{ "threat_severity" : "Low", "public_date" : "2024-05-01T00:00:00Z", "bugzilla" : { "description" : "kernel: mm/memory-failure: fix deadlock when hugetlb_optimize_vmemmap is enabled", "id" : "2278327", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2278327" }, "cvss3" : { "cvss3_base_score" : "5.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nmm/memory-failure: fix deadlock when hugetlb_optimize_vmemmap is enabled\nWhen I did hard offline test with hugetlb pages, below deadlock occurs:\n======================================================\nWARNING: possible circular locking dependency detected\n6.8.0-11409-gf6cef5f8c37f #1 Not tainted\n------------------------------------------------------\nbash/46904 is trying to acquire lock:\nffffffffabe68910 (cpu_hotplug_lock){++++}-{0:0}, at: static_key_slow_dec+0x16/0x60\nbut task is already holding lock:\nffffffffabf92ea8 (pcp_batch_high_lock){+.+.}-{3:3}, at: zone_pcp_disable+0x16/0x40\nwhich lock already depends on the new lock.\nthe existing dependency chain (in reverse order) is:\n-> #1 (pcp_batch_high_lock){+.+.}-{3:3}:\n__mutex_lock+0x6c/0x770\npage_alloc_cpu_online+0x3c/0x70\ncpuhp_invoke_callback+0x397/0x5f0\n__cpuhp_invoke_callback_range+0x71/0xe0\n_cpu_up+0xeb/0x210\ncpu_up+0x91/0xe0\ncpuhp_bringup_mask+0x49/0xb0\nbringup_nonboot_cpus+0xb7/0xe0\nsmp_init+0x25/0xa0\nkernel_init_freeable+0x15f/0x3e0\nkernel_init+0x15/0x1b0\nret_from_fork+0x2f/0x50\nret_from_fork_asm+0x1a/0x30\n-> #0 (cpu_hotplug_lock){++++}-{0:0}:\n__lock_acquire+0x1298/0x1cd0\nlock_acquire+0xc0/0x2b0\ncpus_read_lock+0x2a/0xc0\nstatic_key_slow_dec+0x16/0x60\n__hugetlb_vmemmap_restore_folio+0x1b9/0x200\ndissolve_free_huge_page+0x211/0x260\n__page_handle_poison+0x45/0xc0\nmemory_failure+0x65e/0xc70\nhard_offline_page_store+0x55/0xa0\nkernfs_fop_write_iter+0x12c/0x1d0\nvfs_write+0x387/0x550\nksys_write+0x64/0xe0\ndo_syscall_64+0xca/0x1e0\nentry_SYSCALL_64_after_hwframe+0x6d/0x75\nother info that might help us debug this:\nPossible unsafe locking scenario:\nCPU0 CPU1\n---- ----\nlock(pcp_batch_high_lock);\nlock(cpu_hotplug_lock);\nlock(pcp_batch_high_lock);\nrlock(cpu_hotplug_lock);\n*** DEADLOCK ***\n5 locks held by bash/46904:\n#0: ffff98f6c3bb23f0 (sb_writers#5){.+.+}-{0:0}, at: ksys_write+0x64/0xe0\n#1: ffff98f6c328e488 (&of->mutex){+.+.}-{3:3}, at: kernfs_fop_write_iter+0xf8/0x1d0\n#2: ffff98ef83b31890 (kn->active#113){.+.+}-{0:0}, at: kernfs_fop_write_iter+0x100/0x1d0\n#3: ffffffffabf9db48 (mf_mutex){+.+.}-{3:3}, at: memory_failure+0x44/0xc70\n#4: ffffffffabf92ea8 (pcp_batch_high_lock){+.+.}-{3:3}, at: zone_pcp_disable+0x16/0x40\nstack backtrace:\nCPU: 10 PID: 46904 Comm: bash Kdump: loaded Not tainted 6.8.0-11409-gf6cef5f8c37f #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\nCall Trace:\n\ndump_stack_lvl+0x68/0xa0\ncheck_noncircular+0x129/0x140\n__lock_acquire+0x1298/0x1cd0\nlock_acquire+0xc0/0x2b0\ncpus_read_lock+0x2a/0xc0\nstatic_key_slow_dec+0x16/0x60\n__hugetlb_vmemmap_restore_folio+0x1b9/0x200\ndissolve_free_huge_page+0x211/0x260\n__page_handle_poison+0x45/0xc0\nmemory_failure+0x65e/0xc70\nhard_offline_page_store+0x55/0xa0\nkernfs_fop_write_iter+0x12c/0x1d0\nvfs_write+0x387/0x550\nksys_write+0x64/0xe0\ndo_syscall_64+0xca/0x1e0\nentry_SYSCALL_64_after_hwframe+0x6d/0x75\nRIP: 0033:0x7fc862314887\nCode: 10 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24\nRSP: 002b:00007fff19311268 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 000000000000000c RCX: 00007fc862314887\nRDX: 000000000000000c RSI: 000056405645fe10 RDI: 0000000000000001\nRBP: 000056405645fe10 R08: 00007fc8623d1460 R09: 000000007fffffff\nR10: 0000000000000000 R11: 0000000000000246 R12: 000000000000000c\nR13: 00007fc86241b780 R14: 00007fc862417600 R15: 00007fc862416a00\nIn short, below scene breaks the \n---truncated---", "In the Linux kernel, the following vulnerability has been resolved:\nmm/memory-failure: fix deadlock when hugetlb_optimize_vmemmap is enabled\nThe Linux kernel CVE team has assigned CVE-2024-26987 to this issue.\nUpstream advisory:\nhttps://lore.kernel.org/linux-cve-announce/2024050143-CVE-2024-26987-507c@gregkh/T" ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-11-12T00:00:00Z", "advisory" : "RHSA-2024:9315", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-503.11.1.el9_5" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-11-12T00:00:00Z", "advisory" : "RHSA-2024:9315", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-503.11.1.el9_5" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-26987\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-26987\nhttps://lore.kernel.org/linux-cve-announce/2024050143-CVE-2024-26987-507c@gregkh/T" ], "name" : "CVE-2024-26987", "csaw" : false }