{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-40006","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T07:20:57.151Z","datePublished":"2025-10-20T15:26:53.097Z","dateUpdated":"2026-05-11T21:40:39.321Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:40:39.321Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hugetlb: fix folio is still mapped when deleted\n\nMigration may be raced with fallocating hole.  remove_inode_single_folio\nwill unmap the folio if the folio is still mapped.  However, it's called\nwithout folio lock.  If the folio is migrated and the mapped pte has been\nconverted to migration entry, folio_mapped() returns false, and won't\nunmap it.  Due to extra refcount held by remove_inode_single_folio,\nmigration fails, restores migration entry to normal pte, and the folio is\nmapped again.  
As a result, we triggered BUG in filemap_unaccount_folio.\n\nThe log is as follows:\n BUG: Bad page cache in process hugetlb  pfn:156c00\n page: refcount:515 mapcount:0 mapping:0000000099fef6e1 index:0x0 pfn:0x156c00\n head: order:9 mapcount:1 entire_mapcount:1 nr_pages_mapped:0 pincount:0\n aops:hugetlbfs_aops ino:dcc dentry name(?):\"my_hugepage_file\"\n flags: 0x17ffffc00000c1(locked|waiters|head|node=0|zone=2|lastcpupid=0x1fffff)\n page_type: f4(hugetlb)\n page dumped because: still mapped when deleted\n CPU: 1 UID: 0 PID: 395 Comm: hugetlb Not tainted 6.17.0-rc5-00044-g7aac71907bde-dirty #484 NONE\n Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015\n Call Trace:\n  <TASK>\n  dump_stack_lvl+0x4f/0x70\n  filemap_unaccount_folio+0xc4/0x1c0\n  __filemap_remove_folio+0x38/0x1c0\n  filemap_remove_folio+0x41/0xd0\n  remove_inode_hugepages+0x142/0x250\n  hugetlbfs_fallocate+0x471/0x5a0\n  vfs_fallocate+0x149/0x380\n\nHold folio lock before checking if the folio is mapped to avoid race 
with\nmigration."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/hugetlbfs/inode.c"],"versions":[{"version":"4aae8d1c051ea00b456da6811bc36d1f69de5445","lessThan":"bc1c9ce8aeff45318332035dbef9713fb9e982d7","status":"affected","versionType":"git"},{"version":"4aae8d1c051ea00b456da6811bc36d1f69de5445","lessThan":"91f548e920fbf8be3f285bfa3fa045ae017e836d","status":"affected","versionType":"git"},{"version":"4aae8d1c051ea00b456da6811bc36d1f69de5445","lessThan":"3e851448078f5b01f6264915df3cfef75e323a12","status":"affected","versionType":"git"},{"version":"4aae8d1c051ea00b456da6811bc36d1f69de5445","lessThan":"c1dc0524ab2cc3982d4e0d2bfac71a0cd4d65c39","status":"affected","versionType":"git"},{"version":"4aae8d1c051ea00b456da6811bc36d1f69de5445","lessThan":"c9c2a51f91aea70e89b496cac360cd795a2b3c26","status":"affected","versionType":"git"},{"version":"4aae8d1c051ea00b456da6811bc36d1f69de5445","lessThan":"910d7749346c4b0acdc6e4adfdc4a9984281a206","status":"affected","versionType":"git"},{"version":"4aae8d1c051ea00b456da6811bc36d1f69de5445","lessThan":"21ee79ce938127f88fe07e409c1817f477dbe7ea","status":"affected","versionType":"git"},{"version":"4aae8d1c051ea00b456da6811bc36d1f69de5445","lessThan":"7b7387650dcf2881fd8bb55bcf3c8bd6c9542dd7","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/hugetlbfs/inode.c"],"versions":[{"version":"4.5","status":"affected"},{"version":"0","lessThan":"4.5","status":"unaffected","versionType":"semver"},{"version":"5.4.300","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.245","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.194","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semv
er"},{"version":"6.1.155","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.109","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.50","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.16.10","lessThanOrEqual":"6.16.*","status":"unaffected","versionType":"semver"},{"version":"6.17","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.5","versionEndExcluding":"5.4.300"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.5","versionEndExcluding":"5.10.245"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.5","versionEndExcluding":"5.15.194"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.5","versionEndExcluding":"6.1.155"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.5","versionEndExcluding":"6.6.109"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.5","versionEndExcluding":"6.12.50"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.5","versionEndExcluding":"6.16.10"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.5","versionEndExcluding":"6.17"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/bc1c9ce8aeff45318332035dbef9713fb9e982d7"},{"url":"https://git.kernel.org/stable/c/91f548e920fbf8be3f285bfa3fa045ae017e836d"},{"url":"https://git.kernel.org/stable/c/3e851448078f5b01f6264915df3cfef75e323a12"},{"url":"https://git.kernel.org/stable/c/c1dc0524ab2cc3
982d4e0d2bfac71a0cd4d65c39"},{"url":"https://git.kernel.org/stable/c/c9c2a51f91aea70e89b496cac360cd795a2b3c26"},{"url":"https://git.kernel.org/stable/c/910d7749346c4b0acdc6e4adfdc4a9984281a206"},{"url":"https://git.kernel.org/stable/c/21ee79ce938127f88fe07e409c1817f477dbe7ea"},{"url":"https://git.kernel.org/stable/c/7b7387650dcf2881fd8bb55bcf3c8bd6c9542dd7"}],"title":"mm/hugetlb: fix folio is still mapped when deleted","x_generator":{"engine":"bippy-1.2.0"}}}}