CVE-2024-40914
See a problem?- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-40914
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-40914.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2024-40914
- Related
- Published
- 2024-07-12T13:15:14Z
- Modified
- 2024-09-18T03:26:30.320607Z
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
mm/hugememory: don't unpoison hugezero_folio
When I did memory failure tests recently, below panic occurs:
kernel BUG at include/linux/mm.h:1135! invalid opcode: 0000 [#1] PREEMPT SMP NOPTI CPU: 9 PID: 137 Comm: kswapd1 Not tainted 6.9.0-rc4-00491-gd5ce28f156fe-dirty #14 RIP: 0010:shrinkhugezeropagescan+0x168/0x1a0 RSP: 0018:ffff9933c6c57bd0 EFLAGS: 00000246 RAX: 000000000000003e RBX: 0000000000000000 RCX: ffff88f61fc5c9c8 RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff88f61fc5c9c0 RBP: ffffcd7c446b0000 R08: ffffffff9a9405f0 R09: 0000000000005492 R10: 00000000000030ea R11: ffffffff9a9405f0 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: ffff88e703c4ac00 FS: 0000000000000000(0000) GS:ffff88f61fc40000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055f4da6e9878 CR3: 0000000c71048000 CR4: 00000000000006f0 Call Trace: <TASK> doshrinkslab+0x14f/0x6a0 shrinkslab+0xca/0x8c0 shrinknode+0x2d0/0x7d0 balancepgdat+0x33a/0x720 kswapd+0x1f3/0x410 kthread+0xd5/0x100 retfromfork+0x2f/0x50 retfromforkasm+0x1a/0x30 </TASK> Modules linked in: mceinject hwpoisoninject ---[ end trace 0000000000000000 ]--- RIP: 0010:shrinkhugezeropagescan+0x168/0x1a0 RSP: 0018:ffff9933c6c57bd0 EFLAGS: 00000246 RAX: 000000000000003e RBX: 0000000000000000 RCX: ffff88f61fc5c9c8 RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff88f61fc5c9c0 RBP: ffffcd7c446b0000 R08: ffffffff9a9405f0 R09: 0000000000005492 R10: 00000000000030ea R11: ffffffff9a9405f0 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: ffff88e703c4ac00 FS: 0000000000000000(0000) GS:ffff88f61fc40000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055f4da6e9878 CR3: 0000000c71048000 CR4: 00000000000006f0
The root cause is that HWPoison flag will be set for hugezerofolio without increasing the folio refcnt. But then unpoisonmemory() will decrease the folio refcnt unexpectedly as it appears like a successfully hwpoisoned folio leading to VMBUGONPAGE(pagerefcount(page) == 0) when releasing hugezerofolio.
Skip unpoisoning hugezerofolio in unpoisonmemory() to fix this issue. We're not prepared to unpoison hugezero_folio yet.
- References
-
- https://git.kernel.org/stable/c/0d73477af964dbd7396163a13817baf13940bca9
- https://git.kernel.org/stable/c/688bb46ad339497b5b7f527b6636d2afe04b46af
- https://git.kernel.org/stable/c/b2494506f30675245a3e6787281f79601af087bf
- https://git.kernel.org/stable/c/d72b7711919de49d92a67dfc844a6cf4c23dd794
- https://git.kernel.org/stable/c/fe6f86f4b40855a130a19aa589f9ba7f650423f4
- https://security-tracker.debian.org/tracker/CVE-2024-40914
Affected packages
Debian:12 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed6.1.99-1
Affected versions
6.*
Debian:13 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed6.9.7-1