CVE-2023-52490 (GCVE-0-2023-52490)

Vulnerability from cvelistv5 – Published: 2024-02-29 15:52 – Updated: 2026-05-23 15:25
VLAI
Title
mm: migrate: fix getting incorrect page mapping during page migration
Summary
In the Linux kernel, the following vulnerability has been resolved: mm: migrate: fix getting incorrect page mapping during page migration When running stress-ng testing, we found below kernel crash after a few hours: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 pc : dentry_name+0xd8/0x224 lr : pointer+0x22c/0x370 sp : ffff800025f134c0 ...... Call trace: dentry_name+0xd8/0x224 pointer+0x22c/0x370 vsnprintf+0x1ec/0x730 vscnprintf+0x2c/0x60 vprintk_store+0x70/0x234 vprintk_emit+0xe0/0x24c vprintk_default+0x3c/0x44 vprintk_func+0x84/0x2d0 printk+0x64/0x88 __dump_page+0x52c/0x530 dump_page+0x14/0x20 set_migratetype_isolate+0x110/0x224 start_isolate_page_range+0xc4/0x20c offline_pages+0x124/0x474 memory_block_offline+0x44/0xf4 memory_subsys_offline+0x3c/0x70 device_offline+0xf0/0x120 ...... After analyzing the vmcore, I found this issue is caused by page migration. The scenario is that, one thread is doing page migration, and we will use the target page's ->mapping field to save 'anon_vma' pointer between page unmap and page move, and now the target page is locked and refcount is 1. Currently, there is another stress-ng thread performing memory hotplug, attempting to offline the target page that is being migrated. It discovers that the refcount of this target page is 1, preventing the offline operation, thus proceeding to dump the page. However, page_mapping() of the target page may return an incorrect file mapping to crash the system in dump_mapping(), since the target page->mapping only saves 'anon_vma' pointer without setting PAGE_MAPPING_ANON flag. There are seveval ways to fix this issue: (1) Setting the PAGE_MAPPING_ANON flag for target page's ->mapping when saving 'anon_vma', but this can confuse PageAnon() for PFN walkers, since the target page has not built mappings yet. (2) Getting the page lock to call page_mapping() in __dump_page() to avoid crashing the system, however, there are still some PFN walkers that call page_mapping() without holding the page lock, such as compaction. (3) Using target page->private field to save the 'anon_vma' pointer and 2 bits page state, just as page->mapping records an anonymous page, which can remove the page_mapping() impact for PFN walkers and also seems a simple way. So I choose option 3 to fix this issue, and this can also fix other potential issues for PFN walkers, such as compaction.
Severity
5.5 (Medium)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE
  • CWE-476 - NULL Pointer Dereference
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 64c8902ed4418317cd416c566f896bd4a92b2efc , < 9128bfbc5c80d8f4874dd0a0424d1f5fb010df1b (git)
Affected: 64c8902ed4418317cd416c566f896bd4a92b2efc , < 3889a418b6eb9a1113fb989aaadecf2f64964767 (git)
Affected: 64c8902ed4418317cd416c566f896bd4a92b2efc , < d1adb25df7111de83b64655a80b5a135adbded61 (git)
Affected: 8ca5f0ea52e1eef5e7dcbdff1d1afe602764ea93 (git)
Affected: 6.1.116 , < 6.2 (semver)
Create a notification for this product.
