mm: swap: fix race between free_swap_and_cache() and swapoff()
Summary
| CVE | CVE-2024-26960 |
|---|---|
| State | PUBLISHED |
| Assigner | Linux |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2024-05-01 06:15:12 UTC |
| Updated | 2026-05-12 12:16:28 UTC |
| Description | In the Linux kernel, the following vulnerability has been resolved: mm: swap: fix race between free_swap_and_cache() and swapoff() There was previously a theoretical window where swapoff() could run and teardown a swap_info_struct while a call to free_swap_and_cache() was running in another thread. This could cause, amongst other bad possibilities, swap_page_trans_huge_swapped() (called by free_swap_and_cache()) to access the freed memory for swap_map. This is a theoretical problem and I haven't been able to provoke it from a test case. But there has been agreement based on code review that this is possible (see link below). Fix it by using get_swap_device()/put_swap_device(), which will stall swapoff(). There was an extra check in _swap_info_get() to confirm that the swap entry was not free. This isn't present in get_swap_device() because it doesn't make sense in general due to the race between getting the reference and swapoff. So I've added an equivalent check directly in free_swap_and_cache(). Details of how to provoke one possible issue (thanks to David Hildenbrand for deriving this): --8<----- __swap_entry_free() might be the last user and result in "count == SWAP_HAS_CACHE". swapoff->try_to_unuse() will stop as soon as soon as si->inuse_pages==0. So the question is: could someone reclaim the folio and turn si->inuse_pages==0, before we completed swap_page_trans_huge_swapped(). Imagine the following: 2 MiB folio in the swapcache. Only 2 subpages are still references by swap entries. Process 1 still references subpage 0 via swap entry. Process 2 still references subpage 1 via swap entry. Process 1 quits. Calls free_swap_and_cache(). -> count == SWAP_HAS_CACHE [then, preempted in the hypervisor etc.] Process 2 quits. Calls free_swap_and_cache(). -> count == SWAP_HAS_CACHE Process 2 goes ahead, passes swap_page_trans_huge_swapped(), and calls __try_to_reclaim_swap(). __try_to_reclaim_swap()->folio_free_swap()->delete_from_swap_cache()-> put_swap_folio()->free_swap_slot()->swapcache_free_entries()-> swap_entry_free()->swap_range_free()-> ... WRITE_ONCE(si->inuse_pages, si->inuse_pages - nr_entries); What stops swapoff to succeed after process 2 reclaimed the swap cache but before process1 finished its call to swap_page_trans_huge_swapped()? --8<----- |
Risk And Classification
Primary CVSS: v3.1 5.5 MEDIUM from ADP
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Problem Types: CWE-362 | CWE-362 CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ADP | DECLARED | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | Secondary | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
CVSS v3.1 Breakdown
Attack Vector
LocalAttack Complexity
LowPrivileges Required
LowUser Interaction
NoneScope
UnchangedConfidentiality
NoneIntegrity
NoneAvailability
HighCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Linux | Linux Kernel | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Linux | Linux | affected 7c00bafee87c7bac7ed9eced7c161f8e5332cb4e d85c11c97ecf92d47a4b29e3faca714dc1f18d0d git | Not specified |
| CNA | Linux | Linux | affected 7c00bafee87c7bac7ed9eced7c161f8e5332cb4e 2da5568ee222ce0541bfe446a07998f92ed1643e git | Not specified |
| CNA | Linux | Linux | affected 7c00bafee87c7bac7ed9eced7c161f8e5332cb4e 1ede7f1d7eed1738d1b9333fd1e152ccb450b86a git | Not specified |
| CNA | Linux | Linux | affected 7c00bafee87c7bac7ed9eced7c161f8e5332cb4e 0f98f6d2fb5fad00f8299b84b85b6bc1b6d7d19a git | Not specified |
