mm/hugetlb: fixes for split races
JIRA: https://issues.redhat.com/browse/RHEL-101261
JIRA: https://issues.redhat.com/browse/RHEL-101296
CVE: CVE-2025-38084
CVE: CVE-2025-38085
Currently, __split_vma() triggers hugetlb page table unsharing through
vm_ops->may_split(). This happens before the VMA lock and rmap locks are
taken - which is too early, it allows racing VMA-locked page faults in our
process and racing rmap walks from other processes to cause page tables to
be shared again before we actually perform the split.
Signed-off-by: Rafael Aquini <raquini@redhat.com>