cve/published/2024/CVE-2024-40914.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-40914: mm/huge_memory: don't unpoison huge_zero_folio

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 mm/huge_memory: don't unpoison huge_zero_folio

 When I did memory failure tests recently, below panic occurs:

  kernel BUG at include/linux/mm.h:1135!
  invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
  CPU: 9 PID: 137 Comm: kswapd1 Not tainted 6.9.0-rc4-00491-gd5ce28f156fe-dirty #14
  RIP: 0010:shrink_huge_zero_page_scan+0x168/0x1a0
  RSP: 0018:ffff9933c6c57bd0 EFLAGS: 00000246
  RAX: 000000000000003e RBX: 0000000000000000 RCX: ffff88f61fc5c9c8
  RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff88f61fc5c9c0
  RBP: ffffcd7c446b0000 R08: ffffffff9a9405f0 R09: 0000000000005492
  R10: 00000000000030ea R11: ffffffff9a9405f0 R12: 0000000000000000
  R13: 0000000000000000 R14: 0000000000000000 R15: ffff88e703c4ac00
  FS:  0000000000000000(0000) GS:ffff88f61fc40000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 000055f4da6e9878 CR3: 0000000c71048000 CR4: 00000000000006f0
  Call Trace:
   <TASK>
   do_shrink_slab+0x14f/0x6a0
   shrink_slab+0xca/0x8c0
   shrink_node+0x2d0/0x7d0
   balance_pgdat+0x33a/0x720
   kswapd+0x1f3/0x410
   kthread+0xd5/0x100
   ret_from_fork+0x2f/0x50
   ret_from_fork_asm+0x1a/0x30
   </TASK>
  Modules linked in: mce_inject hwpoison_inject
  ---[ end trace 0000000000000000 ]---
  RIP: 0010:shrink_huge_zero_page_scan+0x168/0x1a0
  RSP: 0018:ffff9933c6c57bd0 EFLAGS: 00000246
  RAX: 000000000000003e RBX: 0000000000000000 RCX: ffff88f61fc5c9c8
  RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff88f61fc5c9c0
  RBP: ffffcd7c446b0000 R08: ffffffff9a9405f0 R09: 0000000000005492
  R10: 00000000000030ea R11: ffffffff9a9405f0 R12: 0000000000000000
  R13: 0000000000000000 R14: 0000000000000000 R15: ffff88e703c4ac00
  FS:  0000000000000000(0000) GS:ffff88f61fc40000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 000055f4da6e9878 CR3: 0000000c71048000 CR4: 00000000000006f0

 The root cause is that HWPoison flag will be set for huge_zero_folio
 without increasing the folio refcnt.  But then unpoison_memory() will
 decrease the folio refcnt unexpectedly as it appears like a successfully
 hwpoisoned folio leading to VM_BUG_ON_PAGE(page_ref_count(page) == 0) when
 releasing huge_zero_folio.

 Skip unpoisoning huge_zero_folio in unpoison_memory() to fix this issue.
 We're not prepared to unpoison huge_zero_folio yet.

 The Linux kernel CVE team has assigned CVE-2024-40914 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.15.41 with commit f8f836100fff594cea8a0a027affb9d5520f09a7 and fixed in 5.15.162 with commit 688bb46ad339497b5b7f527b6636d2afe04b46af
 	Issue introduced in 5.18 with commit 478d134e9506c7e9bfe2830ed03dd85e97966313 and fixed in 6.1.95 with commit b2494506f30675245a3e6787281f79601af087bf
 	Issue introduced in 5.18 with commit 478d134e9506c7e9bfe2830ed03dd85e97966313 and fixed in 6.6.35 with commit 0d73477af964dbd7396163a13817baf13940bca9
 	Issue introduced in 5.18 with commit 478d134e9506c7e9bfe2830ed03dd85e97966313 and fixed in 6.9.6 with commit d72b7711919de49d92a67dfc844a6cf4c23dd794
 	Issue introduced in 5.18 with commit 478d134e9506c7e9bfe2830ed03dd85e97966313 and fixed in 6.10 with commit fe6f86f4b40855a130a19aa589f9ba7f650423f4
 	Issue introduced in 5.17.9 with commit 13d9b8cd12f37d133b07ea5b323583e8a0c6b738

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-40914
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	mm/memory-failure.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/688bb46ad339497b5b7f527b6636d2afe04b46af
 	https://git.kernel.org/stable/c/b2494506f30675245a3e6787281f79601af087bf
 	https://git.kernel.org/stable/c/0d73477af964dbd7396163a13817baf13940bca9
 	https://git.kernel.org/stable/c/d72b7711919de49d92a67dfc844a6cf4c23dd794
 	https://git.kernel.org/stable/c/fe6f86f4b40855a130a19aa589f9ba7f650423f4
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-40914: mm/huge_memory: don't unpoison huge_zero_folio

