CVE-2025-38050

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-38050
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-38050.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-38050
Downstream
Published
2025-06-18T09:33:32Z
Modified
2025-10-16T01:23:59.622174Z
Summary
mm/hugetlb: fix kernel NULL pointer dereference when replacing free hugetlb folios
Details

In the Linux kernel, the following vulnerability has been resolved:

mm/hugetlb: fix kernel NULL pointer dereference when replacing free hugetlb folios

A kernel crash was observed when replacing free hugetlb folios:

BUG: kernel NULL pointer dereference, address: 0000000000000028 PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 28 UID: 0 PID: 29639 Comm: testcma.sh Tainted 6.15.0-rc6-zp #41 PREEMPT(voluntary) RIP: 0010:allocanddissolvehugetlbfolio+0x1d/0x1f0 RSP: 0018:ffffc9000b30fa90 EFLAGS: 00010286 RAX: 0000000000000000 RBX: 0000000000342cca RCX: ffffea0043000000 RDX: ffffc9000b30fb08 RSI: ffffea0043000000 RDI: 0000000000000000 RBP: ffffc9000b30fb20 R08: 0000000000001000 R09: 0000000000000000 R10: ffff88886f92eb00 R11: 0000000000000000 R12: ffffea0043000000 R13: 0000000000000000 R14: 00000000010c0200 R15: 0000000000000004 FS: 00007fcda5f14740(0000) GS:ffff8888ec1d8000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000028 CR3: 0000000391402000 CR4: 0000000000350ef0 Call Trace: <TASK> replacefreehugepagefolios+0xb6/0x100 alloccontigrangenoprof+0x18a/0x590 ? srsoreturnthunk+0x5/0x5f ? downread+0x12/0xa0 ? srsoreturnthunk+0x5/0x5f cmarangealloc.constprop.0+0x131/0x290 _cmaalloc+0xcf/0x2c0 cmaallocwrite+0x43/0xb0 simpleattrwritexsigned.constprop.0.isra.0+0xb2/0x110 debugfsattrwrite+0x46/0x70 fullproxywrite+0x62/0xa0 vfswrite+0xf8/0x420 ? srsoreturnthunk+0x5/0x5f ? filpflush+0x86/0xa0 ? srsoreturnthunk+0x5/0x5f ? filpclose+0x1f/0x30 ? srsoreturnthunk+0x5/0x5f ? dodup2+0xaf/0x160 ? srsoreturnthunk+0x5/0x5f ksyswrite+0x65/0xe0 dosyscall64+0x64/0x170 entrySYSCALL64afterhwframe+0x76/0x7e

There is a potential race between _updateandfreehugetlbfolio() and replacefreehugepagefolios():

CPU1 CPU2 _updateandfreehugetlbfolio replacefreehugepagefolios foliotesthugetlb(folio) -- It's still hugetlb folio.

_folioclearhugetlb(folio) hugetlbfreefolio(folio) h = foliohstate(folio) -- Here, h is NULL pointer

When the above race condition occurs, foliohstate(folio) returns NULL, and subsequent access to this NULL pointer will cause the system to crash. To resolve this issue, execute foliohstate(folio) under the protection of the hugetlblock lock, ensuring that foliohstate(folio) does not return NULL.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
04f13d241b8b146b23038bffd907cb8278391d07
Fixed
e97283978a9848190d451f7038ac399613445f79
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
04f13d241b8b146b23038bffd907cb8278391d07
Fixed
113ed54ad276c352ee5ce109bdcf0df118a43bda

Affected versions

v6.*

v6.13
v6.13-rc7
v6.14
v6.14-rc1
v6.14-rc2
v6.14-rc3
v6.14-rc4
v6.14-rc5
v6.14-rc6
v6.14-rc7
v6.14.1
v6.14.2
v6.14.3
v6.14.4
v6.14.5
v6.14.6
v6.14.7
v6.14.8
v6.15-rc1
v6.15-rc2
v6.15-rc3
v6.15-rc4
v6.15-rc5
v6.15-rc6

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.14.0
Fixed
6.14.9