{"id":"CVE-2025-38242","summary":"mm: userfaultfd: fix race of userfaultfd_move and swap cache","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm: userfaultfd: fix race of userfaultfd_move and swap cache\n\nThis commit fixes two kinds of races, they may have different results:\n\nBarry reported a BUG_ON in commit c50f8e6053b0, we may see the same\nBUG_ON if the filemap lookup returned NULL and folio is added to swap\ncache after that.\n\nIf another kind of race is triggered (folio changed after lookup) we\nmay see RSS counter is corrupted:\n\n[  406.893936] BUG: Bad rss-counter state mm:ffff0000c5a9ddc0\ntype:MM_ANONPAGES val:-1\n[  406.894071] BUG: Bad rss-counter state mm:ffff0000c5a9ddc0\ntype:MM_SHMEMPAGES val:1\n\nBecause the folio is being accounted to the wrong VMA.\n\nI'm not sure if there will be any data corruption though, seems no. \nThe issues above are critical already.\n\n\nOn seeing a swap entry PTE, userfaultfd_move does a lockless swap cache\nlookup, and tries to move the found folio to the faulting vma.  Currently,\nit relies on checking the PTE value to ensure that the moved folio still\nbelongs to the src swap entry and that no new folio has been added to the\nswap cache, which turns out to be unreliable.\n\nWhile working and reviewing the swap table series with Barry, following\nexisting races are observed and reproduced [1]:\n\nIn the example below, move_pages_pte is moving src_pte to dst_pte, where\nsrc_pte is a swap entry PTE holding swap entry S1, and S1 is not in the\nswap cache:\n\nCPU1                               CPU2\nuserfaultfd_move\n  move_pages_pte()\n    entry = pte_to_swp_entry(orig_src_pte);\n    // Here it got entry = S1\n    ... \u003c interrupted\u003e ...\n                                   \u003cswapin src_pte, alloc and use folio A\u003e\n                                   // folio A is a new allocated folio\n                                   // and get installed into src_pte\n                                   \u003cfrees swap entry S1\u003e\n                                   // src_pte now points to folio A, S1\n                                   // has swap count == 0, it can be freed\n                                   // by folio_swap_swap or swap\n                                   // allocator's reclaim.\n                                   \u003ctry to swap out another folio B\u003e\n                                   // folio B is a folio in another VMA.\n                                   \u003cput folio B to swap cache using S1 \u003e\n                                   // S1 is freed, folio B can use it\n                                   // for swap out with no problem.\n                                   ...\n    folio = filemap_get_folio(S1)\n    // Got folio B here !!!\n    ... \u003c interrupted again\u003e ...\n                                   \u003cswapin folio B and free S1\u003e\n                                   // Now S1 is free to be used again.\n                                   \u003cswapout src_pte & folio A using S1\u003e\n                                   // Now src_pte is a swap entry PTE\n                                   // holding S1 again.\n    folio_trylock(folio)\n    move_swap_pte\n      double_pt_lock\n      is_pte_pages_stable\n      // Check passed because src_pte == S1\n      folio_move_anon_rmap(...)\n      // Moved invalid folio B here !!!\n\nThe race window is very short and requires multiple collisions of multiple\nrare events, so it's very unlikely to happen, but with a deliberately\nconstructed reproducer and increased time window, it can be reproduced\neasily.\n\nThis can be fixed by checking if the folio returned by filemap is the\nvalid swap cache folio after acquiring the folio lock.\n\nAnother similar race is possible: filemap_get_folio may return NULL, but\nfolio (A) could be swapped in and then swapped out again using the same\nswap entry after the lookup.  In such a case, folio (A) may remain in the\nswap cache, so it must be moved too:\n\nCPU1                               CPU2\nuserfaultfd_move\n  move_pages_pte()\n    entry = pte_to_swp_entry(orig_src_pte);\n    // Here it got entry = S1, and S1 is not in swap cache\n    folio = filemap_get\n---truncated---","modified":"2026-05-15T11:53:07.005456429Z","published":"2025-07-09T10:42:25.396Z","related":["SUSE-SU-2025:21074-1","SUSE-SU-2025:21139-1","SUSE-SU-2025:21179-1","openSUSE-SU-2025:20081-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38242.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0ea148a799198518d8ebab63ddd0bb6114a103bc"},{"type":"WEB","url":"https://git.kernel.org/stable/c/4c443046d8c9ed8724a4f4c3c2457d3ac8814b2f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/db2ca8074955ca64187a4fb596dd290b9c446cd3"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38242.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38242"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.8.0"},{"fixed":"6.12.37"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.15.5"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38242.json"}}],"schema_version":"1.7.5"}