cve/published/2024/CVE-2024-56673.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-56673: riscv: mm: Do not call pmd dtor on vmemmap page table teardown

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 riscv: mm: Do not call pmd dtor on vmemmap page table teardown

 The vmemmap's, which is used for RV64 with SPARSEMEM_VMEMMAP, page
 tables are populated using pmd (page middle directory) hugetables.
 However, the pmd allocation is not using the generic mechanism used by
 the VMA code (e.g. pmd_alloc()), or the RISC-V specific
 create_pgd_mapping()/alloc_pmd_late(). Instead, the vmemmap page table
 code allocates a page, and calls vmemmap_set_pmd(). This results in
 that the pmd ctor is *not* called, nor would it make sense to do so.

 Now, when tearing down a vmemmap page table pmd, the cleanup code
 would unconditionally, and incorrectly call the pmd dtor, which
 results in a crash (best case).

 This issue was found when running the HMM selftests:

   | tools/testing/selftests/mm# ./test_hmm.sh smoke
   | ... # when unloading the test_hmm.ko module
   | page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10915b
   | flags: 0x1000000000000000(node=0|zone=1)
   | raw: 1000000000000000 0000000000000000 dead000000000122 0000000000000000
   | raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
   | page dumped because: VM_BUG_ON_PAGE(ptdesc->pmd_huge_pte)
   | ------------[ cut here ]------------
   | kernel BUG at include/linux/mm.h:3080!
   | Kernel BUG [#1]
   | Modules linked in: test_hmm(-) sch_fq_codel fuse drm drm_panel_orientation_quirks backlight dm_mod
   | CPU: 1 UID: 0 PID: 514 Comm: modprobe Tainted: G        W          6.12.0-00982-gf2a4f1682d07 #2
   | Tainted: [W]=WARN
   | Hardware name: riscv-virtio qemu/qemu, BIOS 2024.10 10/01/2024
   | epc : remove_pgd_mapping+0xbec/0x1070
   |  ra : remove_pgd_mapping+0xbec/0x1070
   | epc : ffffffff80010a68 ra : ffffffff80010a68 sp : ff20000000a73940
   |  gp : ffffffff827b2d88 tp : ff6000008785da40 t0 : ffffffff80fbce04
   |  t1 : 0720072007200720 t2 : 706d756420656761 s0 : ff20000000a73a50
   |  s1 : ff6000008915cff8 a0 : 0000000000000039 a1 : 0000000000000008
   |  a2 : ff600003fff0de20 a3 : 0000000000000000 a4 : 0000000000000000
   |  a5 : 0000000000000000 a6 : c0000000ffffefff a7 : ffffffff824469b8
   |  s2 : ff1c0000022456c0 s3 : ff1ffffffdbfffff s4 : ff6000008915c000
   |  s5 : ff6000008915c000 s6 : ff6000008915c000 s7 : ff1ffffffdc00000
   |  s8 : 0000000000000001 s9 : ff1ffffffdc00000 s10: ffffffff819a31f0
   |  s11: ffffffffffffffff t3 : ffffffff8000c950 t4 : ff60000080244f00
   |  t5 : ff60000080244000 t6 : ff20000000a73708
   | status: 0000000200000120 badaddr: ffffffff80010a68 cause: 0000000000000003
   | [<ffffffff80010a68>] remove_pgd_mapping+0xbec/0x1070
   | [<ffffffff80fd238e>] vmemmap_free+0x14/0x1e
   | [<ffffffff8032e698>] section_deactivate+0x220/0x452
   | [<ffffffff8032ef7e>] sparse_remove_section+0x4a/0x58
   | [<ffffffff802f8700>] __remove_pages+0x7e/0xba
   | [<ffffffff803760d8>] memunmap_pages+0x2bc/0x3fe
   | [<ffffffff02a3ca28>] dmirror_device_remove_chunks+0x2ea/0x518 [test_hmm]
   | [<ffffffff02a3e026>] hmm_dmirror_exit+0x3e/0x1018 [test_hmm]
   | [<ffffffff80102c14>] __riscv_sys_delete_module+0x15a/0x2a6
   | [<ffffffff80fd020c>] do_trap_ecall_u+0x1f2/0x266
   | [<ffffffff80fde0a2>] _new_vmalloc_restore_context_a0+0xc6/0xd2
   | Code: bf51 7597 0184 8593 76a5 854a 4097 0029 80e7 2c00 (9002) 7597
   | ---[ end trace 0000000000000000 ]---
   | Kernel panic - not syncing: Fatal exception in interrupt

 Add a check to avoid calling the pmd dtor, if the calling context is
 vmemmap_free().

 The Linux kernel CVE team has assigned CVE-2024-56673 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.11 with commit c75a74f4ba19c904c0ae1e011ae2568449409ae4 and fixed in 6.12.6 with commit 344945806f2f7af68be98bac02836c867f223aa9
 	Issue introduced in 6.11 with commit c75a74f4ba19c904c0ae1e011ae2568449409ae4 and fixed in 6.13 with commit 21f1b85c8912262adf51707e63614a114425eb10

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-56673
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	arch/riscv/mm/init.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/344945806f2f7af68be98bac02836c867f223aa9
 	https://git.kernel.org/stable/c/21f1b85c8912262adf51707e63614a114425eb10
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-56673: riscv: mm: Do not call pmd dtor on vmemmap page table teardown

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	riscv: mm: Do not call pmd dtor on vmemmap page table teardown

	The vmemmap's, which is used for RV64 with SPARSEMEM_VMEMMAP, page
	tables are populated using pmd (page middle directory) hugetables.
	However, the pmd allocation is not using the generic mechanism used by
	the VMA code (e.g. pmd_alloc()), or the RISC-V specific
	create_pgd_mapping()/alloc_pmd_late(). Instead, the vmemmap page table
	code allocates a page, and calls vmemmap_set_pmd(). This results in
	that the pmd ctor is not called, nor would it make sense to do so.

