In the Linux kernel, the following vulnerability has been resolved:
riscv: rewrite _kernelmap_pages() to fix sleeping in invalid context
_kernelmap_pages() is a debug function which clears the valid bit in page table entry for deallocated pages to detect illegal memory accesses to freed pages.
This function set/clear the valid bit using _setmemory(). _setmemory() acquires initmm's semaphore, and this operation may sleep. This is problematic, because _kernelmappages() can be called in atomic context, and thus is illegal to sleep. An example warning that this causes:
BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:1578 inatomic(): 1, irqsdisabled(): 0, nonblock: 0, pid: 2, name: kthreadd preemptcount: 2, expected: 0 CPU: 0 PID: 2 Comm: kthreadd Not tainted 6.9.0-g1d4c6d784ef6 #37 Hardware name: riscv-virtio,qemu (DT) Call Trace: [<ffffffff800060dc>] dumpbacktrace+0x1c/0x24 [<ffffffff8091ef6e>] showstack+0x2c/0x38 [<ffffffff8092baf8>] dumpstacklvl+0x5a/0x72 [<ffffffff8092bb24>] dumpstack+0x14/0x1c [<ffffffff8003b7ac>] _mightresched+0x104/0x10e [<ffffffff8003b7f4>] _mightsleep+0x3e/0x62 [<ffffffff8093276a>] downwrite+0x20/0x72 [<ffffffff8000cf00>] _setmemory+0x82/0x2fa [<ffffffff8000d324>] _kernelmappages+0x5a/0xd4 [<ffffffff80196cca>] _allocpagesbulk+0x3b2/0x43a [<ffffffff8018ee82>] _vmallocnoderange+0x196/0x6ba [<ffffffff80011904>] copyprocess+0x72c/0x17ec [<ffffffff80012ab4>] kernelclone+0x60/0x2fe [<ffffffff80012f62>] kernelthread+0x82/0xa0 [<ffffffff8003552c>] kthreadd+0x14a/0x1be [<ffffffff809357de>] retfromfork+0xe/0x1c
Rewrite this function with applytoexistingpagerange(). It is fine to not have any locking, because _kernelmap_pages() works with pages being allocated/deallocated and those pages are not changed by anyone else in the meantime.
[
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d5257ceb19d92069195254866421f425aea42915",
"target": {
"file": "arch/riscv/mm/pageattr.c"
},
"signature_type": "Line",
"deprecated": false,
"signature_version": "v1",
"digest": {
"line_hashes": [
"148126207944728173651656797549629591118",
"42297094463228431792522376150873166176",
"105734223747640000971967129990020537227",
"189604853587076892682893690935937348650",
"339779487458405179493239827246561934115",
"112070571865624452891866612536450817144",
"60366805529988115294253836754594333204",
"93811107597686835600187859499391529045",
"54304844835848699155242500152542850532",
"93851728560124950505959665612632189405",
"287273060614530404081436898147662164857",
"42070807573537205137218171276935865394",
"38435564151044321187547943942400838353",
"211086035157734148709472859148155041485"
],
"threshold": 0.9
},
"id": "CVE-2024-40915-01080943"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8661a7af04991201640863ad1a0983173f84b5eb",
"target": {
"function": "__kernel_map_pages",
"file": "arch/riscv/mm/pageattr.c"
},
"signature_type": "Function",
"deprecated": false,
"signature_version": "v1",
"digest": {
"function_hash": "177440876833028715063345196142187379521",
"length": 327.0
},
"id": "CVE-2024-40915-159d8995"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@fb1cf0878328fe75d47f0aed0a65b30126fcefc4",
"target": {
"function": "__kernel_map_pages",
"file": "arch/riscv/mm/pageattr.c"
},
"signature_type": "Function",
"deprecated": false,
"signature_version": "v1",
"digest": {
"function_hash": "177440876833028715063345196142187379521",
"length": 327.0
},
"id": "CVE-2024-40915-247cf20b"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d5257ceb19d92069195254866421f425aea42915",
"target": {
"function": "__kernel_map_pages",
"file": "arch/riscv/mm/pageattr.c"
},
"signature_type": "Function",
"deprecated": false,
"signature_version": "v1",
"digest": {
"function_hash": "177440876833028715063345196142187379521",
"length": 327.0
},
"id": "CVE-2024-40915-2bb54193"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8661a7af04991201640863ad1a0983173f84b5eb",
"target": {
"file": "arch/riscv/mm/pageattr.c"
},
"signature_type": "Line",
"deprecated": false,
"signature_version": "v1",
"digest": {
"line_hashes": [
"148126207944728173651656797549629591118",
"42297094463228431792522376150873166176",
"105734223747640000971967129990020537227",
"189604853587076892682893690935937348650",
"339779487458405179493239827246561934115",
"112070571865624452891866612536450817144",
"60366805529988115294253836754594333204",
"93811107597686835600187859499391529045",
"54304844835848699155242500152542850532",
"93851728560124950505959665612632189405",
"287273060614530404081436898147662164857",
"42070807573537205137218171276935865394",
"38435564151044321187547943942400838353",
"211086035157734148709472859148155041485"
],
"threshold": 0.9
},
"id": "CVE-2024-40915-432a9883"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@fb1cf0878328fe75d47f0aed0a65b30126fcefc4",
"target": {
"file": "arch/riscv/mm/pageattr.c"
},
"signature_type": "Line",
"deprecated": false,
"signature_version": "v1",
"digest": {
"line_hashes": [
"148126207944728173651656797549629591118",
"42297094463228431792522376150873166176",
"105734223747640000971967129990020537227",
"189604853587076892682893690935937348650",
"339779487458405179493239827246561934115",
"112070571865624452891866612536450817144",
"60366805529988115294253836754594333204",
"93811107597686835600187859499391529045",
"54304844835848699155242500152542850532",
"93851728560124950505959665612632189405",
"287273060614530404081436898147662164857",
"42070807573537205137218171276935865394",
"38435564151044321187547943942400838353",
"211086035157734148709472859148155041485"
],
"threshold": 0.9
},
"id": "CVE-2024-40915-5b81204b"
}
]