Linux Linux Affected: 6.3
Unaffected: 0 , < 6.3 (semver)
Unaffected: 6.6.15 , ≤ 6.6.* (semver)
Unaffected: 6.7.3 , ≤ 6.7.* (semver)
Unaffected: 6.8 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2023-52490",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-22T15:48:39.445128Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-476",
                "description": "CWE-476 NULL Pointer Dereference",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-07T20:02:34.423Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T23:03:20.374Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/9128bfbc5c80d8f4874dd0a0424d1f5fb010df1b"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/3889a418b6eb9a1113fb989aaadecf2f64964767"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/d1adb25df7111de83b64655a80b5a135adbded61"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "mm/migrate.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "9128bfbc5c80d8f4874dd0a0424d1f5fb010df1b",
              "status": "affected",
              "version": "64c8902ed4418317cd416c566f896bd4a92b2efc",
              "versionType": "git"
            },
            {
              "lessThan": "3889a418b6eb9a1113fb989aaadecf2f64964767",
              "status": "affected",
              "version": "64c8902ed4418317cd416c566f896bd4a92b2efc",
              "versionType": "git"
            },
            {
              "lessThan": "d1adb25df7111de83b64655a80b5a135adbded61",
              "status": "affected",
              "version": "64c8902ed4418317cd416c566f896bd4a92b2efc",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "8ca5f0ea52e1eef5e7dcbdff1d1afe602764ea93",
              "versionType": "git"
            },
            {
              "lessThan": "6.2",
              "status": "affected",
              "version": "6.1.116",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "mm/migrate.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.3"
            },
            {
              "lessThan": "6.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.15",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.7.*",
              "status": "unaffected",
              "version": "6.7.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.8",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.15",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.7.3",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.8",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.1.116",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: migrate: fix getting incorrect page mapping during page migration\n\nWhen running stress-ng testing, we found below kernel crash after a few hours:\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000000\npc : dentry_name+0xd8/0x224\nlr : pointer+0x22c/0x370\nsp : ffff800025f134c0\n......\nCall trace:\n  dentry_name+0xd8/0x224\n  pointer+0x22c/0x370\n  vsnprintf+0x1ec/0x730\n  vscnprintf+0x2c/0x60\n  vprintk_store+0x70/0x234\n  vprintk_emit+0xe0/0x24c\n  vprintk_default+0x3c/0x44\n  vprintk_func+0x84/0x2d0\n  printk+0x64/0x88\n  __dump_page+0x52c/0x530\n  dump_page+0x14/0x20\n  set_migratetype_isolate+0x110/0x224\n  start_isolate_page_range+0xc4/0x20c\n  offline_pages+0x124/0x474\n  memory_block_offline+0x44/0xf4\n  memory_subsys_offline+0x3c/0x70\n  device_offline+0xf0/0x120\n  ......\n\nAfter analyzing the vmcore, I found this issue is caused by page migration.\nThe scenario is that, one thread is doing page migration, and we will use the\ntarget page\u0027s -\u003emapping field to save \u0027anon_vma\u0027 pointer between page unmap and\npage move, and now the target page is locked and refcount is 1.\n\nCurrently, there is another stress-ng thread performing memory hotplug,\nattempting to offline the target page that is being migrated. It discovers that\nthe refcount of this target page is 1, preventing the offline operation, thus\nproceeding to dump the page. However, page_mapping() of the target page may\nreturn an incorrect file mapping to crash the system in dump_mapping(), since\nthe target page-\u003emapping only saves \u0027anon_vma\u0027 pointer without setting\nPAGE_MAPPING_ANON flag.\n\nThere are seveval ways to fix this issue:\n(1) Setting the PAGE_MAPPING_ANON flag for target page\u0027s -\u003emapping when saving\n\u0027anon_vma\u0027, but this can confuse PageAnon() for PFN walkers, since the target\npage has not built mappings yet.\n(2) Getting the page lock to call page_mapping() in __dump_page() to avoid crashing\nthe system, however, there are still some PFN walkers that call page_mapping()\nwithout holding the page lock, such as compaction.\n(3) Using target page-\u003eprivate field to save the \u0027anon_vma\u0027 pointer and 2 bits\npage state, just as page-\u003emapping records an anonymous page, which can remove\nthe page_mapping() impact for PFN walkers and also seems a simple way.\n\nSo I choose option 3 to fix this issue, and this can also fix other potential\nissues for PFN walkers, such as compaction."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-23T15:25:41.201Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/9128bfbc5c80d8f4874dd0a0424d1f5fb010df1b"
