CVE-2026-43404 (GCVE-0-2026-43404)

Vulnerability from cvelistv5 – Published: 2026-05-08 14:21 – Updated: 2026-05-11 22:23
VLAI
Title
mm: Fix a hmm_range_fault() livelock / starvation problem
Summary
In the Linux kernel, the following vulnerability has been resolved: mm: Fix a hmm_range_fault() livelock / starvation problem If hmm_range_fault() fails a folio_trylock() in do_swap_page, trying to acquire the lock of a device-private folio for migration, to ram, the function will spin until it succeeds grabbing the lock. However, if the process holding the lock is depending on a work item to be completed, which is scheduled on the same CPU as the spinning hmm_range_fault(), that work item might be starved and we end up in a livelock / starvation situation which is never resolved. This can happen, for example if the process holding the device-private folio lock is stuck in migrate_device_unmap()->lru_add_drain_all() sinc lru_add_drain_all() requires a short work-item to be run on all online cpus to complete. A prerequisite for this to happen is: a) Both zone device and system memory folios are considered in migrate_device_unmap(), so that there is a reason to call lru_add_drain_all() for a system memory folio while a folio lock is held on a zone device folio. b) The zone device folio has an initial mapcount > 1 which causes at least one migration PTE entry insertion to be deferred to try_to_migrate(), which can happen after the call to lru_add_drain_all(). c) No or voluntary only preemption. This all seems pretty unlikely to happen, but indeed is hit by the "xe_exec_system_allocator" igt test. Resolve this by waiting for the folio to be unlocked if the folio_trylock() fails in do_swap_page(). Rename migration_entry_wait_on_locked() to softleaf_entry_wait_unlock() and update its documentation to indicate the new use-case. Future code improvements might consider moving the lru_add_drain_all() call in migrate_device_unmap() to be called *after* all pages have migration entries inserted. That would eliminate also b) above. v2: - Instead of a cond_resched() in hmm_range_fault(), eliminate the problem by waiting for the folio to be unlocked in do_swap_page() (Alistair Popple, Andrew Morton) v3: - Add a stub migration_entry_wait_on_locked() for the !CONFIG_MIGRATION case. (Kernel Test Robot) v4: - Rename migrate_entry_wait_on_locked() to softleaf_entry_wait_on_locked() and update docs (Alistair Popple) v5: - Add a WARN_ON_ONCE() for the !CONFIG_MIGRATION version of softleaf_entry_wait_on_locked(). - Modify wording around function names in the commit message (Andrew Morton) (cherry picked from commit a69d1ab971a624c6f112cea61536569d579c3215)
Severity
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 1afaeb8293c9addbf4f9140bdd22635fed763459 , < 94b6d0ba4b640ba23bb6c708a59316e74e5ede63 (git)
Affected: 1afaeb8293c9addbf4f9140bdd22635fed763459 , < 7e6e2fc91d4b9b12ec6e137019532568ebcf2680 (git)
Affected: 1afaeb8293c9addbf4f9140bdd22635fed763459 , < b570f37a2ce480be26c665345c5514686a8a0274 (git)
Create a notification for this product.
Linux Linux Affected: 6.15
Unaffected: 0 , < 6.15 (semver)
Unaffected: 6.18.19 , ≤ 6.18.* (semver)
Unaffected: 6.19.9 , ≤ 6.19.* (semver)
Unaffected: 7.0 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/linux/migrate.h",
            "mm/filemap.c",
            "mm/memory.c",
            "mm/migrate.c",
            "mm/migrate_device.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "94b6d0ba4b640ba23bb6c708a59316e74e5ede63",
              "status": "affected",
              "version": "1afaeb8293c9addbf4f9140bdd22635fed763459",
              "versionType": "git"
            },
            {
              "lessThan": "7e6e2fc91d4b9b12ec6e137019532568ebcf2680",
              "status": "affected",
              "version": "1afaeb8293c9addbf4f9140bdd22635fed763459",
              "versionType": "git"
            },
            {
              "lessThan": "b570f37a2ce480be26c665345c5514686a8a0274",
              "status": "affected",
              "version": "1afaeb8293c9addbf4f9140bdd22635fed763459",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/linux/migrate.h",
            "mm/filemap.c",
            "mm/memory.c",
            "mm/migrate.c",
            "mm/migrate_device.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.15"
            },
            {
              "lessThan": "6.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.19",
                  "versionStartIncluding": "6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.9",
                  "versionStartIncluding": "6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "6.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: Fix a hmm_range_fault() livelock / starvation problem\n\nIf hmm_range_fault() fails a folio_trylock() in do_swap_page,\ntrying to acquire the lock of a device-private folio for migration,\nto ram, the function will spin until it succeeds grabbing the lock.\n\nHowever, if the process holding the lock is depending on a work\nitem to be completed, which is scheduled on the same CPU as the\nspinning hmm_range_fault(), that work item might be starved and\nwe end up in a livelock / starvation situation which is never\nresolved.\n\nThis can happen, for example if the process holding the\ndevice-private folio lock is stuck in\n   migrate_device_unmap()-\u003elru_add_drain_all()\nsinc lru_add_drain_all() requires a short work-item\nto be run on all online cpus to complete.\n\nA prerequisite for this to happen is:\na) Both zone device and system memory folios are considered in\n   migrate_device_unmap(), so that there is a reason to call\n   lru_add_drain_all() for a system memory folio while a\n   folio lock is held on a zone device folio.