CVE-2026-23097 (GCVE-0-2026-23097)
Vulnerability from cvelistv5 – Published: 2026-02-04 16:08 – Updated: 2026-02-06 16:33
VLAI?
Title
migrate: correct lock ordering for hugetlb file folios
Summary
In the Linux kernel, the following vulnerability has been resolved:
migrate: correct lock ordering for hugetlb file folios
Syzbot has found a deadlock (analyzed by Lance Yang):
1) Task (5749): Holds folio_lock, then tries to acquire i_mmap_rwsem(read lock).
2) Task (5754): Holds i_mmap_rwsem(write lock), then tries to acquire
folio_lock.
migrate_pages()
-> migrate_hugetlbs()
-> unmap_and_move_huge_page() <- Takes folio_lock!
-> remove_migration_ptes()
-> __rmap_walk_file()
-> i_mmap_lock_read() <- Waits for i_mmap_rwsem(read lock)!
hugetlbfs_fallocate()
-> hugetlbfs_punch_hole() <- Takes i_mmap_rwsem(write lock)!
-> hugetlbfs_zero_partial_page()
-> filemap_lock_hugetlb_folio()
-> filemap_lock_folio()
-> __filemap_get_folio <- Waits for folio_lock!
The migration path is the one taking locks in the wrong order according to
the documentation at the top of mm/rmap.c. So expand the scope of the
existing i_mmap_lock to cover the calls to remove_migration_ptes() too.
This is (mostly) how it used to be after commit c0d0381ade79. That was
removed by 336bf30eb765 for both file & anon hugetlb pages when it should
only have been removed for anon hugetlb pages.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
336bf30eb76580b579dc711ded5d599d905c0217 , < e7396d23f9d5739f56cf9ab430c3a169f5508394
(git)
Affected: 336bf30eb76580b579dc711ded5d599d905c0217 , < ad97b9a55246eb940a26ac977f80892a395cabf9 (git) Affected: 336bf30eb76580b579dc711ded5d599d905c0217 , < 5edb9854f8df5428b40990a1c7d60507da5bd330 (git) Affected: 336bf30eb76580b579dc711ded5d599d905c0217 , < 526394af4e8ade89cacd1a9ce2b97712712fcc34 (git) Affected: 336bf30eb76580b579dc711ded5d599d905c0217 , < b75070823b89009f5123fd0e05a8e0c3d39937c1 (git) Affected: 336bf30eb76580b579dc711ded5d599d905c0217 , < 1b68efce6dd483d22f50d0d3800c4cfda14b1305 (git) Affected: 336bf30eb76580b579dc711ded5d599d905c0217 , < b7880cb166ab62c2409046b2347261abf701530e (git) Affected: ef792d6ce0db6a56e56743b1de1716a982c3b851 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/migrate.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e7396d23f9d5739f56cf9ab430c3a169f5508394",
"status": "affected",
"version": "336bf30eb76580b579dc711ded5d599d905c0217",
"versionType": "git"
},
{
"lessThan": "ad97b9a55246eb940a26ac977f80892a395cabf9",
"status": "affected",
"version": "336bf30eb76580b579dc711ded5d599d905c0217",
"versionType": "git"
},
{
"lessThan": "5edb9854f8df5428b40990a1c7d60507da5bd330",
"status": "affected",
"version": "336bf30eb76580b579dc711ded5d599d905c0217",
"versionType": "git"
},
{
"lessThan": "526394af4e8ade89cacd1a9ce2b97712712fcc34",
"status": "affected",
"version": "336bf30eb76580b579dc711ded5d599d905c0217",
"versionType": "git"
},
{
"lessThan": "b75070823b89009f5123fd0e05a8e0c3d39937c1",
"status": "affected",
"version": "336bf30eb76580b579dc711ded5d599d905c0217",
"versionType": "git"
},
{
"lessThan": "1b68efce6dd483d22f50d0d3800c4cfda14b1305",
"status": "affected",
"version": "336bf30eb76580b579dc711ded5d599d905c0217",
"versionType": "git"
},
{
"lessThan": "b7880cb166ab62c2409046b2347261abf701530e",
"status": "affected",
"version": "336bf30eb76580b579dc711ded5d599d905c0217",
"versionType": "git"
},
{
"status": "affected",
"version": "ef792d6ce0db6a56e56743b1de1716a982c3b851",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/migrate.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.249",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.199",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.162",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.122",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.68",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.19-rc7",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.249",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.199",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.162",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.122",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.68",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.8",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19-rc7",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.9.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmigrate: correct lock ordering for hugetlb file folios\n\nSyzbot has found a deadlock (analyzed by Lance Yang):\n\n1) Task (5749): Holds folio_lock, then tries to acquire i_mmap_rwsem(read lock).\n2) Task (5754): Holds i_mmap_rwsem(write lock), then tries to acquire\nfolio_lock.\n\nmigrate_pages()\n -\u003e migrate_hugetlbs()\n -\u003e unmap_and_move_huge_page() \u003c- Takes folio_lock!\n -\u003e remove_migration_ptes()\n -\u003e __rmap_walk_file()\n -\u003e i_mmap_lock_read() \u003c- Waits for i_mmap_rwsem(read lock)!\n\nhugetlbfs_fallocate()\n -\u003e hugetlbfs_punch_hole() \u003c- Takes i_mmap_rwsem(write lock)!\n -\u003e hugetlbfs_zero_partial_page()\n -\u003e filemap_lock_hugetlb_folio()\n -\u003e filemap_lock_folio()\n -\u003e __filemap_get_folio \u003c- Waits for folio_lock!\n\nThe migration path is the one taking locks in the wrong order according to\nthe documentation at the top of mm/rmap.c. So expand the scope of the\nexisting i_mmap_lock to cover the calls to remove_migration_ptes() too.\n\nThis is (mostly) how it used to be after commit c0d0381ade79. That was\nremoved by 336bf30eb765 for both file \u0026 anon hugetlb pages when it should\nonly have been removed for anon hugetlb pages."
