CVE-2024-26987

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-26987
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-26987.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-26987
Published
2024-05-01T05:27:34Z
Modified
2025-10-15T09:57:25.066312Z
Summary
mm/memory-failure: fix deadlock when hugetlb_optimize_vmemmap is enabled
Details

In the Linux kernel, the following vulnerability has been resolved:

mm/memory-failure: fix deadlock when hugetlb_optimize_vmemmap is enabled

When I did hard offline test with hugetlb pages, below deadlock occurs:

======================================================
WARNING: possible circular locking dependency detected
6.8.0-11409-gf6cef5f8c37f #1 Not tainted

bash/46904 is trying to acquire lock:
ffffffffabe68910 (cpu_hotplug_lock){++++}-{0:0}, at: static_key_slow_dec+0x16/0x60

but task is already holding lock:
ffffffffabf92ea8 (pcp_batch_high_lock){+.+.}-{3:3}, at: zone_pcp_disable+0x16/0x40

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #1 (pcp_batch_high_lock){+.+.}-{3:3}:
       __mutex_lock+0x6c/0x770
       page_alloc_cpu_online+0x3c/0x70
       cpuhp_invoke_callback+0x397/0x5f0
       __cpuhp_invoke_callback_range+0x71/0xe0
       _cpu_up+0xeb/0x210
       cpu_up+0x91/0xe0
       cpuhp_bringup_mask+0x49/0xb0
       bringup_nonboot_cpus+0xb7/0xe0
       smp_init+0x25/0xa0
       kernel_init_freeable+0x15f/0x3e0
       kernel_init+0x15/0x1b0
       ret_from_fork+0x2f/0x50
       ret_from_fork_asm+0x1a/0x30

-> #0 (cpu_hotplug_lock){++++}-{0:0}:
       __lock_acquire+0x1298/0x1cd0
       lock_acquire+0xc0/0x2b0
       cpus_read_lock+0x2a/0xc0
       static_key_slow_dec+0x16/0x60
       __hugetlb_vmemmap_restore_folio+0x1b9/0x200
       dissolve_free_huge_page+0x211/0x260
       __page_handle_poison+0x45/0xc0
       memory_failure+0x65e/0xc70
       hard_offline_page_store+0x55/0xa0
       kernfs_fop_write_iter+0x12c/0x1d0
       vfs_write+0x387/0x550
       ksys_write+0x64/0xe0
       do_syscall_64+0xca/0x1e0
       entry_SYSCALL_64_after_hwframe+0x6d/0x75

other info that might help us debug this:

Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(pcp_batch_high_lock);
                               lock(cpu_hotplug_lock);
                               lock(pcp_batch_high_lock);
  rlock(cpu_hotplug_lock);

 *** DEADLOCK ***

5 locks held by bash/46904:
 #0: ffff98f6c3bb23f0 (sb_writers#5){.+.+}-{0:0}, at: ksys_write+0x64/0xe0
 #1: ffff98f6c328e488 (&of->mutex){+.+.}-{3:3}, at: kernfs_fop_write_iter+0xf8/0x1d0
 #2: ffff98ef83b31890 (kn->active#113){.+.+}-{0:0}, at: kernfs_fop_write_iter+0x100/0x1d0
 #3: ffffffffabf9db48 (mf_mutex){+.+.}-{3:3}, at: memory_failure+0x44/0xc70
 #4: ffffffffabf92ea8 (pcp_batch_high_lock){+.+.}-{3:3}, at: zone_pcp_disable+0x16/0x40