	Now, when tearing down a vmemmap page table pmd, the cleanup code
	would unconditionally, and incorrectly call the pmd dtor, which
	results in a crash (best case).

	This issue was found when running the HMM selftests:

	\| tools/testing/selftests/mm# ./test_hmm.sh smoke
	\| ... # when unloading the test_hmm.ko module
	\| page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10915b
	\| flags: 0x1000000000000000(node=0\|zone=1)
	\| raw: 1000000000000000 0000000000000000 dead000000000122 0000000000000000
	\| raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
	\| page dumped because: VM_BUG_ON_PAGE(ptdesc->pmd_huge_pte)
	\| ------------[ cut here ]------------
	\| kernel BUG at include/linux/mm.h:3080!
	\| Kernel BUG [#1]
	\| Modules linked in: test_hmm(-) sch_fq_codel fuse drm drm_panel_orientation_quirks backlight dm_mod
	\| CPU: 1 UID: 0 PID: 514 Comm: modprobe Tainted: G W 6.12.0-00982-gf2a4f1682d07 #2
	\| Tainted: [W]=WARN
	\| Hardware name: riscv-virtio qemu/qemu, BIOS 2024.10 10/01/2024
	\| epc : remove_pgd_mapping+0xbec/0x1070
	\| ra : remove_pgd_mapping+0xbec/0x1070
	\| epc : ffffffff80010a68 ra : ffffffff80010a68 sp : ff20000000a73940
	\| gp : ffffffff827b2d88 tp : ff6000008785da40 t0 : ffffffff80fbce04
	\| t1 : 0720072007200720 t2 : 706d756420656761 s0 : ff20000000a73a50
	\| s1 : ff6000008915cff8 a0 : 0000000000000039 a1 : 0000000000000008
	\| a2 : ff600003fff0de20 a3 : 0000000000000000 a4 : 0000000000000000
	\| a5 : 0000000000000000 a6 : c0000000ffffefff a7 : ffffffff824469b8
	\| s2 : ff1c0000022456c0 s3 : ff1ffffffdbfffff s4 : ff6000008915c000
	\| s5 : ff6000008915c000 s6 : ff6000008915c000 s7 : ff1ffffffdc00000
	\| s8 : 0000000000000001 s9 : ff1ffffffdc00000 s10: ffffffff819a31f0
	\| s11: ffffffffffffffff t3 : ffffffff8000c950 t4 : ff60000080244f00
	\| t5 : ff60000080244000 t6 : ff20000000a73708
	\| status: 0000000200000120 badaddr: ffffffff80010a68 cause: 0000000000000003
	\| [<ffffffff80010a68>] remove_pgd_mapping+0xbec/0x1070
	\| [<ffffffff80fd238e>] vmemmap_free+0x14/0x1e
	\| [<ffffffff8032e698>] section_deactivate+0x220/0x452
	\| [<ffffffff8032ef7e>] sparse_remove_section+0x4a/0x58
	\| [<ffffffff802f8700>] __remove_pages+0x7e/0xba
	\| [<ffffffff803760d8>] memunmap_pages+0x2bc/0x3fe
	\| [<ffffffff02a3ca28>] dmirror_device_remove_chunks+0x2ea/0x518 [test_hmm]
	\| [<ffffffff02a3e026>] hmm_dmirror_exit+0x3e/0x1018 [test_hmm]
	\| [<ffffffff80102c14>] __riscv_sys_delete_module+0x15a/0x2a6
	\| [<ffffffff80fd020c>] do_trap_ecall_u+0x1f2/0x266
	\| [<ffffffff80fde0a2>] _new_vmalloc_restore_context_a0+0xc6/0xd2
	\| Code: bf51 7597 0184 8593 76a5 854a 4097 0029 80e7 2c00 (9002) 7597
	\| ---[ end trace 0000000000000000 ]---
	\| Kernel panic - not syncing: Fatal exception in interrupt

	Add a check to avoid calling the pmd dtor, if the calling context is
	vmemmap_free().

	The Linux kernel CVE team has assigned CVE-2024-56673 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.11 with commit c75a74f4ba19c904c0ae1e011ae2568449409ae4 and fixed in 6.12.6 with commit 344945806f2f7af68be98bac02836c867f223aa9
	Issue introduced in 6.11 with commit c75a74f4ba19c904c0ae1e011ae2568449409ae4 and fixed in 6.13 with commit 21f1b85c8912262adf51707e63614a114425eb10

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-56673
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	arch/riscv/mm/init.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/344945806f2f7af68be98bac02836c867f223aa9
	https://git.kernel.org/stable/c/21f1b85c8912262adf51707e63614a114425eb10