CVE-2024-56628

In the Linux kernel, the following vulnerability has been resolved:

LoongArch: Add architecture specific hugepteclear()

When executing mm selftests run_vmtests.sh, there is such an error:

BUG: Bad page state in process uffd-unit-tests pfn:00000 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x0 flags: 0xffff0000002000(reserved|node=0|zone=0|lastcpupid=0xffff) raw: 00ffff0000002000 ffffbf0000000008 ffffbf0000000008 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: PAGEFLAGSCHECKATFREE flag(s) set Modules linked in: sndseqdummy sndseq sndseqdevice rfkill vfat fat virtioballoon efipstore virtionet pstore netfailover failover fuse nfnetlink virtioscsi virtiogpu virtiodmabuf dmmultipath efivarfs CPU: 2 UID: 0 PID: 1913 Comm: uffd-unit-tests Not tainted 6.12.0 #184 Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 2/2/2022 Stack : 900000047c8ac000 0000000000000000 9000000000223a7c 900000047c8ac000 900000047c8af690 900000047c8af698 0000000000000000 900000047c8af7d8 900000047c8af7d0 900000047c8af7d0 900000047c8af5b0 0000000000000001 0000000000000001 900000047c8af698 10b3c7d53da40d26 0000010000000000 0000000000000022 0000000fffffffff fffffffffe000000 ffff800000000000 000000000000002f 0000800000000000 000000017a6d4000 90000000028f8940 0000000000000000 0000000000000000 90000000025aa5e0 9000000002905000 0000000000000000 90000000028f8940 ffff800000000000 0000000000000000 0000000000000000 0000000000000000 9000000000223a94 000000012001839c 00000000000000b0 0000000000000004 0000000000000000 0000000000071c1d ... Call Trace: [<9000000000223a94>] showstack+0x5c/0x180 [<9000000001c3fd64>] dumpstacklvl+0x6c/0xa0 [<900000000056aa08>] badpage+0x1a0/0x1f0 [<9000000000574978>] freeunreffolios+0xbf0/0xd20 [<90000000004e65cc>] foliosputrefs+0x1a4/0x2b8 [<9000000000599a0c>] freepagesandswapcache+0x164/0x260 [<9000000000547698>] tlbbatchpagesflush+0xa8/0x1c0 [<9000000000547f30>] tlbfinishmmu+0xa8/0x218 [<9000000000543cb8>] exitmmap+0x1a0/0x360 [<9000000000247658>] _mmput+0x78/0x200 [<900000000025583c>] doexit+0x43c/0xde8 [<9000000000256490>] dogroupexit+0x68/0x110 [<9000000000256554>] sysexitgroup+0x1c/0x20 [<9000000001c413b4>] dosyscall+0x94/0x130 [<90000000002216d8>] handlesyscall+0xb8/0x158 Disabling lock debugging due to kernel taint BUG: non-zero pgtables_bytes on freeing mm: -16384

On LoongArch system, invalid huge pte entry should be invalidptetable or a single PAGEHUGE bit rather than a zero value. And it should be the same with invalid pmd entry, since pmdnone() is called by function freepgdrange() and pmdnone() return 0 by hugepteclear(). So single PAGEHUGE bit is also treated as a valid pte table and freepterange() will be called in freepmdrange().

freepmdrange() pmd = pmdoffset(pud, addr); do { next = pmdaddrend(addr, end); if (pmdnoneorclearbad(pmd)) continue; freepte_range(tlb, pmd, addr); } while (pmd++, addr = next, addr != end);

Here invalidptetable is used for both invalid huge pte entry and pmd entry.