In the Linux kernel, the following vulnerability has been resolved:
mm: hugetlb: independent PMD page table shared count
The folio refcount may be increased unexpectly through trygetfolio() by caller such as splithugepages. In hugepmdunshare(), we use refcount to check whether a pmd page table is shared. The check is incorrect if the refcount is increased by the above caller, and this can cause the page table leaked:
BUG: Bad page state in process sh pfn:109324 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x66 pfn:0x109324 flags: 0x17ffff800000000(node=0|zone=2|lastcpupid=0xfffff) pagetype: f2(table) raw: 017ffff800000000 0000000000000000 0000000000000000 0000000000000000 raw: 0000000000000066 0000000000000000 00000000f2000000 0000000000000000 page dumped because: nonzero mapcount ... CPU: 31 UID: 0 PID: 7515 Comm: sh Kdump: loaded Tainted: G B 6.13.0-rc2master+ #7 Tainted: [B]=BADPAGE Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015 Call trace: showstack+0x20/0x38 (C) dumpstacklvl+0x80/0xf8 dumpstack+0x18/0x28 badpage+0x8c/0x130 freepageisbadreport+0xa4/0xb0 freeunrefpage+0x3cc/0x620 _folioput+0xf4/0x158 splithugepagesall+0x1e0/0x3e8 splithugepageswrite+0x25c/0x2d8 fullproxywrite+0x64/0xd8 vfswrite+0xcc/0x280 ksyswrite+0x70/0x110 _arm64syswrite+0x24/0x38 invokesyscall+0x50/0x120 el0svccommon.constprop.0+0xc8/0xf0 doel0svc+0x24/0x38 el0svc+0x34/0x128 el0t64synchandler+0xc8/0xd0 el0t64_sync+0x190/0x198
The issue may be triggered by damon, offlinepage, pageidle, etc, which will increase the refcount of page table.
The page table itself will be discarded after reporting the "nonzero mapcount".
The HugeTLB page mapped by the page table miss freeing since we treat the page table as shared and a shared page table will not be unmapped.
Fix it by introducing independent PMD page table shared count. As described by comment, ptindex/ptmm/ptfragrefcount are used for s390 gmap, x86 pgds and powerpc, ptsharecount is used for x86/arm64/riscv pmds, so we can reuse the field as ptsharecount.