        },
        {
          "url": "https://git.kernel.org/stable/c/3889a418b6eb9a1113fb989aaadecf2f64964767"
        },
        {
          "url": "https://git.kernel.org/stable/c/d1adb25df7111de83b64655a80b5a135adbded61"
        }
      ],
      "title": "mm: migrate: fix getting incorrect page mapping during page migration",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-52490",
    "datePublished": "2024-02-29T15:52:09.281Z",
    "dateReserved": "2024-02-20T12:30:33.303Z",
    "dateUpdated": "2026-05-23T15:25:41.201Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2023-52490",
      "date": "2026-05-30",
      "epss": "9e-05",
      "percentile": "0.00972"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-52490\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-03-11T18:15:16.750\",\"lastModified\":\"2025-04-22T16:15:42.220\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmm: migrate: fix getting incorrect page mapping during page migration\\n\\nWhen running stress-ng testing, we found below kernel crash after a few hours:\\n\\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000000\\npc : dentry_name+0xd8/0x224\\nlr : pointer+0x22c/0x370\\nsp : ffff800025f134c0\\n......\\nCall trace:\\n  dentry_name+0xd8/0x224\\n  pointer+0x22c/0x370\\n  vsnprintf+0x1ec/0x730\\n  vscnprintf+0x2c/0x60\\n  vprintk_store+0x70/0x234\\n  vprintk_emit+0xe0/0x24c\\n  vprintk_default+0x3c/0x44\\n  vprintk_func+0x84/0x2d0\\n  printk+0x64/0x88\\n  __dump_page+0x52c/0x530\\n  dump_page+0x14/0x20\\n  set_migratetype_isolate+0x110/0x224\\n  start_isolate_page_range+0xc4/0x20c\\n  offline_pages+0x124/0x474\\n  memory_block_offline+0x44/0xf4\\n  memory_subsys_offline+0x3c/0x70\\n  device_offline+0xf0/0x120\\n  ......\\n\\nAfter analyzing the vmcore, I found this issue is caused by page migration.\\nThe scenario is that, one thread is doing page migration, and we will use the\\ntarget page\u0027s -\u003emapping field to save \u0027anon_vma\u0027 pointer between page unmap and\\npage move, and now the target page is locked and refcount is 1.\\n\\nCurrently, there is another stress-ng thread performing memory hotplug,\\nattempting to offline the target page that is being migrated. It discovers that\\nthe refcount of this target page is 1, preventing the offline operation, thus\\nproceeding to dump the page. However, page_mapping() of the target page may\\nreturn an incorrect file mapping to crash the system in dump_mapping(), since\\nthe target page-\u003emapping only saves \u0027anon_vma\u0027 pointer without setting\\nPAGE_MAPPING_ANON flag.\\n\\nThere are seveval ways to fix this issue:\\n(1) Setting the PAGE_MAPPING_ANON flag for target page\u0027s -\u003emapping when saving\\n\u0027anon_vma\u0027, but this can confuse PageAnon() for PFN walkers, since the target\\npage has not built mappings yet.\\n(2) Getting the page lock to call page_mapping() in __dump_page() to avoid crashing\\nthe system, however, there are still some PFN walkers that call page_mapping()\\nwithout holding the page lock, such as compaction.\\n(3) Using target page-\u003eprivate field to save the \u0027anon_vma\u0027 pointer and 2 bits\\npage state, just as page-\u003emapping records an anonymous page, which can remove\\nthe page_mapping() impact for PFN walkers and also seems a simple way.\\n\\nSo I choose option 3 to fix this issue, and this can also fix other potential\\nissues for PFN walkers, such as compaction.