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T16:33:19.246Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e7396d23f9d5739f56cf9ab430c3a169f5508394"
},
{
"url": "https://git.kernel.org/stable/c/ad97b9a55246eb940a26ac977f80892a395cabf9"
},
{
"url": "https://git.kernel.org/stable/c/5edb9854f8df5428b40990a1c7d60507da5bd330"
},
{
"url": "https://git.kernel.org/stable/c/526394af4e8ade89cacd1a9ce2b97712712fcc34"
},
{
"url": "https://git.kernel.org/stable/c/b75070823b89009f5123fd0e05a8e0c3d39937c1"
},
{
"url": "https://git.kernel.org/stable/c/1b68efce6dd483d22f50d0d3800c4cfda14b1305"
},
{
"url": "https://git.kernel.org/stable/c/b7880cb166ab62c2409046b2347261abf701530e"
}
],
"title": "migrate: correct lock ordering for hugetlb file folios",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23097",
"datePublished": "2026-02-04T16:08:19.815Z",
"dateReserved": "2026-01-13T15:37:45.964Z",
"dateUpdated": "2026-02-06T16:33:19.246Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-23097\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-02-04T17:16:20.570\",\"lastModified\":\"2026-02-06T17:16:25.040\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmigrate: correct lock ordering for hugetlb file folios\\n\\nSyzbot has found a deadlock (analyzed by Lance Yang):\\n\\n1) Task (5749): Holds folio_lock, then tries to acquire i_mmap_rwsem(read lock).\\n2) Task (5754): Holds i_mmap_rwsem(write lock), then tries to acquire\\nfolio_lock.\\n\\nmigrate_pages()\\n -\u003e migrate_hugetlbs()\\n -\u003e unmap_and_move_huge_page() \u003c- Takes folio_lock!\\n -\u003e remove_migration_ptes()\\n -\u003e __rmap_walk_file()\\n -\u003e i_mmap_lock_read() \u003c- Waits for i_mmap_rwsem(read lock)!\\n\\nhugetlbfs_fallocate()\\n -\u003e hugetlbfs_punch_hole() \u003c- Takes i_mmap_rwsem(write lock)!\\n -\u003e hugetlbfs_zero_partial_page()\\n -\u003e filemap_lock_hugetlb_folio()\\n -\u003e filemap_lock_folio()\\n -\u003e __filemap_get_folio \u003c- Waits for folio_lock!\\n\\nThe migration path is the one taking locks in the wrong order according to\\nthe documentation at the top of mm/rmap.c. So expand the scope of the\\nexisting i_mmap_lock to cover the calls to remove_migration_ptes() too.\\n\\nThis is (mostly) how it used to be after commit c0d0381ade79. That was\\nremoved by 336bf30eb765 for both file \u0026 anon hugetlb pages when it should\\nonly have been removed for anon hugetlb pages.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/1b68efce6dd483d22f50d0d3800c4cfda14b1305\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/526394af4e8ade89cacd1a9ce2b97712712fcc34\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/5edb9854f8df5428b40990a1c7d60507da5bd330\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ad97b9a55246eb940a26ac977f80892a395cabf9\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/b75070823b89009f5123fd0e05a8e0c3d39937c1\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/b7880cb166ab62c2409046b2347261abf701530e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e7396d23f9d5739f56cf9ab430c3a169f5508394\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…