{"api_version":"1","generated_at":"2026-05-10T13:04:08+00:00","cve":"CVE-2026-43404","urls":{"html":"https://cve.report/CVE-2026-43404","api":"https://cve.report/api/cve/CVE-2026-43404.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-43404","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-43404"},"summary":{"title":"mm: Fix a hmm_range_fault() livelock / starvation problem","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm: Fix a hmm_range_fault() livelock / starvation problem\n\nIf hmm_range_fault() fails a folio_trylock() in do_swap_page,\ntrying to acquire the lock of a device-private folio for migration,\nto ram, the function will spin until it succeeds grabbing the lock.\n\nHowever, if the process holding the lock is depending on a work\nitem to be completed, which is scheduled on the same CPU as the\nspinning hmm_range_fault(), that work item might be starved and\nwe end up in a livelock / starvation situation which is never\nresolved.\n\nThis can happen, for example if the process holding the\ndevice-private folio lock is stuck in\n   migrate_device_unmap()->lru_add_drain_all()\nsinc lru_add_drain_all() requires a short work-item\nto be run on all online cpus to complete.\n\nA prerequisite for this to happen is:\na) Both zone device and system memory folios are considered in\n   migrate_device_unmap(), so that there is a reason to call\n   lru_add_drain_all() for a system memory folio while a\n   folio lock is held on a zone device folio.\nb) The zone device folio has an initial mapcount > 1 which causes\n   at least one migration PTE entry insertion to be deferred to\n   try_to_migrate(), which can happen after the call to\n   lru_add_drain_all().\nc) No or voluntary only preemption.\n\nThis all seems pretty unlikely to happen, but indeed is hit by\nthe \"xe_exec_system_allocator\" igt test.\n\nResolve this by waiting for the folio to be unlocked if the\nfolio_trylock() fails in do_swap_page().\n\nRename migration_entry_wait_on_locked() to\nsoftleaf_entry_wait_unlock() and update its documentation to\nindicate the new use-case.\n\nFuture code improvements might consider moving\nthe lru_add_drain_all() call in migrate_device_unmap() to be\ncalled *after* all pages have migration entries inserted.\nThat would eliminate also b) above.\n\nv2:\n- Instead of a cond_resched() in hmm_range_fault(),\n  eliminate the problem by waiting for the folio to be unlocked\n  in do_swap_page() (Alistair Popple, Andrew Morton)\nv3:\n- Add a stub migration_entry_wait_on_locked() for the\n  !CONFIG_MIGRATION case. (Kernel Test Robot)\nv4:\n- Rename migrate_entry_wait_on_locked() to\n  softleaf_entry_wait_on_locked() and update docs (Alistair Popple)\nv5:\n- Add a WARN_ON_ONCE() for the !CONFIG_MIGRATION\n  version of softleaf_entry_wait_on_locked().\n- Modify wording around function names in the commit message\n  (Andrew Morton)\n\n(cherry picked from commit a69d1ab971a624c6f112cea61536569d579c3215)","state":"PUBLISHED","assigner":"Linux","published_at":"2026-05-08 15:16:51","updated_at":"2026-05-08 15:16:51"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/7e6e2fc91d4b9b12ec6e137019532568ebcf2680","name":"https://git.kernel.org/stable/c/7e6e2fc91d4b9b12ec6e137019532568ebcf2680","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/b570f37a2ce480be26c665345c5514686a8a0274","name":"https://git.kernel.org/stable/c/b570f37a2ce480be26c665345c5514686a8a0274","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/94b6d0ba4b640ba23bb6c708a59316e74e5ede63","name":"https://git.kernel.org/stable/c/94b6d0ba4b640ba23bb6c708a59316e74e5ede63","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-43404","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43404","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 1afaeb8293c9addbf4f9140bdd22635fed763459 94b6d0ba4b640ba23bb6c708a59316e74e5ede63 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 1afaeb8293c9addbf4f9140bdd22635fed763459 7e6e2fc91d4b9b12ec6e137019532568ebcf2680 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 1afaeb8293c9addbf4f9140bdd22635fed763459 b570f37a2ce480be26c665345c5514686a8a0274 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.15","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.15 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.19 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19.9 6.