Liu Shixin

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A warning has been resolved in the Linux kernel related to a UBSAN shift-out-of-bounds issue. The problem occurred in the isolate freepages block() function due to a bogus compound order value. This was because the compound order was part of a union with flags, allowing it to take on any value. The issue was reported by syzkaller. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.13.0-rc2master+ **Description** The issue is related to the Linux kernel's handling of huge page tables. The folio refcount may be increased unexpectedly through `try get folio()` by callers such as `split huge pages()`. This can cause the page table to leak, as the check for shared page tables in `huge pmd unshare()` is incorrect if the refcount is increased. The problem may be triggered by `damon`, `offline page`, `page idle`, etc., which increase the refcount of the page table. This can lead to the page table itself being discarded after reporting a "nonzero mapcount" and the HugeTLB page mapped by the page table not being freed. **Recommendations** To resolve the issue, introduce an independent PMD page table shared count. This can be achieved by reusing the `pt share count` field, which is used for x86/arm64/riscv pmds. As a temporary workaround, consider disabling the `split huge pages()` function until a patch is available. Restrict access to the `huge pmd unshare()` function to minimize the risk of exploitation. Avoid using the `try get folio()` function in the affected API endpoint until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Linux Kernel (affected versions not specified) Description: A bug in the Linux kernel has been fixed, related to the handling of HugeTLB pages during swapoff operations. The issue can be reproduced by allocating an anonymous 1GB HugeTLB, swapping out the memory, and then running swapoff, resulting in a bad pud error. The error occurs because the HugeTLB pages are not properly freed from the page table, causing them to be lost. The problem can be fixed by skipping HugeTLB pages for unuse vma. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 5.16.0-rc6-dirty #373 **Description** The issue is related to the mm/hwpoison component of the Linux kernel, where an error in resource management can cause a panic when testing madvise() with MADV SOFT OFFLINE. The BUG() is triggered when retrying get any page() due to the MF COUNT INCREASED flag being kept in the second try, but the refcnt is not increased. This results in a kernel BUG at include/linux/mm.h:737 and an invalid opcode. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.