\nb) The zone device folio has an initial mapcount \u003e 1 which causes\n   at least one migration PTE entry insertion to be deferred to\n   try_to_migrate(), which can happen after the call to\n   lru_add_drain_all().\nc) No or voluntary only preemption.\n\nThis all seems pretty unlikely to happen, but indeed is hit by\nthe \"xe_exec_system_allocator\" igt test.\n\nResolve this by waiting for the folio to be unlocked if the\nfolio_trylock() fails in do_swap_page().\n\nRename migration_entry_wait_on_locked() to\nsoftleaf_entry_wait_unlock() and update its documentation to\nindicate the new use-case.\n\nFuture code improvements might consider moving\nthe lru_add_drain_all() call in migrate_device_unmap() to be\ncalled *after* all pages have migration entries inserted.\nThat would eliminate also b) above.\n\nv2:\n- Instead of a cond_resched() in hmm_range_fault(),\n  eliminate the problem by waiting for the folio to be unlocked\n  in do_swap_page() (Alistair Popple, Andrew Morton)\nv3:\n- Add a stub migration_entry_wait_on_locked() for the\n  !CONFIG_MIGRATION case. (Kernel Test Robot)\nv4:\n- Rename migrate_entry_wait_on_locked() to\n  softleaf_entry_wait_on_locked() and update docs (Alistair Popple)\nv5:\n- Add a WARN_ON_ONCE() for the !CONFIG_MIGRATION\n  version of softleaf_entry_wait_on_locked().\n- Modify wording around function names in the commit message\n  (Andrew Morton)\n\n(cherry picked from commit a69d1ab971a624c6f112cea61536569d579c3215)"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T22:23:55.638Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/94b6d0ba4b640ba23bb6c708a59316e74e5ede63"
        },
        {
          "url": "https://git.kernel.org/stable/c/7e6e2fc91d4b9b12ec6e137019532568ebcf2680"
        },
        {
          "url": "https://git.kernel.org/stable/c/b570f37a2ce480be26c665345c5514686a8a0274"
        }
      ],
      "title": "mm: Fix a hmm_range_fault() livelock / starvation problem",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-43404",
    "datePublished": "2026-05-08T14:21:44.929Z",
    "dateReserved": "2026-05-01T14:12:56.007Z",
    "dateUpdated": "2026-05-11T22:23:55.638Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-43404",
      "date": "2026-05-28",
      "epss": "0.00012",
      "percentile": "0.0176"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-43404\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-05-08T15:16:51.887\",\"lastModified\":\"2026-05-21T19:21:22.460\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmm: Fix a hmm_range_fault() livelock / starvation problem\\n\\nIf hmm_range_fault() fails a folio_trylock() in do_swap_page,\\ntrying to acquire the lock of a device-private folio for migration,\\nto ram, the function will spin until it succeeds grabbing the lock.\\n\\nHowever, if the process holding the lock is depending on a work\\nitem to be completed, which is scheduled on the same CPU as the\\nspinning hmm_range_fault(), that work item might be starved and\\nwe end up in a livelock / starvation situation which is never\\nresolved.\\n\\nThis can happen, for example if the process holding the\\ndevice-private folio lock is stuck in\\n   migrate_device_unmap()-\u003elru_add_drain_all()\\nsinc lru_add_drain_all() requires a short work-item\\nto be run on all online cpus to complete.\\n\\nA prerequisite for this to happen is:\\na) Both zone device and system memory folios are considered in\\n   migrate_device_unmap(), so that there is a reason to call\\n   lru_add_drain_all() for a system memory folio while a\\n   folio lock is held on a zone device folio.\\nb) The zone device folio has an initial mapcount \u003e 1 which causes\\n   at least one migration PTE entry insertion to be deferred to\\n   try_to_migrate(), which can happen after the call to\\n   lru_add_drain_all().\\nc) No or voluntary only preemption.\\n\\nThis all seems pretty unlikely to happen, but indeed is hit by\\nthe \\\"xe_exec_system_allocator\\\" igt test.\\n\\nResolve this by waiting for the folio to be unlocked if the\\nfolio_trylock() fails in do_swap_page().\\n\\nRename migration_entry_wait_on_locked() to\\nsoftleaf_entry_wait_unlock() and update its documentation to\\nindicate the new use-case.\\n\\nFuture code improvements might consider moving\\nthe lru_add_drain_all() call in migrate_device_unmap() to be\\ncalled *after* all pages have migration entries inserted.\\nThat would eliminate also b) above.\\n\\nv2:\\n- Instead of a cond_resched() in hmm_range_fault(),\\n  eliminate the problem by waiting for the folio to be unlocked\\n  in do_swap_page() (Alistair Popple, Andrew Morton)\\nv3:\\n- Add a stub migration_entry_wait_on_locked() for the\\n  !CONFIG_MIGRATION case. (Kernel Test Robot)\\nv4:\\n- Rename migrate_entry_wait_on_locked() to\\n  softleaf_entry_wait_on_locked() and update docs (Alistair Popple)\\nv5:\\n- Add a WARN_ON_ONCE() for the !CONFIG_MIGRATION\\n  version of softleaf_entry_wait_on_locked().\\n- Modify wording around function names in the commit message\\n  (Andrew Morton)\\n\\n(cherry picked from commit a69d1ab971a624c6f112cea61536569d579c3215)\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-667\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.15\",\"versionEndExcluding\":\"6.18.19\",\"matchCriteriaId\":\"D6461E17-9936-4679-8F97-568871A6FBE4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.19\",\"versionEndExcluding\":\"6.19.9\",\"matchCriteriaId\":\"E825E7C3-FEAC-4FD3-8A81-78D7387948C9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"F253B622-8837-4245-BCE5-A7BF8FC76A16\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/7e6e2fc91d4b9b12ec6e137019532568ebcf2680\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/94b6d0ba4b640ba23bb6c708a59316e74e5ede63\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/b570f37a2ce480be26c665345c5514686a8a0274\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.