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"43404","cve":"CVE-2026-43404","epss":"0.000170000","percentile":"0.041270000","score_date":"2026-05-09","updated_at":"2026-05-10 00:03:04"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["include/linux/migrate.h","mm/filemap.c","mm/memory.c","mm/migrate.c","mm/migrate_device.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"94b6d0ba4b640ba23bb6c708a59316e74e5ede63","status":"affected","version":"1afaeb8293c9addbf4f9140bdd22635fed763459","versionType":"git"},{"lessThan":"7e6e2fc91d4b9b12ec6e137019532568ebcf2680","status":"affected","version":"1afaeb8293c9addbf4f9140bdd22635fed763459","versionType":"git"},{"lessThan":"b570f37a2ce480be26c665345c5514686a8a0274","status":"affected","version":"1afaeb8293c9addbf4f9140bdd22635fed763459","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["include/linux/migrate.h","mm/filemap.c","mm/memory.c","mm/migrate.c","mm/migrate_device.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"6.15"},{"lessThan":"6.15","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.19","versionType":"semver"},{"lessThanOrEqual":"6.19.*","status":"unaffected","version":"6.19.9","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.0","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.19","versionStartIncluding":"6.15","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.19.9","versionStartIncluding":"6.15","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0","versionStartIncluding":"6.15","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm: Fix a hmm_range_fault() livelock / starvation problem\n\nIf hmm_range_fault() fails a folio_trylock() in do_swap_page,\ntrying to acquire the lock of a device-private folio for migration,\nto ram, the function will spin until it succeeds grabbing the lock.\n\nHowever, if the process holding the lock is depending on a work\nitem to be completed, which is scheduled on the same CPU as the\nspinning hmm_range_fault(), that work item might be starved and\nwe end up in a livelock / starvation situation which is never\nresolved.\n\nThis can happen, for example if the process holding the\ndevice-private folio lock is stuck in\n   migrate_device_unmap()->lru_add_drain_all()\nsinc lru_add_drain_all() requires a short work-item\nto be run on all online cpus to complete.\n\nA prerequisite for this to happen is:\na) Both zone device and system memory folios are considered in\n   migrate_device_unmap(), so that there is a reason to call\n   lru_add_drain_all() for a system memory folio while a\n   folio lock is held on a zone device folio.\nb) The zone device folio has an initial mapcount > 1 which causes\n   at least one migration PTE entry insertion to be deferred to\n   try_to_migrate(), which can happen after the call to\n   lru_add_drain_all().\nc) No or voluntary only preemption.\n\nThis all seems pretty unlikely to happen, but indeed is hit by\nthe \"xe_exec_system_allocator\" igt test.\n\nResolve this by waiting for the folio to be unlocked if the\nfolio_trylock() fails in do_swap_page().\n\nRename migration_entry_wait_on_locked() to\nsoftleaf_entry_wait_unlock() and update its documentation to\nindicate the new use-case.\n\nFuture code improvements might consider moving\nthe lru_add_drain_all() call in migrate_device_unmap() to be\ncalled *after* all pages have migration entries inserted.\nThat would eliminate also b) above.