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: mm: migrar: se corrigi\u00f3 la asignaci\u00f3n de p\u00e1gina incorrecta durante la migraci\u00f3n de la p\u00e1gina Al ejecutar la prueba de estr\u00e9s, encontramos el siguiente bloqueo del kernel despu\u00e9s de unas horas: No se puede manejar la desreferencia del puntero NULL del kernel en virtual direcci\u00f3n 0000000000000000 pc: dentry_name+0xd8/0x224 lr: puntero+0x22c/0x370 sp: ffff800025f134c0 ...... Rastreo de llamadas: dentry_name+0xd8/0x224 puntero+0x22c/0x370 vsnprintf+0x1ec/0x730 vscnprint f+0x2c/0x60 vprintk_store+ 0x70/0x234 vprintk_emit+0xe0/0x24c vprintk_default+0x3c/0x44 vprintk_func+0x84/0x2d0 printk+0x64/0x88 __dump_page+0x52c/0x530 dump_page+0x14/0x20 set_migratetype_isolate+0x110/0x22 4 start_isolate_page_range+0xc4/0x20c offline_pages+0x124/0x474 memoria_block_offline+ 0x44/0xf4 Memory_subsys_offline+0x3c/0x70 device_offline+0xf0/0x120 ...... Despu\u00e9s de analizar vmcore, descubr\u00ed que este problema se debe a la migraci\u00f3n de la p\u00e1gina. El escenario es que un hilo est\u00e1 realizando la migraci\u00f3n de la p\u00e1gina y usaremos el campo -\u0026gt;mapping de la p\u00e1gina de destino para guardar el puntero \u0027anon_vma\u0027 entre la desasignaci\u00f3n de la p\u00e1gina y el movimiento de la p\u00e1gina, y ahora la p\u00e1gina de destino est\u00e1 bloqueada y el recuento es 1. Actualmente, Hay otro subproceso estresante que realiza una conexi\u00f3n en caliente de la memoria, intentando desconectar la p\u00e1gina de destino que se est\u00e1 migrando. Descubre que el refcount de esta p\u00e1gina de destino es 1, impidiendo la operaci\u00f3n fuera de l\u00ednea, procediendo as\u00ed a volcar la p\u00e1gina. Sin embargo, page_mapping() de la p\u00e1gina de destino puede devolver una asignaci\u00f3n de archivos incorrecta para bloquear el sistema en dump_mapping(), ya que la p\u00e1gina de destino-\u0026gt;mapping solo guarda el puntero \u0027anon_vma\u0027 sin configurar el indicador PAGE_MAPPING_ANON. Hay varias formas de solucionar este problema: (1) Configurar el indicador PAGE_MAPPING_ANON para la p\u00e1gina de destino -\u0026gt;mapping al guardar \u0027anon_vma\u0027, pero esto puede confundir a PageAnon() para los usuarios de PFN, ya que la p\u00e1gina de destino a\u00fan no ha creado asignaciones. (2) Hacer que el bloqueo de p\u00e1gina llame a page_mapping() en __dump_page() para evitar bloquear el sistema; sin embargo, todav\u00eda hay algunos caminantes PFN que llaman a page_mapping() sin mantener el bloqueo de p\u00e1gina, como la compactaci\u00f3n. (3) Usar p\u00e1gina de destino-\u0026gt;campo privado para guardar el puntero \u0027anon_vma\u0027 y el estado de la p\u00e1gina de 2 bits, tal como p\u00e1gina-\u0026gt;mapping registra una p\u00e1gina an\u00f3nima, lo que puede eliminar el impacto de page_mapping() para los caminantes de PFN y tambi\u00e9n parece una soluci\u00f3n simple forma. As\u00ed que elijo la opci\u00f3n 3 para solucionar este problema, y esto tambi\u00e9n puede solucionar otros problemas potenciales para los caminantes PFN, como la compactaci\u00f3n.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-476\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-476\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.3\",\"versionEndExcluding\":\"6.6.15\",\"matchCriteriaId\":\"FB27F895-1DBC-4989-B3A8-4327A549A9BC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.7.3\",\"matchCriteriaId\":\"58FD5308-148A-40D3-B36A-0CA6B434A8BF\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/3889a418b6eb9a1113fb989aaadecf2f64964767\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/9128bfbc5c80d8f4874dd0a0424d1f5fb010df1b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/d1adb25df7111de83b64655a80b5a135adbded61\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/3889a418b6eb9a1113fb989aaadecf2f64964767\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/9128bfbc5c80d8f4874dd0a0424d1f5fb010df1b\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/d1adb25df7111de83b64655a80b5a135adbded61\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://git.kernel.org/stable/c/9128bfbc5c80d8f4874dd0a0424d1f5fb010df1b\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/3889a418b6eb9a1113fb989aaadecf2f64964767\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/d1adb25df7111de83b64655a80b5a135adbded61\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T23:03:20.374Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.5, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-52490\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-22T15:48:39.445128Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-476\", \"description\": \"CWE-476 NULL Pointer Dereference\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-05-23T19:01:16.888Z\"}}], \"cna\": {\"title\": \"mm: migrate: fix getting incorrect page mapping during page migration\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"64c8902ed4418317cd416c566f896bd4a92b2efc\", \"lessThan\": \"9128bfbc5c80d8f4874dd0a0424d1f5fb010df1b\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"64c8902ed4418317cd416c566f896bd4a92b2efc\", \"lessThan\": \"3889a418b6eb9a1113fb989aaadecf2f64964767\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"64c8902ed4418317cd416c566f896bd4a92b2efc\", \"lessThan\": \"d1adb25df7111de83b64655a80b5a135adbded61\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"8ca5f0ea52e1eef5e7dcbdff1d1afe602764ea93\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"6.1.116\", \"lessThan\": \"6.2\", \"versionType\": \"semver\"}], \"programFiles\": [\"mm/migrate.