z","published":"2025-06-18T09:33:32.022Z","database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38050.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/113ed54ad276c352ee5ce109bdcf0df118a43bda"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e97283978a9848190d451f7038ac399613445f79"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38050.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38050"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"04f13d241b8b146b23038bffd907cb8278391d07"},{"fixed":"e97283978a9848190d451f7038ac399613445f79"},{"fixed":"113ed54ad276c352ee5ce109bdcf0df118a43bda"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38050.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.14.0"},{"fixed":"6.14.9"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38050.json"}}],"schema_version":"1.7.5"}