CVE-2024-26783

With numa balancing on, when a numa system is running where a numa node doesn't have its local memory so it has no managed zones, the following oops has been observed. It's because wakeupkswapd() is called with a wrong zone index, -1. Fixed it by checking the index before calling wakeupkswapd().

BUG: unable to handle page fault for address: 00000000000033f3

PF: supervisor read access in kernel mode

PF: error_code(0x0000) - not-present page

PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 2 PID: 895 Comm: masim Not tainted 6.6.0-dirty #255 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:wakeupkswapd (./linux/mm/vmscan.c:7812) Code: (omitted) RSP: 0000:ffffc90004257d58 EFLAGS: 00010286 RAX: ffffffffffffffff RBX: ffff88883fff0480 RCX: 0000000000000003 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88883fff0480 RBP: ffffffffffffffff R08: ff0003ffffffffff R09: ffffffffffffffff R10: ffff888106c95540 R11: 0000000055555554 R12: 0000000000000003 R13: 0000000000000000 R14: 0000000000000000 R15: ffff88883fff0940 FS: 00007fc4b8124740(0000) GS:ffff888827c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000000033f3 CR3: 000000026cc08004 CR4: 0000000000770ee0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> ? _die ? pagefaultoops ? _pteoffsetmaplock ? excpagefault ? asmexcpagefault ? wakeupkswapd migratemisplacedpage _handlemmfault handlemmfault douseraddrfault excpagefault asmexcpage_fault RIP: 0033:0x55b897ba0808 Code: (omitted) RSP: 002b:00007ffeefa821a0 EFLAGS: 00010287 RAX: 000055b89983acd0 RBX: 00007ffeefa823f8 RCX: 000055b89983acd0 RDX: 00007fc2f8122010 RSI: 0000000000020000 RDI: 000055b89983acd0 RBP: 00007ffeefa821a0 R08: 0000000000000037 R09: 0000000000000075 R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000 R13: 00007ffeefa82410 R14: 000055b897ba5dd8 R15: 00007fc4b8340000 </TASK>