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"6.3\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"6.3\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"6.6.15\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.6.*\"}, {\"status\": \"unaffected\", \"version\": \"6.7.3\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.7.*\"}, {\"status\": \"unaffected\", \"version\": \"6.8\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"mm/migrate.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/9128bfbc5c80d8f4874dd0a0424d1f5fb010df1b\"}, {\"url\": \"https://git.kernel.org/stable/c/3889a418b6eb9a1113fb989aaadecf2f64964767\"}, {\"url\": \"https://git.kernel.org/stable/c/d1adb25df7111de83b64655a80b5a135adbded61\"}], \"x_generator\": {\"engine\": \"bippy-1.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmm: migrate: fix getting incorrect page mapping during page migration\\n\\nWhen running stress-ng testing, we found below kernel crash after a few hours:\\n\\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000000\\npc : dentry_name+0xd8/0x224\\nlr : pointer+0x22c/0x370\\nsp : ffff800025f134c0\\n......\\nCall trace:\\n  dentry_name+0xd8/0x224\\n  pointer+0x22c/0x370\\n  vsnprintf+0x1ec/0x730\\n  vscnprintf+0x2c/0x60\\n  vprintk_store+0x70/0x234\\n  vprintk_emit+0xe0/0x24c\\n  vprintk_default+0x3c/0x44\\n  vprintk_func+0x84/0x2d0\\n  printk+0x64/0x88\\n  __dump_page+0x52c/0x530\\n  dump_page+0x14/0x20\\n  set_migratetype_isolate+0x110/0x224\\n  start_isolate_page_range+0xc4/0x20c\\n  offline_pages+0x124/0x474\\n  memory_block_offline+0x44/0xf4\\n  memory_subsys_offline+0x3c/0x70\\n  device_offline+0xf0/0x120\\n  ......\\n\\nAfter analyzing the vmcore, I found this issue is caused by page migration.\\nThe scenario is that, one thread is doing page migration, and we will use the\\ntarget page\u0027s -\u003emapping field to save \u0027anon_vma\u0027 pointer between page unmap and\\npage move, and now the target page is locked and refcount is 1.\\n\\nCurrently, there is another stress-ng thread performing memory hotplug,\\nattempting to offline the target page that is being migrated. It discovers that\\nthe refcount of this target page is 1, preventing the offline operation, thus\\nproceeding to dump the page. However, page_mapping() of the target page may\\nreturn an incorrect file mapping to crash the system in dump_mapping(), since\\nthe target page-\u003emapping only saves \u0027anon_vma\u0027 pointer without setting\\nPAGE_MAPPING_ANON flag.\\n\\nThere are seveval ways to fix this issue:\\n(1) Setting the PAGE_MAPPING_ANON flag for target page\u0027s -\u003emapping when saving\\n\u0027anon_vma\u0027, but this can confuse PageAnon() for PFN walkers, since the target\\npage has not built mappings yet.\\n(2) Getting the page lock to call page_mapping() in __dump_page() to avoid crashing\\nthe system, however, there are still some PFN walkers that call page_mapping()\\nwithout holding the page lock, such as compaction.\\n(3) Using target page-\u003eprivate field to save the \u0027anon_vma\u0027 pointer and 2 bits\\npage state, just as page-\u003emapping records an anonymous page, which can remove\\nthe page_mapping() impact for PFN walkers and also seems a simple way.\\n\\nSo I choose option 3 to fix this issue, and this can also fix other potential\\nissues for PFN walkers, such as compaction.\"}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.6.15\", \"versionStartIncluding\": \"6.3\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.7.3\", \"versionStartIncluding\": \"6.3\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.8\", \"versionStartIncluding\": \"6.3\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionStartIncluding\": \"6.1.116\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2026-05-23T15:25:41.201Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-52490\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-23T15:25:41.201Z\", \"dateReserved\": \"2024-02-20T12:30:33.303Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2024-02-29T15:52:09.281Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.