stack backtrace:
CPU: 10 PID: 46904 Comm: bash Kdump: loaded Not tainted 6.8.0-11409-gf6cef5f8c37f #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0x68/0xa0
 check_noncircular+0x129/0x140
 __lock_acquire+0x1298/0x1cd0
 lock_acquire+0xc0/0x2b0
 cpus_read_lock+0x2a/0xc0
 static_key_slow_dec+0x16/0x60
 __hugetlb_vmemmap_restore_folio+0x1b9/0x200
 dissolve_free_huge_page+0x211/0x260
 __page_handle_poison+0x45/0xc0
 memory_failure+0x65e/0xc70
 hard_offline_page_store+0x55/0xa0
 kernfs_fop_write_iter+0x12c/0x1d0
 vfs_write+0x387/0x550
 ksys_write+0x64/0xe0
 do_syscall_64+0xca/0x1e0
 entry_SYSCALL_64_after_hwframe+0x6d/0x75
RIP: 0033:0x7fc862314887
Code: 10 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24
RSP: 002b:00007fff19311268 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 000000000000000c RCX: 00007fc862314887
RDX: 000000000000000c RSI: 000056405645fe10 RDI: 0000000000000001
RBP: 000056405645fe10 R08: 00007fc8623d1460 R09: 000000007fffffff
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000000c
R13: 00007fc86241b780 R14: 00007fc862417600 R15: 00007fc862416a00

In short, below scene breaks the ---truncated---

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
a6b40850c442bf996e729e1d441d3dbc37cea171
Fixed
5ef7ba2799a3b5ed292b8f6407376e2c25ef002e
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
a6b40850c442bf996e729e1d441d3dbc37cea171
Fixed
882e1180c83f5b75bae03d0ccc31ccedfe5159de
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
a6b40850c442bf996e729e1d441d3dbc37cea171
Fixed
49955b24002dc16a0ae2e83a57a2a6c863a1845c
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
a6b40850c442bf996e729e1d441d3dbc37cea171
Fixed
1983184c22dd84a4d95a71e5c6775c2638557dc7

Affected versions

v5.*

v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8

v6.*

v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.1
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.1.1
v6.1.10
v6.1.11
v6.1.12
v6.1.13
v6.1.14
v6.1.15
v6.1.16
v6.1.17
v6.1.18
v6.1.19
v6.1.2
v6.1.20
v6.1.21
v6.1.22
v6.1.23
v6.1.24
v6.1.25
v6.1.26
v6.1.27
v6.1.28
v6.1.29
v6.1.3
v6.1.30
v6.1.31
v6.1.32
v6.1.33
v6.1.34
v6.1.35
v6.1.36
v6.1.37
v6.1.38
v6.1.39
v6.1.4
v6.1.40
v6.1.41
v6.1.42
v6.1.43
v6.1.44
v6.1.45
v6.1.46
v6.1.47
v6.1.48
v6.1.49
v6.1.5
v6.1.50
v6.1.51
v6.1.52
v6.1.53
v6.1.54
v6.1.55
v6.1.56
v6.1.57
v6.1.58
v6.1.59
v6.1.6
v6.1.60
v6.1.61
v6.1.62
v6.1.63
v6.1.64
v6.1.65
v6.1.66
v6.1.67
v6.1.68
v6.1.69
v6.1.7
v6.1.70
v6.1.71
v6.1.72
v6.1.73
v6.1.74
v6.1.75
v6.1.76
v6.1.77
v6.1.78
v6.1.79
v6.1.8
v6.1.80
v6.1.81
v6.1.82
v6.1.83
v6.1.84
v6.1.85
v6.1.86
v6.1.87
v6.1.9
v6.2
v6.2-rc1
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.6.1
v6.6.10
v6.6.11
v6.6.12
v6.6.13
v6.6.14
v6.6.15
v6.6.16
v6.6.17
v6.6.18
v6.6.19
v6.6.2
v6.6.20
v6.6.21
v6.6.22
v6.6.23
v6.6.24
v6.6.25
v6.6.26
v6.6.27
v6.6.28
v6.6.3
v6.6.4
v6.6.5
v6.6.6
v6.6.7
v6.6.8
v6.6.9
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.8.1
v6.8.2
v6.8.3
v6.8.4
v6.8.5
v6.8.6
v6.8.7
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4

Database specific


Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.18.0
Fixed
6.1.88
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.29
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.8.8