CVE-2024-26759: mm/swap: fix race when skipping swapcache

Description

In the Linux kernel, the following vulnerability has been resolved:

mm/swap: fix race when skipping swapcache

When skipping swapcache for SWP_SYNCHRONOUS_IO, if two or more threads
swapin the same entry at the same time, they get different pages (A, B).
Before one thread (T0) finishes the swapin and installs page (A) to the
PTE, another thread (T1) could finish swapin of page (B), swap_free the
entry, then swap out the possibly modified page reusing the same entry.
It breaks the pte_same check in (T0) because the PTE value is unchanged,
causing an ABA problem. Thread (T0) will install a stale page (A) into the
PTE and cause data corruption.

One possible callstack is like this:

CPU0                                 CPU1
----                                 ----
do_swap_page()                       do_swap_page() with same entry

swap_read_folio() <- read to page A  swap_read_folio() <- read to page B
...                                  set_pte_at()
                                     swap_free() <- entry is free

pte_same() <- Check pass, PTE seems
              unchanged, but page A
              is stale!
swap_free() <- page B content lost!
set_pte_at() <- stale page A installed!

And besides, for ZRAM, swap_free() allows the swap device to discard the
entry content, so even if page (B) is not modified, if swap_read_folio()
on CPU0 happens later th...
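The interleaving above replayed as a small user-space C model, added here for illustration (it is not kernel code and not taken from the page): the swap entry value and page contents are constructed, and the mitigated path models a per-entry in-flight claim taken before the swapin so that a concurrent swapin of the same entry backs off, which is the approach the upstream fix takes via swapcache_prepare() (a fact not shown on this page).

```c
/* Added model (not kernel code) of the CVE-2024-26759 race: two faulting
 * threads read the same swap entry into different pages, and a pte_same()-
 * style check cannot see that the entry was freed and reused in between. */
#include <stdbool.h>

#define ENTRY 7           /* constructed swap entry value */

struct sim {
    int pte;          /* PTE value: ENTRY while the page is swapped out */
    bool present;     /* true once a page is mapped */
    int mapped;       /* content of the mapped page */
    int slot;         /* content stored at swap entry ENTRY */
    bool slot_inuse;  /* is the entry allocated? */
    bool inflight;    /* in-flight swapin claim (mitigated path only) */
};

/* Replays the interleaving in program order. Returns 0 when the PTE ends up
 * showing the latest data, non-zero when a stale page was installed. */
static int run_race(bool with_claim)
{
    struct sim s = { .pte = ENTRY, .slot = 100, .slot_inuse = true };
    int page_a, page_b, latest;

    /* T0: swap_read_folio() into page A, then gets delayed */
    int t0_entry = s.pte;
    if (with_claim) s.inflight = true;      /* T0 claims the entry first */
    latest = page_a = s.slot;

    /* T1: same entry; if the entry is claimed it must back off */
    if (!s.inflight) {
        page_b = s.slot;
        s.present = true; s.mapped = page_b;      /* set_pte_at(B) */
        s.slot_inuse = false;                     /* swap_free(): entry free */
        s.mapped = latest = page_b + 1;           /* write to page B */
        s.slot = s.mapped; s.slot_inuse = true;   /* swap out B into ENTRY */
        s.present = false; s.pte = ENTRY;         /* PTE value unchanged */
    }

    /* T0 resumes: pte_same() passes, yet page A no longer matches ENTRY */
    if (!s.present && s.pte == t0_entry) {
        s.slot_inuse = false;                     /* swap_free(): B's copy lost */
        s.present = true; s.mapped = page_a;      /* set_pte_at(A) */
    }
    s.inflight = false;   /* T0 done; a backed-off T1 now sees a present PTE */
    return latest - s.mapped;   /* 1 for the buggy flow, 0 when mitigated */
}
```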

Classification

CVE ID: CVE-2024-26759

Affected Products

Vendor: Linux

Product: Linux

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 17.83% (share of all scored CVEs with a score less than or equal to this one)

EPSS Date: 2025-02-04 (date the score was calculated)

References

https://git.kernel.org/stable/c/2dedda77d4493f3e92e414b272bfa60f1f51ed95
https://git.kernel.org/stable/c/305152314df82b22cf9b181f3dc5fc411002079a
https://git.kernel.org/stable/c/d183a4631acfc7af955c02a02e739cec15f5234d
https://git.kernel.org/stable/c/13ddaf26be324a7f951891ecd9ccd04466d27458

Timeline