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	mm/huge_memory: don't unpoison huge_zero_folio

	When I did memory failure tests recently, below panic occurs:

	kernel BUG at include/linux/mm.h:1135!
	invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
	CPU: 9 PID: 137 Comm: kswapd1 Not tainted 6.9.0-rc4-00491-gd5ce28f156fe-dirty #14
	RIP: 0010:shrink_huge_zero_page_scan+0x168/0x1a0
	RSP: 0018:ffff9933c6c57bd0 EFLAGS: 00000246
	RAX: 000000000000003e RBX: 0000000000000000 RCX: ffff88f61fc5c9c8
	RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff88f61fc5c9c0
	RBP: ffffcd7c446b0000 R08: ffffffff9a9405f0 R09: 0000000000005492
	R10: 00000000000030ea R11: ffffffff9a9405f0 R12: 0000000000000000
	R13: 0000000000000000 R14: 0000000000000000 R15: ffff88e703c4ac00
	FS: 0000000000000000(0000) GS:ffff88f61fc40000(0000) knlGS:0000000000000000
	CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: 000055f4da6e9878 CR3: 0000000c71048000 CR4: 00000000000006f0
	Call Trace:
	<TASK>
	do_shrink_slab+0x14f/0x6a0
	shrink_slab+0xca/0x8c0
	shrink_node+0x2d0/0x7d0
	balance_pgdat+0x33a/0x720
	kswapd+0x1f3/0x410
	kthread+0xd5/0x100
	ret_from_fork+0x2f/0x50
	ret_from_fork_asm+0x1a/0x30
	</TASK>
	Modules linked in: mce_inject hwpoison_inject
	---[ end trace 0000000000000000 ]---
	RIP: 0010:shrink_huge_zero_page_scan+0x168/0x1a0
	RSP: 0018:ffff9933c6c57bd0 EFLAGS: 00000246
	RAX: 000000000000003e RBX: 0000000000000000 RCX: ffff88f61fc5c9c8
	RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff88f61fc5c9c0
	RBP: ffffcd7c446b0000 R08: ffffffff9a9405f0 R09: 0000000000005492
	R10: 00000000000030ea R11: ffffffff9a9405f0 R12: 0000000000000000
	R13: 0000000000000000 R14: 0000000000000000 R15: ffff88e703c4ac00
	FS: 0000000000000000(0000) GS:ffff88f61fc40000(0000) knlGS:0000000000000000
	CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: 000055f4da6e9878 CR3: 0000000c71048000 CR4: 00000000000006f0

	The root cause is that HWPoison flag will be set for huge_zero_folio
	without increasing the folio refcnt. But then unpoison_memory() will
	decrease the folio refcnt unexpectedly as it appears like a successfully
	hwpoisoned folio leading to VM_BUG_ON_PAGE(page_ref_count(page) == 0) when
	releasing huge_zero_folio.

	Skip unpoisoning huge_zero_folio in unpoison_memory() to fix this issue.
	We're not prepared to unpoison huge_zero_folio yet.

	The Linux kernel CVE team has assigned CVE-2024-40914 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.15.41 with commit f8f836100fff594cea8a0a027affb9d5520f09a7 and fixed in 5.15.162 with commit 688bb46ad339497b5b7f527b6636d2afe04b46af
	Issue introduced in 5.18 with commit 478d134e9506c7e9bfe2830ed03dd85e97966313 and fixed in 6.1.95 with commit b2494506f30675245a3e6787281f79601af087bf
	Issue introduced in 5.18 with commit 478d134e9506c7e9bfe2830ed03dd85e97966313 and fixed in 6.6.35 with commit 0d73477af964dbd7396163a13817baf13940bca9
	Issue introduced in 5.18 with commit 478d134e9506c7e9bfe2830ed03dd85e97966313 and fixed in 6.9.6 with commit d72b7711919de49d92a67dfc844a6cf4c23dd794
	Issue introduced in 5.18 with commit 478d134e9506c7e9bfe2830ed03dd85e97966313 and fixed in 6.10 with commit fe6f86f4b40855a130a19aa589f9ba7f650423f4
	Issue introduced in 5.17.9 with commit 13d9b8cd12f37d133b07ea5b323583e8a0c6b738

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-40914
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	mm/memory-failure.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/688bb46ad339497b5b7f527b6636d2afe04b46af
	https://git.kernel.org/stable/c/b2494506f30675245a3e6787281f79601af087bf
	https://git.kernel.org/stable/c/0d73477af964dbd7396163a13817baf13940bca9
	https://git.kernel.org/stable/c/d72b7711919de49d92a67dfc844a6cf4c23dd794
	https://git.kernel.org/stable/c/fe6f86f4b40855a130a19aa589f9ba7f650423f4