Description
In the Linux kernel, the following vulnerability has been resolved:

lib: test_hmm: evict device pages on file close to avoid use-after-free

Patch series "Minor hmm_test fixes and cleanups".

Two bugfixes and a cleanup for the HMM kernel selftests. These were mostly
reported by Zenghui Yu with special thanks to Lorenzo for analysing and
pointing out the problems.


This patch (of 3):

When dmirror_fops_release() is called it frees the dmirror struct but
doesn't migrate device private pages back to system memory first. This
leaves those pages with a dangling zone_device_data pointer to the freed
dmirror.

If a subsequent fault occurs on those pages (e.g. during coredump) the
dmirror_devmem_fault() callback dereferences the stale pointer causing a
kernel panic. This was reported [1] when running mm/ksft_hmm.sh on arm64,
where a test failure triggered SIGABRT and the resulting coredump walked
the VMAs faulting in the stale device private pages.

Fix this by calling dmirror_device_evict_chunk() for each devmem chunk in
dmirror_fops_release() to migrate all device private pages back to system
memory before freeing the dmirror struct. The function is moved earlier
in the file to avoid a forward declaration.
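
The ordering problem described above, as an added userspace model in C (not kernel code and not part of the patch). struct mirror, evict_chunk() and mirror_release() are hypothetical stand-ins for the dmirror struct, dmirror_device_evict_chunk() and dmirror_fops_release(); an alive flag replaces the actual free so the stale back-pointers can be counted without touching freed memory.

```c
/* Userspace model (constructed, not kernel code); a flag stands in for kfree(). */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#define NCHUNKS 2
#define PAGES_PER_CHUNK 4
struct mirror { bool alive; };            /* hypothetical stand-in for struct dmirror */
struct page {
    bool device_private;                  /* page currently lives in device memory */
    struct mirror *zone_device_data;      /* back-pointer followed by the fault path */
};
static struct page chunks[NCHUNKS][PAGES_PER_CHUNK];  /* models the devmem chunks */
static struct mirror the_mirror;          /* static, so later reads stay defined */

/* Models migrating one chunk's device private pages back to system memory. */
static void evict_chunk(struct page *chunk)
{
    for (size_t i = 0; i < PAGES_PER_CHUNK; i++)
        chunk[i] = (struct page){ false, NULL };
}

/* Models the release handler; evict_first selects fixed vs. pre-fix ordering. */
static void mirror_release(struct mirror *m, bool evict_first)
{
    for (size_t c = 0; evict_first && c < NCHUNKS; c++)
        evict_chunk(chunks[c]);
    m->alive = false;                     /* stands in for freeing the struct */
}

/* Open, migrate every page to the device, close; return how many pages would
 * fault through a back-pointer to an already released mirror. */
size_t stale_pages_after_close(bool evict_first)
{
    size_t stale = 0;
    the_mirror.alive = true;
    for (size_t c = 0; c < NCHUNKS; c++)
        for (size_t i = 0; i < PAGES_PER_CHUNK; i++)
            chunks[c][i] = (struct page){ true, &the_mirror };
    mirror_release(&the_mirror, evict_first);
    for (size_t c = 0; c < NCHUNKS; c++)
        for (size_t i = 0; i < PAGES_PER_CHUNK; i++)
            stale += chunks[c][i].device_private && !chunks[c][i].zone_device_data->alive;
    return stale;
}

int main(void)
{
    printf("pre-fix: %zu stale, fixed: %zu stale\n", stale_pages_after_close(false), stale_pages_after_close(true));
}
```
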
Published: 2026-06-08
Score: 5.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A dangling pointer to a freed device mirror structure causes a use-after-free in the HMM kernel selftest path. If a fault occurs on device private pages after the mirror has been released, the fault handler dereferences the stale pointer and the kernel panics. The flaw does not directly expose confidential data but can crash the kernel, impacting availability.

Affected Systems

This issue affects the Linux kernel, but no specific versions are listed in the available data. The vulnerability is tied to the HMM test framework and the associated dmirror structure. Updating to any kernel that contains the "Minor hmm_test fixes and cleanups" patch series resolves the problem.

Risk and Exploitability

The CVSS and EPSS scores are not provided, so the quantitative severity is unknown. Based on the description, it appears that the flaw would only be exploitable in environments where the kernel HMM selftest framework is active, such as during kernel builds or automated test runs. It appears that the vulnerability triggers when a device page fault occurs after the mirror struct has been released. The flaw can lead to a kernel panic, providing a local availability impact; no known exploitation path to privilege escalation is stated.

Generated by OpenCVE AI on June 8, 2026 at 19:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the "Minor hmm_test fixes and cleanups" patch series; this removes the dangling pointer and prevents the kernel panic.
  • If the selftest framework must remain enabled, restrict its execution to controlled test environments and disable it in production build configurations.
  • Monitor kernel logs for dmirror_devmem_fault or PANIC entries and apply emergency restarts or hot patches if the kernel reboots unexpectedly.

Generated by OpenCVE AI on June 8, 2026 at 19:12 UTC.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Mon, 08 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Mon, 08 Jun 2026 17:00:00 +0000

Type Values Removed Values Added
Description (text identical to the Description section above)
Title lib: test_hmm: evict device pages on file close to avoid use-after-free
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-08T15:41:23.095Z

Reserved: 2026-05-13T15:03:33.110Z

Link: CVE-2026-46280

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-08T17:16:45.683

Modified: 2026-06-08T17:16:45.683

Link: CVE-2026-46280

Red Hat

Severity: Moderate

Public Date: 2026-06-08T00:00:00Z

Links: CVE-2026-46280 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-08T19:15:30Z

Weaknesses