CVE-2026-43404 (GCVE-0-2026-43404)

Vulnerability from cvelistv5 – Published: 2026-05-08 14:21 – Updated: 2026-05-08 14:21
VLAI?
Title
mm: Fix a hmm_range_fault() livelock / starvation problem
Summary
In the Linux kernel, the following vulnerability has been resolved: mm: Fix a hmm_range_fault() livelock / starvation problem If hmm_range_fault() fails a folio_trylock() in do_swap_page, trying to acquire the lock of a device-private folio for migration, to ram, the function will spin until it succeeds grabbing the lock. However, if the process holding the lock is depending on a work item to be completed, which is scheduled on the same CPU as the spinning hmm_range_fault(), that work item might be starved and we end up in a livelock / starvation situation which is never resolved. This can happen, for example if the process holding the device-private folio lock is stuck in migrate_device_unmap()->lru_add_drain_all() sinc lru_add_drain_all() requires a short work-item to be run on all online cpus to complete. A prerequisite for this to happen is: a) Both zone device and system memory folios are considered in migrate_device_unmap(), so that there is a reason to call lru_add_drain_all() for a system memory folio while a folio lock is held on a zone device folio. b) The zone device folio has an initial mapcount > 1 which causes at least one migration PTE entry insertion to be deferred to try_to_migrate(), which can happen after the call to lru_add_drain_all(). c) No or voluntary only preemption. This all seems pretty unlikely to happen, but indeed is hit by the "xe_exec_system_allocator" igt test. Resolve this by waiting for the folio to be unlocked if the folio_trylock() fails in do_swap_page(). Rename migration_entry_wait_on_locked() to softleaf_entry_wait_unlock() and update its documentation to indicate the new use-case. Future code improvements might consider moving the lru_add_drain_all() call in migrate_device_unmap() to be called *after* all pages have migration entries inserted. That would eliminate also b) above. v2: - Instead of a cond_resched() in hmm_range_fault(), eliminate the problem by waiting for the folio to be unlocked in do_swap_page() (Alistair Popple, Andrew Morton) v3: - Add a stub migration_entry_wait_on_locked() for the !CONFIG_MIGRATION case. (Kernel Test Robot) v4: - Rename migrate_entry_wait_on_locked() to softleaf_entry_wait_on_locked() and update docs (Alistair Popple) v5: - Add a WARN_ON_ONCE() for the !CONFIG_MIGRATION version of softleaf_entry_wait_on_locked(). - Modify wording around function names in the commit message (Andrew Morton) (cherry picked from commit a69d1ab971a624c6f112cea61536569d579c3215)
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 1afaeb8293c9addbf4f9140bdd22635fed763459 , < 94b6d0ba4b640ba23bb6c708a59316e74e5ede63 (git)
Affected: 1afaeb8293c9addbf4f9140bdd22635fed763459 , < 7e6e2fc91d4b9b12ec6e137019532568ebcf2680 (git)
Affected: 1afaeb8293c9addbf4f9140bdd22635fed763459 , < b570f37a2ce480be26c665345c5514686a8a0274 (git)
Create a notification for this product.
    Linux Linux Affected: 6.15
Unaffected: 0 , < 6.15 (semver)
Unaffected: 6.18.19 , ≤ 6.18.* (semver)
Unaffected: 6.19.9 , ≤ 6.19.* (semver)
Unaffected: 7.0 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/linux/migrate.h",
            "mm/filemap.c",
            "mm/memory.c",
            "mm/migrate.c",
            "mm/migrate_device.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "94b6d0ba4b640ba23bb6c708a59316e74e5ede63",
              "status": "affected",
              "version": "1afaeb8293c9addbf4f9140bdd22635fed763459",
              "versionType": "git"
            },
            {
              "lessThan": "7e6e2fc91d4b9b12ec6e137019532568ebcf2680",
              "status": "affected",
              "version": "1afaeb8293c9addbf4f9140bdd22635fed763459",
              "versionType": "git"
            },
            {
              "lessThan": "b570f37a2ce480be26c665345c5514686a8a0274",
              "status": "affected",
              "version": "1afaeb8293c9addbf4f9140bdd22635fed763459",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/linux/migrate.h",
            "mm/filemap.c",
            "mm/memory.c",
            "mm/migrate.c",
            "mm/migrate_device.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.15"
            },
            {
              "lessThan": "6.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.19",
                  "versionStartIncluding": "6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.9",
                  "versionStartIncluding": "6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "6.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: Fix a hmm_range_fault() livelock / starvation problem\n\nIf hmm_range_fault() fails a folio_trylock() in do_swap_page,\ntrying to acquire the lock of a device-private folio for migration,\nto ram, the function will spin until it succeeds grabbing the lock.\n\nHowever, if the process holding the lock is depending on a work\nitem to be completed, which is scheduled on the same CPU as the\nspinning hmm_range_fault(), that work item might be starved and\nwe end up in a livelock / starvation situation which is never\nresolved.\n\nThis can happen, for example if the process holding the\ndevice-private folio lock is stuck in\n   migrate_device_unmap()-\u003elru_add_drain_all()\nsinc lru_add_drain_all() requires a short work-item\nto be run on all online cpus to complete.