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

c574bbe917036c8968b984c82c7b13194fe5ce98

Fixed

e5ec1c24e71dbf144677a975d6ba91043c2193db

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

c574bbe917036c8968b984c82c7b13194fe5ce98

Fixed

d6159bd4c00594249e305bfe02304c67c506264e

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

c574bbe917036c8968b984c82c7b13194fe5ce98

Fixed

bdd21eed8b72f9e28d6c279f6db258e090c79080

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

c574bbe917036c8968b984c82c7b13194fe5ce98

Fixed

2774f256e7c0219e2b0a0894af1c76bdabc4f974

Affected versions

v5.*

v5.18

v5.18-rc1

v5.18-rc2

v5.18-rc3

v5.18-rc4

v5.18-rc5

v5.18-rc6

v5.18-rc7

v5.19

v5.19-rc1

v5.19-rc2

v5.19-rc3

v5.19-rc4

v5.19-rc5

v5.19-rc6

v5.19-rc7

v5.19-rc8

v6.*

v6.0

v6.0-rc1

v6.0-rc2

v6.0-rc3

v6.0-rc4

v6.0-rc5

v6.0-rc6

v6.0-rc7

v6.1

v6.1-rc1

v6.1-rc2

v6.1-rc3

v6.1-rc4

v6.1-rc5

v6.1-rc6

v6.1-rc7

v6.1-rc8

v6.1.1

v6.1.10

v6.1.100

v6.1.101

v6.1.102

v6.1.103

v6.1.104

v6.1.105

v6.1.106

v6.1.107

v6.1.108

v6.1.109

v6.1.11

v6.1.110

v6.1.111

v6.1.112

v6.1.113

v6.1.114

v6.1.115

v6.1.116

v6.1.117

v6.1.118

v6.1.119

v6.1.12

v6.1.120

v6.1.121

v6.1.122

v6.1.123

v6.1.124

v6.1.125

v6.1.126

v6.1.127

v6.1.128

v6.1.129

v6.1.13

v6.1.130

v6.1.131

v6.1.132

v6.1.133

v6.1.134

v6.1.135

v6.1.136

v6.1.137

v6.1.138

v6.1.139

v6.1.14

v6.1.15

v6.1.16

v6.1.17

v6.1.18

v6.1.19

v6.1.2

v6.1.20

v6.1.21

v6.1.22

v6.1.23

v6.1.24

v6.1.25

v6.1.26

v6.1.27

v6.1.28

v6.1.29

v6.1.3

v6.1.30

v6.1.31

v6.1.32

v6.1.33

v6.1.34

v6.1.35

v6.1.36

v6.1.37

v6.1.38

v6.1.39

v6.1.4

v6.1.40

v6.1.41

v6.1.42

v6.1.43

v6.1.44

v6.1.45

v6.1.46

v6.1.47

v6.1.48

v6.1.49

v6.1.5

v6.1.50

v6.1.51

v6.1.52

v6.1.53

v6.1.54

v6.1.55

v6.1.56

v6.1.57

v6.1.58

v6.1.59

v6.1.6

v6.1.60

v6.1.61

v6.1.62

v6.1.63

v6.1.64

v6.1.65

v6.1.66

v6.1.67

v6.1.68

v6.1.69

v6.1.7

v6.1.70

v6.1.71

v6.1.72

v6.1.73

v6.1.74

v6.1.75

v6.1.76

v6.1.77

v6.1.78

v6.1.79

v6.1.8

v6.1.80

v6.1.81

v6.1.82

v6.1.83

v6.1.84

v6.1.85

v6.1.86

v6.1.87

v6.1.88

v6.1.89

v6.1.9

v6.1.90

v6.1.91

v6.1.92

v6.1.93

v6.1.94

v6.1.95

v6.1.96

v6.1.97

v6.1.98

v6.1.99

v6.2

v6.2-rc1

v6.2-rc2

v6.2-rc3

v6.2-rc4

v6.2-rc5

v6.2-rc6

v6.2-rc7

v6.2-rc8

v6.3

v6.3-rc1

v6.3-rc2

v6.3-rc3

v6.3-rc4

v6.3-rc5

v6.3-rc6

v6.3-rc7

v6.4

v6.4-rc1

v6.4-rc2

v6.4-rc3

v6.4-rc4

v6.4-rc5

v6.4-rc6

v6.4-rc7

v6.5

v6.5-rc1

v6.5-rc2

v6.5-rc3

v6.5-rc4

v6.5-rc5

v6.5-rc6

v6.5-rc7

v6.6

v6.6-rc1

v6.6-rc2

v6.6-rc3

v6.6-rc4

v6.6-rc5

v6.6-rc6

v6.6-rc7

v6.6.1

v6.6.10

v6.6.11

v6.6.12

v6.6.13

v6.6.14

v6.6.15

v6.6.16

v6.6.17

v6.6.18

v6.6.19

v6.6.2

v6.6.20

v6.6.21

v6.6.3

v6.6.4

v6.6.5

v6.6.6

v6.6.7

v6.6.8

v6.6.9

v6.7

v6.7-rc1

v6.7-rc2

v6.7-rc3

v6.7-rc4

v6.7-rc5

v6.7-rc6

v6.7-rc7

v6.7-rc8

v6.7.1

v6.7.2

v6.7.3

v6.7.4

v6.7.5

v6.7.6

v6.7.7

v6.7.8

v6.8-rc1

v6.8-rc2

v6.8-rc3

v6.8-rc4

v6.8-rc5

Database specific

vanir_signatures

[
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e5ec1c24e71dbf144677a975d6ba91043c2193db",
        "deprecated": false,
        "digest": {
            "function_hash": "110205616953720845255981445186202645065",
            "length": 712.0
        },
        "target": {
            "function": "numamigrate_isolate_page",
            "file": "mm/migrate.c"
        },
        "id": "CVE-2024-26783-047e657e",
        "signature_version": "v1",
        "signature_type": "Function"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@bdd21eed8b72f9e28d6c279f6db258e090c79080",
        "deprecated": false,
        "digest": {
            "function_hash": "238568298222481004386638108051451842993",
            "length": 569.0
        },
        "target": {
            "function": "numamigrate_isolate_folio",
            "file": "mm/migrate.c"
        },
        "id": "CVE-2024-26783-8c5d75b6",
        "signature_version": "v1",
        "signature_type": "Function"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@bdd21eed8b72f9e28d6c279f6db258e090c79080",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "52575079099391875739670362080581877014",
                "314757465785460227062515260850746999263",
                "270445900866054529276259153614371236312",
                "73034617069600324338935965153543526747"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "mm/migrate.c"
        },
        "id": "CVE-2024-26783-99817651",
        "signature_version": "v1",
        "signature_type": "Line"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e5ec1c24e71dbf144677a975d6ba91043c2193db",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "52575079099391875739670362080581877014",
                "65089543792032457161069409192728798576",
                "98033364336888244533491025539029926945",
                "185721115889587305666486435187583860357"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "mm/migrate.c"
        },
        "id": "CVE-2024-26783-b1618251",
        "signature_version": "v1",
        "signature_type": "Line"
    }
]

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.18.0

Fixed

6.1.140

Type: ECOSYSTEM
Events: Introduced

6.2.0

Fixed

6.6.22

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.7.9