
CVE-2026-43404 — mm: Fix a hmm_range_fault() livelock / starvation problem


I. Basic Information for CVE-2026-43404

Vulnerability Information


Vulnerability Title
mm: Fix a hmm_range_fault() livelock / starvation problem
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved:

mm: Fix a hmm_range_fault() livelock / starvation problem

If hmm_range_fault() fails a folio_trylock() in do_swap_page, trying to acquire the lock of a device-private folio for migration to RAM, the function will spin until it succeeds grabbing the lock. However, if the process holding the lock is depending on a work item to be completed, which is scheduled on the same CPU as the spinning hmm_range_fault(), that work item might be starved and we end up in a livelock / starvation situation which is never resolved.

This can happen, for example if the process holding the device-private folio lock is stuck in migrate_device_unmap()->lru_add_drain_all() since lru_add_drain_all() requires a short work-item to be run on all online cpus to complete.

A prerequisite for this to happen is:

a) Both zone device and system memory folios are considered in migrate_device_unmap(), so that there is a reason to call lru_add_drain_all() for a system memory folio while a folio lock is held on a zone device folio.

b) The zone device folio has an initial mapcount > 1 which causes at least one migration PTE entry insertion to be deferred to try_to_migrate(), which can happen after the call to lru_add_drain_all().

c) No or voluntary only preemption.

This all seems pretty unlikely to happen, but indeed is hit by the "xe_exec_system_allocator" igt test.

Resolve this by waiting for the folio to be unlocked if the folio_trylock() fails in do_swap_page(). Rename migration_entry_wait_on_locked() to softleaf_entry_wait_unlock() and update its documentation to indicate the new use-case.

Future code improvements might consider moving the lru_add_drain_all() call in migrate_device_unmap() to be called *after* all pages have migration entries inserted. That would eliminate also b) above.
v2:
- Instead of a cond_resched() in hmm_range_fault(), eliminate the problem by waiting for the folio to be unlocked in do_swap_page() (Alistair Popple, Andrew Morton)

v3:
- Add a stub migration_entry_wait_on_locked() for the !CONFIG_MIGRATION case. (Kernel Test Robot)

v4:
- Rename migrate_entry_wait_on_locked() to softleaf_entry_wait_on_locked() and update docs (Alistair Popple)

v5:
- Add a WARN_ON_ONCE() for the !CONFIG_MIGRATION version of softleaf_entry_wait_on_locked().
- Modify wording around function names in the commit message (Andrew Morton)

(cherry picked from commit a69d1ab971a624c6f112cea61536569d579c3215)
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)

Affected Products

Vendor · Product · Affected Versions · CPE
Linux · Linux · 1afaeb8293c9addbf4f9140bdd22635fed763459 ~ 94b6d0ba4b640ba23bb6c708a59316e74e5ede63 · -
Linux · Linux · 6.15 · -

II. Public POCs for CVE-2026-43404


No public POC found.


III. Intelligence Information for CVE-2026-43404


Same Patch Batch · Linux · 2026-05-08 · 199 CVEs total

CVE-2026-43337 drm/amd/display: Fix NULL pointer dereference in dcn401_init_hw()
CVE-2026-43349 f2fs: fix to avoid uninit-value access in f2fs_sanity_check_node_footer
CVE-2026-43348 mshv_vtl: Fix vmemmap_shift exceeding MAX_FOLIO_ORDER
CVE-2026-43347 arm64: dts: qcom: monaco: Reserve full Gunyah metadata region
CVE-2026-43346 ice: ptp: don't WARN when controlling PF is unavailable
CVE-2026-43345 net: ipa: fix event ring index not programmed for IPA v5.0+
CVE-2026-43344 perf/x86/intel/uncore: Fix die ID init and look up bugs
CVE-2026-43343 usb: gadget: f_subset: Fix unbalanced refcnt in geth_free
CVE-2026-43342 usb: gadget: f_rndis: Protect RNDIS options with mutex
CVE-2026-43340 comedi: Reinit dev->spinlock between attachments to low-level drivers
CVE-2026-43341 net/ipv6: ioam6: prevent schema length wraparound in trace fill
CVE-2026-43339 ipv6: prevent possible UaF in addrconf_permanent_addr()
CVE-2026-43338 btrfs: reserve enough transaction items for qgroup ioctls
CVE-2026-43331 x86/kexec: Disable KCOV instrumentation after load_segments()
CVE-2026-43325 wifi: iwlwifi: mvm: don't send a 6E related command when not supported
CVE-2026-43327 USB: dummy-hcd: Fix locking/synchronization error
CVE-2026-43329 netfilter: flowtable: strictly check for maximum number of actions
CVE-2026-43328 cpufreq: governor: fix double free in cpufreq_dbs_governor_init() error path
CVE-2026-43330 crypto: caam - fix overflow on long hmac keys
CVE-2026-43334 Bluetooth: SMP: force responder MITM requirements before building the pairing response


IV. Related Vulnerabilities

V. Comments for CVE-2026-43404

No comments yet