\n\nv2:\n- Instead of a cond_resched() in hmm_range_fault(),\n  eliminate the problem by waiting for the folio to be unlocked\n  in do_swap_page() (Alistair Popple, Andrew Morton)\nv3:\n- Add a stub migration_entry_wait_on_locked() for the\n  !CONFIG_MIGRATION case. (Kernel Test Robot)\nv4:\n- Rename migrate_entry_wait_on_locked() to\n  softleaf_entry_wait_on_locked() and update docs (Alistair Popple)\nv5:\n- Add a WARN_ON_ONCE() for the !CONFIG_MIGRATION\n  version of softleaf_entry_wait_on_locked().\n- Modify wording around function names in the commit message\n  (Andrew Morton)\n\n(cherry picked from commit a69d1ab971a624c6f112cea61536569d579c3215)"}],"providerMetadata":{"dateUpdated":"2026-05-08T14:21:44.929Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/94b6d0ba4b640ba23bb6c708a59316e74e5ede63"},{"url":"https://git.kernel.org/stable/c/7e6e2fc91d4b9b12ec6e137019532568ebcf2680"},{"url":"https://git.kernel.org/stable/c/b570f37a2ce480be26c665345c5514686a8a0274"}],"title":"mm: Fix a hmm_range_fault() livelock / starvation problem","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-43404","datePublished":"2026-05-08T14:21:44.929Z","dateReserved":"2026-05-01T14:12:56.007Z","dateUpdated":"2026-05-08T14:21:44.929Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-08 15:16:51","lastModifiedDate":"2026-05-08 15:16:51","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"43404","Ordinal":"1","Title":"mm: Fix a hmm_range_fault() livelock / starvation problem","CVE":"CVE-2026-43404","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"43404","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm: Fix a hmm_range_fault() livelock / starvation problem\n\nIf hmm_range_fault() fails a folio_trylock() in do_swap_page,\ntrying to acquire the lock of a device-private folio for migration,\nto ram, the function will spin until it succeeds grabbing the lock.\n\nHowever, if the process holding the lock is depending on a work\nitem to be completed, which is scheduled on the same CPU as the\nspinning hmm_range_fault(), that work item might be starved and\nwe end up in a livelock / starvation situation which is never\nresolved.\n\nThis can happen, for example if the process holding the\ndevice-private folio lock is stuck in\n   migrate_device_unmap()->lru_add_drain_all()\nsinc lru_add_drain_all() requires a short work-item\nto be run on all online cpus to complete.\n\nA prerequisite for this to happen is:\na) Both zone device and system memory folios are considered in\n   migrate_device_unmap(), so that there is a reason to call\n   lru_add_drain_all() for a system memory folio while a\n   folio lock is held on a zone device folio.\nb) The zone device folio has an initial mapcount > 1 which causes\n   at least one migration PTE entry insertion to be deferred to\n   try_to_migrate(), which can happen after the call to\n   lru_add_drain_all().\nc) No or voluntary only preemption.\n\nThis all seems pretty unlikely to happen, but indeed is hit by\nthe \"xe_exec_system_allocator\" igt test.\n\nResolve this by waiting for the folio to be unlocked if the\nfolio_trylock() fails in do_swap_page().\n\nRename migration_entry_wait_on_locked() to\nsoftleaf_entry_wait_unlock() and update its documentation to\nindicate the new use-case.\n\nFuture code improvements might consider moving\nthe lru_add_drain_all() call in migrate_device_unmap() to be\ncalled *after* all pages have migration entries inserted.\nThat would eliminate also b) above.\n\nv2:\n- Instead of a cond_resched() in hmm_range_fault(),\n  eliminate the problem by waiting for the folio to be unlocked\n  in do_swap_page() (Alistair Popple, Andrew Morton)\nv3:\n- Add a stub migration_entry_wait_on_locked() for the\n  !CONFIG_MIGRATION case. (Kernel Test Robot)\nv4:\n- Rename migrate_entry_wait_on_locked() to\n  softleaf_entry_wait_on_locked() and update docs (Alistair Popple)\nv5:\n- Add a WARN_ON_ONCE() for the !CONFIG_MIGRATION\n  version of softleaf_entry_wait_on_locked().\n- Modify wording around function names in the commit message\n  (Andrew Morton)\n\n(cherry picked from commit a69d1ab971a624c6f112cea61536569d579c3215)","Type":"Description","Title":"mm: Fix a hmm_range_fault() livelock / starvation problem"}]}}}