\n\nA prerequisite for this to happen is:\na) Both zone device and system memory folios are considered in\n   migrate_device_unmap(), so that there is a reason to call\n   lru_add_drain_all() for a system memory folio while a\n   folio lock is held on a zone device folio.\nb) The zone device folio has an initial mapcount \u003e 1 which causes\n   at least one migration PTE entry insertion to be deferred to\n   try_to_migrate(), which can happen after the call to\n   lru_add_drain_all().\nc) No or voluntary only preemption.\n\nThis all seems pretty unlikely to happen, but indeed is hit by\nthe \"xe_exec_system_allocator\" igt test.\n\nResolve this by waiting for the folio to be unlocked if the\nfolio_trylock() fails in do_swap_page().\n\nRename migration_entry_wait_on_locked() to\nsoftleaf_entry_wait_unlock() and update its documentation to\nindicate the new use-case.\n\nFuture code improvements might consider moving\nthe lru_add_drain_all() call in migrate_device_unmap() to be\ncalled *after* all pages have migration entries inserted.\nThat would eliminate also b) above.\n\nv2:\n- Instead of a cond_resched() in hmm_range_fault(),\n  eliminate the problem by waiting for the folio to be unlocked\n  in do_swap_page() (Alistair Popple, Andrew Morton)\nv3:\n- Add a stub migration_entry_wait_on_locked() for the\n  !CONFIG_MIGRATION case. (Kernel Test Robot)\nv4:\n- Rename migrate_entry_wait_on_locked() to\n  softleaf_entry_wait_on_locked() and update docs (Alistair Popple)\nv5:\n- Add a WARN_ON_ONCE() for the !CONFIG_MIGRATION\n  version of softleaf_entry_wait_on_locked().\n- Modify wording around function names in the commit message\n  (Andrew Morton)\n\n(cherry picked from commit a69d1ab971a624c6f112cea61536569d579c3215)"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-08T14:21:44.929Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/94b6d0ba4b640ba23bb6c708a59316e74e5ede63"
        },
        {
          "url": "https://git.kernel.org/stable/c/7e6e2fc91d4b9b12ec6e137019532568ebcf2680"
        },
        {
          "url": "https://git.kernel.org/stable/c/b570f37a2ce480be26c665345c5514686a8a0274"
        }
      ],
      "title": "mm: Fix a hmm_range_fault() livelock / starvation problem",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-43404",
    "datePublished": "2026-05-08T14:21:44.929Z",
    "dateReserved": "2026-05-01T14:12:56.007Z",
    "dateUpdated": "2026-05-08T14:21:44.929Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-43404\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-05-08T15:16:51.887\",\"lastModified\":\"2026-05-08T15:16:51.887\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmm: Fix a hmm_range_fault() livelock / starvation problem\\n\\nIf hmm_range_fault() fails a folio_trylock() in do_swap_page,\\ntrying to acquire the lock of a device-private folio for migration,\\nto ram, the function will spin until it succeeds grabbing the lock.\\n\\nHowever, if the process holding the lock is depending on a work\\nitem to be completed, which is scheduled on the same CPU as the\\nspinning hmm_range_fault(), that work item might be starved and\\nwe end up in a livelock / starvation situation which is never\\nresolved.\\n\\nThis can happen, for example if the process holding the\\ndevice-private folio lock is stuck in\\n   migrate_device_unmap()-\u003elru_add_drain_all()\\nsinc lru_add_drain_all() requires a short work-item\\nto be run on all online cpus to complete.\\n\\nA prerequisite for this to happen is:\\na) Both zone device and system memory folios are considered in\\n   migrate_device_unmap(), so that there is a reason to call\\n   lru_add_drain_all() for a system memory folio while a\\n   folio lock is held on a zone device folio.\\nb) The zone device folio has an initial mapcount \u003e 1 which causes\\n   at least one migration PTE entry insertion to be deferred to\\n   try_to_migrate(), which can happen after the call to\\n   lru_add_drain_all().\\nc) No or voluntary only preemption.\\n\\nThis all seems pretty unlikely to happen, but indeed is hit by\\nthe \\\"xe_exec_system_allocator\\\" igt test.\\n\\nResolve this by waiting for the folio to be unlocked if the\\nfolio_trylock() fails in do_swap_page().\\n\\nRename migration_entry_wait_on_locked() to\\nsoftleaf_entry_wait_unlock() and update its documentation to\\nindicate the new use-case.\\n\\nFuture code improvements might consider moving\\nthe lru_add_drain_all() call in migrate_device_unmap() to be\\ncalled *after* all pages have migration entries inserted.\\nThat would eliminate also b) above.\\n\\nv2:\\n- Instead of a cond_resched() in hmm_range_fault(),\\n  eliminate the problem by waiting for the folio to be unlocked\\n  in do_swap_page() (Alistair Popple, Andrew Morton)\\nv3:\\n- Add a stub migration_entry_wait_on_locked() for the\\n  !CONFIG_MIGRATION case. (Kernel Test Robot)\\nv4:\\n- Rename migrate_entry_wait_on_locked() to\\n  softleaf_entry_wait_on_locked() and update docs (Alistair Popple)\\nv5:\\n- Add a WARN_ON_ONCE() for the !CONFIG_MIGRATION\\n  version of softleaf_entry_wait_on_locked().\\n- Modify wording around function names in the commit message\\n  (Andrew Morton)\\n\\n(cherry picked from commit a69d1ab971a624c6f112cea61536569d579c3215)\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/7e6e2fc91d4b9b12ec6e137019532568ebcf2680\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/94b6d0ba4b640ba23bb6c708a59316e74e5ede63\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/b570f37a2ce480be26c665345c5514686a8a0274\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.