{"id":"CVE-2025-40006","summary":"mm/hugetlb: fix folio is still mapped when deleted","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hugetlb: fix folio is still mapped when deleted\n\nMigration may be raced with fallocating hole.  remove_inode_single_folio\nwill unmap the folio if the folio is still mapped.  However, it's called\nwithout folio lock.  If the folio is migrated and the mapped pte has been\nconverted to migration entry, folio_mapped() returns false, and won't\nunmap it.  Due to extra refcount held by remove_inode_single_folio,\nmigration fails, restores migration entry to normal pte, and the folio is\nmapped again.  As a result, we triggered BUG in filemap_unaccount_folio.\n\nThe log is as follows:\n BUG: Bad page cache in process hugetlb  pfn:156c00\n page: refcount:515 mapcount:0 mapping:0000000099fef6e1 index:0x0 pfn:0x156c00\n head: order:9 mapcount:1 entire_mapcount:1 nr_pages_mapped:0 pincount:0\n aops:hugetlbfs_aops ino:dcc dentry name(?):\"my_hugepage_file\"\n flags: 0x17ffffc00000c1(locked|waiters|head|node=0|zone=2|lastcpupid=0x1fffff)\n page_type: f4(hugetlb)\n page dumped because: still mapped when deleted\n CPU: 1 UID: 0 PID: 395 Comm: hugetlb Not tainted 6.17.0-rc5-00044-g7aac71907bde-dirty #484 NONE\n Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015\n Call Trace:\n  \u003cTASK\u003e\n  dump_stack_lvl+0x4f/0x70\n  filemap_unaccount_folio+0xc4/0x1c0\n  __filemap_remove_folio+0x38/0x1c0\n  filemap_remove_folio+0x41/0xd0\n  remove_inode_hugepages+0x142/0x250\n  hugetlbfs_fallocate+0x471/0x5a0\n  vfs_fallocate+0x149/0x380\n\nHold folio lock before checking if the folio is mapped to avoid race with\nmigration.","modified":"2026-05-18T05:58:07.303493920Z","published":"2025-10-20T15:26:53.097Z","related":["SUSE-SU-2026:0278-1","SUSE-SU-2026:0281-1","SUSE-SU-2026:0293-1","SUSE-SU-2026:0315-1","SUSE-SU-2026:0316-1","SUSE-SU-2026:20012-1","SUSE-SU-2026:20015-1","SUSE-SU-2026:20021-1","SUSE-SU-2026:20477-1","SUSE-SU-2026:20498-1","SUSE-SU-2026:20845-1","SUSE-SU-2026:20876-1","openSUSE-SU-2025:20172-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40006.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/21ee79ce938127f88fe07e409c1817f477dbe7ea"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3e851448078f5b01f6264915df3cfef75e323a12"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7b7387650dcf2881fd8bb55bcf3c8bd6c9542dd7"},{"type":"WEB","url":"https://git.kernel.org/stable/c/910d7749346c4b0acdc6e4adfdc4a9984281a206"},{"type":"WEB","url":"https://git.kernel.org/stable/c/91f548e920fbf8be3f285bfa3fa045ae017e836d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/bc1c9ce8aeff45318332035dbef9713fb9e982d7"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c1dc0524ab2cc3982d4e0d2bfac71a0cd4d65c39"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c9c2a51f91aea70e89b496cac360cd795a2b3c26"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40006.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-40006"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"4aae8d1c051ea00b456da6811bc36d1f69de5445"},{"fixed":"bc1c9ce8aeff45318332035dbef9713fb9e982d7"},{"fixed":"91f548e920fbf8be3f285bfa3fa045ae017e836d"},{"fixed":"3e851448078f5b01f6264915df3cfef75e323a12"},{"fixed":"c1dc0524ab2cc3982d4e0d2bfac71a0cd4d65c39"},{"fixed":"c9c2a51f91aea70e89b496cac360cd795a2b3c26"},{"fixed":"910d7749346c4b0acdc6e4adfdc4a9984281a206"},{"fixed":"21ee79ce938127f88fe07e409c1817f477dbe7ea"},{"fixed":"7b7387650dcf2881fd8bb55bcf3c8bd6c9542dd7"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40006.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"4.5.0"},{"fixed":"5.4.300"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.5.0"},{"fixed":"5.10.245"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.194"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.155"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.109"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.50"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.16.10"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40006.json"}}],"schema_version":"1.7.5"}