| CNA | Linux | Linux | affected 7c00bafee87c7bac7ed9eced7c161f8e5332cb4e 3ce4c4c653e4e478ecb15d3c88e690f12cbf6b39 git | Not specified |
| CNA | Linux | Linux | affected 7c00bafee87c7bac7ed9eced7c161f8e5332cb4e 363d17e7f7907c8e27a9e86968af0eaa2301787b git | Not specified |
| CNA | Linux | Linux | affected 7c00bafee87c7bac7ed9eced7c161f8e5332cb4e 82b1c07a0af603e3c47b906c8e991dc96f01688e git | Not specified |
| CNA | Linux | Linux | affected 4.11 | Not specified |
| CNA | Linux | Linux | unaffected 4.11 semver | Not specified |
| CNA | Linux | Linux | unaffected 5.10.215 5.10.* semver | Not specified |
| CNA | Linux | Linux | unaffected 5.15.154 5.15.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.1.84 6.1.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.6.24 6.6.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.7.12 6.7.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.8.3 6.8.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.9 * original_commit_for_fix | Not specified |
| ADP | Linux | Linux Kernel | affected 7c00bafee87c d85c11c97ecf custom | Not specified |
| ADP | Linux | Linux Kernel | affected 7c00bafee87c 2da5568ee222 custom | Not specified |
| ADP | Linux | Linux Kernel | affected 7c00bafee87c 1ede7f1d7eed custom | Not specified |
| ADP | Linux | Linux Kernel | affected 7c00bafee87c 0f98f6d2fb5f custom | Not specified |
| ADP | Linux | Linux Kernel | affected 7c00bafee87c 3ce4c4c653e4 custom | Not specified |
| ADP | Linux | Linux Kernel | affected 7c00bafee87c 363d17e7f790 custom | Not specified |
| ADP | Linux | Linux Kernel | affected 7c00bafee87c 82b1c07a0af6 custom | Not specified |
| ADP | Linux | Linux Kernel | unaffected 5.10.215 5.11 custom | Not specified |
| ADP | Linux | Linux Kernel | unaffected 6.1.84 6.2 custom | Not specified |
| ADP | Linux | Linux Kernel | unaffected 6.6.24 6.7 custom | Not specified |
| ADP | Linux | Linux Kernel | unaffected 6.8.3 6.9 custom | Not specified |
| ADP | Linux | Linux Kernel | unaffected 6.9 | Not specified |
| ADP | Linux | Linux Kernel | unaffected 4.11 custom | Not specified |
| ADP | Linux | Linux Kernel | affected 4.11 | Not specified |
| ADP | Linux | Linux Kernel | unaffected 5.15.154 5.16 custom | Not specified |
| ADP | Linux | Linux Kernel | unaffected 6.7.12 6.8 custom | Not specified |
| ADP | Siemens | SIMATIC S7-1500 TM MFP - GNU/Linux Subsystem | affected * custom | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| git.kernel.org/stable/c/82b1c07a0af603e3c47b906c8e991dc96f01688e | af854a3a-2127-422b-91ae-364da2661108 | git.kernel.org | Patch |
| lists.debian.org/debian-lts-announce/2024/06/msg00017.html | af854a3a-2127-422b-91ae-364da2661108 | lists.debian.org | Mailing List, Third Party Advisory |
| git.kernel.org/stable/c/0f98f6d2fb5fad00f8299b84b85b6bc1b6d7d19a | af854a3a-2127-422b-91ae-364da2661108 | git.kernel.org | Patch |
| cert-portal.siemens.com/productcert/html/ssa-265688.html | 0b142b55-0307-4c5a-b3c9-f314f3fb7c5e | cert-portal.siemens.com | |
| git.kernel.org/stable/c/2da5568ee222ce0541bfe446a07998f92ed1643e | af854a3a-2127-422b-91ae-364da2661108 | git.kernel.org | Patch |
| git.kernel.org/stable/c/3ce4c4c653e4e478ecb15d3c88e690f12cbf6b39 | af854a3a-2127-422b-91ae-364da2661108 | git.kernel.org | Patch |
| git.kernel.org/stable/c/d85c11c97ecf92d47a4b29e3faca714dc1f18d0d | af854a3a-2127-422b-91ae-364da2661108 | git.kernel.org | Patch |
| git.kernel.org/stable/c/363d17e7f7907c8e27a9e86968af0eaa2301787b | af854a3a-2127-422b-91ae-364da2661108 | git.kernel.org | Patch |
| git.kernel.org/stable/c/1ede7f1d7eed1738d1b9333fd1e152ccb450b86a | af854a3a-2127-422b-91ae-364da2661108 | git.kernel.org | Patch |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.